
BundleBot Malware

BundleBot is a stealer/bot that has been operating under the radar by abusing .NET single-file deployment. Packaging the payload this way lets the threat actors harvest sensitive information from compromised hosts while attracting little attention from security products.

BundleBot abuses the dotnet bundle (single-file, self-contained) format. In this format the application's managed assemblies, and with self-contained deployment the .NET runtime itself, are embedded inside a single host executable, so the actual payload DLL never exists on disk as a separate file and a scanner that only inspects the outer binary sees a generic .NET apphost. The result is very low or even zero static detection, which lets the malware remain on compromised devices for prolonged periods.
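Because the embedded assemblies are not separate files, triage has to open the bundle itself. The script below is an added example, not code from the BundleBot report or from the malware: it locates the single-file bundle marker inside an apphost, follows the header offset stored just before it, and lists the embedded files by name and type, which is enough to spot a payload such as 'GoogleAI.dll' inside an otherwise unremarkable executable. It follows the publicly documented bundle layout from dotnet/runtime (marker = SHA-256 of ".net core bundle", version 2+ header fields, version 6+ compressed-size field); the fixture it parses is constructed here and is not a real sample.

```python
"""Locate and enumerate a .NET single-file bundle embedded in an apphost.

Added example (not from the BundleBot report). Implements the public
single-file bundle layout from dotnet/runtime: a 32-byte marker that is the
SHA-256 of ".net core bundle", the 8-byte little-endian header offset stored
immediately before that marker (0 for a non-bundled apphost), then a header
and a manifest of embedded files. The sample bundle below is constructed.
"""
import hashlib
import struct

BUNDLE_MARKER = hashlib.sha256(b".net core bundle").digest()

FILE_TYPES = {0: "Unknown", 1: "Assembly", 2: "NativeBinary",
              3: "DepsJson", 4: "RuntimeConfigJson", 5: "Symbols"}


def _read_7bit_string(buf, pos):
    """BinaryReader.ReadString layout: 7-bit encoded byte length, then UTF-8."""
    length, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        length |= (b & 0x7F) << shift
        if not b & 0x80:
            break
        shift += 7
    return buf[pos:pos + length].decode("utf-8"), pos + length


def parse_bundle(data):
    """Return None if `data` is not a single-file bundle, otherwise a dict with
    the bundle version, bundle id and the embedded files (name/type/offset/size)."""
    idx = data.find(BUNDLE_MARKER)
    if idx < 8:
        return None
    (header_off,) = struct.unpack_from("<q", data, idx - 8)
    if header_off <= 0 or header_off >= len(data):
        return None                      # marker present but unpopulated: plain apphost
    pos = header_off
    major, minor, count = struct.unpack_from("<IIi", data, pos)
    pos += 12
    bundle_id, pos = _read_7bit_string(data, pos)
    if major >= 2:
        pos += 40                        # deps.json / runtimeconfig.json locations + flags
    files = []
    for _ in range(count):
        offset, size = struct.unpack_from("<qq", data, pos)
        pos += 16
        if major >= 6:
            pos += 8                     # compressed size (0 when stored uncompressed)
        ftype = data[pos]
        pos += 1
        name, pos = _read_7bit_string(data, pos)
        files.append({"name": name, "type": FILE_TYPES.get(ftype, str(ftype)),
                      "offset": offset, "size": size})
    return {"version": f"{major}.{minor}", "bundle_id": bundle_id, "files": files}


def build_sample_bundle():
    """Constructed fixture: a fake apphost stub, two embedded files and a
    version 6.0 header/manifest laid out like the real format."""
    def s(text):                         # names here are shorter than 128 bytes
        b = text.encode("utf-8")
        return bytes([len(b)]) + b
    host = bytearray(b"MZ" + b"\x00" * 64)
    marker_at = len(host) + 8
    host += b"\x00" * 8 + BUNDLE_MARKER  # placeholder offset, then the marker
    payloads = [("GoogleAI.dll", 1, b"MZ-fake-assembly-bytes"),
                ("GoogleAI.deps.json", 3, b'{"runtimeTarget":{}}')]
    entries = []
    for name, ftype, blob in payloads:
        entries.append((name, ftype, len(host), len(blob)))
        host += blob
    header_off = len(host)
    host += struct.pack("<IIi", 6, 0, len(entries)) + s("sample-bundle-id")
    host += struct.pack("<qqqqQ", 0, 0, 0, 0, 0)   # deps/runtimeconfig locations, flags
    for name, ftype, off, size in entries:
        host += struct.pack("<qqq", off, size, 0) + bytes([ftype]) + s(name)
    struct.pack_into("<q", host, marker_at - 8, header_off)
    return bytes(host)


if __name__ == "__main__":
    info = parse_bundle(build_sample_bundle())
    print(f"bundle v{info['version']} id={info['bundle_id']}")
    for f in info["files"]:
        print(f"  {f['type']:<18} {f['name']:<22} @0x{f['offset']:x} ({f['size']} bytes)")
```

To use it on a real file, pass the file's bytes to parse_bundle and carve each entry with its offset and size; entries whose compressed size is non-zero are deflate-compressed in real bundles, which this example does not decompress.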

According to cybersecurity experts' findings, the distribution of BundleBot commonly occurs through Facebook Ads and compromised accounts, leading unsuspecting users to websites that masquerade as regular program utilities, AI tools, and games. Once users access these deceptive websites, they unknowingly trigger the download and execution of the malware, putting their systems and sensitive data at risk.

Cybercriminals Take Advantage of Popular AI Tools as Phishing Lures

The websites used in the BundleBot attacks imitate Google Bard, Google's conversational generative AI chatbot. They lure victims with a download link for a RAR archive named 'Google_AI.rar.' Notably, these archives are hosted on legitimate cloud storage services such as Dropbox, which lends the download an air of legitimacy and complicates URL-based blocking.

Using Google Bard as a lure is not new; cybercriminals have been exploiting the popularity of AI tools for months, particularly on Facebook, to distribute information-stealing malware such as the Doenerium stealer.

The malicious links are spread through Facebook Ads and compromised user accounts, a delivery method threat actors have relied on for some time. Because BundleBot also steals the victim's Facebook account information, the operators gain fresh accounts from which to push the next round of ads and links, creating a self-sustaining distribution cycle.

The Infection Chain of the BundleBot Malware Threat

Unpacking 'Google_AI.rar' yields an executable named 'GoogleAI.exe,' a .NET single-file, self-contained application. Embedded in it is 'GoogleAI.dll,' which acts as a downloader and fetches a password-protected ZIP archive from Google Drive.

That archive, 'ADSNEW-1.0.0.3.zip,' contains another .NET single-file, self-contained application, 'RiotClientServices.exe.' This one embeds the BundleBot payload itself, 'RiotClientServices.dll,' together with 'LirarySharing.dll,' a serializer for the packets exchanged with the Command-and-Control (C2) server.

Once running, BundleBot operates as a custom, previously undocumented stealer/bot. It uses 'LirarySharing.dll' to process and serialize the packet data exchanged with the C2 server. To hinder analysis, the binaries use custom obfuscation and contain a significant amount of junk code.

The BundleBot Malware Has Threatening Intrusive Functionalities

The malware's capabilities are extensive. It can steal data from web browsers, capture screenshots, acquire Discord tokens, gather information from Telegram, and harvest Facebook account details, all without the user's knowledge.

A second BundleBot sample has also been observed that is nearly identical except for one difference: instead of relying on the custom C2 protocol, it exfiltrates the stolen data to a remote server over HTTPS, packaged as a ZIP archive. Sending the data as an encrypted HTTPS upload lets the attackers transfer the victim's information without it standing out in network traffic.
