Saturday, September 30, 2023

Infostealer BundleBot pretends to be Google Bard and steals Facebook user data*


The single-file, self-contained .NET malware evades static antivirus detection and quietly steals its victims' data.

A new malware family called BundleBot operates as stealthily as possible on the victim's system by using .NET single-file deployment, which lets the attackers quietly harvest confidential information from infected computers.

According to Check Point's recent report, "BundleBot abuses stand-alone single-file .NET bundles that result in very low or no static detection."

The malware is typically distributed through advertising banners or posts from hacked Facebook* accounts that lead to sites offering downloads of popular utilities, artificial intelligence tools and simple games.

Some of these sites imitate Google Bard, Google's generative chatbot, to entice victims into downloading a malicious RAR archive called "Google_AI.rar" hosted on legitimate cloud storage services such as Dropbox.


The archive contains the executable "GoogleAI.exe", a single-file, self-contained .NET application. Embedded in it is a DLL, "GoogleAI.dll", that downloads a password-protected ZIP archive from the attackers' Google Drive.

The downloaded archive "ADSNEW-1.0.0.3.zip" contains another single-file, self-contained .NET application, "RiotClientServices.exe", which bundles the BundleBot payload itself ("RiotClientServices.dll") together with a C2 data serializer ("LirarySharing.dll").
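The reason a single-file bundle gets "very low or no static detection" is that the managed assembly (here "GoogleAI.dll") is not on disk as its own file: it is appended to the native apphost as an opaque blob, and only a small manifest at the end of the file says where each embedded file lives. The added example below is not from the article or from Check Point; it parses that manifest so a triage script can list what a suspicious single-file .NET executable really carries. The layout follows the publicly documented bundle format in dotnet/runtime (an 8-byte manifest offset immediately followed by SHA-256(".net core bundle") as the marker, then a header and a file table; bundle version 6 and later add a compressed-size field per entry). The sample bundle is constructed in code so the script runs offline; it is not real malware, and the file names in it are illustrative.

```python
import hashlib
import struct

# The apphost carries a 32-byte marker, SHA-256(".net core bundle"), which the
# bundler leaves in place; the int64 right before it is the manifest file offset.
BUNDLE_SIGNATURE = hashlib.sha256(b".net core bundle").digest()

# FileType values used in the bundle manifest (Microsoft.NET.HostModel).
FILE_TYPES = {0: "Unknown", 1: "Assembly", 2: "NativeBinary",
              3: "DepsJson", 4: "RuntimeConfigJson", 5: "Symbols"}


def _read_7bit_int(data, pos):
    """Decode a BinaryWriter-style 7-bit length prefix; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        b = data[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7


def _read_string(data, pos):
    length, pos = _read_7bit_int(data, pos)
    return data[pos:pos + length].decode("utf-8"), pos + length


def _write_string(s):
    """Inverse of _read_string, used only to build the constructed sample."""
    raw = s.encode("utf-8")
    out, n = bytearray(), len(raw)
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out) + raw


def find_bundle_header_offset(data):
    """Return the manifest offset if `data` is a single-file bundle, else None."""
    idx = data.find(BUNDLE_SIGNATURE)
    if idx < 8:
        return None
    (offset,) = struct.unpack_from("<q", data, idx - 8)
    # A plain (unbundled) apphost still contains the signature, with offset 0.
    return offset if 0 < offset < len(data) else None


def parse_bundle_manifest(data, offset):
    """Parse the manifest header and the table of embedded files."""
    major, minor, count = struct.unpack_from("<IIi", data, offset)
    pos = offset + 12
    bundle_id, pos = _read_string(data, pos)
    manifest = {"version": (major, minor), "bundle_id": bundle_id, "files": []}
    if major >= 2:
        # deps.json location, runtimeconfig.json location, then flags
        *_, flags = struct.unpack_from("<qqqqQ", data, pos)
        pos += 40
        manifest["flags"] = flags
    for _ in range(count):
        off, size = struct.unpack_from("<qq", data, pos)
        pos += 16
        compressed = 0
        if major >= 6:
            # non-zero means the entry is deflate-compressed on disk
            (compressed,) = struct.unpack_from("<q", data, pos)
            pos += 8
        ftype = data[pos]
        pos += 1
        path, pos = _read_string(data, pos)
        manifest["files"].append({"path": path, "offset": off, "size": size,
                                  "compressed_size": compressed,
                                  "type": FILE_TYPES.get(ftype, str(ftype))})
    return manifest


def triage(data):
    """Manifest of a single-file bundle, or None if `data` is not one."""
    offset = find_bundle_header_offset(data)
    return None if offset is None else parse_bundle_manifest(data, offset)


def build_sample_bundle():
    """Constructed v6 bundle: fake apphost, marker, payload blob, manifest."""
    host = b"MZ" + b"\x00" * 62 + b"apphost-code" * 4      # stand-in for the PE stub
    embedded = [("GoogleAI.dll", b"MZ-managed-assembly-bytes", 1),
                ("GoogleAI.deps.json", b'{"targets":{}}', 3),
                ("GoogleAI.runtimeconfig.json", b'{"runtimeOptions":{}}', 4)]
    payload_base = len(host) + 8 + len(BUNDLE_SIGNATURE)
    payload, entries = bytearray(), []
    for path, content, ftype in embedded:
        entries.append((payload_base + len(payload), len(content), ftype, path))
        payload += content
    manifest_offset = payload_base + len(payload)
    m = bytearray(struct.pack("<IIi", 6, 0, len(entries)))
    m += _write_string("constructed-bundle-id")
    deps = next(e for e in entries if e[2] == 3)
    rc = next(e for e in entries if e[2] == 4)
    m += struct.pack("<qqqqQ", deps[0], deps[1], rc[0], rc[1], 0)
    for off, size, ftype, path in entries:
        m += struct.pack("<qqq", off, size, 0) + bytes([ftype]) + _write_string(path)
    marker = struct.pack("<q", manifest_offset) + BUNDLE_SIGNATURE
    return host + marker + bytes(payload) + bytes(m)


if __name__ == "__main__":
    for entry in triage(build_sample_bundle())["files"]:
        print(f'{entry["type"]:18} {entry["offset"]:8} {entry["size"]:8} {entry["path"]}')
```

Run on a real sample, `triage(open("GoogleAI.exe", "rb").read())` lists the embedded assemblies with their offsets, so each one can be carved (`data[offset:offset+size]`, after inflating it if `compressed_size` is non-zero) and scanned on its own. That is the step a static engine skips when it treats the whole bundle as one native executable.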

One analyzed BundleBot instance used a custom TCP-based protocol to exfiltrate stolen data straight to the attackers, but Check Point also found a second sample that uses HTTPS instead.

The binaries use custom obfuscation and junk code to hinder analysis, and they can harvest data from web browsers, take screenshots, grab Discord tokens, and collect Telegram information and Facebook account data.

"The method of delivery through Facebook ads and compromised accounts is something that attackers have been abusing for a long time, but combining this with the ability to steal information from the victim's Facebook account can create a cunning offline scheme," Check Point noted.

The operation appears to be part of the larger campaign we reported on yesterday, in which the attackers set up phishing lures of every kind to catch their victims' attention and infect their computers with dangerous malware.


* The Meta company and its products (Instagram and Facebook) are recognized as extremist, their activities are prohibited on the territory of the Russian Federation.



Source: www.securitylab.ru
