Security News > 2023 > July > Sophisticated BundleBot Malware Disguised as Google AI Chatbot and Utilities

"BundleBot is abusing the dotnet bundle, self-contained format that results in very low or no static detection at all," Check Point said in a report published this week, adding it is "Commonly distributed via Facebook Ads and compromised accounts leading to websites masquerading as regular program utilities, AI tools, and games."

NET single-file, self-contained application that, in turn, incorporates a DLL file, whose responsibility is to fetch a password-protected ZIP archive from Google Drive.

"The delivering method via Facebook Ads and compromised accounts is something that has been abused by threat actors for a while, still combining it with one of the capabilities of the revealed malware could serve as a tricky self-feeding routine," the company noted.

The development comes as Malwarebytes uncovered a new campaign that employs sponsored posts and compromised verified accounts that impersonate Facebook Ads Manager to entice users into downloading rogue Google Chrome extensions that are designed to steal Facebook login information.

Users who click on the embedded link are prompted to download a RAR archive file containing an MSI installer file that, for its part, launches a batch script to spawn a new Google Chrome window with the malicious extension loaded using the "-load-extension" flag -.

"That custom extension is cleverly disguised as Google Translate and is considered 'Unpacked' because it was loaded from the local computer, rather than the Chrome Web Store," Jérôme Segura, director of threat intelligence at Malwarebytes, explained, noting it is "Entirely focused on Facebook and grabbing important pieces of information that could allow an attacker to log into accounts."

News URL

https://thehackernews.com/2023/07/sophisticated-bundlebot-malware.html