A new malware strain known as BundleBot has been stealthily operating under the radar by taking advantage of .NET single-file deployment techniques, enabling threat actors to capture sensitive information from compromised hosts.
“BundleBot is abusing the dotnet bundle (single-file), self-contained format that results in very low or no static detection at all,” Check Point said in a report published this week, adding it is “commonly distributed via Facebook Ads and compromised accounts leading to websites masquerading as regular program utilities, AI tools, and games.”
Some of these websites aim to mimic Google Bard, the company’s conversational generative artificial intelligence chatbot, enticing victims into downloading a bogus RAR archive (“Google_AI.rar”) hosted on legitimate cloud storage services such as Dropbox.
The archive file, when unpacked, contains an executable file (“GoogleAI.exe”), which is the .NET single-file, self-contained application (“GoogleAI.exe”) that, in turn, incorporates a DLL file (“GoogleAI.dll”), whose responsibility is to fetch a password-protected ZIP archive from Google Drive.
The extracted content of the ZIP file (“ADSNEW-188.8.131.52.zip”) is another .NET single-file, self-contained application (“RiotClientServices.exe”) that incorporates the BundleBot payload (“RiotClientServices.dll”) and a command-and-control (C2) packet data serializer (“LirarySharing.dll”).
images from Hacker News