The cybersecurity landscape has recently been shaken by the emergence of BundleBot, a sophisticated malware strain that abuses .NET single-file, self-contained bundling to hide its components and steal sensitive information from compromised computers.
BundleBot malware
Certain sites impersonate Google Assistant, tricking victims into downloading a fake RAR archive (“Google_AI.rar”) hosted on legitimate cloud storage such as Dropbox.
Once extracted, the archive contains an executable (“GoogleAI.exe”), a self-contained single-file .NET application that embeds a DLL (“GoogleAI.dll”) responsible for retrieving a password-protected ZIP from Google Drive.
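An added example, not code from the page or from Check Point: a Python triage helper that locates the .NET single-file bundle marker, parses the bundle manifest (layout per Microsoft's public Microsoft.NET.HostModel bundle format) and carves embedded modules so that an embedded DLL like the one described above can be hashed and scanned independently of its host executable. The sample bundle, its id and its file names are constructed for the test.

```python
import hashlib, io, struct

# The .NET apphost carries a 40-byte placeholder: 8-byte LE manifest offset (zero when not bundled) + SHA-256(".net core bundle").
BUNDLE_SIGNATURE = hashlib.sha256(b".net core bundle").digest()

def read_7bit_string(f):  # BinaryReader.ReadString: 7-bit-encoded length prefix, then UTF-8 bytes
    length = shift = 0
    while True:
        b = f.read(1)[0]
        length |= (b & 0x7F) << shift
        if not b & 0x80:
            return f.read(length).decode("utf-8")
        shift += 7

def parse_bundle(data):
    """Return the manifest (version, id, embedded files) or None if data is not a bundle."""
    sig = data.find(BUNDLE_SIGNATURE)
    if sig < 8: return None
    header_off = struct.unpack_from("<q", data, sig - 8)[0]
    if header_off <= 0 or header_off >= len(data): return None  # offset unset: plain apphost, not a bundle
    f = io.BytesIO(data); f.seek(header_off)
    major, minor, count = struct.unpack("<IIi", f.read(12))
    bundle_id = read_7bit_string(f)
    if major >= 2: f.read(40)  # deps.json and runtimeconfig.json (offset, size) pairs, then flags
    files = []
    for _ in range(count):
        offset, size = struct.unpack("<qq", f.read(16))
        compressed = struct.unpack("<q", f.read(8))[0] if major >= 6 else 0
        ftype = f.read(1)[0]  # 1 = Assembly in the HostModel FileType enum
        files.append({"path": read_7bit_string(f), "offset": offset, "size": size,
                      "compressed": compressed, "type": ftype})
    return {"version": (major, minor), "id": bundle_id, "files": files}

def extract_file(data, entry):  # carve an uncompressed embedded module for hashing or scanning
    assert entry["compressed"] == 0, "compressed entries need raw-DEFLATE inflation"
    return data[entry["offset"]:entry["offset"] + entry["size"]]

def build_sample_bundle(files, bundle_id="constructed-id"):  # constructed v6.0 bundle for testing
    body = bytearray(b"MZ" + b"\x00" * 70 + BUNDLE_SIGNATURE + b"\x00" * 32)  # fake apphost stub
    entries = []
    for path, content in files:  # lay the payloads out, then describe them in the manifest
        entries.append((len(body), len(content), path)); body += content
    header_off = len(body)
    body += struct.pack("<IIi", 6, 0, len(entries)) + bytes([len(bundle_id)]) + bundle_id.encode()
    body += struct.pack("<qqqqQ", 0, 0, 0, 0, 0)  # no deps/runtimeconfig entries, no flags
    for off, size, path in entries:  # names < 128 bytes, so a one-byte length prefix suffices
        body += struct.pack("<qqqB", off, size, 0, 1) + bytes([len(path)]) + path.encode()
    struct.pack_into("<q", body, body.find(BUNDLE_SIGNATURE) - 8, header_off)  # patch the marker
    return bytes(body)
```

On a real sample, pass the bytes of the bundle executable to `parse_bundle`; entries with a non-zero compressed size (.NET 6+ with compression enabled) are reported but not inflated by this helper.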
Discovered by Check Point, BundleBot uses custom obfuscation and junk code to hinder analysis. It has a wide array of capabilities, including data theft from web browsers, screenshot capture, Discord token acquisition, and the collection of sensitive information from Telegram and Facebook accounts.
Additionally, Check Point found a similar sample that adopts HTTPS to exfiltrate data in the form of a ZIP archive to a remote server.
Another campaign recently discovered by Malwarebytes employs sponsored posts and compromised verified accounts to deceive users into downloading malicious Google Chrome extensions.
These rogue extensions are specifically crafted to pilfer Facebook login credentials. Disguised as a seemingly harmless Google Translate extension, their primary function is to gather sensitive data exclusively from Facebook accounts. To evade content security policies, the collected data is then transmitted through the Google Analytics API.
IOCs:
According to Check Point, the indicators of compromise (IOCs) associated with the threat are as follows.