The captured data is subsequently sent using the Google Analytics API to get around content security policies ( CSPs) put in place to mitigate cross-site scripting (XSS) and data injection attacks. "That custom extension is cleverly disguised as Google Translate and is considered 'Unpacked' because it was loaded from the local computer, rather than the Chrome Web Store," Jérôme Segura, director of threat intelligence at Malwarebytes, explained, noting it is "entirely focused on Facebook and grabbing important pieces of information that could allow an attacker to log into accounts." Start chrome.exe -load-extension="%~dp0/nmmhkkegccagdldgiimedpiccmgmiedagg4" "" Users who click on the embedded link are prompted to download a RAR archive file containing an MSI installer file that, for its part, launches a batch script to spawn a new Google Chrome window with the malicious extension loaded using the "-load-extension" flag. The development comes as Malwarebytes uncovered a new campaign that employs sponsored posts and compromised verified accounts that impersonate Facebook Ads Manager to entice users into downloading rogue Google Chrome extensions that are designed to steal Facebook login information. "The delivering method via Facebook Ads and compromised accounts is something that has been abused by threat actors for a while, still combining it with one of the capabilities of the revealed malware (to steal a victim's Facebook account information) could serve as a tricky self-feeding routine," the company noted. The use of Google Bard lures should come as no surprise, given that the popularity of such AI tools have been capitalized by cybercriminals in recent months to deceive users on platforms like Facebook to unknowingly download a variety of info-stealing malware such as Doenerium. The binary artifacts employ custom-made obfuscation and junk code in a bid to resist analysis, and come with capabilities to siphon data from web browsers, capture screenshots, grab Discord tokens, information from Telegram, and Facebook account details.Ĭheck Point said it also detected a second BundleBot sample that's virtually identical in all aspects barring the use of HTTPS to exfiltrate the information to a remote server in the form of a ZIP archive. "The assembly RiotClientServices.dll is a custom, new stealer/bot that uses the library LirarySharing.dll to process and serialize the packet data that are being sent to C2 as a part of the bot communication," the Israeli cybersecurity company said. NET single-file, self-contained application ("RiotClientServices.exe") that incorporates the BundleBot payload ("RiotClientServices.dll") and a command-and-control (C2) packet data serializer ("LirarySharing.dll"). The extracted content of the ZIP file ("ADSNEW-1.0.0.3.zip") is another. NET single-file, self-contained application ("GoogleAI.exe") that, in turn, incorporates a DLL file ("GoogleAI.dll"), whose responsibility is to fetch a password-protected ZIP archive from Google Drive. The archive file, when unpacked, contains an executable file ("GoogleAI.exe"), which is the. Some of these websites aim to mimic Google Bard, the company's conversational generative artificial intelligence chatbot, enticing victims into downloading a bogus RAR archive ("Google_AI.rar") hosted on legitimate cloud storage services such as Dropbox. "BundleBot is abusing the dotnet bundle (single-file), self-contained format that results in very low or no static detection at all," Check Point said in a report published this week, adding it is "commonly distributed via Facebook Ads and compromised accounts leading to websites masquerading as regular program utilities, AI tools, and games." NET single-file deployment techniques, enabling threat actors to capture sensitive information from compromised hosts. A new malware strain known as BundleBot has been stealthily operating under the radar by taking advantage of.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |