On July 19, 2023, Check Point Research released its findings on a new malware known as BundleBot. The report comes after Check Point kept a close eye on this new threat and investigated it for several months.
This new, unknown stealer-bot spreads rapidly under the radar, mainly through Facebook ads. It uses self-contained, single-file bundles to breach computers. Here’s how BundleBot works and how to stay safe.
How BundleBot infects computers and steals data
While BundleBot spreads primarily through Facebook Ads, other forms of delivery should not be excluded. As a trojan, this malware hides its true identity by mimicking known websites to trick users into downloading apps or software. While its technique is sophisticated and it is extremely dangerous, BundleBot can only infect computers and devices when the user engages with it.
The main goal of BundleBot is to steal data, focusing strongly on credentials and financial information. Once it has breached a computer, it can also cause other problems, including system slowdowns, changes to settings and programs, and crashes. BundleBot works in the background without the victim’s knowledge, gathering and stealing sensitive data. It can also give an attacker access to the device and steal passwords, which it uses to breach accounts and continue spreading.
Here is a step-by-step breakdown of how BundleBot works:
- Users see an ad online, usually on Facebook. The ad promotes known apps and games such as Google AI, PDF Reader, Canva, Smart Miner, and Super Mario 3D World.
- When users click on the ad, they are directed to a malicious site. This malicious site looks legitimate and offers users a chance to download a known app, game, or software. In reality, these users are downloading BundleBot.
- Once users download the fake software, things get complicated. Initially, a RAR archive (a compressed file containing several files) is downloaded to the computer.
- Inside the RAR archive, a self-contained single file (a .NET single-file bundle) is hidden. When this file runs, it downloads a second archive, this time a ZIP file containing several files. The ZIP file is extracted, and BundleBot breaches the device.
- Without users’ knowledge, the malware will start looking for sensitive data to steal and may begin changing programs or settings.
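The second stage above is a .NET single-file bundle. As an added triage example (not code from the Check Point report or this article), the script below flags a downloaded executable that carries the bundle marker the .NET apphost embeds; it assumes, from the .NET runtime sources, that this marker is the SHA-256 of the string ".net core bundle" preceded by an 8-byte header offset, and the sample file is constructed, not a real BundleBot artifact.

```python
"""Triage heuristic: is a downloaded PE a .NET single-file bundle?"""
import hashlib
import struct

# Assumption (from the .NET runtime sources): the apphost embeds
# SHA-256(".net core bundle") as a 32-byte marker, with the 8-byte
# little-endian offset of the bundle header immediately before it.
BUNDLE_SIGNATURE = hashlib.sha256(b".net core bundle").digest()


def find_bundle_marker(data: bytes):
    """Return the bundle header offset if the marker is present, else None."""
    idx = data.find(BUNDLE_SIGNATURE)
    if idx < 8:  # not found (-1) or no room for the offset field
        return None
    (header_offset,) = struct.unpack_from("<q", data, idx - 8)
    # A plain (non-bundle) apphost keeps the placeholder offset of zero;
    # a real bundle points inside the file at its appended header.
    if header_offset <= 0 or header_offset >= len(data):
        return None
    return header_offset


def triage(data: bytes) -> str:
    """Coarse label for analyst review (categories are this example's own)."""
    if data[:2] != b"MZ":
        return "not-pe"
    if find_bundle_marker(data) is None:
        return "pe"
    return "dotnet-single-file-bundle"


def build_constructed_sample() -> bytes:
    """Constructed stand-in: fake PE prefix, offset, marker, stub header."""
    body = b"MZ" + b"\x00" * 0x3E
    header_offset = len(body) + 8 + len(BUNDLE_SIGNATURE)
    body += struct.pack("<q", header_offset) + BUNDLE_SIGNATURE
    body += b"\x00" * 16  # stand-in for the bundle header
    return body


if __name__ == "__main__":
    sample = build_constructed_sample()
    print(triage(sample), find_bundle_marker(sample))
```

Running it on the constructed sample prints `dotnet-single-file-bundle 104`; a hit only means the file is a self-contained .NET bundle and warrants a closer look, not that it is malicious.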
How to protect yourself from BundleBot malware
There are several ways to remove malware like BundleBot. However, the most effective way to stay safe is prevention. Good online practices, such as keeping your computer up to date, not downloading files from websites you do not trust, and avoiding clicking on online ads, will prevent the infection from happening.
That said, trusted and effective anti-malware software adds a layer of security. Anti-malware solutions can provide valuable security warnings and even flag and remove malware before it causes real damage. Additionally, browser privacy and security settings can alert users when a site is dangerous.
You can turn on warnings for malicious sites on your Mac by opening Safari and navigating to Settings, then Security. There you should enable the option “Warn when visiting a fraudulent website.”
While many malware families, scams, and frauds spread through Facebook ads, few combine as many cybercrime techniques as BundleBot. By using phishing, look-alike sites, fake ads, and complex, self-contained files to breach computers, this dangerous threat can steal information, give control to attackers, and be used to launch attacks and ransomware campaigns. To stay safe, always use anti-malware software and maintain good digital practices online.