Threat Actor Spreads Malware via Fraudulent ChatGPT social media page
In November 2022, OpenAI launched ChatGPT, which quickly became one of the fastest-growing AI tools, reaching over 100 million users. The release generated considerable attention because of the model's capabilities: trained on a large corpus of text, ChatGPT can answer a wide range of questions and help users work more productively, and it has become a frequent topic of discussion.
Although ChatGPT has been widely adopted by legitimate users seeking to improve their productivity, it has also been exploited by various Threat Actors (TAs). Cyble Research and Intelligence Labs (CRIL) has identified several instances where TAs have taken advantage of ChatGPT’s popularity to distribute malware and carry out other cyber-attacks.
CRIL has detected several phishing websites that are being promoted through a fraudulent OpenAI social media page to spread various types of malware. Furthermore, several phishing sites are impersonating ChatGPT to steal credit card information.
Exploiting ChatGPT's widespread usage, various Android malware families use the ChatGPT icon and name to mislead unsuspecting users into believing they are authentic applications, ultimately leading to the theft of sensitive information from Android devices.
Social Media Page
CRIL has identified an unofficial ChatGPT social media page with a substantial number of followers and likes, featuring multiple posts about ChatGPT and other OpenAI tools. The page appears to build credibility by mixing in videos and other unrelated content. However, a closer look revealed that some posts contain links leading to phishing pages that impersonate ChatGPT, and these pages trick users into downloading malicious files onto their machines.
The figure below shows the unofficial ChatGPT page.
The image below depicts one of the posts created by the TA on the social media page. The post features a link to a typosquatted domain masquerading as the official ChatGPT website, which can mislead users into believing they are on the genuine site and induce them to try a supposed "ChatGPT for PC".
Another post on the page discusses Jukebox, an OpenAI model that generates music and audio. This post also carries a link to another typosquatted domain, "hxxps://chat-gpt-pc[.]online", as shown below.
Both typosquatted domains ultimately lead to a counterfeit OpenAI website that appears to be the genuine official website. This fake website presents users with a “DOWNLOAD FOR WINDOWS” button, which, when clicked, downloads potentially harmful executable files. The image below displays this fake OpenAI website.
When the user clicks on the “DOWNLOAD FOR WINDOWS” button on the phishing website, a compressed file named “ChatGPT-OpenAI-Pro-Full-134676745403.gz” is automatically downloaded from the URL “hxxps://rebrand.ly/qaltfnuOpenAI”.
This archive contains an executable named "ChatGPT-OpenAI-Pro-Full-134676745403.exe" (sha256: 53ab0aecf4f91a7ce0c391cc6507f79f669bac033c7b3be2517406426f7f37f0), which is an information stealer. Once executed, the malware collects sensitive data from the system without the victim's knowledge.
CRIL investigated several typosquatted domains related to OpenAI and ChatGPT and found them being used for phishing attacks. During this investigation, we identified that these phishing sites also distribute several notorious malware families, including Lumma Stealer, Aurora Stealer and clipper malware.
The TA cloned the official ChatGPT website and replaced the link behind the "TRY CHATGPT" button with a malicious link hosting Lumma Stealer.
The figure below shows the phishing page mimicking the official ChatGPT website.
The "TRY CHATGPT" button on the phishing page is in fact a download link for an archive named "Installer_3.64_win64_86-setup+manual.zip". Inside the archive is "Installer_3.64_win64_86.exe", the Lumma Stealer executable.
The domain hxxp://chatgpt-go[.]online/ also hosts other malicious files: the clipper malware at hxxp://chatgpt-go[.]online/clip[.]exe and the Aurora Stealer at hxxp://chatgpt-go[.]online/java[.]exe.
The below image shows another phishing site, hxxps://chat-gpt-online-pc[.]com downloading a stealer malware (sha256: 60e0279b7cff89ec8bc1c892244989d73f45c6fcc3e432eaca5ae113f71f38c5).
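As an added example (not code from the original report), the following Python script applies the indicators above to constructed download-event log lines: it refangs defanged URLs, classifies each host as official, known-bad, lookalike (brand token in the host, or a fuzzy label match that also catches transpositions such as "chatgtp") or unrelated, and falls back to the SHA256 values quoted in this report when a URL shortener hides the landing host. The official apex domain, the known-bad host list, the log format and the sample log lines are all assumptions made for this example.

```python
"""Triage ChatGPT-themed lookalike domains and known-bad hashes in download events."""
import difflib
import re
from urllib.parse import urlparse

# Assumption: the only legitimate ChatGPT web hosts are openai.com and its subdomains.
OFFICIAL_APEX = "openai.com"

# Brand tokens the campaign abuses; hosts are normalised (hyphens removed) before matching.
BRAND_TOKENS = ("chatgpt", "openai")

# Domains and SHA256 values quoted in this report (refanged).
KNOWN_BAD_HOSTS = {
    "openai-pc-pro.online",
    "chat-gpt-pc.online",
    "chatgpt-go.online",
    "chat-gpt-online-pc.com",
}
KNOWN_BAD_SHA256 = {
    "53ab0aecf4f91a7ce0c391cc6507f79f669bac033c7b3be2517406426f7f37f0",
    "60e0279b7cff89ec8bc1c892244989d73f45c6fcc3e432eaca5ae113f71f38c5",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into a parseable URL."""
    return indicator.replace("hxxp", "http").replace("[.]", ".")


def host_of(url: str) -> str:
    """Lower-cased hostname of a (possibly defanged) URL, or '' if none."""
    return (urlparse(refang(url)).hostname or "").lower()


def looks_like_brand(label: str) -> bool:
    """Fuzzy-match one DNS label against the brand tokens (catches 'chatgtp', 'opena1')."""
    for token in BRAND_TOKENS:
        if abs(len(label) - len(token)) > 1:
            continue
        if difflib.SequenceMatcher(None, label, token).ratio() >= 0.8:
            return True
    return False


def classify_host(host: str) -> str:
    """Return one of: official, known-bad, lookalike, unrelated."""
    if host == OFFICIAL_APEX or host.endswith("." + OFFICIAL_APEX):
        return "official"
    if host in KNOWN_BAD_HOSTS:
        return "known-bad"
    normalised = host.replace("-", "").replace("_", "")
    if any(token in normalised for token in BRAND_TOKENS):
        return "lookalike"
    if any(looks_like_brand(label) for label in re.split(r"[.\-_]", host)):
        return "lookalike"
    return "unrelated"


# Constructed download-event log (not real telemetry): timestamp, client IP, requested URL,
# SHA256 of the file the endpoint agent saw written, or '-' when nothing was written.
SAMPLE_LOG = """\
2023-02-20T09:12:01Z 10.1.4.22 hxxps://chat-gpt-pc[.]online/ -
2023-02-20T09:12:09Z 10.1.4.22 hxxps://rebrand.ly/qaltfnuOpenAI 53ab0aecf4f91a7ce0c391cc6507f79f669bac033c7b3be2517406426f7f37f0
2023-02-20T09:15:44Z 10.1.4.23 https://chat.openai.com/chat -
2023-02-20T09:16:02Z 10.1.4.24 https://chatgtp-desktop.example/setup.exe -
2023-02-20T09:17:30Z 10.1.4.25 https://example.com/index.html -
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<url>\S+) (?P<sha256>[0-9a-f]{64}|-)$")


def triage(lines):
    """Return (client, host, verdict) for every event worth an analyst's attention."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host = host_of(m["url"])
        verdict = classify_host(host)
        # A shortener hides the landing host, so the file hash is the second chance to catch it.
        if m["sha256"] in KNOWN_BAD_SHA256:
            verdict = "known-bad"
        if verdict in ("known-bad", "lookalike"):
            findings.append((m["client"], host, verdict))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG.splitlines()):
        print(*finding)
```

The rebrand.ly row is the one to notice: on its own the shortener host is unrelated, and only the file hash ties it to the campaign, so URL and hash indicators should always be checked together rather than in separate rules.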
Phishing page for Credit Card Theft
In addition to hosting stealers and malware, TAs also utilize ChatGPT and OpenAI-based lures to commit financial fraud. One common tactic involves creating fake ChatGPT-related payment pages that are designed to steal victims’ money and credit card information.
The image below displays an example of such a fraudulent ChatGPT payment page.
CRIL has identified over 50 fake and malicious Android apps that use the ChatGPT icon to carry out harmful activities. These apps fall into several categories, including potentially unwanted programs (PUPs), adware, spyware and billing fraud.
SMS Fraud Android malware impersonating ChatGPT
Application Name: ChatGPT
Package Name: com.chatgpt.ogothai
The malware uses the ChatGPT name and icon but has no AI functionality. It belongs to an SMS fraud family that performs billing fraud.
This sample checks the device's mobile network operator and, for specific operators, subscribes the victim to premium services without their knowledge by sending an SMS to the premium number "+4761597".
We have identified an additional five SMS fraud applications pretending to be ChatGPT and are engaged in billing fraud, resulting in victims losing their money. These fraudulent applications are designed to drain the wallets of unsuspecting individuals.
Spynote Malware Masquerading as ChatGPT
Application Name: AI photo
Package Name: cmf0.c3b5bm90zq.patch
This malware uses the ChatGPT icon and declares dangerous permissions in its manifest. It is a Spynote variant, which steals call logs, contacts, SMS messages, media files and other data from the infected device.
Apart from the malicious applications above, PUP apps were also identified: fake apps impersonating ChatGPT that display ads to earn revenue.
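An added example, not from the original report, showing how the manifest-level signals described in the Android section (a ChatGPT label on a non-OpenAI package, plus SMS, telephony and data-access permissions a chat front-end has no reason to request) can be triaged statically with Python's standard library. The constructed manifests below are modelled on the package names quoted above; the com.openai. package prefix as the mark of a genuine OpenAI app, the permission-to-behaviour mapping and the scoring thresholds are assumptions made for this example.

```python
"""Static triage of an Android manifest for apps that borrow the ChatGPT name and icon."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: genuine OpenAI apps ship under the com.openai. package namespace.
OFFICIAL_PACKAGE_PREFIX = "com.openai."

# Permissions behind the behaviours described in this report (premium-SMS billing fraud,
# Spynote-style data theft). A chat front-end needs none of them.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.SEND_SMS": "premium-SMS billing fraud",
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.READ_SMS": "SMS theft",
    "android.permission.READ_PHONE_STATE": "operator / SIM fingerprinting",
    "android.permission.READ_CALL_LOG": "call log theft",
    "android.permission.READ_CONTACTS": "contact theft",
    "android.permission.RECORD_AUDIO": "audio capture",
    "android.permission.READ_EXTERNAL_STORAGE": "media file theft",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Score a manifest on brand abuse plus suspicious permissions and return the findings."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    label = app.get(ANDROID_NS + "label", "") if app is not None else ""
    requested = [u.get(ANDROID_NS + "name", "") for u in root.findall("uses-permission")]
    hits = {p: SUSPICIOUS_PERMISSIONS[p] for p in requested if p in SUSPICIOUS_PERMISSIONS}
    # Brand abuse: the app calls itself ChatGPT but is not published under OpenAI's namespace.
    claims_chatgpt = "chatgpt" in label.lower().replace(" ", "")
    brand_abuse = claims_chatgpt and not package.startswith(OFFICIAL_PACKAGE_PREFIX)
    score = len(hits) + (2 if brand_abuse else 0)
    verdict = "likely malicious" if score >= 3 else "review" if score else "clean"
    return {"package": package, "label": label, "brand_abuse": brand_abuse,
            "hits": hits, "verdict": verdict}


# Constructed manifest modelled on the SMS fraud sample (package name from the report).
SMS_FRAUD_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.chatgpt.ogothai">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="ChatGPT" android:icon="@mipmap/ic_launcher"/>
</manifest>
"""

# Constructed manifest modelled on the Spynote sample: no ChatGPT label, but a spyware permission set.
SPYNOTE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="cmf0.c3b5bm90zq.patch">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="AI photo" android:icon="@mipmap/ic_launcher"/>
</manifest>
"""

# Constructed benign manifest (hypothetical package) for comparison.
BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes" android:icon="@mipmap/ic_launcher"/>
</manifest>
"""

if __name__ == "__main__":
    for name, xml in (("sms-fraud", SMS_FRAUD_MANIFEST), ("spynote", SPYNOTE_MANIFEST),
                      ("benign", BENIGN_MANIFEST)):
        result = triage_manifest(xml)
        print(name, result["verdict"], sorted(result["hits"]))
```

Real manifests normally set android:label to a resource reference such as @string/app_name, so in practice the label is resolved with apktool or androguard before this check runs, and the icon match the report relies on is an image comparison this script does not attempt. The Spynote-style sample still scores as likely malicious on permissions alone, which is why the permission set, not the branding, should carry most of the weight.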
Threat Actors often impersonate genuine, well-known entities to appear legitimate and carry out malicious activities. As ChatGPT's popularity continues to rise, it has become a lure for TAs launching malware and phishing attacks against their victims. Our research shows that these TAs imitate ChatGPT to distribute malware on both Windows and Android platforms and to launch phishing attacks.
By posing as ChatGPT, these TAs seek to deceive users into thinking that they are interacting with a legitimate and trustworthy source when in reality, they are being exposed to harmful and malicious content.
Users who fall victim to these malicious campaigns could suffer financial losses or even compromise their personal information, causing significant harm.
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- Avoid downloading files from unknown websites.
- Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees on protecting themselves from threats like phishing/untrusted URLs.
- Monitor network traffic for beaconing and block data exfiltration by malware or TAs.
- Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.
- Download and install software only from official app stores like Google Play Store or the iOS App Store.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
- Be wary of opening any links received via SMS or emails delivered to your phone.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- Keep your devices, operating systems, and applications updated.
Indicators of Compromise (IOCs)
|Indicator|Indicator Type|Description|
|---|---|---|
| |Hash|Hash of SMS Fraud malware|
| |Hash|Hash of Spynote malware|
|hxxps://openai-pc-pro[.]online|Domain|Fake ChatGPT Website|
|hxxps://chat-gpt-pc[.]online|Domain|Fake ChatGPT Website|
|hxxps://chatgpt-go[.]online|Domain|Fake ChatGPT Website|