Threat Actor Spreads Malware via Fraudulent ChatGPT social media page
In November 2022, OpenAI launched ChatGPT, which quickly became one of the most rapidly growing AI tools, attracting over 100 million users. The release of ChatGPT generated a lot of buzz because of its impressive capabilities. With access to vast amounts of data, ChatGPT can answer a wide range of questions and assist users in increasing their productivity. Its popularity and usefulness have made it a popular topic of discussion.
Although ChatGPT has been widely adopted by legitimate users seeking to improve their productivity, it has also been exploited by various Threat Actors (TAs). Cyble Research and Intelligence Labs (CRIL) has identified several instances where TAs have taken advantage of ChatGPT’s popularity to distribute malware and carry out other cyber-attacks.
CRIL has detected several phishing websites that are being promoted through a fraudulent OpenAI social media page to spread various types of malware. Furthermore, several phishing sites are impersonating ChatGPT to steal credit card information.
Exploiting ChatGPT’s widespread usage, various families of Android malware are utilizing the icon and name of the ChatGPT to mislead unsuspecting users into believing they are authentic applications, ultimately leading to the theft of sensitive information from Android devices.
Social Media Page
CRIL has identified an unofficial ChatGPT social media page with a substantial following and likes, which features multiple posts about ChatGPT and other OpenAI tools. The page seems to be trying to build credibility by including a mix of content, such as videos and other unrelated posts. However, a closer look revealed that some posts on the page contain links that lead users to phishing pages that impersonate ChatGPT. These phishing pages trick users into downloading malicious files onto their machines.
The figure below shows the unofficial ChatGPT page.
The below image depicts one of the posts created by TA on the social media page. The post features a link that leads to a typosquatted domain, masquerading as the official website of ChatGPT. This can mislead users into thinking they are accessing ChatGPT’s official website and induce them to try ChatGPT for PC.
Another post on the social media page also discusses Jukebox, an AI-based tool created by OpenAI that enhances music and audio creation. However, the post also features a link that leads to another typosquatted domain, “hxxps://chat-gpt-pc.online”, as shown below.
Both typosquatted domains ultimately lead to a counterfeit OpenAI website that appears to be the genuine official website. This fake website presents users with a “DOWNLOAD FOR WINDOWS” button, which, when clicked, downloads potentially harmful executable files. The image below displays this fake OpenAI website.
When the user clicks on the “DOWNLOAD FOR WINDOWS” button on the phishing website, a compressed file named “ChatGPT-OpenAI-Pro-Full-134676745403.gz” is automatically downloaded from the URL “hxxps://rebrand.ly/qaltfnuOpenAI”.
This compressed file includes an executable file called “ChatGPT-OpenAI-Pro-Full-134676745403.exe”(sha256: 53ab0aecf4f91a7ce0c391cc6507f79f669bac033c7b3be2517406426f7f37f0), which is a stealer malware. Once the malware is executed, it can collect sensitive data without the victim’s knowledge.
Phishing Campaign:
CRIL thoroughly investigated various typosquatted domains related to OpenAI and ChatGPT and discovered that they were being utilized for phishing attacks. During our investigation, we identified that these phishing sites were also distributing several notorious malware families, including Lumma Stealer, Aurora Stealer, clipper malware, etc.
TA cloned the website of the ChatGPT and replaced the “TRY CHATGPT” button link with malicious links hosting Lumma Stealer.
The figure below shows the phishing page mimicking the official ChatGPT website.
The button labeled “TRY CHATGPT” on the phishing page is actually a download link for a file archive called “Installer_3.64_win64_86-setup+manual.zip”. Inside this archive, there is a file called “Installer_3.64_win64_86.exe”, which is actually an executable file for the Lumma stealer.
The domain hxxp://chatgpt-go.online/ also serves as a host for various types of malicious files. The clipper malware is hosted at hxxp://chatgpt-go.online/clip[.]exe, and the Aurora stealer is hosted at hxxp://chatgpt-go.online/java[.]exe.
The below image shows another phishing site, hxxps://chat-gpt-online-pc[.]com downloading a stealer malware (sha256: 60e0279b7cff89ec8bc1c892244989d73f45c6fcc3e432eaca5ae113f71f38c5).
Phishing page for Credit Card Theft
In addition to hosting stealers and malware, TAs also utilize ChatGPT and OpenAI-based lures to commit financial fraud. One common tactic involves creating fake ChatGPT-related payment pages that are designed to steal victims’ money and credit card information.
The image below displays an example of such a fraudulent ChatGPT payment page.
Android Malware
CRIL has identified over 50 fake and malicious apps that use the ChatGPT icon to carry out harmful activities. These apps belong to different malware families, such as potentially unwanted programs, adware, spyware, billing fraud, etc.
SMS Fraud Android malware impersonating ChatGPT
Application Name: ChatGPT
Package Name: com.chatgpt.ogothai
SHA256: d1b1813f7975b7117931477571a2476decff41f124b84cc7a2074dd00b5eba7c
The malware uses the name and icon of ChatGPT but has no AI functionality. The malware is the SMS fraud family, which performs billing fraud.
This particular malware checks specific network operators and subscribes to the premium services without users’ knowledge by sending an SMS to the premium number “+4761597”.
We have identified an additional five SMS fraud applications pretending to be ChatGPT and are engaged in billing fraud, resulting in victims losing their money. These fraudulent applications are designed to drain the wallets of unsuspecting individuals.
Spynote Malware Masquerading as ChatGPT
Application Name: AI photo
Package Name: cmf0.c3b5bm90zq.patch
SHA256: 3ec772d082aa20f4ff5cf01e0d1cac38b4f647ceb79fdd3ffd1aca455ae8f60b
This malware uses the icon of chatGPT and has mentioned dangerous permissions in its manifest files. A Spynote malware variant steals sensitive data such as call logs, contacts, SMSs, media files, and other data from an infected device.
Apart from the above malicious applications, PUP apps were also identified. These apps were fake, impersonating ChatGPT and displaying ads to earn revenue.
Conclusion
Threat Actors often impersonates genuine and famous entity to look legitimate and carry out malicious activities. As ChatGPT’s popularity continues to rise, it has become a target for Threat Actors launching malware and phishing attacks to target their victims. Our research has shown that these TAs are imitating ChatGPT to distribute malware on both Windows and Android platforms and launch phishing attacks.
By posing as ChatGPT, these TAs seek to deceive users into thinking that they are interacting with a legitimate and trustworthy source when in reality, they are being exposed to harmful and malicious content.
Users who fall victim to these malicious campaigns could suffer financial losses or even compromise their personal information, causing significant harm.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- Avoid downloading files from unknown websites.
- Use a reputed anti-virus and internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees on protecting themselves from threats like phishing/untrusted URLs.
- Monitor the beacon on the network level to block data exfiltration by malware or TAs.
- Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.
- Download and install software only from official app stores like Google Play Store or the iOS App Store.
- Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
- Be wary of opening any links received via SMS or emails delivered to your phone.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- Keep your devices, operating systems, and applications updated.
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| 4e8d09ca0543a48f649fce72483777f0 cebddeb999f4809cf7fd7186e20dc0cc8b88689d d1b1813f7975b7117931477571a2476decff41f124b84cc7a2074dd00b5eba7c | MD5 SHA1 SHA256 | Hash of SMS Fraud malware |
| 174539797080a9bcbb3f32c5865700bf c57a3bcf3f71ee1afc1a08c3a5e731df6363c047 3ec772d082aa20f4ff5cf01e0d1cac38b4f647ceb79fdd3ffd1aca455ae8f60b | MD5 SHA1 SHA256 | Hash of Spynote malware |
| c8aa7a66e87a23e16ecacad6d1337dc4 aeb646eeb4205f55f5ba983b1810afb560265091 ae4d01a50294c9e6f555fe294aa537d7671fed9bc06450e6e2198021431003f9 | MD5 SHA1 SHA256 | Lumma Stealer |
| 94e3791e3ceec63a17ca1a52c4a35089 189a16b466bbebba57701109e92e285c2909e8a2 46200951190736e19be7bcc9c0f97316628acce43fcf5b370faa450e74c5921e | MD5 SHA1 SHA256 | Clipper Malware |
| 6a481f28affc30aef0d3ec6914d239e4 afa741309997ac04a63b4dd9afa9490b6c6235c1 34b88f680f93385494129bfe3188ce7a0f5934abed4bf6b8e9e78cf491b53727 | MD5 SHA1 SHA256 | Aurora Stealer |
| 81e6a150d459642f2f3641c5a4621441 23f50f990d4533491a76ba619c996b9213d25b49 53ab0aecf4f91a7ce0c391cc6507f79f669bac033c7b3be2517406426f7f37f0 | MD5 SHA1 SHA256 | Stealer |
| 5f6f387edf4dc4382f9953bd57fa4c62 f1a5a1187624fcf1a5804b9a15a4734d9da5aaf6 60e0279b7cff89ec8bc1c892244989d73f45c6fcc3e432eaca5ae113f71f38c5 | MD5 SHA1 SHA256 | Stealer |
| hxxps://openai-pc-pro[.]online | Domain | Fake ChatGPT Website |
| hxxps://chat-gpt-pc[.]online | Domain | Fake ChatGPT Website |
| hxxps://chatgpt-go[.]online | Domain | Fake ChatGPT Website |
| hxxp://chatgpt-go.online/clip[.]exe | URL | Clipper |
| hxxp://chatgpt-go.online/java[.]exe | URL | Aurora |
| hxxps://rebrand[.]ly/qaltfnuChatGPTOpenAI | URL | Stealer |
