eSentire’s Threat Response Unit (TRU) has identified the notorious threat actor BatLoader orchestrating a malicious campaign that uses Google search ads to distribute fraudulent web pages masquerading as ChatGPT and Midjourney.
What made them do it?
The TRU’s advisory shed light on this scheme, which exploits the immense popularity of ChatGPT and Midjourney, both lacking dedicated standalone applications. The absence of such apps has created a void that threat actors have eagerly seized upon, luring unsuspecting AI enthusiasts to counterfeit websites promoting fake applications.

Source: eSentire
eSentire further explained that BatLoader, in its latest impersonation of ChatGPT:
- employs MSIX Windows App Installer files to infect devices with Redline Stealer;
- runs an executable file and a PowerShell script as part of the infection process, which together install and execute Redline Stealer;
- has the script send two requests to the command and control (C2) panel, capturing the start time and the victim’s IP address, thus recording the successful payload deployment.
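As an added illustration of how a defender might spot the chain eSentire describes (an MSIX-deployed package launching PowerShell, which then checks in twice with C2), here is a small Python detection sketch run over constructed process and network events. This is not eSentire's code; the WindowsApps install path, the event shapes and the hostnames are assumptions made for the example.

```python
# Added detection sketch for the MSIX -> PowerShell -> C2 check-in chain.
# Event shapes, paths and hostnames below are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MSIX_APP_DIR = r"c:\program files\windowsapps"  # MSIX deployment root (assumption)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}

@dataclass
class Event:
    kind: str                    # "process" or "network"
    pid: int
    image: str                   # executable path (process) or name (network)
    parent_pid: Optional[int] = None
    dest: Optional[str] = None   # destination host for network events

@dataclass
class Finding:
    script_pid: int
    package_image: str
    destinations: List[str] = field(default_factory=list)

def detect_msix_script_beacons(events: List[Event], min_requests: int = 2) -> List[Finding]:
    """Flag a script host whose parent runs from an MSIX package and which then
    makes at least `min_requests` outbound connections (the C2 check-ins)."""
    images: Dict[int, str] = {}
    suspects: Dict[int, Finding] = {}
    for ev in events:
        if ev.kind == "process":
            images[ev.pid] = ev.image.lower()
            parent = images.get(ev.parent_pid if ev.parent_pid is not None else -1, "")
            name = ev.image.lower().rsplit("\\", 1)[-1]
            if name in SCRIPT_HOSTS and parent.startswith(MSIX_APP_DIR):
                suspects[ev.pid] = Finding(script_pid=ev.pid, package_image=parent)
        elif ev.kind == "network" and ev.pid in suspects and ev.dest:
            suspects[ev.pid].destinations.append(ev.dest)
    return [f for f in suspects.values() if len(f.destinations) >= min_requests]

# Constructed sample telemetry: a fake "ChatGPT" package's executable launches
# PowerShell, which makes two requests to a placeholder C2 host; a benign
# Explorer-launched PowerShell with one connection is included as a control.
SAMPLE_EVENTS = [
    Event("process", 100, r"C:\Windows\System32\AppInstaller.exe"),
    Event("process", 200, r"C:\Program Files\WindowsApps\ChatGPT_1.0\Installer.exe", parent_pid=100),
    Event("process", 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", parent_pid=200),
    Event("network", 300, "powershell.exe", dest="c2.example.invalid"),
    Event("network", 300, "powershell.exe", dest="c2.example.invalid"),
    Event("process", 400, r"C:\Windows\explorer.exe"),
    Event("process", 500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", parent_pid=400),
    Event("network", 500, "powershell.exe", dest="updates.example.invalid"),
]

if __name__ == "__main__":
    for f in detect_msix_script_beacons(SAMPLE_EVENTS):
        print(f"PID {f.script_pid} from {f.package_image} -> {f.destinations}")
```

In a real deployment the same logic would be fed from Sysmon or EDR process-creation and network events rather than the inline list.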
What happened next?
The technique highlights BatLoader’s proficiency in exploiting legitimate application packaging formats for nefarious purposes. Notably, the threat actor has demonstrated a history of targeting individuals seeking AI tools, as evidenced by the TRU’s discovery of recently registered BatLoader domains in February 2023.
In a separate occurrence during May 2023, TRU encountered a similar infection tactic, this time involving a counterfeit page for Midjourney. Users were prompted to download a Windows Application Package signed by the deceptive entity Ashana Global Ltd.

Source: eSentire
“They appropriate Meta and Facebook’s official logos on their social media profiles and phishing web pages to make them appear legitimate and trustworthy in users’ eyes. These fake profiles have nothing to do with Facebook and are frequently taken down quickly by the social network.”
Learning in hand
The popularity of generative AI technologies and chatbots has soared in 2023. However, administrators striving to regulate access to these platforms have inadvertently pushed users to seek alternative means of entry. Exploiting the widespread demand, threat actors have emerged, offering unrestricted access to these tools.
The incident serves as a reminder that malicious advertisements can still evade moderation and deliver malware to unsuspecting victims. This campaign shares several similarities with previously identified activities attributed to BatLoader, including impersonating well-known brands and services through Google search ads.
Additionally, AdvancedInstaller is used to create the installation packages, and the payload site (the job-lion server) has been associated with BatLoader in the past. The malware payloads used in this campaign are designed to steal sensitive information.
Recommendation: Raising awareness of malware masquerading as legitimate applications, and running a Phishing and Security Awareness Training (PSAT) program that teaches employees how to protect themselves against similar cyber threats, are now the most important defences.