BatLoader Impersonates Midjourney and ChatGPT in Drive-By Cyberattacks

In early May, eSentire’s Threat Response Unit (TRU) discovered an ongoing BatLoader campaign that leveraged Google search ads to deliver fake webpages impersonating ChatGPT and Midjourney:

• ChatGPT is an AI chatbot released in November 2022, which has since gained immense popularity.

• Midjourney is a generative AI service that allows users to submit text prompts to generate images.

Both AI services are extremely popular but lack first-party standalone applications (i.e., users interact with ChatGPT through its web interface, while Midjourney uses Discord).

Threat actors exploited this gap, attempting to lure internet users searching for AI applications to fake webpages promoting fraudulent applications.

In the latest campaign, BatLoader used MSIX Windows application installer files to infect devices with the Redline information stealer. This is not the first time BatLoader has targeted users searching for AI tools. In February 2023, TRU discovered a series of newly registered BatLoader domain names, including chatgpt-t[.]com.

Overview of Redline Infections Caused by ChatGPT Impersonation Ads

Initial Download

In this case, the infection can be traced back to a Google search for “chatbpt,” which led to a ChatGPT impersonation download page hosted at hxxps://pcmartusa[.]com/gpt/:


Figure 1. ChatGPT impersonation page.

The download link points to advert-job[.]ru, which then redirects to job-lionserver[.]site, representing the final attack payload. job-lionserver[.]site was previously identified as a BatLoader attack payload site.


Figure 2. Tracing back reveals HTTP transactions pointing to the final download on job-lionserver[.]site.

Chat-GPT-x64.msix

Chat-GPT-x64.msix (MD5: 86a9728fd66d70f0ce8ef945726c2b77) is an MSIX package, a Windows application package format used for installing applications.


Figure 3. Chat-GPT-x64.msix file properties.

Windows requires all files that make up an MSIX application to be signed with a common signature. The package is digitally signed by ASHANA GLOBAL LTD:


Figure 4. Chat-GPT-x64.msix signature details.

Upon careful inspection of the package contents, we can see the various assets used during the installation:


Figure 5. Application assets within the MSIX package.

Reviewing the AppXManifest file, we see that the package was created by a Russian speaker using version 20.2 of the Advanced Installer with a professional license.


Figure 6. MSIX file properties.


Figure 7. MSIX file properties and metadata.

When the package is opened in Advanced Installer, we can see that the application will launch an executable file (ChatGPT.exe) and a PowerShell script (Chat.ps1).


Figure 8. Chat-GPT-x64.msix starting point and permissions.


Figure 9. PowerShell commands executed during the installation process of Chat-GPT-x64.msix.

The installer also uses the ChatGPT logo and targets Windows desktop versions from the October 2018 Update (1809) through the October 2022 Update (22H2).
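The manifest-level facts above (publisher, stub executable, packaged script, supported OS range, packaging tool) can all be read from an MSIX before it is ever installed, because an MSIX is a zip with an AppxManifest.xml inside. The following triage script is an added example, not code from the report or from eSentire; the manifest it builds is a constructed stand-in whose element layout and tool comment are assumed, while the publisher, stub name, script name and OS builds follow the report.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET

# Constructed stand-in for the AppxManifest.xml in Chat-GPT-x64.msix (not reproduced in the report):
# publisher, stub, script name and OS range follow the report; layout and tool comment are assumed.
SAMPLE_MANIFEST = """<!-- Advanced Installer 20.2 (assumed comment format) -->
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">
  <Identity Name="ChatGPT" Publisher="CN=ASHANA GLOBAL LTD" Version="1.0.0.0"/>
  <Dependencies>
    <TargetDeviceFamily Name="Windows.Desktop" MinVersion="10.0.17763.0" MaxVersionTested="10.0.19045.0"/>
  </Dependencies>
  <Applications>
    <Application Id="ChatGPT" Executable="aistubx64.exe" EntryPoint="Windows.FullTrustApplication"/>
  </Applications>
</Package>"""

NS = {"m": "http://schemas.microsoft.com/appx/manifest/foundation/windows10"}
BUILD_NAMES = {"10.0.17763.0": "1809", "10.0.19045.0": "22H2"}  # well-known Windows 10 builds
SCRIPT_EXT = (".ps1", ".bat", ".cmd", ".vbs", ".js")


def build_sample_msix() -> bytes:
    # An MSIX is a zip container; write a minimal one around the constructed manifest.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AppxManifest.xml", SAMPLE_MANIFEST)
        z.writestr("Chat.ps1", "# placeholder, not the downloader from the report\n")
        z.writestr("ChatGPT.exe", b"MZ")
    return buf.getvalue()


def triage_msix(data: bytes) -> dict:
    # Static triage: who signed it, what runs first, which scripts ship inside, which OS builds it targets.
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        manifest = z.read("AppxManifest.xml").decode("utf-8")
    root = ET.fromstring(manifest)
    ident = root.find("m:Identity", NS)
    tdf = root.find("m:Dependencies/m:TargetDeviceFamily", NS)
    apps = root.findall("m:Applications/m:Application", NS)
    tool = re.search(r"Advanced Installer\s+([\d.]+)", manifest)  # heuristic on raw manifest text
    return {
        "publisher": ident.get("Publisher"),
        "min_os": BUILD_NAMES.get(tdf.get("MinVersion"), tdf.get("MinVersion")),
        "max_os": BUILD_NAMES.get(tdf.get("MaxVersionTested"), tdf.get("MaxVersionTested")),
        "entry_executables": [a.get("Executable") for a in apps],
        "full_trust": any(a.get("EntryPoint") == "Windows.FullTrustApplication" for a in apps),
        "scripts": [n for n in names if n.lower().endswith(SCRIPT_EXT)],
        "packaging_tool": tool.group(0) if tool else None,
    }
```

A full-trust entry point combined with a bundled .ps1 is the combination worth escalating, since a legitimate packaged app rarely needs both.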

Clicking the installer file will initiate the Windows application installer wizard:


Figure 10. Windows 10 application installer wizard. The application is signed by ASHANA GLOBAL LTD.

File signatures are crucial for MSIX packages, as the installer does not allow you to proceed without a trusted certificate signature (Windows 10 requires all applications to be signed with a valid code-signing certificate).


Figure 11. Without a valid signature, the installation of Chat-GPT-x64.msix cannot proceed.

During the installation process, Chat.ps1 and ChatGPT.exe are executed in the context of aistubx64.exe.


Figure 12. Process Hacker output showing PowerShell execution behavior during installation.

Chat.ps1 is a basic PowerShell downloader. In this case, it downloads the Redline information stealer from adv-pardorudy[.]ru into memory. The script also makes two requests to the C2:

• Start.php: Logs the infection start time and the victim’s IP address.

• Install.php: Logs the successful installation of the payload on adv-pardorudy[.]ru, the installation time, and the victim’s IP address.

The attackers perform these actions to facilitate tracking statistics, allowing them to easily identify successfully infected victims and track metrics around specific activities or themes.


Figure 13. Chat.ps1 uses three web requests to indicate the start of infection, payload retrieval, and successful installation of Redline.
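The behaviour described above gives defenders two linkable signals: PowerShell launched under the packaged-app stub, and the same process then calling the Start.php and Install.php stats endpoints. The rule below is an added example of detection logic for that chain, not eSentire's detection content; the Sysmon-style events and their field names are constructed, and the C2 host is written defanged as in the report because the rule keys on the endpoint names, not the domain.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events with assumed field names; not telemetry from the report.
EVENTS = [
    {"type": "process", "host": "ws01", "pid": 4120,
     "parent_image": r"C:\Program Files\WindowsApps\ChatGPT_1.0.0.0_x64__abc123\aistubx64.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File Chat.ps1"},
    {"type": "network", "host": "ws01", "pid": 4120, "url": "http://adv-pardorudy[.]ru/Start.php"},
    {"type": "network", "host": "ws01", "pid": 4120, "url": "http://adv-pardorudy[.]ru/Install.php"},
    {"type": "process", "host": "ws02", "pid": 777,  # benign admin script, should not alert
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -File backup.ps1"},
]

PACKAGED_PARENT = re.compile(r"\\WindowsApps\\", re.I)  # install root of packaged (MSIX/AppX) apps
POWERSHELL = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)
BEACON_PATHS = {"start.php", "install.php"}  # stats endpoints Chat.ps1 calls, per the report


def detect_msix_powershell_abuse(events):
    # PowerShell spawned by a packaged app is suspicious on its own (medium); the same
    # process then hitting both stats endpoints matches the Chat.ps1 pattern (high).
    ps_from_package = {}
    beacons = defaultdict(set)
    for ev in events:
        key = (ev["host"], ev["pid"])
        if (ev["type"] == "process" and POWERSHELL.search(ev["image"])
                and PACKAGED_PARENT.search(ev["parent_image"])):
            ps_from_package[key] = ev
        elif ev["type"] == "network":
            leaf = ev["url"].rsplit("/", 1)[-1].lower()
            if leaf in BEACON_PATHS:
                beacons[key].add(leaf)
    alerts = []
    for key, ev in ps_from_package.items():
        hits = sorted(beacons.get(key, ()))
        alerts.append({"host": key[0], "pid": key[1],
                       "severity": "high" if len(hits) == 2 else "medium",
                       "parent": ev["parent_image"], "cmdline": ev["cmdline"],
                       "beacons": hits})
    return alerts
```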

This Redline sample (MD5: 7716F2344BCEBD4B040077FC00FDB543) is configured to connect to IP 185.161.248[.]81 using the Bot ID “ChatGPT_Mid,” which alludes to the two lures used in this activity (ChatGPT and Midjourney).


Figure 14. Redline file properties.

Upon careful inspection of ChatGPT.exe, TRU found that the executable uses Microsoft Edge WebView2 to load https://chat.openai.com/ in a pop-up window after installation.


Figure 15. Process tree shows ChatGPT.exe loading the actual ChatGPT webpage in a streamlined browser.

Its main function is to act as a decoy: the user sees a legitimate-looking application install and run, so nothing appears amiss. The pop-up window simply contains the real ChatGPT webpage embedded in a basic browser window. Any other functionality of this executable is currently unknown.


Figure 16. The post-installation ChatGPT.exe window. https://chat.openai.com/ is displayed using Microsoft Edge WebView2.

Redline Infections Caused by Midjourney Impersonation Ads

In another case in May 2023, TRU observed a similar infection scheme attempting to promote a Midjourney impersonation page. This led users to download Midjourney-x64.msix, which is a Windows application package signed by ASHANA GLOBAL LTD.


Figure 17. Midjourney-x64.msix installation.

In this case, the installer executes an obfuscated PowerShell script (Chat-Ready.ps1), which ultimately is the same as the script shown in Figure 13, just using a different C2 domain.


Figure 18. Midjourney-x64.msix PowerShell execution.


Figure 19. Post-installation midjourney.exe loading https://www.midjourney.com/ in a streamlined browser window.

What Did We Do?

• TRU proactively hunted across global client environments for the application packages identified in this campaign.

• We deployed new detection content to identify MSIX application package abuse activities.

• Our 24/7 SOC network analyst team alerted affected customers and provided remediation guidance and support.

What Can You Learn From This?

• Generative AI technology and chatbots have gained immense popularity in 2023. Unfortunately, as system administrators seek to control access to these platforms, users may find alternative ways to access them.

• Threat actors have been eager to exploit these popular tools, promising unrestricted access.

• Our telemetry data indicates that the abuse of Google search ads peaked in Q4 2022 and early 2023. The success rate has declined, suggesting that Google has cracked down on abuses of its ad services. However, this recent activity indicates that malicious ads can still evade auditors’ eyes and deliver malware to victims.

This activity shares several similarities with previously discovered BatLoader activities:

1. Use of Google search ads to impersonate major brands and services.

2. Use of Advanced Installer to create installation packages.

3. The attack payload site job-lionserver[.]site, previously attributed to BatLoader.

4. Information-stealing malware attack payloads.

Recommendations from our Threat Response Unit (TRU) team:

• Raise awareness of malware masquerading as legitimate applications and include relevant examples in your company’s phishing and security awareness training (PSAT) programs to educate employees on how to protect themselves from similar cyber threats.

○ Remember, an effective PSAT program emphasizes ensuring cybersecurity resilience through increased risk awareness, rather than trying to turn everyone into a security expert.

• Protect endpoints from malware.

○ Ensure antivirus features are up to date.

○ Use next-generation antivirus (NGAV) or endpoint detection and response (EDR) products to detect and contain threats.

• Windows Defender Application Control provides options for managing packaged applications (MSIX). See https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.

References and Sources:

https://www.esentire.com/blog/batloader-impersonates-midjourney-chatgpt-in-drive-by-cyberattacks

Original source: Sihou Professional Edition
