by Les Bell - Monday, March 13, 2023, 5:17 PM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Fake ChatGPT Extension Steals Facebook Ad Accounts

A few weeks ago we reported that hackers were capitalizing on the enormous public interest in ChatGPT to create fake websites as well as fake ChatGPT apps which would install infostealers such as Redline, Aurora and Lumina. Now, AV firm Guardio has found and analyzed yet another example being promoted via Facebook sponsored posts. This time it is a Chrome extension which claims to provide - and in fact is called - "Quick access to Chat GPT".

The extension is a genuine trojan horse: it does exactly what it promises, providing an interface to the official ChatGPT API, but it is also a browser-based infostealer. Once installed, it steals the cookies of any active sessions and takes over the victim's Facebook account. What is particularly interesting is that, once the stealer has gained access to a high-profile Facebook business account, it uses that account to create more sponsored posts promoting its own installation, at the victim's expense. And because the extension has full access to the browser, it can also make use of an authenticated session to the Meta Graph API to perform a variety of other actions.
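The defender's first question is which installed extensions could even do this. As an added example (my own code, not Guardio's analysis, and the manifests below are constructed samples rather than the real extension's), here is a small Python audit that flags Chrome extensions whose manifest requests the combination a browser-based infostealer needs: the cookies API permission together with broad host access. The RISKY_API_PERMISSIONS and BROAD_HOST_PATTERNS sets are my own choices, and audit_extension_dir is a hypothetical helper that walks an unpacked extensions folder.

```python
import json
from pathlib import Path

# API permissions that matter for session theft (my own list, not from the report).
RISKY_API_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking", "tabs", "scripting"}
# Host patterns that grant access to every site, and hence every site's cookies.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest: dict) -> dict:
    """Return risk findings for one extension manifest (Manifest V2 or V3)."""
    api_perms = set(manifest.get("permissions", []))
    host_perms = set(manifest.get("host_permissions", []))
    # In Manifest V2 host patterns live in "permissions" alongside API names,
    # so split them out before comparing.
    host_perms |= {p for p in api_perms if "://" in p or p == "<all_urls>"}
    api_perms -= host_perms
    risky = sorted(api_perms & RISKY_API_PERMISSIONS)
    broad = sorted(host_perms & BROAD_HOST_PATTERNS)
    # Cookie access combined with access to all hosts is the combination to worry about.
    high_risk = "cookies" in risky and bool(broad)
    return {
        "name": manifest.get("name", "?"),
        "risky_permissions": risky,
        "broad_hosts": broad,
        "high_risk": high_risk,
    }


def audit_extension_dir(root: Path) -> list[dict]:
    """Hypothetical helper: audit every manifest.json under an unpacked-extensions folder."""
    return [
        audit_manifest(json.loads(p.read_text(encoding="utf-8")))
        for p in sorted(root.rglob("manifest.json"))
    ]


# Constructed sample manifests for demonstration; not the real extension's manifest.
SAMPLE_MANIFESTS = [
    {
        "manifest_version": 3,
        "name": "Quick access to Chat GPT (constructed sample)",
        "permissions": ["cookies", "tabs", "storage"],
        "host_permissions": ["<all_urls>"],
    },
    {
        "manifest_version": 3,
        "name": "Harmless notes (constructed sample)",
        "permissions": ["storage"],
        "host_permissions": [],
    },
    {
        "manifest_version": 2,
        "name": "Old-style MV2 (constructed sample)",
        "permissions": ["cookies", "*://*/*"],
    },
]

if __name__ == "__main__":
    for m in SAMPLE_MANIFESTS:
        print(audit_manifest(m))
```

A high-risk finding is not proof of malice (password managers legitimately need similar permissions), but it gives a short list of extensions worth checking against the store listing, the publisher and Guardio's IOCs.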

The harvested data will likely be sold off - including any ChatGPT queries the extension sends on behalf of the victim. But possibly the big payoff will be the full access to Facebook business accounts that the extension gains for the attackers.

Guardio's blog post provides a detailed analysis of the malicious extension's techniques and procedures, as well as IOCs.

Tal, Nati, “FakeGPT”: New Variant of Fake-ChatGPT Chrome Extension Stealing Facebook Ad Accounts with Thousands of Daily Installs, blog post, 9 March 2023. Available online at https://labs.guard.io/fakegpt-new-variant-of-fake-chatgpt-chrome-extension-stealing-facebook-ad-accounts-with-4c9996a8f282.

BatLoader Continues to Evolve

eSentire's Threat Response Unit (TRU) has produced a report detailing its continued monitoring of the evolution of BatLoader. We first reported on BatLoader back in November of last year; at that time, VMware's Carbon Black MDR analysts had identified it as a derivative of the earlier Zloader, which in turn traces back to the old Zeus banking trojan.

eSentire watched the BatLoader operators throughout February as they registered a number of domains which typosquat on popular application and brand names by simply adding a few characters to the end of the brand name, e.g. adobe-l[.]com as opposed to adobe.com. Using this technique, they are spoofing Adobe, Tableau, Spotify, Zoom and - inevitably (because it works!) - ChatGPT. These domains are then used to host fake download pages which deliver Windows Installer files masquerading as the related applications, with the pages being promoted via Google Search ads.
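The "brand name plus a few appended characters" pattern is simple enough to hunt for in DNS or proxy logs. The following Python is an added example of my own, not eSentire's tooling: it refangs domains, reduces them to a registrable domain (simplified to the last two labels; a real tool would consult the Public Suffix List), and flags any whose second-level label is one of the spoofed brands with a short tail appended. The BRANDS allowlist of legitimate domains, the MAX_APPENDED bound and the log lines are all my own constructions, and the log format is a hypothetical "timestamp client query name" layout.

```python
import re
from typing import Optional

# Brands the report says were spoofed; the legitimate-domain allowlist is my own (constructed).
BRANDS = {
    "adobe": {"adobe.com"},
    "tableau": {"tableau.com"},
    "spotify": {"spotify.com"},
    "zoom": {"zoom.us"},
    "chatgpt": {"openai.com"},
}
# How many characters may follow the brand for the domain to count as "brand plus a few characters".
MAX_APPENDED = 4

DEFANG = re.compile(r"\[\.\]")
# Hypothetical log layout: "<timestamp> <client> query <name>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)")


def refang(domain: str) -> str:
    """Turn a defanged indicator such as adobe-l[.]com back into adobe-l.com."""
    return DEFANG.sub(".", domain).lower().rstrip(".")


def registrable(domain: str) -> str:
    """Simplification: treat the last two labels as the registrable domain."""
    parts = refang(domain).split(".")
    return ".".join(parts[-2:])


def classify(domain: str) -> Optional[dict]:
    """Return a finding if the domain looks like a brand name with a short tail appended."""
    reg = registrable(domain)
    label = reg.split(".")[0]
    for brand, legit in BRANDS.items():
        if reg in legit:
            return None  # the brand's own domain, never a typosquat
        if label.startswith(brand) and label != brand:
            tail = label[len(brand):]
            if 0 < len(tail) <= MAX_APPENDED:
                return {"domain": reg, "brand": brand, "appended": tail}
    return None


def scan_log(lines) -> list:
    """Run classify() over log lines and return the findings with their context."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        hit = classify(m["qname"])
        if hit:
            hit.update(ts=m["ts"], client=m["client"])
            hits.append(hit)
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2023-02-20T09:14:03Z 10.0.0.12 query www.adobe.com",
    "2023-02-20T09:15:41Z 10.0.0.12 query adobe-l[.]com",
    "2023-02-20T09:16:05Z 10.0.0.33 query zoom.us",
    "2023-02-20T09:17:22Z 10.0.0.33 query zoom-dl[.]com",
    "2023-02-20T09:18:00Z 10.0.0.40 query spotifyexample.com",
    "2023-02-20T09:19:10Z 10.0.0.40 query chatgpt-app[.]net",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The heuristic deliberately mirrors only the trick the report describes (characters appended to the brand); it will not catch homoglyph or transposition squats, and the length bound is what keeps names such as spotifyexample.com out of the results.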

In addition to installing the desired free application, the modified Windows Installer file contains custom actions which execute commands - for example, installing Python (which seems to have replaced earlier versions' use of PowerShell), running pip to install other packages, and running Python programs. In this incarnation of BatLoader, the Python scripts use a technique found via Stack Overflow to achieve privilege escalation. As before, the loader is dropping payloads such as Ursnif and Cobalt Strike and, most recently, Vidar Stealer.
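An installer that launches a Python interpreter, pip or PowerShell is the observable side of those custom actions, and it shows up in process-creation telemetry as a process tree rooted at msiexec.exe. As an added example (my own detection logic, not eSentire's), the Python below walks Sysmon-style process-creation events, reconstructs each interpreter's ancestry through ParentProcessGuid, and flags any interpreter that has msiexec.exe anywhere above it, so the pip child of a python child of msiexec is caught as well as the direct child. The INTERPRETERS set, the field names and the events themselves are my own constructions; the GUIDs and package name are placeholders.

```python
# Interpreters that a packaged installer normally has no business launching (my own list).
INTERPRETERS = {"python.exe", "pythonw.exe", "pip.exe", "pip3.exe", "powershell.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestor_names(event: dict, by_guid: dict) -> list:
    """Walk up the process tree: immediate parent from ParentImage, further
    ancestors through ParentProcessGuid while their creation events are present."""
    names = [basename(event.get("ParentImage", ""))]
    guid = event.get("ParentProcessGuid")
    seen = set()
    while guid in by_guid and guid not in seen:
        seen.add(guid)
        parent = by_guid[guid]
        names.append(basename(parent.get("ParentImage", "")))
        guid = parent.get("ParentProcessGuid")
    return names


def detect(events: list) -> list:
    """Return every interpreter process whose ancestry includes msiexec.exe."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for e in events:
        image = basename(e.get("Image", ""))
        if image not in INTERPRETERS:
            continue
        chain = ancestor_names(e, by_guid)
        if "msiexec.exe" in chain:
            hits.append({
                "ProcessGuid": e["ProcessGuid"],
                "Image": image,
                "ancestors": chain,
                "CommandLine": e.get("CommandLine", ""),
            })
    return hits


# Constructed Sysmon-style (Event ID 1) process-creation events; not real telemetry.
SAMPLE_EVENTS = [
    {"ProcessGuid": "guid-1", "ParentProcessGuid": "guid-0",
     "Image": r"C:\Windows\System32\msiexec.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "msiexec.exe /i zoom-setup.msi"},
    {"ProcessGuid": "guid-2", "ParentProcessGuid": "guid-1",
     "Image": r"C:\Program Files\Python310\python.exe", "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "python.exe -m pip install <placeholder-package>"},
    {"ProcessGuid": "guid-3", "ParentProcessGuid": "guid-2",
     "Image": r"C:\Program Files\Python310\Scripts\pip.exe", "ParentImage": r"C:\Program Files\Python310\python.exe",
     "CommandLine": "pip.exe install <placeholder-package>"},
    {"ProcessGuid": "guid-4", "ParentProcessGuid": "guid-0",
     "Image": r"C:\Program Files\Python310\python.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "python.exe script.py"},  # benign: launched by the user, not an installer
    {"ProcessGuid": "guid-5", "ParentProcessGuid": "guid-1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": "powershell.exe -nop -c <placeholder>"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["Image"], "<-", " <- ".join(hit["ancestors"]))
```

Legitimate MSI packages do run custom actions, so in production this rule is tuned with an allowlist of known installers (matched on signer or package hash) rather than left at zero tolerance; the ancestry walk is what stops the rule from being trivially evaded by one extra process hop.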

The eSentire TRU write-up provides recommended mitigations - primarily improved security education, training and awareness - as well as IOCs.

eSentire TRU, BatLoader Continues to Abuse Google Search Ads to Deliver Vidar Stealer and Ursnif, blog post, 9 March 2023. Available online at https://www.esentire.com/blog/batloader-continues-to-abuse-google-search-ads-to-deliver-vidar-stealer-and-ursnif.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
