Researcher: Bablu Kumar
Introduction
ChatGPT has gained significant attention lately, and for good reasons. Its potential benefits and ability to enhance work efficiency and effectiveness have piqued the interest of individuals across various sectors. Unfortunately, this heightened interest has also attracted the attention of threat actors who seek to exploit the hype and capitalize on the technology's popularity for their gain.
CloudSEK has recently released a research paper that sheds light on the nefarious tactics employed by threat actors to hijack existing YouTube accounts. These tactics include leveraging previously compromised data, phishing techniques, and the use of stealer logs. This blog reveals that threat actors may have also infiltrated Facebook accounts and pages using the same methods. These compromised accounts and pages are being used to distribute malware through links embedded in Facebook ads, which point to channels such as Trello boards, Google Drive, and individual websites.
The ads are designed in such a way that they appear legitimate, containing all the necessary details to appear convincing to unsuspecting users. The download link is accompanied by a password to lend further credibility to the scam. Furthermore, compromised accounts can also result in the theft of personally identifiable information (PII) and sensitive details such as payment information, etc. Semrush, SMIT, Evoto, and OBS Studio are a few other websites targeted in a similar manner.
Modus Operandi
Facebook is among the world's largest social networking platforms, with over 2.96 billion monthly active users. In our recent research, it has come to light that several potentially high-follower Facebook pages have been compromised and hijacked to spread malware at an unprecedented pace. It can be understood using this simple illustration.
After taking over a Facebook account or page, the threat actors modify the profile information to make it appear as if it is an authentic ChatGPT page. This involves using the username "ChatGPT OpenAI" and setting the ChatGPT image as the profile picture. These accounts are then used to run Facebook ads offering links to the “latest version of ChatGPT, GPT- V4” which, when downloaded, deploys a stealer malware into the victim’s device. (For more information please refer to the Appendix section)
Information from OSINT
The circulated malware is capable of stealing sensitive information from the user’s device, including but not limited to PII, system information, credit card details, etc. The malware also has replication capabilities, which makes it easier to spread across systems through the means of removable media.
Additionally, the malware can escalate privileges and has persistence mechanisms that enable it to remain on the system and gain further leverage. Upon running the malware through VirusTotal it was found to be flagged “malicious” by 9 out of 61 security vendors.
Analysis of the Compromised Facebook Accounts
Our investigation has revealed the presence of 13 Facebook pages/accounts (totaling over 500K followers) that have been compromised and are being used to disseminate the malware via Facebook ads. The oldest instance of such a hijacking, as identified by our researcher, dates back to 13 February 2023 and pertains to a page with over 23K followers. Furthermore, we have observed that the actors also targeted newly created accounts, some of which were as young as 0 days old. (Refer to the complete list of compromised accounts analyzed for more details)
Upon conducting a deeper analysis of the Facebook pages, we observed several noteworthy findings. Despite the original pages catering to diverse nationalities across various countries, a majority of the compromised Facebook accounts were being managed by individuals hailing from Vietnam, the Philippines, Brazil, Pakistan, and Mexico. Threat actors from Vietnam and the Philippines exhibited the highest incidence of compromised accounts among the aforementioned countries.
Another interesting observation arising from our analysis is the repeated use of a specific video (which was originally posted on this YouTuber's channel) to attract and engage the audience across the majority of the compromised accounts. This pattern suggests that this campaign, of deploying malware via Facebook ads, is most likely the activity of a distinct group of threat actors or an individual threat actor.
Hosting Malware on Legitimate Platforms
Our observations have led us to discover that threat actors are resorting to the use of legitimate websites as hosts for malware. Some of the most common platforms that have been exploited in this manner include Google Drive, Trello, and individual websites. This trend is not new but presents a significant challenge to the security community as it is often difficult to dissociate legitimate sites from the malicious content hosted on them.
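Because the abused hosts are legitimate platforms, a defender cannot simply block trello.com or drive.google.com. The following added triage example (not part of the CloudSEK report) combines the signals the report describes, a ChatGPT/OpenAI brand lure, a password quoted in the ad text, and a direct-download link on an abused platform, to flag ad records while leaving ordinary Trello board links alone. All ad records and card identifiers below are constructed placeholders.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs

# Legitimate platforms the report observed hosting the payload. They are not
# blocked outright; the check looks for the combination of signals instead.
ABUSED_HOSTS = {"trello.com", "drive.google.com"}
# Brand lures used in the ads: "ChatGPT OpenAI" page names, "GPT- V4" wording.
BRAND_LURES = re.compile(r"\b(chat\s?gpt|openai|gpt-?\s?v?4)\b", re.IGNORECASE)
# A password accompanying the download link to lend credibility.
PASSWORD_HINT = re.compile(r"\b(pass(word)?|pw)\b\s*[:=]?\s*\S+", re.IGNORECASE)


def refang(url):
    """Turn a defanged IoC (hxxps://trello[.]com/...) back into a parseable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def is_direct_download(url):
    """True only for a shared Trello card or a Drive export=download link."""
    p = urlparse(refang(url))
    host = p.netloc.lower()
    if host == "trello.com":
        return p.path.startswith("/c/")  # a card, not a board (/b/) or profile (/u/)
    if host == "drive.google.com":
        return parse_qs(p.query).get("export") == ["download"]
    return False


@dataclass
class Ad:
    page_name: str  # name shown on the Facebook page running the ad
    text: str       # ad copy
    link: str       # destination link, possibly defanged


def score_ad(ad):
    """Return the list of matched signals; two or more is a flag."""
    reasons = []
    if BRAND_LURES.search(ad.page_name) or BRAND_LURES.search(ad.text):
        reasons.append("brand-impersonation")
    host = urlparse(refang(ad.link)).netloc.lower()
    if host in ABUSED_HOSTS and is_direct_download(ad.link):
        reasons.append("download-from-abused-host")
    if PASSWORD_HINT.search(ad.text):
        reasons.append("password-in-ad")
    return reasons


def is_suspicious(ad):
    return len(score_ad(ad)) >= 2
```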
Information from Trello
A closer look at the Trello cards has yielded an intriguing finding that deserves attention. The status names that are being utilized, such as Cần làm (To do), Đang làm (Doing), and Đã xong (Done), are written in Vietnamese. This observation could provide valuable insights into the origins and motives of the threat actors who are leveraging Trello as a platform for disseminating malware.
The Trello account responsible for the distribution of the malware is registered under the name "Tony." This account has been active since March 15, 2023, with the most recent card update occurring on March 18, 2023. It is noteworthy that most of the Facebook ads in circulation contain a link to this Trello account, suggesting that the threat actors have been using this specific card to disseminate the malware.
(For more information please refer to the Appendix section)
The tables below contain details of the threat actors and the Trello cards used by them to disseminate malware.
Threat Actors Trello Profiles
hxxps://trello[.]com/u/darleen1942/activity
hxxps://trello[.]com/u/vanonian3082z/activity
hxxps://trello[.]com/u/dennsosambitp/activity
Malware Distributing Domains
Information from Individual Websites
Our research uncovered at least 25 individual websites that have been engaging in the nefarious practice of impersonating the OpenAI.com website. These malicious sites are duping individuals into downloading and installing harmful software, posing a severe risk to their security and privacy. (For more information please refer to the Appendix section)
Other Websites on Radar
During the course of our investigation, we discovered several counterfeit software applications, advertised alongside the malicious ChatGPT software, on the same Trello cards. These applications may currently be in use for various nefarious purposes, including but not limited to, fraudulent Facebook advertising. The list of targeted software* uncovered by CloudSEK includes the following:
- Semrush: A platform for keyword research and online ranking data.
- SMIT: A social media advertising tool for marketing experts
- Evoto: An AI photo editing software.
- OBS Studio: A free and open-source screencasting and streaming app
- Photo Editors
*Note: All the compromised companies mentioned in the report are legitimate and are not responsible in any way for threat actors imitating or abusing them or their brand name. Additionally, some companies even have a disclaimer that explicitly warns users against sharing credit card details and other sensitive information.
List of Compromised Facebook Accounts Analyzed
References & Attributions
- Threat Actors Abuse AI-Generated Youtube Videos to Spread Stealer Malware | CloudSEK
- Hacker Customizable Semi Flat Illustrations | Pana Style
- 16,190 Users Icons - Free in SVG, PNG, ICO - IconScout
- Icons used in infographic
Appendix