ChatGPT: The real Evil Twin

03/16/2023
G DATA Blog

The clamor and viral use of a very human-sounding, artificial technology chatbot named, ChatGPT gave rise to some new and interesting activities in the cybercrime world.

To set things straight right off the bat, this article is not generated by any AI nor any natural-language processing system, such as ChatGPT.
It is no secret that cyberthreat actors capitalize on prominent social events latest technology buzzwords to launch their attacks. And the curtain raiser for 2023 that made the headlines was the clamor and viral use of a very human-sounding, artificial technology chatbot named, ChatGPT. A better way to understand what ChatGPT is and what it does in a nutshell is to ask itself:

Given its breakthrough in practical use and public availability, there were growing fears of its possible misuse, social and cyber security implications, which are best described from our earlier article entitled, ChatGPT: What AI holds in store for security. One of the front-page stories in social media and news recently, was the possibility of converting ChatGPT into its devil-may-care alter ego called DAN for “Do Anything Now” in order to produce offensive responses to wide range of sensitive topics.  However, just in the second week of February, G DATA Malware Analysts were able to identify a real evil twin of ChatGPT – chatgpt-go.online.

Validate its Looks – Dissecting the Web interFACES

The real webpage of ChatGPT is accessed via openai.com/blog/chatgpt/ , wherein users will be able to experience chatting with the AI is by clicking the TRY CHATPT button that redirects to a Login and Sign Up page. But when users access the fake website, you will be shown the same webpage of the authentic ChatGPT page. It even made use of HTTPS to host its website to convince site visitors its legitimacy by having a secured communication through private and encrypted data traffic between the users’ web browser and the website’s server. That is why not every website using HTTPS is automatically secured and safe to use.

One way of checking a website’s credibility is to validate its “birthdate” – when it was registered and went online. In chatgpt-go.online’s case, it was just four-weeks old at the time of this writing, which raises a flag since ChatGPT had been around since late November of 2022. What raised the curiosity of our Malware Analysts was to see how the fake webpage does its next trickery, whether does it have its own AI chatbot or offers anything else. Lo and behold, it used a classic technique of drive-by download, wherein when the user clicked the TRY CHATGPT button, it will download a malicious file, Installer_3.64_win64_86-setup+manual.zip hosted from hxxps://getcrackme.com/.

What raised the curiosity of our Malware Analysts was to see how the fake webpage does its next trickery, whether does it have its own AI chatbot or offers anything else. Lo and behold, it used a classic technique of drive-by download, wherein when the user clicked the TRY CHATGPT button, it will download a malicious file, Installer_3.64_win64_86-setup+manual.zip hosted from hxxps://getcrackme.com/.

The malware poses as a normal installer of a non-specific software that is copyrighted by Electron and Github, and digitally signed by TeamViewer Germany. It arrives in the system in a package along with usual, normal file components of an installer such as LICENSE, language resources, library, and among others as part of its pretension.

Looking at the image above, the malware's file size is around 700 MB. If a user does not have any idea about the file, he may really think that the file is just a normal installer. But inspecting it further using a static analysis tool called Hiew (Hacker’s View), the actual size of the malware is just around 5 MB only, as the remaining contents of the file are padded with null bytes as shown in the image below. File bloating is a typical approach that malware authors use to evade antivirus detection.
This malware is one of the many advertised malwares called LummaC2 stealer which gathers sensitive information from the affected system. To make it difficult for Malware Analysts from to reverse engineer and understand its behavior, this file is protected with VMProtect v.3.6.0 - 3.7.3.

It gathers the following information from the compromised computer and saves it in a text file named as system.txt:

  • HWID
  • Screen Resoluton
  • Language
  • CPU Name
  • Physical Installed Memory

It then specifically targets the following applications by gathering information such as user profiles, server information and its credentials:

  • AnyDesk
  • FileZilla
  • KeePass
  • Steam
  • Telegram

It also steals user information from the following internet browsers through its user data directory:

  • Chrome
  • Chromium
  • Edge
  • Kometa
  • Opera Stable
  • Opera GX Stable
  • Opera Neon
  • Brave Software
  • Comodo
  • CocCoc

Moreover, it tries to steal user accounts from two-factor authentication and password manager applications via browser extensions:

  • bhghoamapcdpbohphigoooaddinpkbai - Authenticator
  • gaedmjdfmmahhbjefcbgaolhhanlaolb - Authy
  • oeljdldpnmdbchonielidgobddffflal - EOS Authenticator
  • ilgcnhelpchnceeipipijaljkblbcobl - GAuth Authenticator

Extension ID and Password Manager

  • imloifkgjagghnncjkhggdhalmcnfklk - Trezor Password Manager

 

To immediately achieve financial gain, the malware steals numerous cryptocurrency wallets via browser extension IDs as enumerated in the table below.The malware also creates a list of the installed applications in the system and saves it in a text file named as software.txt.  It also captures a screenshot of the affected system then saves it as screen.png.
After all these pieces of information are gathered, they will be sent to the malware’s command and control (C&C) server, 77.73.134.68, which is still up and running as of this writing. The figures below show such communication between the affected system and server.

According to VirusTotal’s Threat Intelligence report, this archive file has been seen across different continents from, Asia, Latin America and Europe being the most at 73% that include Germany.
Another interesting feature of this website is when the Malware Analysts tried to access it via Tor, it was dynamic as it served a different web page, which is an e-commerce site directly taken away from Hiboy e-Bike web store.  This method is called Shared IP Hosting that is legitimate in its nature, but leveraged by threat actors to conceal mischievous behavior of certain sites.

But wait - there’s more…

Being a fake ChatGPT website is just a façade of this threat, as G DATA Malware Analysts were able to gather from the organization’s internal telemetry and intelligence that the website is also a home of two malicious files with similar intent.

The first file that we were able to source is hosted directly from the fake ChatGPT site, which has the filename Clip.exe. It is a clipboard banker malware that captures user data and cryptocurrencies through Windows clipboard.  The infected system though must have an updated Universal C runtime installed as part of the module dependencies of the malware. It targets wallet addresses of different crypto currencies by using regular expressions which are provided in the table below.

The next file that we were able to obtain again directly from the fake ChatGPT site is Java.exe. In a nutshell, it is similar to the two previous malwares, which takes the screenshot of the affected system, and steals from numerous cryptocurrency wallets from the infected host. The file attempts to establish a connection to 194.87.71.146 via port 8081, but it was unsuccessful. It is most likely linked to Aurora stealer, a current prevalent malware family sold on Telegram and underground forums, due to the similarity of its behavior in terms of fingerprinting the affected system and the targeted cryptocurrency wallets.

These information and facts gave us the impression that this could be a part of a bigger scheme or cyberthreat campaign. Fellow cybersecurity researcher, Will Dormann had an insight and proof on this, as users will actually be exposed to these threats by just casually searching for legitimate applications via Google, wherein the sponsored Ads on the initial search results were the malicious links. In his investigation, he searched for Java installer in Google, then the top most result is an sponsored paid ad, which actually directs the user to a fake Java website. When the user then selected to download the Java installer, it will then be directed to the fake ChatGPT hosted malware, Java.exe.

G DATA Malware Analysts tried to replicate the possible vector, but Google has already suspended its sponsored ad results and may possibly doing its own investigation and cleanup of its famed service. So please standby for updates on this developing threat as we try to further unravel the end-to-end campaign.

IOC list and information for fellow researchers

SHA256

Filename – File Type

G DATA Detection

46200951190736e19be7bcc9c0f97316628acce43fcf5b370faa450e74c5921e

Clip.exe (PE32)

ClipBanker39

34b88f680f93385494129bfe3188ce7a0f5934abed4bf6b8e9e78cf491b53727

Java.exe (PE32)

AuroraStealer

2ac5138fafdb2b9919907469da051a8bd65bbfb7bce71078b38b6be8dcc8ca18

Installer_3.64_win64_86.exe (PE32)

LummaStealer3; CoinStealer14

URL

Description

chatgpt-go.online

Fake ChatGPT URL

77.73.134.68

LummaStealer’s C&C server

Targeted Cryptocurrency wallets

Extension IDs/ Path/Regular Expression

SHA256: 2ac5138fafdb2b9919907469da051a8bd65bbfb7bce71078b38b6be8dcc8ca18

MetaMask

nkbihfbeogaeaoehlefnkodbefgpgknn

MetaMask (Edge)

ejbalbakoplchlghecdalmeeeajnimhm

TronLink

ibnejdfjmmkpcnlpebklmnkoeoihofec

Ronin

fnjhmkhhmkbjkkabndcnnogagogbneec

Binance

fhbohimaelbohpjbbldcngcnapndodjp

Yoroi

ffnbelfdoeiohenkjibnmadjiehjhajb

Nifty

jbdaocneiiinmjbjlgalhcelgbejmnid

Math

afbcbjpbpfadlkmhmclhkeeodmamcflc

Coinbase

hnfanknocfeofbddgcijnmhnfnkdnaad

Guard

hpglfhgfnhbgpjdenjgmdgoeiappafln

Equal

blnieiiffboillknjnepogjhkgnoapac

Jaxx Liberty

cjelfplplebdjjenllpjcblmjkfcffne

BitApp

fihkakfobkmkjojpchpfgcmhfjnmnfpi

iWallet

kncchdigobghenbbaddojjnnaogfppfj

Wombat

amkmjjmmflddogmhpjloimipbofnfjih

MEW CX

nlbmnnijcnlegkjjpcfjclmcfggfefdm

Guild

nanjmdknhkinifnkgdcggcfnhdaammmj

Saturn

nkddgncdjgjfcddamfgcmfnlhccnimig

Liquality

kpfopkelmapcoipemfendmdcghnegimn

Terra Station

aiifbnbfobpmeekipheeijimdpnlpgpp

Enkrypt

kkpllkodjeloidieedojogacfhpaihoh

NeoLine

cphhlgmgameodnhkjdmkpanlelnlohao

CLV

nhnkbkgjikgcigadomkphalanndcapjk

Keplr

dmkamcknogkgcdfhhbddcghachkejeap

Sollet

fhmfendgdocmcbmfikdcogofphimnkno

Auro

cnmamaachppnkjgnildpdmkaakejnhae

Polymesh

jojhfeoedkpkglbfimdfabpdfjaoolaf

ICONex

flpiciilemghbmfalicajoolhkkenfel

Nabox

nknhiehlklippafakaeklbeglecifhad

KHC

hcflpincpppdclinealmandijcmnkbgn

Temple

ookjlbkiijinhpmnjffcofjonbfbgaoc

TezBox

mnfifefkajgofkcjkemidiaecocnkjeh

DAppPlay

lodccjjbdhfakaekdiahmedfbieldgik

BitClip

ijmpgkjfkbfhoebgogflfebnmejmfbml

Steem Keychain

lkcjlnjfpbikmcmbachjpdbijejflpcm

Nash

onofpnbbkehpmmoabgpcpmigafmmnjhl

Hycon Lite

bcopgchhojmggmffilplmbdicgaihlkp

ZilPay

klnaejjgbibmhlephnhpmaofohgkpgkd

Coin98

aeachknmefphepccionboohckonoeemg

Cyano

dkdedlpgdmmkkfjabffeganieamfklkm

Byone

nlgbhdfgdhgbiamfdfmbikcdghidoadd

OneKey Legacy

infeboajgfhgbjpjbeppbkgnabfdkdaf

LeafWallet

cihmoadaighcejopammfbmddcmdekcje

Binance

%appdata%\Binance

Electrum

%appdata%\Electrum\wallets

Ethereum

%appdata%\Ethereum\keystore

Exodus

%appdata%\Exodus

Ledger Live

%appdata%\Ledger Live

Atomic

%appdata%\atomic\Local Storage

Coinomi

%localappdata%\Coinomi\Coinomi\wallets

Steam

%programfiles%\Steam

 

 

SHA256: 34b88f680f93385494129bfe3188ce7a0f5934abed4bf6b8e9e78cf491b53727

Coin98

aeachknmefphepccionboohckonoeemg

Terra Station

aiifbnbfobpmeekipheeijimdpnlpgpp

Wombat

amkmjjmmflddogmhpjloimipbofnfjih

BOLT X

aodkkagnadcbobfpggfnjeongemjbjca

Phantom

bfnaelmomeimhlpmgjnjophhpkkoljpa

Equal

blnieiiffboillknjnepogjhkgnoapac

EVER

cgeeodpfagjceefieflmdfphplkenlfk

Jaxx Liberty

cjelfplplebdjjenllpjcblmjkfcffne

Maiar DeFi

dngmlblcodfobpdpecaadgfbcggfjfnm

Yoroi

ffnbelfdoeiohenkjibnmadjiehjhajb

Binance

fhbohimaelbohpjbbldcngcnapndodjp

Oxygen

fhilaheimglignddkjgofkcbgekhenbh

BitApp

fihkakfobkmkjojpchpfgcmhfjnmnfpi

Ronin

fnjhmkhhmkbjkkabndcnnogagogbneec

Harmony

fnnegphlobjdpkhecapkijjdkgcjhkib

XDEFI

hmeobnfnfcmdkdcmlblgagmfpfboieaf

Coinbase

hnfanknocfeofbddgcijnmhnfnkdnaad

Guard

hpglfhgfnhbgpjdenjgmdgoeiappafln

TronLink

ibnejdfjmmkpcnlpebklmnkoeoihofec

Nifty

jbdaocneiiinmjbjlgalhcelgbejmnid

iWallet

kncchdigobghenbbaddojjnnaogfppfj

Liquality

kpfopkelmapcoipemfendmdcghnegimn

Nami

lpfcbjknijpeeillifnkikgncikgfhdo

Atomic

AppData\Roaming\atomic\Local Storage\leveldb

Armory

AppData\Roaming\Armory

Electrum

AppData\Roaming\Electrum\wallets

Ethereum

AppData\Roaming\Ethereum\keystore

Exodus

AppData\Roaming\Exodus\exodus.wallet

Jaxx Liberty

AppData\Roaming\com.liberty.jaxx

Guarda

AppData\Roaming\Guarda\Local Storage\leveldb

 

 

SHA256: 46200951190736e19be7bcc9c0f97316628acce43fcf5b370faa450e74c5921e

Bitcoin

^(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,39}$

USDT-TRON

T[A-Za-z1-9]{33}

Ethereum

^0x[a-fA-F0-9]{40}$

LiteCoin

^([LM3]{1}[a-km-zA-HJ-NP-Z1-9]{26,33}||ltc1[a-z0-9]{39,59})$

XRP

r[0-9a-zA-Z]{24,34}

Doge

D{1}[5-9A-HJ-NP-U]{1}[1-9A-HJ-NP-Za-km-z]{32}

Monero

[48][0-9AB][1-9A-HJ-NP-Za-km-z]{93}

 

 

G DATA Security Lab
Virus-Analyst Team