ChatGPT’s Evil Twin: Trojan malware spreading on Facebook

"Do not trust the horse, Trojans! Whatever it is, I fear the Danaans [Greeks], even those bearing gifts."

Be Warned

The following article discusses malware that can and will infect your machine if you execute it.

Don’t get pwned.

TL;DR

There is no official downloadable version of ChatGPT; anything that presents itself as ChatGPT "software", a "program" or an "application" should be treated as malware.

Ground Zero

Compromised Facebook accounts are masquerading as official ChatGPT accounts. Common features of these accounts are the use of ChatGPT’s logo and name, either in their original form or with some modification.

Account banners feature logos and tech buzzwords to lure in victims.

Distribution

This time the threat actors appear to have settled on a single delivery channel: Trello, a project-management platform, hosts the download link.

The link serves a .rar archive. The archive names vary, but all of them are some variation of ChatGPT's name.

Infection

The downloaded payload is a .rar archive that extracts to a single .msi (Windows Installer) package.

The .msi package gives the attacker initial access, execution, persistence and privilege escalation on the victim's machine.

Diving Deeper

I uploaded the .msi file to VirusTotal. Its relations graph, which shows the files bundled in the package and the files dropped during sandbox detonation, reveals six more malicious files.

Most notably, the bundled .cab file is flagged as a Trojan by 20 detection engines.

In addition, the .msi package drops 4 executable files that perform:

  • System discovery
  • Remote command execution
  • Defense evasion
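The VirusTotal graph above is one way to see what the package carries and what it drops; the same information can be read straight from the .msi on an analysis VM without running the installer. The following PowerShell script is an added example, not code from the article: it opens the package read-only through the Windows Installer COM object (which reads the database tables and runs no custom actions), prints its SHA-256 for a VirusTotal lookup, lists the embedded cabinet, the Binary and File tables, and decodes the CustomAction table, whose NoImpersonate flag is where an installer gets to run payloads as LocalSystem. The sample path is a placeholder; nothing here is specific to the actual sample.

```powershell
<#
Added example, not code from the article or its author. Static triage of a
suspicious .msi without executing it: the Windows Installer COM object opens
the package as a read-only database, so tables are read but no custom action
runs. Do this inside an isolated analysis VM anyway. $MsiPath is a placeholder.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$MsiPath
)

$MsiPath = (Resolve-Path -LiteralPath $MsiPath).Path

# Hash first so the sample can be looked up on VirusTotal without uploading it.
'SHA256: ' + (Get-FileHash -Algorithm SHA256 -LiteralPath $MsiPath).Hash

$installer = New-Object -ComObject WindowsInstaller.Installer
# 0 = msiOpenDatabaseModeReadOnly
$db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null,
                                        $installer, @($MsiPath, 0))

# Run one MSI SQL query; each row comes back as an object holding its cells.
function Invoke-MsiQuery {
    param([object]$Database, [string]$Query, [int]$Columns)
    $view = $Database.GetType().InvokeMember('OpenView', 'InvokeMethod', $null,
                                             $Database, @($Query))
    $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null) | Out-Null
    while ($true) {
        $rec = $view.GetType().InvokeMember('Fetch', 'InvokeMethod', $null, $view, $null)
        if ($null -eq $rec) { break }
        $cells = @(1..$Columns | ForEach-Object {
            $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, @($_))
        })
        [pscustomobject]@{ Cells = $cells }
    }
    $view.GetType().InvokeMember('Close', 'InvokeMethod', $null, $view, $null) | Out-Null
}

# CustomAction.Type: low 6 bits say what runs, the high bits say how it runs.
$BaseTypes = @{
    1 = 'DLL from Binary table'; 2 = 'EXE from Binary table'
    5 = 'JScript from Binary table'; 6 = 'VBScript from Binary table'
    17 = 'DLL from installed file'; 18 = 'EXE from installed file'
    19 = 'Error message'; 21 = 'JScript from installed file'; 22 = 'VBScript from installed file'
    34 = 'EXE by full path (Target = command line)'; 35 = 'Set directory'
    37 = 'Inline JScript'; 38 = 'Inline VBScript'
    50 = 'EXE from property'; 51 = 'Set property'
    53 = 'JScript from property'; 54 = 'VBScript from property'
}
function Get-CustomActionTypeDescription([int]$Type) {
    $base = $Type -band 0x3F
    $desc = if ($BaseTypes.ContainsKey($base)) { $BaseTypes[$base] } else { "base type $base" }
    if ($Type -band 0x400) { $desc += ', deferred (runs from the install script)' }
    if ($Type -band 0x800) { $desc += ', NoImpersonate (runs as LocalSystem)' }  # the privilege-escalation path
    if ($Type -band 0x40)  { $desc += ', return code ignored' }
    if ($Type -band 0x80)  { $desc += ', asynchronous' }
    $desc
}

# Each query stands alone: a table may be absent, which OpenView reports as an error.
$queries = @(
    @{ Title = 'Media (cabinet names starting with # are embedded streams)'
       Query = 'SELECT `DiskId`, `Cabinet` FROM `Media`'; Columns = 2 }
    @{ Title = 'Binary table (payloads carried inside the MSI)'
       Query = 'SELECT `Name` FROM `Binary`'; Columns = 1 }
    @{ Title = 'File table (files written to disk on install)'
       Query = 'SELECT `File`, `FileName`, `FileSize` FROM `File`'; Columns = 3 }
    @{ Title = 'CustomAction table (code the installer will execute)'
       Query = 'SELECT `Action`, `Type`, `Source`, `Target` FROM `CustomAction`'; Columns = 4 }
)
foreach ($q in $queries) {
    "`n== $($q.Title) =="
    try {
        foreach ($row in Invoke-MsiQuery -Database $db -Query $q.Query -Columns $q.Columns) {
            $c = $row.Cells
            if ($q.Columns -eq 4) {
                '{0,-30} {1,-6} {2} -> {3}  [{4}]' -f $c[0], $c[1], $c[2], $c[3],
                    (Get-CustomActionTypeDescription ([int]$c[1]))
            } else {
                $c -join '  |  '
            }
        }
    } catch {
        "  (table not present or unreadable: $($_.Exception.Message))"
    }
}
```

Usage: `.\Get-MsiTriage.ps1 -MsiPath C:\triage\sample.msi` (file name hypothetical). A cabinet listed as `#name` in the Media table is the embedded .cab the article's VirusTotal graph shows; 7-Zip can open the .msi as a compound file and pull that stream out without invoking msiexec, which is preferable to an administrative install because even `msiexec /a` processes the AdminExecuteSequence table.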

The Cycle

Detection with YARA Rules

The .msi file matches the following YARA rules, provided by VirusTotal and by ditekshen on GitHub:

By incorporating these rules into your detection tooling, you may be able to identify and block attempts to distribute the trojan.
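The rules the sample matched are VirusTotal's and ditekshen's, not reproduced here. As an added example of what a hunting rule for this lure looks like, written for this page and not one of those rules, the PowerShell script below writes a constructed YARA rule that keys on the three things the article establishes (a Windows Installer package, an embedded cabinet and ChatGPT branding) and scans a sample with the yara command-line tool. It assumes yara64.exe is on PATH; the paths are placeholders, and the rule is a triage rule to be tuned before it is used to block anything.

```powershell
<#
Added example, not one of the rules the article refers to. A hunting rule for
ChatGPT-themed MSI droppers built only from what the article describes: an MSI
(OLE compound file) that carries an embedded cabinet and ChatGPT branding.
Assumes the yara CLI (yara64.exe) is on PATH. Paths are placeholders.
#>
param(
    [Parameter(Mandatory = $true)] [string]$SamplePath,
    [string]$RulePath = "$env:TEMP\chatgpt_msi_dropper.yar"
)

$rule = @'
rule Suspicious_ChatGPT_MSI_Dropper
{
    meta:
        description = "MSI package with ChatGPT branding and an embedded cabinet"
        reference   = "hunting rule, constructed for illustration"
    strings:
        $cab    = "MSCF"                  // header of the embedded .cab
        $name_a = "ChatGPT" ascii nocase
        $name_w = "ChatGPT" wide nocase
        $openai = "OpenAI" ascii wide nocase
    condition:
        // OLE compound-file magic at offset 0 (what an .msi is)
        uint32be(0) == 0xD0CF11E0 and uint32be(4) == 0xA1B11AE1
        and $cab
        and ($name_a or $name_w or $openai)
        and filesize < 50MB
}
'@
Set-Content -LiteralPath $RulePath -Value $rule -Encoding ascii

# -s prints the matching strings and their offsets, which speeds up manual review.
& yara64.exe -s $RulePath $SamplePath
if ($LASTEXITCODE -eq 0) { 'scan completed (matches, if any, are listed above)' }
else { "yara exited with code $LASTEXITCODE" }
```

Usage: `.\Scan-MsiSample.ps1 -SamplePath C:\triage\sample.msi`. The rule deliberately does not require the string "ChatGPT" in the file name, since the article notes the archive names vary; branding inside the package is the more stable indicator. Legitimate installers that mention OpenAI will also match, which is why this is a hunting rule rather than a blocking one.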
