Cybercriminals are posting what appear to be legitimate sponsored ads on hijacked Facebook business and community pages. The ads promise free downloads of AI chatbots such as ChatGPT and Google Bard. Instead, researchers found, users download the well-known information-stealing malware RedLine Stealer.
RedLine Stealer is a Malware-as-a-Service (MaaS) platform sold through online hacker forums. It targets browsers and collects various data stored by users, such as credentials and payment card details, and it also takes an inventory of the infected system so attackers can assess the attack surface for further attacks. It can also perform malicious functions beyond information stealing, such as uploading and downloading files and executing commands. According to Veriti researchers, this gives attackers a variety of options to carry out different cyberattacks, even with limited sophistication.
They discovered the most recent campaign in January, according to a report published on April 11th, and tracked it to a peak in March. It aims to capitalize on the growing popularity of emerging AI platforms.
“These posts are designed to appear legitimate by using a topic about the OpenAI language model to trick unsuspecting users into downloading files,” the Veriti researchers wrote. “However, once a user downloads and extracts the file, the RedLine Stealer malware can be activated, steal passwords, and even download malware to the user’s device.”
Commodity malware is an attractive choice for this campaign: at only $100-$150 to purchase on the dark web, it lets attackers obtain a significant return on investment (ROI) for their cybercriminal activities, the researchers say.
“Additionally, by exploiting Facebook business accounts and exposed passwords, attackers could target a large number of users and gain access to sensitive information at a relatively low cost,” the Veriti research team told Dark Reading.
The Danger of Trojanized AI Apps
Shortly after ChatGPT, an AI-based chatbot, debuted in November, there was a lot of talk about the various ways attackers could abuse it for malicious purposes. While some believe the threat is overrated, the RedLine campaign could be a sign of a more relevant attack on the horizon.
Rather than leveraging the AI-based capabilities of the chatbot itself, the attackers here take advantage of recent developments in the ability to package AI in various formats, which opens the door to trojanized downloads.
“One of the most concerning risks associated with generative AI platforms is the ability to package AI into files (such as mobile applications and open source). It creates the perfect excuse,” the researchers explained.
In this case, the attackers packaged RedLine Stealer into a downloadable file presented as OpenAI’s chatbot or Google Bard; the posts trick unsuspecting users into clicking and then downloading the malware instead of the promised AI app, the researchers said.
“The potential impact of such an attack is significant as hackers can steal sensitive data, compromise financial accounts, and destroy critical infrastructure,” they wrote in the report. “Additionally, these attacks are becoming increasingly sophisticated, making them harder to detect and defend against.”
Researchers say that dozens of Facebook business accounts in at least 10 countries have already been hijacked to distribute RedLine Stealer through malicious posts. According to the report, the country where attackers reach the most Facebook users is Greece, followed by India, the United States, Mexico and Bangladesh.
However, according to the report, the majority of the campaign’s “top attacks” (77%) occurred in the United States. The second highest share is Canada at 9%, followed by Mexico (6%), India (4%) and Portugal (2%).
Protect your enterprise from malicious downloads
Veriti recommends a “holistic approach to cybersecurity” that includes educating employees about the risks of downloading and opening files from unknown sources onto corporate desktops.
One of the first steps organizations can take is to enforce strict policies that restrict executable file downloads and require sandboxing of all executable files before downloading, the researchers said. “This greatly reduces the risk of malicious files infecting your system,” they told Dark Reading.
Additionally, blocking data exfiltration can prevent attackers from stealing sensitive information, while enabling anti-malware can detect and remove malicious files before they can do damage, the researchers said.
However, the researchers noted that educating employees and setting policies for files downloaded from the Internet needs to complement “an organization’s existing security measures, such as firewalls, intrusion detection and prevention systems, and regular security updates.”
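As an added illustration of the download-control policy the researchers describe (restricting executable downloads and sandboxing archives before they are released to users), the following Python script is example code written for this article, not Veriti's tooling. It identifies a download by its magic bytes rather than its file name, unpacks zip archives to look for executables or scripts hidden inside (the campaign relies on the user downloading and extracting an archive), and returns an allow/sandbox/block verdict. The file names, the fake PE payload and the sample archives are constructed for the demonstration and are not real malware.

```python
import io
import zipfile
from dataclasses import dataclass, field

# Leading bytes of formats a download-control policy commonly blocks or sandboxes.
MAGIC = {
    b"MZ": "pe",            # Windows PE executable (.exe/.dll/.scr), whatever the extension says
    b"\x7fELF": "elf",      # Linux executable
    b"PK\x03\x04": "zip",   # zip archive (also .docx/.jar, hence "sandbox", not "block")
    b"Rar!\x1a\x07": "rar", # rar archive
}
EXEC_TYPES = {"pe", "elf"}
EXEC_EXTS = {"exe", "dll", "scr", "elf", "bin"}
SCRIPT_EXT = (".js", ".vbs", ".ps1", ".bat", ".cmd", ".lnk")


@dataclass
class Verdict:
    action: str                  # "allow", "sandbox" or "block"
    reasons: list = field(default_factory=list)


def sniff(data: bytes) -> str:
    """Classify content by magic bytes, ignoring the file name entirely."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "other"


def inspect_zip(data: bytes, depth: int = 0, max_depth: int = 2) -> list:
    """Return findings for executables or scripts inside an archive, recursing into nested zips."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = zf.read(info.filename)
                kind = sniff(member)
                if kind in EXEC_TYPES:
                    findings.append(f"archive member {info.filename!r} is a {kind} executable")
                elif info.filename.lower().endswith(SCRIPT_EXT):
                    findings.append(f"archive member {info.filename!r} is a script or shortcut")
                elif kind == "zip" and depth < max_depth:
                    findings.extend(inspect_zip(member, depth + 1, max_depth))
    except zipfile.BadZipFile:
        findings.append("archive is corrupt or not a real zip")
    return findings


def evaluate_download(filename: str, data: bytes) -> Verdict:
    """Apply the policy: block executables and scripts, sandbox archives, allow the rest."""
    kind = sniff(data)
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    reasons = []
    if kind in EXEC_TYPES:
        if ext not in EXEC_EXTS:
            # A PE file named .pdf or .zip is a disguise attempt, worth recording for the SOC.
            reasons.append(f"{kind} executable disguised with .{ext or '(none)'} extension")
        reasons.append("direct executable download")
        return Verdict("block", reasons)
    if kind == "zip":
        findings = inspect_zip(data)
        if findings:
            return Verdict("block", findings)
        return Verdict("sandbox", ["archive: detonate in a sandbox before release"])
    if kind == "rar":
        return Verdict("sandbox", ["rar archive: detonate in a sandbox before release"])
    if filename.lower().endswith(SCRIPT_EXT):
        return Verdict("block", ["script or shortcut file"])
    return Verdict("allow", reasons)


def make_zip(members: dict) -> bytes:
    """Build an in-memory zip from {name: bytes}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_lure_sample() -> bytes:
    """Constructed sample: an archive named like the lure, holding a fake PE stub (not real malware)."""
    fake_pe = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 100
    return make_zip({
        "ChatGPT_Setup.pdf.exe": fake_pe,   # double-extension trick
        "README.txt": b"Install the free ChatGPT desktop app",
    })


def build_clean_sample() -> bytes:
    """Constructed sample: an archive with nothing executable inside."""
    return make_zip({"notes.txt": b"meeting notes"})


if __name__ == "__main__":
    for name, blob in [("ChatGPT-Desktop.zip", build_lure_sample()),
                       ("reports.zip", build_clean_sample()),
                       ("Bard_free.pdf", b"MZ" + b"\x00" * 100),
                       ("memo.txt", b"plain text")]:
        v = evaluate_download(name, blob)
        print(f"{name}: {v.action} {v.reasons}")
```

The point of sniffing content rather than trusting the name is that a lure such as `ChatGPT_Setup.pdf.exe` (or a PE renamed to `.pdf`) still carries the `MZ` header; the nested-zip recursion covers the common trick of wrapping the payload in a second archive. In a real deployment the "sandbox" verdict would hand the file to a detonation service and the "block" verdict would raise an alert, which is where the anti-malware and exfiltration controls the researchers mention take over.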
“Organizations can greatly reduce the likelihood of a successful attack by implementing these best practices and educating employees about the risks,” the team added.