The rise of generative artificial intelligence platforms such as OpenAI’s ChatGPT and Google Bard has sparked the public’s imagination and captivated audiences worldwide. However, with great power comes great responsibility, as the buzz surrounding these technologies has also caught the attention of cybercriminals. Recently, Veriti security researchers discovered a new malware-as-a-service campaign that leverages the popularity of these AI platforms to distribute a strain of malware known as Redstealer. The Redstealer campaign has demonstrated that the latest AI advancements are not immune to malicious exploitation. It highlights the need for increased cybersecurity measures and awareness to protect against this emerging threat.
OPPORTUNITY MAKES THE THIEF
One of the most concerning risks associated with generative AI platforms is the ability to package the AI in a file (e.g., as mobile applications or as open source). This creates the perfect excuse for malicious actors to trick naïve downloaders. The potential impact of such attacks is significant: hackers could steal confidential data, compromise financial accounts, or disrupt critical infrastructure. Moreover, these attacks are becoming more sophisticated, making detecting and preventing them harder.

To address this issue, it is crucial to understand hackers’ methods to lure users into downloading and opening these files. Some common techniques include phishing emails, social engineering, and fake download links. Once the user is tricked into downloading the file, the malware can silently install itself on the system, giving the attacker access to sensitive information.
This research paper explores the current active campaigns and the implications of this malicious trend. Specifically, we have analyzed the potential impact of such attacks; The methods hackers use to lure users into downloading and opening these files, and the possible strategies to mitigate these risks.
Malware-as-a-Service
RedLine Stealer is a type of Malware-as-a-Service (MaaS) that cybercriminals can use to steal data from compromised devices. This type of service allows even individuals with limited technical knowledge to launch sophisticated cyber attacks.
The MaaS ecosystem operates through online forums that act as marketplaces for hackers to advertise their malware and stolen data. These forums offer a range of services, including access to malware, stolen data, and even hacking tools. In some cases, the forum administrators act as intermediaries between buyers and sellers, earning a percentage of the profits.

After purchasing and deploying the malware, customers sell the stolen data in dark web forums to cybercriminals specializing in online fraud, enabling them to focus on their illicit business model. Malicious actors increasingly use the Telegram messaging app to purchase and deploy RedLine Stealer malware. It provides greater anonymity and encryption for their activities.

What is RedLine Stealer
RedLine Stealer is a type of malware that can be purchased on underground forums. It is designed to steal sensitive information from web browsers, including credit card details, saved credentials, and autocomplete data. In addition, it can take an inventory of the target machine, gathering information on the user, location, hardware, and installed security software. The malware can upload and download files, execute commands, and send back information about the infected computer at regular intervals.
Malware used in the attacks is available on the dark web for $100 to $150. It’s sold through a one-time purchase or a monthly subscription. This makes it difficult to identify the group or person behind the attacks.

After purchasing and deploying the malware, hackers sell the stolen data in dark web forums to other hackers specializing in online fraud, enabling them to focus on their illicit business model. They mainly use the Telegram messaging app to purchase and spread RedLine Stealer malware, as it provides greater anonymity and encryption for their activities.
Modus Operandi – Facebook
After purchasing the RedLine Stealer, the hackers needed to find a way to lure victims into downloading and executing it. Their modus operandi involves stealing the credentials of Facebook business or community accounts with thousands of followers. Using these pages, the malicious actors spread sponsored posts promoting free downloads of ‘alleged’ ChatGPT or Google Bard-related files.
These posts are designed to appear legitimate, using the buzz around openAI language models to trick unsuspecting users into downloading the files. However, once the user downloads and extracts the file, the RedLine Stealer malware is activated and can steal passwords and download further malware onto the user’s device. This method of attack has proven to be particularly effective in spreading malware and gaining access to sensitive information, as dozens of Facebook business accounts have already been hijacked for these purposes.

Attacks In Action
By taking control of legitimate business pages, attackers can gain the trust of the page’s followers and use that trust to distribute malware disguised as legitimate software.
The following examples show how attackers have taken advantage of this workflow to spread the RedLine Stealer malware through Facebook.



PROTECT YOUR ORGANIZATION
Protecting your organization from malware-as-a-service campaigns such as Redstealer requires a comprehensive approach to cybersecurity. Educating employees on the risks of downloading and opening files from unknown sources is crucial. Employee training and awareness should be coupled with robust security configurations that complement an organization’s cybersecurity protections.
One of the first steps organizations can take is to limit the download of executables and enforce strict policies that require sandboxing every executable before downloading it. This can significantly reduce the risk of malicious files infecting a system. Additionally, disabling data exfiltration can prevent attackers from stealing sensitive information, while enabling anti-malware can detect and remove malicious files before they can cause any damage.
However, it is important to note that these measures should complement an organization’s existing cybersecurity protections, such as firewalls, intrusion detection and prevention systems, and regular security updates. Organizations can significantly reduce the likelihood of a successful attack by implementing these best practices and educating employees on the risks.