From ChatGPT to RedLine Stealer: The Dark Side of OpenAI and Google Bard 

The rise of generative artificial intelligence platforms such as OpenAI’s ChatGPT and Google Bard has sparked the public’s imagination and captivated audiences worldwide. However, with great power comes great responsibility, as the buzz surrounding these technologies has also caught the attention of cybercriminals. Recently, Veriti security researchers discovered a new malware-as-a-service campaign that leverages the popularity of these AI platforms to distribute a strain of malware known as Redstealer. The Redstealer campaign has demonstrated that the latest AI advancements are not immune to malicious exploitation. It highlights the need for increased cybersecurity measures and awareness to protect against this emerging threat. 

OPPORTUNITY MAKES THE THIEF 

One of the most concerning risks associated with generative AI platforms is that the AI can be packaged in a downloadable file (e.g., as a mobile application or as an open-source bundle). This creates the perfect pretext for malicious actors to trick naïve downloaders. The potential impact of such attacks is significant: hackers could steal confidential data, compromise financial accounts, or disrupt critical infrastructure. Moreover, these attacks are becoming more sophisticated, making them harder to detect and prevent.

Figure 1:  Geo Spread and Timeline of the OpenAI Malware Campaign 

To address this issue, it is crucial to understand hackers’ methods to lure users into downloading and opening these files. Some common techniques include phishing emails, social engineering, and fake download links. Once the user is tricked into downloading the file, the malware can silently install itself on the system, giving the attacker access to sensitive information. 

This research paper explores the currently active campaigns and the implications of this malicious trend. Specifically, we have analyzed the potential impact of such attacks, the methods hackers use to lure users into downloading and opening these files, and the possible strategies to mitigate these risks.

Malware-as-a-Service

RedLine Stealer is a type of Malware-as-a-Service (MaaS) that cybercriminals can use to steal data from compromised devices. This type of service allows even individuals with limited technical knowledge to launch sophisticated cyber attacks. 

The MaaS ecosystem operates through online forums that act as marketplaces for hackers to advertise their malware and stolen data. These forums offer a range of services, including access to malware, stolen data, and even hacking tools. In some cases, the forum administrators act as intermediaries between buyers and sellers, earning a percentage of the profits. 

Figure 2:  Screenshot of the RedLine Stealer malware ad used for the OpenAI campaign on a dark web marketplace

After purchasing and deploying the malware, customers sell the stolen data in dark web forums to cybercriminals specializing in online fraud, enabling them to focus on their illicit business model. Malicious actors increasingly use the Telegram messaging app to purchase and deploy RedLine Stealer malware. It provides greater anonymity and encryption for their activities. 

What is RedLine Stealer

RedLine Stealer is a type of malware that can be purchased on underground forums. It is designed to steal sensitive information from web browsers, including credit card details, saved credentials, and autocomplete data. In addition, it can take an inventory of the target machine, gathering information on the user, location, hardware, and installed security software. The malware can upload and download files, execute commands, and send back information about the infected computer at regular intervals.
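The check-in behaviour described above (the infected machine reporting back "at regular intervals") is something a defender can hunt for in outbound proxy or firewall logs. The following script is an added example, not Veriti's tooling or anything from the campaign itself: it groups connections by source and destination and flags pairs whose gaps between connections are nearly constant. The log lines, IP addresses and hostnames are constructed for the demo and are not indicators from the post.

```python
"""Added example (not from the Veriti post): flag source/destination pairs whose
outbound connections recur at near-constant intervals, the "regular intervals"
check-in pattern described for the stealer. All log data below is constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <src_ip> <dst_host> <bytes_out>".
# 10.0.0.5 talks to 203.0.113.9 every ~5 minutes; the other traffic is one-off.
SAMPLE_LOG = """\
2023-04-10T09:00:00 10.0.0.5 updates.example-vendor.test 412
2023-04-10T09:00:07 10.0.0.5 203.0.113.9 1280
2023-04-10T09:01:32 10.0.0.7 cdn.example-vendor.test 950
2023-04-10T09:05:07 10.0.0.5 203.0.113.9 1301
2023-04-10T09:10:08 10.0.0.5 203.0.113.9 1275
2023-04-10T09:12:40 10.0.0.7 mail.example-vendor.test 2210
2023-04-10T09:15:07 10.0.0.5 203.0.113.9 1290
2023-04-10T09:20:06 10.0.0.5 203.0.113.9 1288
"""


def parse_log(text):
    """Group connection timestamps by (source IP, destination)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _bytes_out = line.split()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events


def find_periodic_beacons(text, min_events=4, max_jitter=0.1):
    """Return {(src, dst): period_seconds} for pairs seen at least min_events
    times whose inter-connection gaps vary by at most max_jitter
    (standard deviation divided by mean gap)."""
    hits = {}
    for pair, stamps in parse_log(text).items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[pair] = round(avg)
    return hits


if __name__ == "__main__":
    for (src, dst), period in find_periodic_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: beacon every ~{period}s")
```

On the constructed log this reports a single pair, 10.0.0.5 to 203.0.113.9, beaconing roughly every 300 seconds. Legitimate software also polls on a schedule (update checks, telemetry), so in practice the output is a triage list to be enriched with destination reputation and process context, not a verdict on its own.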

Malware used in the attacks is available on the dark web for $100 to $150. It’s sold through a one-time purchase or a monthly subscription. This makes it difficult to identify the group or person behind the attacks.

Figure 3:  The different Malware bundles available to purchase

After purchasing and deploying the malware, hackers sell the stolen data in dark web forums to other hackers specializing in online fraud, enabling them to focus on their illicit business model. They mainly use the Telegram messaging app to purchase and spread RedLine Stealer malware, as it provides greater anonymity and encryption for their activities. 

Modus Operandi – Facebook

After purchasing the RedLine Stealer, the hackers needed to find a way to lure victims into downloading and executing it. Their modus operandi involves stealing the credentials of Facebook business or community accounts with thousands of followers. Using these pages, the malicious actors spread sponsored posts promoting free downloads of ‘alleged’ ChatGPT or Google Bard-related files. 

These posts are designed to appear legitimate, using the buzz around OpenAI language models to trick unsuspecting users into downloading the files. However, once the user downloads and extracts the file, the RedLine Stealer malware is activated and can steal passwords and download further malware onto the user’s device. This method of attack has proven particularly effective in spreading malware and gaining access to sensitive information, as dozens of Facebook business accounts have already been hijacked for these purposes.
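Because the infection happens when the user extracts and runs what the archive contains, a download gateway or mail filter can look inside the archive before it reaches the user. The script below is an added example written for this post, not a Veriti product or any artefact from the campaign: it builds a sample archive in memory (a "ChatGPT" bundle with a decoy text file and a payload using a double extension) and flags members that carry executable extensions, hide an executable behind a document extension, use an AI-branded name on an executable, or start with the Windows PE magic bytes. File names and contents are constructed; the keyword list is an assumption a deployment would tune.

```python
"""Added example (not Veriti's tooling): inspect a downloaded archive before it is
extracted and flag entries that look like an executable hiding behind a lure name.
The archive, its file names and its contents are constructed for this demo."""
import io
import zipfile

# Assumed policy lists; a real deployment would tune these.
EXEC_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".msi", ".dll"}
DECOY_EXTENSIONS = {".pdf", ".txt", ".docx", ".png", ".jpg"}
LURE_KEYWORDS = ("chatgpt", "openai", "bard")


def build_sample_archive():
    """Constructed sample: a 'ChatGPT' bundle with a harmless readme and a
    PE-looking blob (just the 'MZ' magic plus padding) using a double extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ChatGPT_Desktop/README.txt", "Install instructions\n")
        zf.writestr("ChatGPT_Desktop/ChatGPT_Setup.pdf.exe", b"MZ" + b"\x00" * 64)
    return buf.getvalue()


def suspicious_entries(zip_bytes):
    """Return a list of (member name, reasons) for archive members worth blocking."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            # Split only the basename so directory names do not count as extensions.
            parts = lower.rsplit("/", 1)[-1].split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            is_exec = ext in EXEC_EXTENSIONS
            reasons = []
            if is_exec:
                reasons.append("executable extension")
            if is_exec and len(parts) > 2 and "." + parts[-2] in DECOY_EXTENSIONS:
                reasons.append("double extension")
            if is_exec and any(k in lower for k in LURE_KEYWORDS):
                reasons.append("AI-branded executable")
            # Content check: Windows PE files start with 'MZ'. Nothing is executed.
            if not info.is_dir() and zf.read(name)[:2] == b"MZ":
                reasons.append("PE header")
            if reasons:
                findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in suspicious_entries(build_sample_archive()):
        print(f"BLOCK {name}: {', '.join(reasons)}")
```

On the sample archive only the payload is flagged, with all four reasons; the readme passes. The content check matters because a lure can rename the file freely, but a PE file still has to start with the same two bytes to run.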

Figure 4:  Spread of Hijacked Facebook Business Accounts Used in OpenAI Malware Campaign

Attacks In Action  

By taking control of legitimate business pages, attackers can gain the trust of the page’s followers and use that trust to distribute malware disguised as legitimate software. 

The following examples show how attackers have taken advantage of this workflow to spread the RedLine Stealer malware through Facebook. 

PROTECT YOUR ORGANIZATION 

Protecting your organization from malware-as-a-service campaigns such as Redstealer requires a comprehensive approach to cybersecurity. Educating employees on the risks of downloading and opening files from unknown sources is crucial. Employee training and awareness should be coupled with robust security configurations that complement an organization’s cybersecurity protections. 

One of the first steps organizations can take is to limit the download of executables and enforce strict policies that require sandboxing every executable before downloading it. This can significantly reduce the risk of malicious files infecting a system. Additionally, disabling data exfiltration can prevent attackers from stealing sensitive information, while enabling anti-malware can detect and remove malicious files before they can cause any damage. 

However, it is important to note that these measures should complement an organization’s existing cybersecurity protections, such as firewalls, intrusion detection and prevention systems, and regular security updates. Organizations can significantly reduce the likelihood of a successful attack by implementing these best practices and educating employees on the risks. 
