Researcher: Bablu Kumar
ChatGPT has gained significant attention lately, and for good reasons. Its potential benefits and ability to enhance work efficiency and effectiveness have piqued the interest of individuals across various sectors. Unfortunately, this heightened interest has also attracted the attention of threat actors who seek to exploit the hype and capitalize on the technology's popularity for their gain.
CloudSEK has recently released a research paper that sheds light on the nefarious tactics employed by threat actors to hijack existing YouTube accounts. These tactics include leveraging previously compromised data, phishing techniques, and the use of stealer logs. This blog reveals that threat actors may have also infiltrated Facebook accounts and pages using the same methods. These compromised accounts and pages are being used to distribute malware through various channels, such as Trello boards, Google Drive, and various individual websites, that are embedded in Facebook ads.
The ads are designed in such a way that they appear legitimate, containing all the necessary details to appear convincing to unsuspecting users. The download link is accompanied by a password to lend further credibility to the scam. Furthermore, compromised accounts can also result in the theft of personally identifiable information (PII) and sensitive details such as payment information, etc. Semrush, SMIT, Evoto, and OBS Studio are a few other websites targeted in a similar manner.
Facebook is among the world's largest social networking platforms, with over 2.96 billion monthly active users. In our recent research, it has come to light that several potentially high-follower Facebook pages have been compromised and hijacked to spread malware at an unprecedented pace. It can be understood using this simple illustration.
After taking over a Facebook account or page, the threat actors modify the profile information to make it appear as if it is an authentic ChatGPT page. This involves using the username "ChatGPT OpenAI" and setting the ChatGPT image as the profile picture. These accounts are then used to run Facebook ads offering links to the “latest version of ChatGPT, GPT- V4” which, when downloaded, deploys a stealer malware into the victim’s device. (For more information please refer to the Appendix section)
Information from OSINT
The circulated malware is capable of stealing sensitive information from the user’s device, including but not limited to PII, system information, credit card details, etc. The malware also has replication capabilities, which makes it easier to spread across systems through the means of removable media.
Additionally, the malware can escalate privileges and has persistent mechanisms that enable it to remain on the system and gain further leverage. Upon running the malware through VirusTotal it was found to be flagged “malicious” by 9 out of 61 security vendors.
Analysis of the Compromised Facebook Accounts
Our investigation has revealed the presence of 13 Facebook pages/accounts (totaling over 500K followers) that have been compromised and are being used to disseminate the malware via Facebook ads. The oldest instance of such a hijacking, as identified by our researcher, dates back to 13 February 2023 and pertains to a page with over 23K followers. Furthermore, we have observed that the actors also targeted newly created accounts, some of which were as young as 0 days old. (Refer to the complete list of compromised accounts analyzed for more details)
Upon conducting a deeper analysis of the Facebook pages, we observed several noteworthy findings. Despite the original pages catering to diverse nationalities across various countries, a majority of the compromised Facebook accounts were being managed by individuals hailing from Vietnam, the Philippines, Brazil, Pakistan, and Mexico. Threat actors from Vietnam and the Philippines exhibited the highest incidence of compromised accounts among the aforementioned countries.
Another interesting observation arising from our analysis is the repeated use of a specific video (which was originally posted on this YouTuber's channel) to attract and engage the audience across the majority of the compromised accounts. This pattern suggests that this campaign, of deploying malware via Facebook ads, is most likely the activity of a distinct group of threat actors or an individual threat actor.
Hosting Malware on Legitimate Platforms
Our observations have led us to discover that threat actors are resorting to the use of legitimate websites as hosts for malware. Some of the most common platforms that have been exploited in this manner include Google Drive, Trello, and individual websites. This trend is not new but presents a significant challenge to the security community as it is often difficult to dissociate legitimate sites from the malicious content hosted on them.
Information from Trello
A closer look at the Trello cards has yielded an intriguing finding that deserves attention. The status names that are being utilized, such as Cần làm (To do), Đang làm (Doing), and Đã xong (Done), are written in Vietnamese. This observation could provide valuable insights into the origins and motives of the threat actors who are leveraging Trello as a platform for disseminating malware.
The Trello account responsible for the distribution of the malware is registered under the name "Tony." This account has been active since March 15, 2023, with the most recent card update occurring on March 18, 2023. It is noteworthy that most of the Facebook ads in circulation contain a link to this Trello account, suggesting that the threat actors have been using this specific card to disseminate the malware.
(For more information please refer to the Appendix section)
The tables below contain details of the threat actors and the Trello cards used by them to disseminate malware.
Threat Actors Trello Profiles
Malware Distributing Domains
Information from Individual Websites
Our research uncovered at least 25 individual websites that have been engaging in the nefarious practice of impersonating the OpenAI.com website. These malicious sites are duping individuals into downloading and installing harmful software, posing a severe risk to their security and privacy. (For more information please refer to the Appendix section)
Other Websites on Radar
During the course of our investigation, we discovered several counterfeit software applications, advertised alongside the malicious ChatGPT software, on the same Trello cards. These applications may currently be in use for various nefarious purposes, including but not limited to, fraudulent Facebook advertising. The list of targeted software* uncovered by CloudSEK includes the following:
- Semrush: A platform for keyword research and online ranking data.
- SMIT: A social media advertising tool for marketing experts
- Evoto: An AI photo editing software.
- OBS Studio: A free and open-source screencasting and streaming app
- Photo Editors
*Note: All the compromised companies mentioned in the report are legitimate and are not responsible in any way for threat actors imitating or abusing them or their brand name. Additionally, some companies even have a disclaimer that explicitly warns users against sharing credit card details and other sensitive information.
List of Compromised Facebook Accounts Analyzed
References & Attributions
- Threat Actors Abuse AI-Generated Youtube Videos to Spread Stealer Malware | CloudSEK
- Hacker Customizable Semi Flat Illustrations | Pana Style
- 16,190 Users Icons - Free in SVG, PNG, ICO - IconScout
- Icon used in infographic
- Icon used in infographic