Kaspersky has discovered how cybercriminals are using a fake ChatGPT application to deploy a backdoor and spread malware. The cybersecurity solutions provider also noted that the attackers have shifted their targets from Asia (2022) to Saudi Arabia (2024).

According to Kaspersky, the malicious campaign involves the PipeMagic Trojan, a plugin-based trojan that operates as a gateway to launch attacks and penetrate corporate networks.

“Cybercriminals are constantly evolving their strategies to reach more prolific victims and broaden their presence, as demonstrated by the PipeMagic Trojan’s recent expansion from Asia to Saudi Arabia,” said Sergey Lozhkin, a security researcher at Kaspersky’s GReAT, in a media advisory. “Given its capabilities, we expect to see an increase in attacks leveraging this backdoor.”

One of the unique features of PipeMagic is that it generates a 16-byte random array to create a named pipe in the format `\\.\pipe\1.<hex string>`. It spawns a thread that continuously creates this pipe, reads data from it, and then destroys it. This pipe is used to receive encoded payloads and stop signals via the default local interface. PipeMagic usually operates with multiple plugins downloaded from a command-and-control (C2) server, which, in this case, was hosted on Microsoft Azure.
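As an added illustration (not part of the article or Kaspersky's report), the following Python routine shows how a defender could key a detection on the pipe-naming pattern described above, run over constructed Sysmon-style pipe events. It assumes the 16 random bytes are hex-encoded into 32 characters and that Sysmon's `PipeName` field omits the `\\.\pipe` prefix.

```python
import re
from collections import Counter

# Sysmon Event IDs for named-pipe telemetry.
PIPE_CREATED = 17
PIPE_CONNECTED = 18

# Assumption: the 16 random bytes are hex-encoded, giving 32 hex digits after
# the "1." prefix. Sysmon records PipeName without the "\\.\pipe" prefix.
PIPEMAGIC_PIPE_RE = re.compile(r"^\\1\.[0-9a-f]{32}$", re.IGNORECASE)

# Constructed sample events (not real telemetry), reduced to the fields a rule keys on.
SAMPLE_EVENTS = [
    {"EventID": PIPE_CREATED, "Image": r"C:\Users\u\Downloads\chatgpt.exe",
     "PipeName": r"\1.0f4a9b2c1d3e4f5a6b7c8d9e0f1a2b3c"},
    {"EventID": PIPE_CREATED, "Image": r"C:\Windows\System32\svchost.exe",
     "PipeName": r"\ntsvcs"},
    {"EventID": PIPE_CONNECTED, "Image": r"C:\Users\u\Downloads\chatgpt.exe",
     "PipeName": r"\1.0f4a9b2c1d3e4f5a6b7c8d9e0f1a2b3c"},
    # The backdoor's thread re-creates the same pipe after destroying it.
    {"EventID": PIPE_CREATED, "Image": r"C:\Users\u\Downloads\chatgpt.exe",
     "PipeName": r"\1.0f4a9b2c1d3e4f5a6b7c8d9e0f1a2b3c"},
    {"EventID": PIPE_CREATED, "Image": r"C:\Program Files\App\app.exe",
     "PipeName": r"\1.notahexstring"},
]


def matches_pipemagic_name(pipe_name: str) -> bool:
    """True if the pipe name follows PipeMagic's "1.<hex string>" format."""
    return PIPEMAGIC_PIPE_RE.match(pipe_name) is not None


def detect_pipemagic(events, min_creates: int = 2) -> dict:
    """Return {image: create_count} for processes that create a PipeMagic-style
    pipe at least min_creates times. The create/read/destroy loop Kaspersky
    describes means one process keeps emitting Pipe Created events for the
    same name, so a count threshold cuts noise from one-off matches."""
    creates = Counter()
    for ev in events:
        if ev["EventID"] == PIPE_CREATED and matches_pipemagic_name(ev["PipeName"]):
            creates[ev["Image"]] += 1
    return {image: n for image, n in creates.items() if n >= min_creates}


if __name__ == "__main__":
    for image, n in detect_pipemagic(SAMPLE_EVENTS).items():
        print(f"suspect: {image} created a PipeMagic-style pipe {n} times")
```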

Kaspersky explained how the fake ChatGPT application was built using the Rust programming language and operated in stages.

“At first glance, it appears legitimate, containing several common Rust libraries used in many other Rust-based applications,” the company said. “However, when executed, the application displays a blank screen with no visible interface and hides a 105,615-byte array of encrypted data, which is the malicious payload.”

Once deployed, the malware locates the key Windows API functions it needs by resolving their memory offsets with a name-hashing algorithm.

“It then allocates memory, loads the PipeMagic backdoor, adjusts the necessary settings, and executes the malware,” Kaspersky explained.

By Marlet Salazar

Marlet Salazar is a technology writer focusing on cybersecurity. In 2018, driven by her passion for the tech industry, she founded Back End News through bootstrapped funding. She honed her writing skills at the Philippine Daily Inquirer, rising from proofreader to desk editor through the years.
