BatLoader campaign pushes fake ChatGPT downloads
eSentire Threat Response Unit (TRU) experts have discovered an ongoing BatLoader campaign that uses Google Search Ads to drive unwary consumers to fake web pages touting AI-based services such as ChatGPT and Midjourney.
The operation aims to capitalize on the popularity of these AI services, which had no standalone desktop applications until ChatGPT’s iOS app was released recently. Threat actors have exploited that gap by diverting consumers to fake websites that promote counterfeit programs.
To deploy the RedLine Stealer, the attackers used BatLoader disguised as MSIX Windows App Installer packages. Victims who searched for “chatbpt” on Google were routed to a bogus ChatGPT download page located at hxxps://pcmartusa[.]com/gpt/. Unbeknownst to these visitors, clicking the download button on the landing page did not start a download but sent them to a BatLoader payload site, where they were tricked into installing a bogus Windows ChatGPT application.
The researchers observed that the Chat-GPT-x64.msix installer was downloaded from the domain job-lionserver[.]site. Notably, the installer was digitally signed by ASHANA GLOBAL LTD, indicating a deliberate effort to appear legitimate. Furthermore, the final package was created by a Russian speaker using Advanced Installer version 20.2 with a professional license.
When experts examined the package in Advanced Installer, they discovered that, when executed, it would launch both an executable file called ChatGPT.exe and a PowerShell script called Chat.ps1. The installer was also built to use the ChatGPT logo and to target specific Windows desktop versions, from the October 2018 Update (1809) to the October 2022 Update (22H2).
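Because an MSIX package is a ZIP container with an AppxManifest.xml inside, a defender can triage an installer like this without running it: list the executables the manifest declares and flag any script files bundled alongside them. The script below is an added example, not eSentire's or the article's code; it builds a constructed package that mirrors the described layout (the publisher name and file contents are placeholders) and reports what a triage pass would surface.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Default namespace used by the MSIX/AppX manifest schema.
NS = {"m": "http://schemas.microsoft.com/appx/manifest/foundation/windows10"}
# Script types that have no business inside a typical desktop app package.
SCRIPT_SUFFIXES = (".ps1", ".bat", ".cmd", ".vbs", ".js")


def build_sample_msix() -> bytes:
    """Constructed stand-in for the package described above (not the real sample)."""
    manifest = """<?xml version="1.0" encoding="utf-8"?>
<Package xmlns="http://schemas.microsoft.com/appx/manifest/foundation/windows10">
  <Identity Name="ChatGPT" Publisher="CN=PLACEHOLDER-PUBLISHER" Version="1.0.0.0"/>
  <Applications>
    <Application Id="ChatGPT" Executable="ChatGPT.exe"/>
  </Applications>
</Package>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AppxManifest.xml", manifest)
        z.writestr("ChatGPT.exe", b"MZ placeholder, not a real binary")
        z.writestr("Chat.ps1", "# placeholder script body\n")
        z.writestr("Assets/logo.png", b"")
    return buf.getvalue()


def triage_msix(data: bytes) -> dict:
    """Return the manifest publisher, declared app executables and bundled scripts."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        root = ET.fromstring(z.read("AppxManifest.xml"))
    identity = root.find("m:Identity", NS)
    executables = [a.get("Executable")
                   for a in root.findall("m:Applications/m:Application", NS)]
    scripts = [n for n in names if n.lower().endswith(SCRIPT_SUFFIXES)]
    return {
        "publisher": identity.get("Publisher") if identity is not None else None,
        "executables": executables,
        "scripts": scripts,
        # A script shipped next to the declared executable is worth a closer look.
        "suspicious": bool(scripts),
    }


if __name__ == "__main__":
    print(triage_msix(build_sample_msix()))
```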
The Windows App Installer wizard starts the installation process when the installer file is executed. Instead of installing a legitimate program, the installer downloads and runs the RedLine Stealer from a remote server. This deceptive strategy aims to convince users that they have successfully installed a real ChatGPT program: as part of the hoax, a popup window with the actual ChatGPT web page embedded in a browser window is displayed.
The full functionality of the executable has not yet been established.
The sources for this piece include an article in InfoSecurityMagazine.