Cybercriminals have found a new way to exploit the growing popularity of generative AI technology by using a fake ChatGPT application to spread the PipeMagic Trojan, according to cybersecurity experts.
This development, exposed by Kaspersky’s Global Research and Analysis Team (GReAT), shows the campaign widening: after previously focusing on entities across Asia, the attackers are now targeting organisations in Saudi Arabia.

Kaspersky researchers warn that once installed, the malicious software acts as a backdoor, granting attackers full access to compromised systems and allowing them to extract sensitive data. The Trojan also serves as a gateway for introducing other types of malware across corporate networks.
The PipeMagic backdoor, a type of malware first detected by Kaspersky in 2022, has evolved. While initially found to be attacking entities in Asia, the Trojan is now being deployed via a fake ChatGPT app written in the Rust programming language.
How the fake ChatGPT works
The fake ChatGPT application appears to be a legitimate tool but is actually designed to deceive users. According to Kaspersky experts, the fake application contains several common libraries used in other Rust-based programs, making it harder to distinguish from benign software. When users open the app, they are greeted with a blank screen, while in the background the malware begins its attack using an encrypted payload hidden inside the application, essentially a package of malicious code.
In its second stage, the malware manipulates Windows API functions to gain deeper access into the system. According to Kaspersky, by running a series of commands, the malware loads the PipeMagic backdoor, allowing the attackers to control the infected device remotely.
One of PipeMagic’s distinct features is its use of a “named pipe” for communication. In simpler terms, a named pipe is an operating-system mechanism that lets separate programs on a computer exchange data back and forth. The Trojan generates a 16-byte random array to create a specific named pipe, through which it receives encoded commands and payloads from the attackers. Kaspersky researchers found that these commands are typically sent from a control server hosted on Microsoft Azure.
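Because PipeMagic names its pipe from random bytes, a defender can look for pipe-creation events whose names look machine-generated and whose creating process runs from a user-writable location. The script below is an added example, not code from Kaspersky or the article: it parses constructed, simplified Sysmon “Pipe Created” (Event ID 17) records, and it assumes the random bytes show up as a long hex-like token in the pipe name and that the entropy and length thresholds are reasonable starting points rather than tuned values.

```python
import math
import re
from collections import Counter

# Constructed sample records in a simplified one-line form of Sysmon
# Event ID 17 (Pipe Created) / 18 (Pipe Connected). Not real telemetry.
SAMPLE_EVENTS = [
    "EventID=17 Image=C:\\Windows\\System32\\svchost.exe PipeName=\\ntsvcs",
    "EventID=17 Image=C:\\Users\\alice\\Downloads\\ChatGPT.exe "
    "PipeName=\\1.9f3b7c2e4a1d8b6f0c5e2a7d9b4f1e3c",
    "EventID=17 Image=C:\\Program Files\\App\\app.exe PipeName=\\app_ipc_main",
    "EventID=18 Image=C:\\Windows\\explorer.exe PipeName=\\lsass",
]

PIPE_EVENT = re.compile(
    r"EventID=(?P<id>\d+) Image=(?P<image>.+?) PipeName=(?P<pipe>\S+)$"
)

# Assumed list of locations from which a legitimate service would rarely run.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\")


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for an empty or constant string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def is_suspicious_pipe(pipe_name, image, min_len=24, min_entropy=3.5):
    """Heuristic: longest alphanumeric token in the pipe's leaf name is long and
    high-entropy (as a hex-encoded 16-byte value would be) AND the creating
    process lives in a user-writable path. Thresholds are assumptions."""
    leaf = pipe_name.rsplit("\\", 1)[-1]
    token = max(re.findall(r"[0-9A-Za-z]+", leaf), key=len, default="")
    random_looking = len(token) >= min_len and shannon_entropy(token) >= min_entropy
    untrusted_path = any(p in image.lower() for p in USER_WRITABLE)
    return random_looking and untrusted_path


def scan_pipe_events(lines):
    """Return (image, pipe_name) pairs for Pipe Created events that match the heuristic."""
    hits = []
    for line in lines:
        m = PIPE_EVENT.match(line)
        if not m or m.group("id") != "17":
            continue  # only pipe creation is of interest here
        if is_suspicious_pipe(m.group("pipe"), m.group("image")):
            hits.append((m.group("image"), m.group("pipe")))
    return hits
```

In production the same logic would read the XML or JSON form of the Sysmon events from the SIEM rather than these flattened lines; the matching heuristic is unchanged.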
“Cybercriminals are constantly evolving their strategies to reach more prolific victims and broaden their presence, as demonstrated by the PipeMagic Trojan’s recent expansion from Asia to Saudi Arabia,” Sergey Lozhkin, Principal Security Researcher at Kaspersky’s GReAT, says. He adds that given its advanced capabilities, PipeMagic is likely to be used in more attacks.
To mitigate this, Kaspersky advises organisations and individuals to be extra cautious when downloading software, particularly from third-party sites. It is essential to stick to official platforms when obtaining software to reduce the risk of accidentally downloading malicious apps.
To further safeguard against such threats, Kaspersky recommends several steps, including providing cybersecurity teams with up-to-date threat intelligence, training staff on identifying phishing attacks, and investing in advanced security solutions like Endpoint Detection and Response (EDR) tools. These solutions help organisations detect and respond to threats quickly, reducing the potential damage.
What you should know about PipeMagic and ChatGPT
PipeMagic is part of a broader class of malware known as Trojans. A Trojan, in cybersecurity, refers to a type of malicious software disguised as legitimate software. Once executed, it can perform various harmful activities, including stealing data, spying on users, or, as in this case, providing remote access to the attackers.
ChatGPT, developed by OpenAI, is a conversational AI tool that has gained massive popularity for its ability to generate human-like text responses. Its widespread use has made it a prime target for scammers, who now use the tool’s reputation to trick users into downloading fake versions of the app and potentially steal sensitive data.