Fake ChatGPT Desktop Client steals Chrome Login Data (10th May 2023)

Ref# AL2023_28 | Date: May 10th 2023

Description  

It has been discovered that an infostealer is mimicking a ChatGPT Windows desktop client that has the capabilities of copying saved credentials from the Google Chrome login data folder. 

Details 

When users attempt to download and install the fake ChatGPT Windows client it is an infostealer that is being distributed via a zip archive disguising itself as ChatGPT for Windows Setup 1.0.0.exe.  

During the installation process, the malware runs in the background and begins extracting Chrome login data usingHavelock. Havelock extracts and decrypts accounts, cookies, and history from web browsers based on Chromium. Havelock was initially developed as part of a remote administration tool for harvesting accounts from a computer and sending them to a remote endpoint securely. It is now available as an API (Application Programming Interface) in JavaScript and a standalone CLI (Command Line Interface). The fake ChatGPT client then creates an AutoStart entry in the registry to ensure that the infostealer runs every time the infected machine starts up. It can hide its console window and extract web session cookies via sqlite3.  

The client connects to various domains such as http://api.telegram.org, http://facebook.com, http://lumtest.com (for querying geoIP location), http://graph.facebook.com (for getting data into and out of the Facebook platform), and http://api.aiforopen.com. The extracted data is then exfiltrated via the multi-platform messaging service known as Telegram.  

Users have expressed great interest in a ChatGPT application for both desktops and mobile devices. Cyber criminals have taken this opportunity to deliver different types of malwares such as malicious payloads to hijack and control Facebook Business accounts.  

Remediation 

It is advised to avoid downloading from untrusted or unauthorized sources. ChatGPT does not have an official desktop client or mobile application thus such claims must be treated with caution.  

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.   

PDF Download: Fake ChatGPT Desktop Client steals Chrome Login Data.pdf

References