ChatGPT has gained huge popularity since its inception back in November 2022. Unfortunately, cybercriminals preyed on that and started creating fake versions of the platform to spread malware among users. Now, this popularity is being exploited once more in the form of an info-stealer disguised as ChatGPT.
The info-stealer is designed to copy saved credentials from the Google Chrome login data folder. That’s very sensitive data to have harvested, which raises a few questions.
What is this campaign all about? Does ChatGPT have a Windows client? What data can the stealer siphon from an infected device? We’ve answered everything in the following article.
Another Fake ChatGPT Client, Another Real Threat
ChatGPT reached over 1 million users in its first week of launch. This shows how popular OpenAI’s platform has become over the past few months.
With that much demand, users have wanted a ChatGPT application, and sadly, no official one has been released. Instead, threat actors started releasing fake ones to trick those who were eager for them.
Unfortunately, users are falling for the scheme with ease. It happened a while back, and it’s happening again. Bogus versions with a remarkably similar UI are taking over the internet.
In this particular campaign, users will stumble upon fake pages promoting a ChatGPT application for Windows. However, when the file is downloaded, a ChatGPT client isn’t what they’ll be getting.
Instead, the download is a zip archive carrying a file named ChatGPT For Windows Setup 1.0.0.exe, and running it will initiate the malware’s operation.
The main function of the malware is to use Havelock (a dangerous tool used to decrypt accounts, harvest cookies, and siphon history from Chromium-based web browsers) and steal Chrome login data. Here’s what Trend Micro had to say in a tweet:
“The client connects to various domains such as http://api.telegram.org, http://facebook.com, http://lumtest.com (for querying geoIP location), http://graph.facebook.com (for getting data into and out of the Facebook platform), and http://api.aiforopen.com.”
The report also states that this fake client auto-starts every time the infected device is started. This persistence makes sure that the info-stealer is always running, harvesting everything from the Chrome browser in the process.
It doesn’t end here. This particular stealer uses advanced obfuscation techniques that allow it to hide its console window, and it siphons web session cookies through sqlite3.
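For defenders, the domain list in the quoted tweet can be turned into a simple triage rule over proxy or DNS logs. The following is an added example, not code from Trend Micro or from the original article: the log format, host names, process names, browser allow-list and severity labels are all assumptions, and the sample log is constructed.

```python
from collections import defaultdict

# Domains named in the Trend Micro tweet quoted above.
CAMPAIGN_ONLY = {"api.aiforopen.com"}  # assumed not to be used by legitimate software
COMMON = {"api.telegram.org", "facebook.com", "lumtest.com", "graph.facebook.com"}
# Assumption: processes expected to reach the mainstream services legitimately.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample proxy log, assumed format: "<time> <host> <process> <domain>".
SAMPLE_LOG = """\
2023-01-01T09:00:01 WS-014 chrome.exe facebook.com
2023-01-01T09:00:03 WS-014 chrome.exe graph.facebook.com
2023-01-01T09:00:09 WS-014 chrome.exe api.telegram.org
2023-01-01T09:01:10 WS-022 chatgpt-client.exe lumtest.com
2023-01-01T09:01:11 WS-022 chatgpt-client.exe api.telegram.org
2023-01-01T09:01:12 WS-022 chatgpt-client.exe API.AIFOROPEN.COM.
2023-01-01T09:02:00 WS-031 updater.exe api.telegram.org
2023-01-01T09:02:02 WS-031 updater.exe lumtest.com
2023-01-01T09:02:05 WS-031 updater.exe graph.facebook.com
2023-01-01T09:03:00 WS-040 notepad.exe facebook.com
truncated-line-without-fields
"""

def parse(log):
    """Yield (host, process, domain) from well-formed lines; skip the rest."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _, host, proc, domain = parts
        # Normalise case and a trailing root dot so lookups are exact matches.
        yield host, proc.lower(), domain.lower().rstrip(".")

def triage(log):
    """Return {(host, process): severity} for processes matching the pattern."""
    seen = defaultdict(set)
    for host, proc, domain in parse(log):
        if domain in CAMPAIGN_ONLY or domain in COMMON:
            seen[(host, proc)].add(domain)
    findings = {}
    for key, domains in seen.items():
        if domains & CAMPAIGN_ONLY:
            findings[key] = "high"    # campaign-specific domain contacted
        elif key[1] not in BROWSERS and len(domains & COMMON) >= 3:
            findings[key] = "medium"  # non-browser process hitting the combination
    return findings

if __name__ == "__main__":
    for (host, proc), severity in sorted(triage(SAMPLE_LOG).items()):
        print(f"{severity:6} {host} {proc}")
```

The mainstream domains are only meaningful in combination and from a non-browser process, which is why a single hit on facebook.com or api.telegram.org is not flagged on its own.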
No ChatGPT App – Stop Falling for this Trick
Let’s be honest; applications provide a convenient way to access platforms and services, regardless of the device they’re on.
However, if these apps are not offered via the official source, there definitely has to be something shady about them.
ChatGPT, at this time, doesn’t have any dedicated clients. The only way to access the service is through a web browser. Don’t fall victim to such schemes; they’re really easy to figure out.