A fake version of ChatGPT invades Saudi Arabia and the Arab region, and Kaspersky warns!

Kaspersky's Global Research and Analysis Team (GReAT) has uncovered a new malicious campaign targeting companies in the Kingdom of Saudi Arabia that delivers a Trojan backdoor known as PipeMagic. The attackers use a fake version of the ChatGPT application as the lure.

How?!

A backdoor is deployed that extracts sensitive data and gives the attackers full remote access to the compromised devices. It also serves as a gateway for loading additional malware and carrying out further attacks across the company network.

The PipeMagic campaign starts from a fake ChatGPT application written in Rust. On the surface it looks like a legitimate application that bundles common Rust libraries. When run, however, it shows only a blank window with no usable interface, while behind the scenes it carries a 105,615-byte encrypted blob that holds the actual malicious payload.

PipeMagic is both a backdoor and a gateway: it gives the attackers full remote access to the targeted devices and lets them bring in further tools. The malware was first discovered in 2022, when it targeted entities in Asia; most recently, in September 2024, Kaspersky spotted it targeting organizations within the Kingdom of Saudi Arabia.

Then

In the second stage, the loader resolves the Windows API functions it needs without importing them by name: it locates candidate functions in memory and validates each one by comparing a hash of its exported name against precomputed constants (API hashing), which keeps the plaintext function names out of the binary and away from string-based scanners. It then allocates memory, loads the PipeMagic backdoor into it, applies the backdoor's configuration, and executes the malicious code.
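To make the API-hashing step concrete, here is an added example (written for this article, not code from PipeMagic or from Kaspersky) that shows both sides of the technique: how a loader turns an export name into a hash constant, and how an analyst builds a lookup table to turn hash constants found in a sample back into API names. The page does not say which hash PipeMagic uses, so the ROR13 routine below is an assumption chosen because it is the classic variant seen in many shellcode loaders; the export-name list is constructed for the example.

```python
"""API-name hashing and hash resolution (illustrative example, not PipeMagic's code).

Assumption: the ROR13 hash over the ASCII bytes of the export name. The real
PipeMagic algorithm is not described in the article; swap in the hash you
recover from a sample and the resolver below still works unchanged.
"""
from typing import Dict, Iterable, Optional


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    value &= 0xFFFFFFFF
    count %= 32
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """Loader-side: hash an export name the way a position-independent loader does."""
    h = 0
    for byte in name.encode("ascii"):
        h = ror32(h, 13)
        h = (h + byte) & 0xFFFFFFFF
    return h


# Constructed sample: export names an analyst would collect from kernel32.dll
# and ntdll.dll (with a tool such as dumpbin or pefile) to build the table.
SAMPLE_EXPORTS = [
    "VirtualAlloc",
    "VirtualFree",
    "CreateThread",
    "CreateNamedPipeW",
    "ConnectNamedPipe",
    "ReadFile",
    "CloseHandle",
    "LoadLibraryA",
    "GetProcAddress",
    "NtAllocateVirtualMemory",
]


def build_hash_table(names: Iterable[str]) -> Dict[int, str]:
    """Analyst-side: precompute hash -> name so constants in a sample can be resolved."""
    table: Dict[int, str] = {}
    for name in names:
        h = ror13_hash(name)
        if h in table and table[h] != name:
            # ROR13 is weak; real export lists do produce collisions, so surface them.
            raise ValueError(f"hash collision: {table[h]!r} / {name!r} -> 0x{h:08x}")
        table[h] = name
    return table


def resolve_hashes(hashes: Iterable[int], table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Map each hash constant to an API name, or None if it is not in the table."""
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    # Pretend these constants were lifted from a loader stub in a sample.
    constants = [ror13_hash("VirtualAlloc"), ror13_hash("CreateNamedPipeW"), 0xDEADBEEF]
    for h, name in resolve_hashes(constants, table).items():
        print(f"0x{h:08x} -> {name or 'unresolved'}")
```

In practice the analyst feeds the full export list of every DLL the loader walks into `build_hash_table`, then resolves the constants the loader compares against; the resolved names are what reveal the loader's intent (memory allocation, thread creation, named-pipe calls) even though none of those strings appear in the binary.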

A distinctive feature of PipeMagic is how it communicates locally: it generates a random 16-byte value, renders it as a hex string, and uses it to create a named pipe of the form \\.\pipe\1.<hex string>. A dedicated thread creates this pipe over and over, reads whatever is written to it, and then destroys it.

The pipe is used to receive encrypted payloads and stop signals over the local loopback interface. PipeMagic also works with several plugins downloaded from a command-and-control (C2) server, and in this campaign the server was hosted on the Microsoft Azure cloud, so its traffic blends in with legitimate cloud traffic and cannot simply be blocked by provider address ranges.
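The pipe naming scheme is a usable hunting indicator. The following added example (written for this article, not code from Kaspersky or the malware) checks pipe names against the described pattern and, on a Windows host, enumerates the live pipes to look for matches. It assumes the 16 random bytes are rendered as 32 hex digits; the page does not say whether the hex is upper or lower case, so both are accepted. The sample pipe listing is constructed.

```python
"""Hunt for PipeMagic-style named pipes (illustrative example, not Kaspersky's code).

Pattern from the article: \\.\pipe\1.<hex string> built from a random 16-byte value.
Assumption: 16 bytes -> exactly 32 hex digits, case unknown.
"""
import os
import re
import sys
from typing import Iterable, List

PIPE_ROOT = r"\\.\pipe"
# Bare pipe name: "1." followed by exactly 32 hex characters and nothing else.
PIPEMAGIC_PIPE_RE = re.compile(r"^1\.[0-9a-fA-F]{32}$")


def is_suspicious_pipe(name: str) -> bool:
    """True if a bare pipe name or a full \\.\pipe\ path matches the pattern."""
    bare = name.rsplit("\\", 1)[-1]
    return PIPEMAGIC_PIPE_RE.fullmatch(bare) is not None


def find_suspicious_pipes(names: Iterable[str]) -> List[str]:
    """Return the matching entries from any pipe listing, sorted for stable output."""
    return sorted(n for n in names if is_suspicious_pipe(n))


def list_live_pipes() -> List[str]:
    """Enumerate named pipes on a Windows host; returns [] on other platforms."""
    if not sys.platform.startswith("win"):
        return []
    return os.listdir(PIPE_ROOT + "\\")


# Constructed sample of what a pipe listing might contain.
SAMPLE_PIPES = [
    r"\\.\pipe\lsass",
    r"\\.\pipe\srvsvc",
    r"\\.\pipe\1.0f1e2d3c4b5a69788796a5b4c3d2e1f0",    # matches
    r"\\.\pipe\1.deadbeef",                             # too short: 16 bytes give 32 digits
    r"\\.\pipe\mojo.1234.5678.9abc",                    # browser IPC, benign
    r"\\.\pipe\1.0F1E2D3C4B5A69788796A5B4C3D2E1F0",    # matches, upper case
    r"\\.\pipe\11.0f1e2d3c4b5a69788796a5b4c3d2e1f0",   # wrong prefix
]


if __name__ == "__main__":
    pipes = list_live_pipes() or SAMPLE_PIPES
    hits = find_suspicious_pipes(pipes)
    if hits:
        print("Suspicious pipes:")
        for hit in hits:
            print("  " + hit)
    else:
        print("No PipeMagic-style pipes found")
```

Because the malware creates, reads and destroys the pipe in a loop, a single listing can easily miss it. Run the check repeatedly, or better, apply the same regular expression to Sysmon named-pipe events (Event ID 17 for pipe creation and 18 for pipe connection), which record every instance regardless of how briefly the pipe existed.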

What do they want:

In this campaign, the attackers aim to achieve specific goals including:

  • Stealing sensitive data: They aim to obtain sensitive information such as financial data and personal data of individuals or organizations in order to exploit it in illegitimate ways.
  • Spying on company activities: By taking control of compromised devices, attackers can spy on the activities of companies and organizations with the aim of obtaining sensitive information or carrying out sabotage.
  • Sabotaging systems: They also aim to disable or damage systems by introducing other malicious software, which may cause operations to fail or services to be disrupted.
Sergey Lozhkin of Kaspersky's GReAT noted that cybercriminals are constantly developing their strategies to increase the number of victims and expand the scope of their operations. With the expansion of the PipeMagic malware and its capabilities, he expects the number of attacks using this backdoor to increase in the future.

Details of the attack that took place:

  • Using ChatGPT as bait: Disguising the dropper as ChatGPT is a new tactic for this group. It exploits the trust users place in the application, which increases the likelihood that the malicious program is downloaded and run.
  • The PipeMagic malware: This malicious software plays a pivotal role in the attack. It installs a backdoor on the targeted device, allowing attackers full access to the system and remote control over it.
  • Data theft: The malware aims to steal sensitive company data, such as financial information and customers' personal data, which can be used in extortion operations or sold on the black market.
  • Remote access: The backdoor grants attackers remote access to the compromised devices, allowing them to control the system and install additional malware.
  • Expanding the scope of the attack: Attackers can use the compromised devices as a launching point to carry out additional attacks on other devices within the network, increasing the scale of losses.

The potential repercussions of these attacks:

  • Financial losses: These attacks may cause significant financial losses for the affected companies as a result of data theft or disruption of operational processes.
  • Damage to company reputation: Leaking sensitive data may lead to the deterioration of the company's reputation and loss of customer trust.
  • Impact on operational processes: These attacks can disrupt the company's operational processes, affecting its productivity and efficiency.
  • Growing cyber threats: This attack points to the growing cyber threats facing companies and organizations in the Kingdom of Saudi Arabia.

Our recommendations:

  • Raising awareness of the importance of cybersecurity: Companies must educate their employees about the importance of cybersecurity and how to handle suspicious emails, untrusted links and unexpected software downloads.
  • Installing software only from official sources: Since the lure in this campaign is a fake application, employees should obtain software only through the vendor's official channels, and IT should restrict who can run unapproved executables.
  • Updating protection systems: Companies must regularly update antivirus software and firewalls, and apply the latest security patches.
  • Keeping data backups: Companies must keep regular backups of their sensitive data and store them in a safe place, isolated from the production network.
  • Incident response training: Employees must be trained on how to respond to security incidents and report them immediately.

Also:

The PipeMagic attack is a clear example of the growing threats facing companies in today's world. Companies must take all necessary precautions to protect their systems and their data from these attacks.

Our notes on the topic:

And here, my dear friend, we have successfully completed the mission ✌

Do not forget your brothers in Palestine in your prayers

With regards from the #Ezznology team
