Attackers Hide RedLine Stealer Behind ChatGPT, Google Bard Facebook Ads

The campaign shrouds the commodity infostealer in OpenAI files in a play that aims to take advantage of the growing public interest in AI-based chatbots.

Cybercriminals are posting what appear to be legitimate sponsored ads on hijacked Facebook business and community pages, which promise free downloads of AI chatbots such as ChatGPT and Google Bard. Instead, users download the well-known, info-stealing malware called RedLine Stealer, researchers have found.

RedLine Stealer is a malware-as-a-service (MaaS) platform sold via online hacker forums that targets browsers to collect various data saved by the user, including credentials and payment-card details, as well as taking a system inventory to assess the attack surface for performing further attacks. It also can perform other malicious functions besides just info stealing, such as uploading and downloading files, and executing commands. This gives attackers, even with limited sophistication, various options for performing a range of cyberattacks, researchers at Veriti said.

They spotted the recent campaign, which aims to take advantage of the growing popularity of emerging AI platforms, in January, according to a report published April 11. The researchers then followed the campaign through its peak in March.

"These posts are designed to appear legitimate, using the buzz around OpenAI language models to trick unsuspecting users into downloading the files," Veriti researchers wrote in the report. "However, once the user downloads and extracts the file, the RedLine Stealer malware is activated and can steal passwords and download further malware onto the user's device."

The commodity malware is an inspired choice for the campaign considering it costs only $100 to $150 to buy it on the Dark Web, which gives attackers a significant return on investment (ROI) for their cybercriminal activity, the researchers said.

"In addition, by exploiting Facebook business accounts and their exposed passwords, the attackers were able to target a vast number of users and potentially gain access to sensitive information at a relatively low cost," the Veriti research team tells Dark Reading.

Dangers of Trojanized AI Apps 

Soon after the AI-based chatbot ChatGPT came on the scene in November, the chatter began about the various ways attackers can exploit it for malicious purposes. While some believe that this threat is being overhyped, the RedLine campaign could be a sign of more related attacks on the horizon.

Rather than taking advantage of AI-based capabilities of the chatbots themselves, the attackers here take advantage of recent developments in the ability to package the AI in various forms, opening the door for creating trojanized downloads. 

"One of the most concerning risks associated with generative AI platforms is the ability to package the AI in a file (e.g., as mobile applications or as open source), which creates the perfect excuse for malicious actors to trick naïve downloaders," the researchers explained. 

The attackers in this case package RedLine Stealer into an OpenAI or Google Bard downloadable file, leading unsuspecting users to download the malware instead of the promised AI app that lured them to click on the post, the researchers said.

"The potential impact of such attacks is significant, as hackers could steal confidential data, compromise financial accounts, or even disrupt critical infrastructure," they wrote in the report. "Moreover, these attacks are becoming more sophisticated, making detecting and preventing them harder."

Dozens of Facebook business accounts in at least 10 countries already have been hijacked for the purpose of distributing RedLine Stealer through the malicious posts, the researchers said. Greece is the country where attackers reach the highest number of Facebook users, followed by India, the US, Mexico, and Bangladesh, according to the report.

However, the bulk of the campaign's "top attacks" took place in the US, where 77% of them occurred, according to the report. The country with the next-highest percentage of top attacks was Canada, with 9%, followed by Mexico (6%), India (4%), and Portugal (2%).

Protecting the Enterprise From Malicious Downloads

Veriti recommends a "comprehensive approach to cybersecurity" that includes educating employees on the risk of downloading and opening files from unknown sources, alongside "robust security configurations" to help avoid compromising enterprise systems if users inadvertently install an infostealer, such as RedLine, on a corporate desktop.

One of the first steps organizations can take is to limit the download of executables and enforce strict policies that require sandboxing every executable before it is downloaded, the researchers said. "This can significantly reduce the risk of malicious files infecting a system," they tell Dark Reading.
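One way to enforce that policy at a download gateway is to inspect content rather than trust the file name, since the lure here arrives as an archive the user extracts. The sketch below is an added example, not code from Veriti or the report; the function names, extension list, and size and depth limits are assumptions, and the samples are constructed.

```python
import io
import zipfile

# Leading bytes of formats that can carry native code.
MAGIC = {b"MZ": "Windows PE executable", b"\x7fELF": "ELF executable",
         b"\xd0\xcf\x11\xe0": "OLE2 container (MSI installer or legacy Office file)"}
# Extensions that execute when opened on Windows (assumed policy list).
RISKY_EXT = {".exe", ".scr", ".msi", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".lnk", ".hta"}
MAX_DEPTH = 3                 # nested archives deeper than this are not unpacked
MAX_ENTRY = 50 * 1024 * 1024  # entries declaring a larger size are not unpacked

def classify(name, data, depth=0):
    """Return (path, reason) findings for one downloaded file, recursing into ZIPs."""
    findings = [(name, label) for magic, label in MAGIC.items() if data.startswith(magic)]
    ext = "." + name.lower().rsplit(".", 1)[-1] if "." in name else ""
    if ext in RISKY_EXT and not findings:
        findings.append((name, f"runnable extension {ext}"))
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    if depth >= MAX_DEPTH:
        return findings + [(name, "archive nested too deep to inspect")]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            path = f"{name}/{info.filename}"
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:      # bit 0 = entry is encrypted
                findings.append((path, "encrypted entry, cannot inspect"))
            elif info.file_size > MAX_ENTRY:
                findings.append((path, "entry too large to inspect"))
            else:
                findings += classify(path, zf.read(info), depth + 1)
    return findings

def verdict(name, data):
    """'sandbox' when anything runnable or uninspectable is found, else 'allow'."""
    return "sandbox" if classify(name, data) else "allow"

def make_zip(files):
    """Build an in-memory ZIP from {filename: bytes}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for fname, content in files.items():
            zf.writestr(fname, content)
    return buf.getvalue()

# Constructed samples: a fake PE header (not real malware) hidden one archive deep.
FAKE_PE = b"MZ" + b"\x00" * 62
LURE = make_zip({"readme.txt": b"Free AI chatbot", "inner.zip": make_zip({"setup.exe": FAKE_PE})})
CLEAN = make_zip({"notes.txt": b"Meeting notes for the AI pilot project"})
```

Encrypted or oversized entries are routed to the sandbox rather than allowed, because a gate that cannot inspect a file has no basis for passing it.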

Additionally, disabling data exfiltration can prevent attackers from stealing sensitive information, while enabling anti-malware can detect and remove malicious files before they can cause any damage, the researchers said.

However, researchers note that any measures to educate employees or set policies around files downloaded from the Internet "should complement an organization's existing cybersecurity protections, such as firewalls, intrusion detection and prevention systems, and regular security updates."

The team adds, "Organizations can significantly reduce the likelihood of a successful attack by implementing these best practices and educating employees on the risks."

About the Author(s)

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.
