Recently, cybersecurity firm Kaspersky released a report revealing how cybercriminals are using a fake ChatGPT application to deploy a backdoor and spread malware. Notably, these attackers have shifted their targets from Asia in 2022 to Saudi Arabia in 2024, indicating that their attack strategies are continuously evolving.

[Image: hacker network attack. The image is AI-generated and provided by the image licensing service Midjourney]

Kaspersky's research indicates that this malicious activity involves a trojan known as PipeMagic. PipeMagic is a plug-in-based trojan that serves as a "gateway" for deep penetration into corporate networks. According to Kaspersky security researcher Sergey Lozhkin, cybercriminals are continuously evolving their strategies to gain more victims and expand their influence. "As the PipeMagic trojan extends from Asia to Saudi Arabia, we anticipate an increase in attacks using this backdoor."

A distinctive feature of PipeMagic is that it generates a random 16-byte array and uses it to create a named pipe in the format \\.\pipe\1.. It spawns a thread that repeatedly creates this pipe, reads data from it, and then destroys it. The pipe is used to receive encoded payloads and stop signals. PipeMagic typically operates with multiple plug-ins downloaded from command-and-control (C2) servers, which in this case were hosted on Microsoft's Azure platform.
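The create/read/destroy loop on a predictably named pipe is something endpoint telemetry can catch. The following is an added example (not Kaspersky's code and not part of the original report) that runs over constructed Sysmon pipe-event records and flags pipe names of the PipeMagic shape. It assumes that the part after "1." is the 16-byte random array rendered as 32 hex characters; the page only shows the prefix, so adjust the pattern to whatever the sample you analyse actually produces.

```python
import re
from collections import Counter

# Constructed sample Sysmon pipe events (Event ID 17 = Pipe Created, 18 = Pipe Connected),
# reduced to the fields used here. These are made-up records, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 17, "Image": r"C:\Windows\System32\svchost.exe", "PipeName": r"\ntsvcs"},
    {"EventID": 17, "Image": r"C:\Users\alice\Downloads\chatgpt.exe",
     "PipeName": r"\1.3f9a2c7e10b4d5a6f0e1c2b3a4d5e6f7"},
    {"EventID": 18, "Image": r"C:\Users\alice\Downloads\chatgpt.exe",
     "PipeName": r"\1.3f9a2c7e10b4d5a6f0e1c2b3a4d5e6f7"},
    {"EventID": 17, "Image": r"C:\Program Files\App\app.exe", "PipeName": r"\1.status"},
    {"EventID": 17, "Image": r"C:\Windows\System32\lsass.exe", "PipeName": r"\lsass"},
    # The same process logged with the full Win32 path form of the pipe name.
    {"EventID": 17, "Image": r"C:\Users\alice\Downloads\chatgpt.exe",
     "PipeName": r"\\.\pipe\1.0123456789abcdef0123456789abcdef"},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe"},  # process-create event, no pipe
]

# Assumption (not stated on the page): the part after "1." is the 16-byte random array
# rendered as 32 hexadecimal characters. Replace with the format recovered from the sample.
PIPE_NAME_RE = re.compile(r"^1\.[0-9a-fA-F]{32}$")

FULL_PREFIX = "\\\\.\\pipe\\"  # the literal string \\.\pipe\


def normalize_pipe_name(name: str) -> str:
    """Reduce either the full Win32 pipe path or Sysmon's short leading-backslash form
    to the bare pipe name."""
    if name.lower().startswith(FULL_PREFIX):
        return name[len(FULL_PREFIX):]
    return name.lstrip("\\")


def is_pipemagic_style_pipe(name: str) -> bool:
    """True when the pipe name has the '1.<32 hex chars>' shape assumed above."""
    return PIPE_NAME_RE.match(normalize_pipe_name(name)) is not None


def find_suspicious_pipe_events(events):
    """Return (EventID, Image, PipeName) for every pipe event whose name matches."""
    hits = []
    for ev in events:
        if ev.get("EventID") not in (17, 18):
            continue
        if is_pipemagic_style_pipe(ev.get("PipeName", "")):
            hits.append((ev["EventID"], ev["Image"], ev["PipeName"]))
    return hits


def images_by_hit_count(events) -> Counter:
    """Count matching pipe events per process image. A process that keeps re-creating
    such pipes (the create/read/destroy loop described above) stands out."""
    return Counter(image for _, image, _ in find_suspicious_pipe_events(events))


if __name__ == "__main__":
    for hit in find_suspicious_pipe_events(SAMPLE_EVENTS):
        print(hit)
    print(images_by_hit_count(SAMPLE_EVENTS))
```

Counting hits per image matters more than any single match: the loop the report describes means one process will create the pipe over and over, which is a stronger signal than a single event.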

Technically, Kaspersky explained how this fake ChatGPT application was constructed. It is written in the Rust programming language and operates in stages. At first glance, the application appears legitimate, containing many libraries common to other Rust applications. When executed, however, it shows only a blank screen with no visible interface, while concealing a 105,615-byte encrypted data array that is the malicious payload.

Once this payload is running, it locates the Windows API functions it needs by name hash rather than by plaintext name, resolving them through the corresponding memory offsets. It then allocates memory, loads the PipeMagic backdoor, adjusts the necessary settings, and finally executes the malware.
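Because the binary carries hashes instead of API names, an analyst has to go the other way and map the hashes found in the sample back to names. The following is an added example of that lookup (not Kaspersky's code and not PipeMagic's). The page does not say which hash algorithm PipeMagic uses, so the widely documented ROR-13 scheme stands in here as an assumption; the export list is constructed from real Windows API names chosen for illustration, not taken from the report.

```python
# Constructed list of real Windows export names for illustration. The page does not list
# which APIs PipeMagic resolves, so this set is an assumption.
CANDIDATE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "CreateNamedPipeW", "ConnectNamedPipe", "ReadFile",
    "WriteFile", "CloseHandle", "CreateFileW", "Sleep",
]


def ror13_hash(name: str) -> int:
    """Illustrative 32-bit ROR-13 name hash, a widely documented API-hashing scheme.
    Assumption: the hash PipeMagic uses is not given on the page; once the real one is
    recovered from the sample, pass it as hash_fn and the rest of the tooling is unchanged."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF  # rotate right by 13 within 32 bits
        h = (h + b) & 0xFFFFFFFF
    return h


def build_hash_table(export_names, hash_fn=ror13_hash):
    """Map hash -> export name so hashes found in a sample can be resolved to names."""
    table = {}
    for n in export_names:
        h = hash_fn(n)
        if h in table and table[h] != n:
            raise ValueError(f"hash collision between {table[h]} and {n}")
        table[h] = n
    return table


def resolve_hashes(hashes, table):
    """Return {hash: name-or-None}; None marks hashes the table cannot explain."""
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    table = build_hash_table(CANDIDATE_EXPORTS)
    # Constructed "observed" hashes: two that resolve and one that does not.
    observed = [ror13_hash("VirtualAlloc"), ror13_hash("CreateNamedPipeW"), 0xDEADBEEF]
    for h, name in resolve_hashes(observed, table).items():
        print(f"{h:#010x} -> {name}")
```

In practice the export list comes from the export directories of the DLLs the sample loads, and the hash function is whatever the disassembly shows; an unresolved hash usually means either a wrong algorithm guess or an export from a DLL not yet added to the table.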

Key points:

- 🦠 Kaspersky discovers hackers using a fake ChatGPT application to spread the PipeMagic trojan.

- 🌍 Attack targets shift from Asia in 2022 to Saudi Arabia in 2024, showing that the cybercriminals' strategies are evolving.

- 🔍 PipeMagic utilizes named pipes and plug-in technology for deep penetration into corporate networks for malicious attacks.