August 8, 2023
Recently, a group of researchers at Nexusguard uncovered a malicious software campaign that disguised itself as a PC-based rendition of ChatGPT, an artificial intelligence chatbot created by OpenAI and built on its Generative Pre-trained Transformer (GPT) series of large language models (LLMs).
A similar campaign has since resurfaced on Facebook, this time utilizing Google's Bard AI. Bard is an AI chatbot developed by Google and based on Google's large language model (LLM), LaMDA, much as ChatGPT is based on GPT. LLMs are neural networks, computer models loosely patterned on the architecture of the brain.
On June 18, 2023, our team of researchers discovered a Facebook Ad showing an image of Google Bard. The advertisement was posted by a fake Google AI Facebook page which currently has 233,000 likes and 243,000 followers (Figure 1).
According to the page transparency feature, the page was created on April 20, 2012 under the old page name Plasma University (Figure 2).
The Facebook advertisement posted by the Fake Bard AI Facebook page contained a link, which when clicked, redirected visitors to a fake Google Bard website. The website also provided a link to download a file and an access code (Figure 3).
Upon clicking the link, a RAR archive named "Google Ai Setup.rar" was acquired, containing an enclosed MSI installer named "Google Ai Setup.msi".
Uploading the downloaded MSI file to VirusTotal revealed that 27 out of 60 security vendors flagged it as malicious (Figure 5).
To further understand the malware, our team performed dynamic analysis which involved executing the malware in a virtualized environment (Figure 6).
Various files were deposited by the malware into “%ProgramFiles(x86)%\Google\Google Ai” on the infected machine, subsequently leading to the execution of cmd.exe with the ensuing parameters: cmd.exe /c ""C:\Program Files (x86)\Google\Google Ai\ggbard.bat""
Upon closer inspection, it was discovered that ggbard.bat comprised a sequence of directives intended to terminate both chrome.exe and chromedriver.exe processes, followed by the execution of Chrome and the loading of the malevolent extension (Figure 7).
The goal of the malware was to install a malicious extension on Google Chrome which masqueraded as a legitimate Google Translate extension.
We inferred that the background.js file carried the malicious payload because its code was deliberately obfuscated, an indication of an attempt to conceal its true intent.
Obfuscated version: https://pastebin.com/K1yNH0Yh
De-obfuscated version: https://pastebin.com/YecRwVZA
Through our team’s detailed analysis, it was determined that the script was designed to gather Facebook cookies (lines 5-20) and Facebook ad manager access tokens (lines 27-43), which were subsequently transmitted via Google Analytics (lines 1-4).
Line 14 reveals the presence of the Google Analytics 'tid' UA-244663376-1, which serves to designate the tracking ID and the property ID of the Google Analytics property where the data will be dispatched. This particular method of exfiltration is employed to bypass traditional Content Security Policy (CSP) mechanisms, and has been utilized in multiple "Magecart" attacks in 2020 for the purpose of stealing credit card information.
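Because the exfiltration channel is ordinary Google Analytics traffic, it can be watched for at the egress proxy rather than in the browser. The following is an added example (not Nexusguard's code) that flags Measurement Protocol hits whose tracking ID is not one the organisation owns, or whose event fields carry cookie-shaped data; the log format, the KNOWN_TIDS allowlist and the sample lines are constructed for illustration.

```python
"""Flag Google Analytics 'collect' hits that look like data exfiltration."""
import re
from urllib.parse import urlparse, parse_qs

# Assumed allowlist: tracking IDs the organisation legitimately reports to
# (placeholder value, not a real property).
KNOWN_TIDS = {"UA-000000-1"}

GA_HOSTS = {"www.google-analytics.com", "google-analytics.com",
            "ssl.google-analytics.com"}

# Constructed proxy log: '<timestamp> <source ip> <url>'. The second line
# carries the tracking ID quoted in the write-up and a cookie-shaped event action.
SAMPLE_PROXY_LOG = """\
2023-06-18T10:01:02Z 10.0.0.5 https://www.google-analytics.com/collect?v=1&tid=UA-000000-1&cid=555&t=pageview&dp=%2Fhome
2023-06-18T10:01:09Z 10.0.0.5 https://www.google-analytics.com/collect?v=1&tid=UA-244663376-1&cid=555&t=event&ec=fb&ea=c_user%3D1234%3B%20xs%3Dabcd
2023-06-18T10:01:15Z 10.0.0.5 https://example.com/api/collect?tid=UA-999-9
""".splitlines()

def parse_hit(url):
    """Return (tid, params) for a GA Measurement Protocol hit, else None."""
    u = urlparse(url)
    if u.hostname not in GA_HOSTS or not u.path.endswith("/collect"):
        return None
    params = parse_qs(u.query)
    return params.get("tid", [None])[0], params

def looks_like_cookie(value):
    """Heuristic: 'name=value; name=value' strings, shaped like a Cookie header."""
    return re.search(r"\w+=[^;\s]+;\s*\w+=", value) is not None

def suspicious_hits(log_lines):
    """Return (line, reason) pairs for hits worth an analyst's attention."""
    findings = []
    for line in log_lines:
        hit = parse_hit(line.split()[-1])
        if hit is None:
            continue
        tid, params = hit
        if tid not in KNOWN_TIDS:
            findings.append((line, f"unknown tracking id {tid}"))
        # Any free-form field can carry stolen data, so inspect all but the plumbing keys.
        for key, values in params.items():
            if key in ("tid", "cid", "v", "t"):
                continue
            if any(looks_like_cookie(v) for v in values):
                findings.append((line, f"cookie-shaped data in '{key}'"))
    return findings

if __name__ == "__main__":
    for line, reason in suspicious_hits(SAMPLE_PROXY_LOG):
        print(reason, "<-", line)
```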
In summary, our investigation underscores the manner in which cyber threat actors are utilizing social engineering tactics to exploit the trust that users place in widely-used social networking platforms. It is imperative that users comprehend that a service's apparent legitimacy does not always guarantee its authenticity. Given the increasing sophistication of cybercriminal tactics, it is vital for users to remain vigilant, keep abreast of the latest developments, and take proactive measures to safeguard their personal information and online identity.
Nexusguard not only procures threat intelligence by gathering and scrutinizing data pertaining to the latest malware perils, but also furnishes solutions for web and network application security that can discern and obstruct malware traffic - even those that are aimed at Facebook ads - thereby enabling organizations to maintain a competitive edge and anticipate emerging attack methodologies before they proliferate. To gain unbroken visibility into your cyber risk profile, visit Nexusguard for more information.