• admin
• March 1, 2023
• 12 Comments

Foreward

As an AI language model, ChatGPT itself does not engage in phishing activities. However, it is possible for attackers to use ChatGPT or other similar language models to create more convincing phishing messages.

ChatGPT-based phishing typically involves using a language model to generate messages that appear to be from a trusted source, such as a bank, social media platform, or online retailer. The messages may contain links to fake websites that are designed to look like the real thing, and may prompt the user to enter their login credentials, credit card information, or other sensitive data.

To protect yourself from ChatGPT-based phishing and other types of phishing attacks, it is important to be wary of any unsolicited messages that ask you to click on links or provide personal information. Look for signs that the message may be fake, such as typos, strange formatting, or requests for information that the legitimate sender would not normally ask for. Additionally, always verify the legitimacy of the message or website by contacting the sender directly or by typing the URL directly into your browser instead of clicking on a link in the message.

ChatGPT Phishing Methods

In recent months, we have seen an increase in phishing methods that use ChatGPT to create convincing messages that trick users into divulging sensitive information or clicking on malicious links.

One such method involves using ChatGPT to generate personalized phishing emails that appear to be from a trusted source, such as a bank or an employer. Attackers can use information gathered from social media or other sources to make the message appear more authentic and increase the likelihood that the recipient will fall for the scam.

Another method involves using ChatGPT to create convincing chatbot scripts that are used in phishing attacks. The chatbot appears to be a customer service representative or other trusted individual, and the user is prompted to enter sensitive information or click on a link that leads to a malicious website.

To make matters worse, ChatGPT can also be used to generate convincing deepfake videos or audio recordings that can be used to further trick users into divulging sensitive information. For example, an attacker could use ChatGPT to create a video or audio clip of a trusted individual, such as a CEO or government official, giving a convincing speech or directive that convinces the victim to take action.

While the use of ChatGPT in phishing attacks is concerning, there are steps that can be taken to protect against these types of attacks. One effective approach is to educate users on how to identify and avoid phishing attempts. This includes looking for telltale signs, such as misspellings, suspicious URLs, or requests for sensitive information. Additionally, organizations can implement technologies that can detect and block suspicious emails or chatbot interactions.

One important consideration when it comes to ChatGPT-based phishing methods is the fact that these attacks are often highly personalized and targeted. Attackers may use social engineering tactics to gather information about the victim, such as their name, job title, or even their location, which can be used to create more convincing messages. Additionally, attackers may use ChatGPT to generate responses that appear to be from a trusted individual, such as a friend or colleague, which can further increase the likelihood that the victim will fall for the scam.

Another important factor to consider is the role that artificial intelligence and machine learning can play in detecting and preventing these types of attacks. As ChatGPT and other language models become more sophisticated, it may be possible to use these technologies to detect suspicious messages or interactions based on their language or behavior. Additionally, machine learning algorithms can be used to analyze patterns in phishing attacks and identify new or emerging threats.

However, it’s important to note that there are also risks associated with using AI and machine learning in cybersecurity. For example, attackers could potentially use these technologies to create more sophisticated and convincing phishing attacks, making it more difficult for traditional detection methods to identify and block them.

Overall, the rise of ChatGPT-based phishing methods highlights the need for a multi-faceted approach to cybersecurity that includes both education and technology. By staying vigilant and learning how to identify and avoid phishing attacks, individuals can play an important role in protecting themselves and their organizations from these types of threats. At the same time, advancements in AI and machine learning can help to detect and prevent these attacks before they can cause harm.

Scenario

One such method could be as follows:

1. Set up a simulated openai chatgpt-based chatbot that mimics the appearance and behavior of the real openai chatgpt-based chatbot.

2. Create a simulated email or other communication to employees, inviting them to try out the openai chatgpt-based chatbot for work-related purposes.
3. When employees interact with the simulated chatbot, provide them with realistic phishing scenarios, such as requests for login credentials, personal information, or other sensitive data.
4. After employees interact with the chatbot, provide them with immediate feedback on whether their responses were correct or incorrect.
5. Follow up with additional training and education for employees who fell for the simulated phishing attacks, to help them improve their awareness and understanding of phishing tactics.

It is important to prioritize ethical and legal considerations when it comes to cybersecurity and to promote safe and responsible technology use. Organizations should focus on using ethical and legal methods of conducting simulated phishing campaigns, such as using pre-built platforms or working with professional security companies that specialize in such activities.

IOCs

No	Type	Indicator
1	domain	https://openai-pc-pro.online/
2	domain	chat-gpt-pc.online
3	domain	https://chat-gpt-online-pc.com/
4	domain	http://chatgpt-go.online/clip.exe
5	FileHash-SHA256	d1b1813f7975b7117931477571a2476decff41f124b84cc7a2074dd00b5eba7c
6	FileHash-SHA256	ae4d01a50294c9e6f555fe294aa537d7671fed9bc06450e6e2198021431003f9
7	FileHash-SHA256	60e0279b7cff89ec8bc1c892244989d73f45c6fcc3e432eaca5ae113f71f38c5
8	FileHash-SHA256	53ab0aecf4f91a7ce0c391cc6507f79f669bac033c7b3be2517406426f7f37f0
9	FileHash-SHA256	46200951190736e19be7bcc9c0f97316628acce43fcf5b370faa450e74c5921e
10	FileHash-SHA256	3ec772d082aa20f4ff5cf01e0d1cac38b4f647ceb79fdd3ffd1aca455ae8f60b
11	FileHash-SHA256	34b88f680f93385494129bfe3188ce7a0f5934abed4bf6b8e9e78cf491b53727
12	FileHash-SHA1	f1a5a1187624fcf1a5804b9a15a4734d9da5aaf6
13	FileHash-SHA1	cebddeb999f4809cf7fd7186e20dc0cc8b88689d
14	FileHash-SHA1	c57a3bcf3f71ee1afc1a08c3a5e731df6363c047
15	FileHash-SHA1	afa741309997ac04a63b4dd9afa9490b6c6235c1
16	FileHash-SHA1	aeb646eeb4205f55f5ba983b1810afb560265091
17	FileHash-SHA1	23f50f990d4533491a76ba619c996b9213d25b49
18	FileHash-SHA1	189a16b466bbebba57701109e92e285c2909e8a2
19	FileHash-MD5	c8aa7a66e87a23e16ecacad6d1337dc4
20	FileHash-MD5	94e3791e3ceec63a17ca1a52c4a35089
21	FileHash-MD5	81e6a150d459642f2f3641c5a4621441
22	FileHash-MD5	6a481f28affc30aef0d3ec6914d239e4
23	FileHash-MD5	5f6f387edf4dc4382f9953bd57fa4c62
24	FileHash-MD5	4e8d09ca0543a48f649fce72483777f0
25	FileHash-MD5	174539797080a9bcbb3f32c5865700bf
26	url	https://openai-pc-pro.online/
27	url	https://chatgpt-go.online/
28	url	https://chat-gpt-online-pc.com/
29	domain	https://chatgpt-go.online/
30	url	http://chatgpt-go.online/java.exe

Rules

Sigma rule that could be used to detect network activity associated with the given indicators:

title: Suspicious Chatgpt description: Detects suspicious network activity associated with known malicious domains and URLsstatus: experimentalreferences:    – https://openai-pc-pro.online/    – https://chat-gpt-online-pc.com/    – https://chatgpt-go.online/    – http://chatgpt-go.online/clip.exe    – https://openai-pc-pro.online/    – https://chatgpt-go.online/    – https://chat-gpt-online-pc.com/    – https://chatgpt-go.online/    – http://chatgpt-go.online/java.exe detection:    selection:        source.ip:            – 192.168.0.0/16            – 172.16.0.0/12            – 10.0.0.0/8    condition: >        (url.domain in (‘openai-pc-pro.online’, ‘chat-gpt-pc.online’, ‘chat-gpt-online-pc.com’, ‘chatgpt-go.online’) or        url.path contains ‘clip.exe’ or url.path contains ‘java.exe’) and        (url in (‘https://openai-pc-pro.online/’, ‘https://chatgpt-go.online/’, ‘https://chat-gpt-online-pc.com/’, ‘https://chatgpt-go.online/’) or        url.scheme == ‘http’ and url.path contains ‘clip.exe’ or url.path contains ‘java.exe’)    fields:        – url        – source.ip        – destination.ip        – event.action        – event.dataset    falsepositives:        – Legitimate network traffic    level: high

This rule looks for network activity that matches the specified indicators, including suspicious URLs and file paths. It also restricts the source IP addresses to internal network ranges, to reduce the likelihood of false positives. When triggered, the rule includes relevant metadata such as the URL, source and destination IP addresses, and event type. Finally, the rule includes a list of false positives to help reduce noise and prevent legitimate traffic from triggering alerts.

And detection rule for the provided IOCs with SHA-256 and MD5 hash values:

rule detect_iocs {    meta:        description = “Detects SHA-256 and MD5 hash values”        author = “Your Name”    strings:        $sha256_hash1 = “d1b1813f7975b7117931477571a2476decff41f124b84cc7a2074dd00b5eba7c”        $sha256_hash2 = “ae4d01a50294c9e6f555fe294aa537d7671fed9bc06450e6e2198021431003f9”        $sha256_hash3 = “60e0279b7cff89ec8bc1c892244989d73f45c6fcc3e432eaca5ae113f71f38c5”        $sha256_hash4 = “53ab0aecf4f91a7ce0c391cc6507f79f669bac033c7b3be2517406426f7f37f0”        $sha256_hash5 = “46200951190736e19be7bcc9c0f97316628acce43fcf5b370faa450e74c5921e”        $sha256_hash6 = “3ec772d082aa20f4ff5cf01e0d1cac38b4f647ceb79fdd3ffd1aca455ae8f60b”        $sha256_hash7 = “34b88f680f93385494129bfe3188ce7a0f5934abed4bf6b8e9e78cf491b53727”        $sha256_hash8 = “f1a5a1187624fcf1a5804b9a15a4734d9da5aaf6”        $sha256_hash9 = “cebddeb999f4809cf7fd7186e20dc0cc8b88689d”        $sha256_hash10 = “c57a3bcf3f71ee1afc1a08c3a5e731df6363c047”        $sha256_hash11 = “afa741309997ac04a63b4dd9afa9490b6c6235c1”        $sha256_hash12 = “aeb646eeb4205f55f5ba983b1810afb560265091”        $sha256_hash13 = “23f50f990d4533491a76ba619c996b9213d25b49”        $sha256_hash14 = “189a16b466bbebba57701109e92e285c2909e8a2”        $sha256_hash15 = “c8aa7a66e87a23e16ecacad6d1337dc4”        $sha256_hash16 = “94e3791e3ceec63a17ca1a52c4a35089”        $sha256_hash17 = “81e6a150d459642f2f3641c5a4621441”        $sha256_hash18 = “6a481f28affc30aef0d3ec6914d239e4”        $sha256_hash19 = “5f6f387edf4dc4382f9953bd57fa4c62”        $sha256_hash20 = “4e8d09ca0543a48f649fce72483777f0

Case Studies

Openai-pc-pro.online

In this scenario, the attacker creates a website that appears to be a legitimate company or organization, such as a bank or a government agency. The website is designed to look and feel authentic, with logos, branding, and other elements that are consistent with the targeted organization.

When a user visits the website, they are prompted to enter their login credentials or other sensitive information. However, instead of simply asking the user to input this information, the website incorporates a ChatGPT-powered chatbot that engages the user in conversation.

The chatbot appears to be a customer service representative or other trusted individual, and the user is prompted to enter their information in a more conversational manner. For example, the chatbot may ask the user questions such as “Can you tell me your name and account number so I can verify your identity?” or “Can you confirm your email address so we can send you a password reset link?”

Because the chatbot uses natural language processing and machine learning algorithms to generate responses, it is able to adapt to the user’s responses and create a convincing and personalized interaction. The user may not realize that they are actually talking to a machine, and may be more likely to trust the chatbot and provide their sensitive information.

Once the attacker has obtained the user’s login credentials or other sensitive information, they can use this information to gain access to the user’s accounts or steal their identity.

To protect against this type of attack, it is important for employees to be aware of the risks associated with phishing and to be cautious when entering sensitive information online. Organizations can also implement technologies that can detect and block suspicious websites or chatbot interactions, and can provide training to employees on how to identify and avoid phishing attempts. By working together, we can continue to stay ahead of emerging threats and keep our digital world safe and secure.

Clip[1].exe

PE Import analysis is one of the methods used in malware analysis to identify malicious code within a binary file. It involves examining the imported functions and APIs used by the binary, which can reveal potential malicious activity.

COMCTL32.DLL:

This is a legitimate Windows library that contains functions related to common controls used in graphical user interfaces (GUIs), such as buttons, scrollbars, and menus. It does not typically contain any malicious code.

COMDLG32.DLL:

This is also a legitimate Windows library that contains functions related to common dialog boxes used in GUIs, such as file open and save dialogs. It does not typically contain any malicious code.

GDI32.dll:

This is another legitimate Windows library that contains functions related to graphical device interfaces (GDIs), which are used for drawing graphics on the screen and printing. It does not typically contain any malicious code.

KERNEL32.dll:

This is a core Windows library that contains functions related to memory management, process management, and system-level functions. It is often targeted by malware because it provides access to many system-level functions. Malware may try to abuse functions in this library to carry out malicious activities, such as process injection, file manipulation, and network communication.

msvcrt.dll:

This is a runtime library for Microsoft Visual C++ that provides functions related to memory allocation, input/output operations, and string manipulation. It does not typically contain any malicious code, but malware may abuse functions in this library to carry out malicious activities, such as memory manipulation and file operations.

USER32.dll:

This is a Windows library that contains functions related to user interface and window management. It is often targeted by malware because it provides access to many user interface functions. Malware may try to abuse functions in this library to carry out malicious activities, such as stealing user input, displaying fake error messages, and manipulating windows.

In summary, while COMCTL32.DLL, COMDLG32.DLL, and GDI32.dll are unlikely to contain malicious code, KERNEL32.dll and USER32.dll are commonly targeted by malware due to the system-level and user interface functions they provide. Msvcrt.dll may also be targeted for its memory manipulation and input/output functions. However, the absence of malicious code in these libraries does not necessarily mean that the system is not compromised, as malware may also use other techniques to hide its presence. Therefore, it is important to analyze other aspects of the system, such as network traffic and system logs, to detect and investigate potential malware infections.

Also General overview of some of the functions mentioned and their potential use in malware:

• CreateToolbarEx: creates a toolbar control that can be used to display buttons or other UI elements
• ImageList_Create: creates an image list that can be used to store and display images
• ImageList_Destroy: destroys an image list and frees associated resources
• ImageList_Remove: removes an image from an image list
• ImageList_ReplaceIcon: replaces an image in an image list with an icon
• ImageList_SetBkColor: sets the background color for an image list
• InitCommonControlsEx: initializes the common controls library for the current application
• GetOpenFileNameA: displays a dialog box that allows the user to select a file to open
• GetSaveFileNameA: displays a dialog box that allows the user to select a file to save
• CreateWaitableTimerW: creates a waitable timer object
• DeleteCriticalSection: deletes a critical section object
• EnterCriticalSection: enters a critical section object
• ExitProcess: terminates the current process
• FindClose: closes a search handle created by FindFirstFileA or FindNextFileA
• FindFirstFileA: finds the first file that matches a specified pattern
• FindNextFileA: finds the next file that matches a specified pattern
• FreeConsole: detaches the calling process from its console
• FreeLibrary: frees the loaded DLL module
• GetCommandLineA: retrieves the command-line string for the current process
• GetLastError: retrieves the calling thread’s last-error code value
• GetModuleFileNameA: retrieves the fully qualified path for the specified module
• GetModuleHandleA: retrieves a module handle for the specified module
• GetProcAddress: retrieves the address of an exported function or variable from the specified dynamic-link library (DLL)
• GetStdHandle: retrieves a handle to the specified standard device
• InitializeCriticalSection: initializes a critical section object
• LeaveCriticalSection: releases ownership of a critical section object
• LoadLibraryA: loads the specified DLL module into the address space of the calling process
• SetUnhandledExceptionFilter: sets a new exception filter function
• SetWaitableTimer: sets a waitable timer to a specified time value
• TlsGetValue: retrieves the value in the calling thread’s thread local storage (TLS) slot for the specified TLS index
• VirtualProtect: changes the access protection of the specified memory region
• VirtualQuery: retrieves information about a range of pages within the virtual address space of a specified process

Here are the steps to perform PE Import analysis to identify malware:

1. Open the binary in a disassembler or analysis tool such as IDA Pro or Ghidra.

2. Look for the Import Address Table (IAT) section in the binary, which lists all of the external functions and libraries that the binary calls during execution.
   
3. Identify any suspicious or malicious libraries or functions being imported. Some common examples of malicious libraries include “kernel32.dll” and “advapi32.dll” because they contain functions that can be used for process injection and privilege escalation.

4. Look for functions that are not typically used by legitimate programs or have suspicious names. For example, functions related to network communication or process manipulation are often used by malware.
   
5. Look for any attempts to obfuscate or hide imports, such as using dynamically loaded libraries or hashing the function names.
   
6. Cross-reference the identified imports with known malware samples or threat intelligence databases to determine if they are associated with known malicious activity.

PE Import analysis is one of the methods used in malware analysis to identify malicious code within a binary file. It involves examining the imported functions and APIs used by the binary, which can reveal potential malicious activity.

Key Notes

1. Obtain a sample of the malicious executable file. This can be done through various means, such as downloading the file from a malicious website, analyzing email attachments or using sandboxing tools.
   
2. Run the sample in a controlled environment, such as a virtual machine or sandbox, to prevent potential damage to the host system. Observe the behavior of the malware, such as whether it modifies files, creates new files, or establishes network connections.
   
3. Use static analysis techniques to examine the code of the malware. This can involve using disassemblers or decompilers to translate the binary code into readable assembly code or higher-level programming language. Look for any suspicious code, such as calls to external libraries or encrypted strings.
   
4. Use dynamic analysis techniques to monitor the behavior of the malware in real-time. This can involve running the malware in a debugger and setting breakpoints at specific points in the code. This can help identify any network connections or calls to system functions.
   
5. Identify the attack vector that was used to deliver the malware to the victim. This can involve analyzing email headers or network traffic logs to determine the source of the malware.

6. Take appropriate actions to contain and remove the malware. This may involve isolating the infected system, deleting infected files, or blocking network traffic to malicious domains.
   
7. Analyze the data collected during the analysis to identify potential indicators of compromise (IoCs). This can involve analyzing network traffic logs, examining system logs, or using threat intelligence feeds to identify any known malicious domains or IP addresses.

8. Share the findings with relevant stakeholders, such as incident response teams or law enforcement agencies, to assist with their investigations.

Resources

• https://otx.alienvault.com/pulse/63f678b56b50c0f7a4720626?utm_userid=white2013&utm_medium=InProduct&utm_source=OTX&utm_content=Email&utm_campaign=new_pulse_from_subscribed