Risk mitigation tips are provided for each of these cybersecurity threats.
Cybersecurity company ESET released its H2 2023 threat report, and we’re highlighting three particularly interesting topics in it: the abuse of the ChatGPT name by cybercriminals, the rise of the Lumma Stealer malware and the Android SpinOk SDK spyware.
The ChatGPT name is being abused by cybercriminals
In the second half of 2023, ESET blocked 650,000 attempts to access malicious domains whose names include “chatgpt” or a similar string, in an apparent reference to the ChatGPT chatbot.
One of the frauds involves the OpenAI API for ChatGPT. The API requires a private API key that must be carefully protected and never exposed by users, yet some apps ask users to provide their API keys so the applications can use ChatGPT on their behalf. As ESET researchers wrote, “if the app sends your key to the developer’s server, there may be little to no guarantee that your key will not be leaked or misused, even if the call to the OpenAI API is also made.”
A “ChatGPT Next Web” web application, cited as an example by ESET, has been found installed on 7,000 servers. It is unknown whether this app was created as part of a phishing campaign for ChatGPT API keys or was exposed on the internet for another reason.
Use of the API key is billed by OpenAI. So once in possession of someone’s private API key, and depending on the user’s or company’s subscription, an attacker might use it for their own needs without paying; the attacker might also resell it to other cybercriminals.
In addition, the second half of 2023 saw many ChatGPT-inspired domain names, all leading to malicious Google Chrome browser extensions detected as “JS/Chromex.Agent.BZ”. One example is gptforchrome(.)com, which leads to such a malicious extension (Figure A).
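One way a client application can avoid the pattern ESET describes is to fail closed whenever the user's private key would travel anywhere other than OpenAI itself. The following is an added example, not code from ESET or from any app in the report; the allowed host list and the `sk-` key prefix check are assumptions that an organisation running its own approved gateway would need to adjust.

```python
import re
from urllib.parse import urlsplit

# Hosts to which a user's private OpenAI key may legitimately be sent.
# Assumption: the client calls OpenAI directly. An app developer's own
# backend is deliberately absent, which is the leak pattern ESET warns about.
ALLOWED_KEY_HOSTS = frozenset({"api.openai.com"})

# OpenAI secret keys start with "sk-"; the remainder is a deliberately loose match.
KEY_PATTERN = re.compile(r"sk-[A-Za-z0-9_\-]{16,}")


class KeyLeakError(RuntimeError):
    """Raised when a request would carry the private key to a non-OpenAI host."""


def authorized_headers(url: str, api_key: str) -> dict:
    """Build request headers, attaching the key only for an HTTPS call to OpenAI."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https" or host not in ALLOWED_KEY_HOSTS:
        raise KeyLeakError(f"refusing to send API key to {parts.scheme}://{host}")
    return {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}


def check_outbound(url: str, body: str, api_key: str) -> None:
    """Fail closed if key material sits in a body bound for any other host
    (the 'app sends your key to the developer's server' case)."""
    host = (urlsplit(url).hostname or "").lower()
    if host not in ALLOWED_KEY_HOSTS and (api_key in body or KEY_PATTERN.search(body)):
        raise KeyLeakError(f"API key found in request body to {host}")


def redact(text: str) -> str:
    """Mask key material before it reaches logs, crash reports or telemetry."""
    return KEY_PATTERN.sub("sk-[REDACTED]", text)
```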
Recommendations related to these ChatGPT security threats
Users should be educated to recognize such threats and to avoid browsing suspicious websites related to ChatGPT. They must keep their private ChatGPT API key secure and never share it.
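User education can be complemented by a simple detection over web proxy logs that flags hostnames borrowing the ChatGPT or OpenAI name. This is an added example, not ESET's detection logic: the official domain list, the brand token list and the sample log lines are all constructed assumptions to be tuned for a given environment.

```python
from urllib.parse import urlsplit

# Domains that legitimately carry the ChatGPT/OpenAI name (assumption: extend
# with any vendor or gateway domains your organisation has approved).
OFFICIAL_SUFFIXES = ("openai.com", "chatgpt.com")

# Brand strings seen in lookalike hostnames. Hyphens and underscores are
# stripped before matching so "chat-gpt" and "chat_gpt" collapse onto "chatgpt".
# Illustrative list, not a complete one.
BRAND_TOKENS = ("chatgpt", "chatgtp", "chatgbt", "gptchat", "gptfor", "gpt4", "openai")

# Constructed proxy log sample: epoch  client-ip  method  url
SAMPLE_LOG = """\
1703001200.123 10.0.0.5 GET https://chat.openai.com/backend-api/conversation
1703001201.456 10.0.0.7 GET https://gptforchrome.com/install
1703001202.789 10.0.0.9 GET https://chat-gpt-login.example/auth
1703001203.001 10.0.0.5 POST https://api.openai.com/v1/chat/completions
1703001204.555 10.0.0.11 GET https://docs.example.org/chatgpt-guide
"""


def is_official(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in OFFICIAL_SUFFIXES)


def is_lookalike(host: str) -> bool:
    """True for a non-official hostname that borrows a ChatGPT/OpenAI brand string."""
    host = host.lower().rstrip(".")
    if is_official(host):
        return False
    flat = host.replace("-", "").replace("_", "")
    return any(tok in flat for tok in BRAND_TOKENS)


def scan_proxy_log(log_text: str) -> list:
    """Return (client, host) pairs for requests to lookalike domains.
    Only the hostname is inspected: a brand string in the URL path (a docs page
    about ChatGPT, say) is not evidence of a lookalike domain."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        host = urlsplit(fields[3]).hostname or ""
        if is_lookalike(host):
            hits.append((fields[1], host))
    return hits
```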
Lumma Stealer malware-as-a-service is going strong
In H2 2023, malicious cryptominers declined by 21% in the cryptocurrency malware threat landscape, according to ESET; however, cryptostealers rose by more than 68% over the same period, the researchers wrote.
This sharp increase was caused by a single specific threat: Lumma Stealer, also known as LummaC2 Stealer. This malware-as-a-service threat targets multiple cryptocurrency wallets as well as users’ credentials and two-factor authentication browser extensions. It also has exfiltration capabilities, making it a tool that might be used for financial fraud as well as for cyberespionage.
According to ESET, deployments of Lumma Stealer tripled between H1 and H2 2023. Multiple tiers are offered for the malware, with prices ranging from $250 USD to $20,000 USD. The highest tier gives the buyer access to the full C source code of the malware and allows the buyer to resell it independently of its developer.
The Lumma Stealer malware shares a common code base with the infamous Mars, Arkei, and Vidar information stealers and is very likely developed by the same author, according to cybersecurity company Sekoia.
Various distribution vectors are used to spread Lumma Stealer; ESET observed these methods in the wild: cracked software installations, YouTube, fake browser update campaigns, Discord’s content delivery network, and installation via the third-party malware loader Win/TrojanDownloader.Rugmi.
Tips for protecting against such malware threats
It is highly recommended to always keep operating systems and their software up to date and patched, to avoid being compromised through any common vulnerability that could lead to a malware infection. Users should also never be allowed to download and install software without proper analysis by the organization’s IT team.
Android SpinOk SDK is a spyware standout
A mobile marketing software development kit, identified as the SpinOk spyware by ESET, climbed to become the seventh most detected Android threat in H2 2023 and the most prevalent type of spyware for the period.
The SpinOk SDK offered developers a gaming platform intended to monetize application traffic. Multiple developers incorporated the SDK into their apps, including apps already available on official Android marketplaces. Once running, the application starts acting as spyware: it connects to a command and control server before extracting data from the Android device, including potentially sensitive clipboard content, according to ESET.
The malicious code includes features that try to keep it undetected. It uses the device’s gyroscope and magnetometer to determine whether it is running in a virtual or lab environment; if so, it changes its behavior in an attempt to avoid detection by researchers.
The SDK has been incorporated into various legitimate Android applications. In fact, 101 Android apps had used the malicious SDK, with more than 421 million cumulative downloads, as reported in May 2023 by cybersecurity company Doctor Web, which contacted Google; Google then removed all those applications from the Google Play Store. The company responsible for SpinOk contacted Doctor Web and updated its module to version 2.4.2, which removed all the spyware features.
A company called Roaster Earn explained how it ended up installing the SDK in its own application. Essentially, it was approached by OkSpin, the company responsible for the SpinOk SDK, with a “revenue growth program,” which it accepted, before Google notified it that its app had been removed because it contained spyware. This case is once again a reminder of the complex problem of incorporating third-party code into software, a practice increasingly abused by cybercriminals.
How to mitigate the risk of using third-party code in software
- Analyze third-party code for anomalies whenever possible. This can help avoid adopting code that contains malicious content or functionality.
- Use static analysis tools to detect potential vulnerabilities or suspicious behavior.
- Monitor network traffic for anything suspicious or unexpected.
- Scrutinize the reputation of the code provider and feedback about the organization, as well as any security certifications or audits the provider can share.
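As an added illustration of the first two tips, the following heuristic scanner looks through decompiled Android sources for the combination of behaviours ESET attributes to SpinOk (clipboard collection, sensor-based environment checks and network egress) and escalates files that show all of them. This is example code written for this article, not ESET's or Doctor Web's tooling; the indicator patterns are real Android API names, but the category list is illustrative and the two sample source files are constructed.

```python
import re

# Indicator categories drawn from the behaviour described for SpinOk: clipboard
# collection, sensor-based sandbox checks, emulator fingerprinting and network
# egress. Patterns are Android API names; the list is illustrative, not complete.
INDICATORS = {
    "clipboard": re.compile(r"ClipboardManager|getPrimaryClip\("),
    "sensor_env_check": re.compile(r"TYPE_GYROSCOPE|TYPE_MAGNETIC_FIELD"),
    "emulator_check": re.compile(r'Build\.FINGERPRINT|Build\.HARDWARE|"goldfish"|"generic"'),
    "network": re.compile(r"HttpURLConnection|openConnection\(|okhttp3\.|WebView"),
}
REVIEW_THRESHOLD = 3  # categories in one file before escalating for manual review

# Constructed sample of two decompiled source files: a third-party SDK class
# bundling all the behaviours, and a benign app class that only uses the network.
SAMPLE_SOURCES = {
    "com/thirdparty/adsdk/Collector.java": """
        ClipboardManager cm = (ClipboardManager) ctx.getSystemService(Context.CLIPBOARD_SERVICE);
        String clip = cm.getPrimaryClip().getItemAt(0).getText().toString();
        Sensor gyro = sm.getDefaultSensor(Sensor.TYPE_GYROSCOPE);
        Sensor mag = sm.getDefaultSensor(Sensor.TYPE_MAGNETIC_FIELD);
        if (Build.FINGERPRINT.startsWith("generic")) { return; }
        HttpURLConnection c = (HttpURLConnection) new URL(endpoint).openConnection();
    """,
    "com/example/app/NewsFeed.java": """
        HttpURLConnection c = (HttpURLConnection) new URL(feedUrl).openConnection();
    """,
}


def classify_file(source: str) -> set:
    """Return the set of indicator categories present in one source file."""
    return {name for name, rx in INDICATORS.items() if rx.search(source)}


def scan_sources(sources: dict) -> dict:
    """Map each file to its categories and a verdict. Clipboard access combined
    with at least two other categories is what warrants review here: the pairing
    of data collection with environment checks and egress, as described for SpinOk."""
    report = {}
    for path, src in sources.items():
        cats = classify_file(src)
        verdict = "review" if "clipboard" in cats and len(cats) >= REVIEW_THRESHOLD else "ok"
        report[path] = {"categories": sorted(cats), "verdict": verdict}
    return report
```

Network use alone is expected in almost any app, which is why the verdict keys on clipboard access plus two further categories rather than on any single indicator.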
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.