FraudGPT, and Other Malicious Chatbots

Summary: AI-powered chatbots have been growing ever since the release of ChatGPT. The recent release of the malicious GPT-based chatbot, WormGPT has now been superseded with the release of FraudGPT. A user named “CanadianKingpin12 ” on hacker forums posted that FraudGPT is a tool for fraudsters, hackers, and spammers. The post shows that the chatbot can be used to help create malware.

The poster of “FraudGPT” claims to be developing an AI chatbot named DarkBERT using datasets from Google’s Bard, as well as training its own version of S12W’s DarkBERT. Having access to different Large Language Models allows the attacker to create different types of malwares due to the different training provided. These in turn will produce different malicious tools and phishing pages. More importantly, these will allow malicious actors various choices to sell to other threat actors.

Why it matters: The growth of generative Artificial Intelligence (AI) has led to their usage as malicious tools. Although it is an inevitable event that two separate industries interact, it remains a worry by threat researchers that AI and Large Language models (LLM) will be used for malicious purposes. Dr. Chung, the Head of AI and the author of DarkBERT at S2W, stated that despite the posts by “CanadianKingpin12”, it is unlikely, but not impossible, for the malicious actor to successfully train a chatbot using DarkBERT due to pre-processing of data and model training. This announcement by the creator of DarkBERT indicates that the different LLM’s used by different threat actors have vastly different data sets which could provide large variations of the malware and malicious suggestions to attackers. Despite the attempts of AI researchers to prevent malicious chatbots from being created using their LLM, it is still possible for malicious actors to refine what is available to them to create new tools such as FraudGPT.

PhishForce and Facebook

Summary: Hackers have exploited a zero-day vulnerability in Salesforce’s email services to target Facebook accounts for phishing attacks. Researchers at “” have discovered that malicious actors are using Salesforce’s servers to email users using the “Meta Platforms” subject line. The email informs the user that there is suspicious activity on the account and a button is shown which is designed to steal the user’s credentials and 2FA information.

The emails sent by the malicious actors bypass the standard protective mechanisms used by email providers such as Google, which marks the email as “Important”. Links on the email redirect to a phishing Facebook support page hosted on Facebook’s gaming platform. Hosting the site on the actual Facebook website as well as setting the email as a valid Salesforce email address gives the attackers a convincing sense of legitimacy. Although Facebook now prevents accounts from using gaming pages as landing pages, legacy accounts still have access if they used the platform prior to its deprecation on July 2020.

Why it matters: Normally, anti-phishing mechanisms from Salesforce, Google, and Facebook work together as multiple controls to prevent phishing attacks from being successful. However, the Salesforce vulnerability being exploited by PhishForce tricks Salesforce servers into believing the email is legitimate, which in turn also tricks Google’s filters. The usage of Facebook’s gaming platform adds another layer to trick users into convincing them that the page is authentic as it is held in the Facebook domain. A big concern for this attack is that not only does the attack steal the user’s credentials, but also the user’s two-factor authentication (2FA) which is designed to prevent unauthorized access. Rather than use new tools, this attack exploits the webpage’s own design making it harder to detect. Attacks such as these are reminders for users to check not only URLs but the web pages for out-of-place artifacts such as a “Gaming” logo on a support page.

New LOL Opportunities

Summary: A researcher, Nir Chako, at Pentera downloaded the over 150 Windows executables listed in the LOLBAS project and discovered three new files that could be used as downloaders for third-party files. The detected files are MsoHtmEd.exe, MSPub.exe, and ProtocolHandler.exe.  Additional research revealed that the Microsoft files MSPub.exe, Outlook.exe and MSAccess.exe can download third-party payloads as well as JetBrains’s PyCharm which includes “elevator.exe”.

The researcher at Pentera developed a tool to automate the detection and verification of files’ vulnerability of LOLBAS. The Pentera researcher said “Using this automated method, we managed to find six more downloaders! All in all, we discovered nine new downloaders! That’s almost a 30% increase in the official LOLBAS downloaders list”. The automation tool created by the researcher is reportedly platform and operating system agnostic, meaning it can be run in other operating systems including virtual machines.

Why it matters: LOLBAS stands for “Living-Off-the-Land Binaries-And-Scripts” and is a technique used by hackers to infiltrate systems using only authentic and legitimate files, binaries, and scripts in the system. Using existing files helps mask the activity of threat actors due to the lack of separate malicious tools in the system. By using the built-in files, attackers can use them to download more malicious files. The research done by Nir Chako reveals that even Windows binaries and popular programs such as Outlook are vulnerable. This revelation indicates that even signed files can be used for malicious intent if a system is breached by a threat actor.

Hackers Use New Malware to Breach Air-Gapped Devices in Eastern Europe

Summary: Chinese state actors known as the cyber espionage group APT31, also known as Zirconium, have been conducting a series of stealthy attacks on industrial organizations in Eastern Europe. The attacks, first detected by cybersecurity company researchers at Kaspersky in April of the previous year, utilize a multi-stage approach and have raised significant concerns about the security of air-gapped systems. As part of the attack’s three-step approach, the initial phase deploys at least 15 different implants that belong to the “FourteenHi” malware family to infiltrate the targeted systems.

In the second stage of the attack, APT31 employs specialized malware to specifically target air-gapped systems. Using USB propagation, the hackers infect removable drives and use them as a pathway to breach the isolated networks. The third and final stage of the attack involves the use of implants that can upload the collected data to the hackers’ command and control (C2) servers. This data may contain valuable intellectual property, sensitive information, or other critical data stolen from compromised organizations.

Why it matters: Air-gapped systems are an attractive target for APT groups, who typically turn to USB drives to deliver malware and exfiltrate data from the isolated environment. To avoid detection and analysis, APT31 employed advanced tactics, such as hiding payloads and malicious code in binary data files and the memory of legitimate applications. The stolen files are archived using WinRAR (if not available, the malware exits) and then stored in temporary local folders created by the malware under “C:\ProgramData\NetWorks\.” Ultimately, the archives are exfiltrated to Dropbox.

PaperCut Critical Flaw Being Exploited by Hackers

Summary: Being tracked as CVE-2023-39143, the flaw impacts PaperCut NG/MF prior to version 22.1.3. It has been described as a combination of a path traversal and file upload vulnerability. The flaw results from a chain of two path traversal weaknesses discovered by Horizon3 security researchers that enable threat actors to read, delete, and upload arbitrary files on compromised systems following low-complexity attacks that don’t require user interaction.

While it only impacts servers in non-default configurations where the external device integration setting is toggled, Horizon3 stated: “This setting is on by default with certain installations of PaperCut, such as the PaperCut NG Commercial version or PaperCut MF. Based on sample data we have collected at Horizon3 from real-world environments, we estimate that the vast majority of PaperCut installations are running on Windows with the external device integration setting turned on.”

Why it matters: The settings that make this exploit work are enabled by default and should be patched immediately. This threat also does not require attackers to have any prior privileges to exploit, and no user interaction is required.

Admins can use the following command to check if a server is vulnerable to CVE-2023-39143 attacks and is running on Windows (a 200 response indicates the server needs patching):

curl -w “%{http_code}” -k –path-as-is “https://<IP>:<port>/custom-report-example/..\..\..\deployment\sharp\icons\home-app.png”

Admins who cannot immediately install security updates (as Horizon3 advises) can add only the IP addresses that need access to an allowlist using these instructions. A Shodan search shows that roughly 1,800 PaperCut servers are currently exposed online, although not all are vulnerable to CVE-2023-39143 attacks.

Security Tip of the Month – Chrome User Alert for Malware

Summary: Google has announced plans to add a new feature in the upcoming version of its Chrome web browser (version 117) will proactively alert users when an extension they have installed has been removed from the Chrome Web Store. As the page explains, there are three primary scenarios for such an occurrence:

  1. The developer intentionally unpublished the extension.
  2. The extension was removed due to a violation of Chrome Web Store policy.
  3. The extension was flagged as malware.

Chrome’s update aims to prioritize user safety without mistakenly affecting legitimate extensions. If an identified issue is resolved, the associated notification will be automatically removed. These safety notifications will prominently feature within the “Privacy and security” section of Chrome’s settings. Extensions that are determined to be malware will be automatically disabled.

Why it matters: Google has announced a plethora of changes coming to Chrome 117, however this is arguably the most significant update for security that Google has made to Chrome in several months. Google is known for constantly updating its browser to ensure its safety, and this change allows for users to be confident in the extensions that they download from the Chrome store are up to date. It’s important to note though extensions downloaded from third-party sites are not afforded these same protections, therefore it is imperative if users are permitted to download extensions, they be restricted to doing so only from the Chrome store, or from company-approved third-party sites.