Since March, Meta has discovered malware using ChatGPT and other AI themes to steal user data and compromise business accounts.

Facebook's parent company, Meta, has issued a warning that hackers are taking advantage of people's interest in ChatGPT and other generative AI applications to trick them into installing malware that pretends to provide AI functionality. Since March, Meta has discovered about 10 malware families using AI themes to compromise business accounts across the internet, including social media business accounts, and has blocked over 1,000 unique ChatGPT-themed malicious URLs from being shared on its platforms.

"Over the past several months, we've investigated and taken action against malware strains taking advantage of people's interest in OpenAI's ChatGPT to trick them into installing malware pretending to provide AI functionality," Meta said in a blog post.

Meta detected malware strains such as DuckTail and NodeStealer being distributed as ChatGPT browser plugins and productivity tools, and attributed them to Vietnam-based hackers.

DuckTail steals browser cookies

One of the malware strains that has increasingly been targeting victims with AI-themed lures is DuckTail. DuckTail steals browser cookies and hijacks Facebook sessions to retrieve victims' account information, such as location data and two-factor authentication codes. Threat actors use it to take over Facebook business accounts the victim has access to, in order to reach the associated Facebook ad accounts.

"In its latest iteration, DuckTail operators, likely in response to our round-the-clock detection terminating stolen sessions, began automatically granting business admin permissions to requests for ad-related actions sent by attackers as an attempt to speed up their operations before we block them," Meta said.

DuckTail is known to target a number of platforms, previously including LinkedIn, using social engineering to trick people into downloading the malware.
Once downloaded, the malware can access users' information stored in browsers including Google Chrome, Microsoft Edge, Brave, and Firefox. Its operators use file-hosting and sharing services such as Dropbox and Mega to host the malware. Meta has issued cease-and-desist letters to the individuals behind the operation and notified law enforcement.

NodeStealer targets Windows browsers

In January, Meta discovered that the NodeStealer malware strain was targeting Windows-based browsers with the goal of stealing cookies and saved login details, such as usernames and passwords, to compromise victims' Facebook, Gmail, and Microsoft Outlook accounts.

"NodeStealer is custom written in JavaScript and bundles the Node.js environment. We assessed the malware to be of Vietnamese origin and distributed by threat actors from Vietnam," Meta said.

Meta identified NodeStealer within two weeks of it being deployed, took action to disrupt it, and helped users who may have been targeted recover their accounts. The company also submitted takedown requests to the domain registrars and hosting providers whose services the threat actors used to distribute the malware.

"These actions led to a successful disruption of the malware. We have not observed any new samples of malware in the NodeStealer family since February 27 of this year and continue monitoring for any potential future activity," Meta said.

New security features for business accounts

In response to the new malware strains that specifically target Facebook business accounts, the company has also launched new security features for those accounts. A new support tool guides users step by step through identifying and removing malware. There are also new controls for business accounts that help them manage, audit, and limit who can become an account administrator. The company will also launch Facebook at Work accounts, through which a business account can be operated without requiring a personal account.
This is likely to be launched later this year.
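Both strains described above are browser credential stealers: DuckTail and NodeStealer read the on-disk cookie and saved-login stores of Chrome, Edge, Brave and Firefox and replay the stolen sessions. The following is an added detection example, written for this page and not code from Meta or from either malware family. It flags any process other than the browser itself opening those stores, and rates a single process that sweeps several browsers' stores (the behaviour the article attributes to DuckTail) as high severity. The event format (one JSON object per line with `pid`, `image` and `target_path`) is a constructed stand-in for an EDR file-access export rather than any vendor's schema, the sample events are constructed, and the installer name `ChatGPT_Plugin_Setup.exe` is a hypothetical lure.

```python
"""Detection rule for non-browser processes reading browser credential stores.

Added example, not code from Meta or from DuckTail/NodeStealer. The event
schema and sample events below are constructed for illustration.
"""
import json
import re

# Executable name each browser legitimately opens its own profile stores with.
BROWSER_EXE = {
    "chrome": "chrome.exe",
    "edge": "msedge.exe",
    "brave": "brave.exe",
    "firefox": "firefox.exe",
}

# Chromium-based browsers share a profile layout under "User Data\<profile>\";
# the cookie DB moved from "Cookies" to "Network\Cookies" in newer releases.
_CHROMIUM_ROOTS = {
    "chrome": r"\\Google\\Chrome\\User Data\\",
    "edge": r"\\Microsoft\\Edge\\User Data\\",
    "brave": r"\\BraveSoftware\\Brave-Browser\\User Data\\",
}
STORE_PATTERNS = [
    (name, re.compile(root + r"[^\\]+\\(?:Network\\Cookies|Cookies|Login Data)$", re.I))
    for name, root in _CHROMIUM_ROOTS.items()
]
# Firefox keeps cookies in cookies.sqlite and saved logins in logins.json
# (decryptable with key4.db), per profile under Mozilla\Firefox\Profiles.
STORE_PATTERNS.append(
    ("firefox", re.compile(
        r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(?:cookies\.sqlite|logins\.json|key4\.db)$", re.I))
)


def store_owner(path):
    """Return which browser owns a credential store at `path`, or None if it is not one."""
    for browser, pattern in STORE_PATTERNS:
        if pattern.search(path):
            return browser
    return None


def detect(ndjson):
    """Run the rule over newline-delimited JSON events; return one alert per suspicious access."""
    alerts = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        browser = store_owner(ev["target_path"])
        if browser is None:
            continue
        exe = ev["image"].rsplit("\\", 1)[-1].lower()
        if exe == BROWSER_EXE[browser]:
            continue  # the browser reading its own profile is normal
        alerts.append({"ts": ev["ts"], "pid": ev["pid"], "image": ev["image"],
                       "browser": browser, "target": ev["target_path"]})
    return alerts


def summarize(alerts):
    """Group alerts by process; one process touching several browsers' stores is the stealer pattern."""
    by_pid = {}
    for a in alerts:
        entry = by_pid.setdefault(a["pid"], {"image": a["image"], "browsers": set(), "stores": 0})
        entry["browsers"].add(a["browser"])
        entry["stores"] += 1
    for entry in by_pid.values():
        entry["severity"] = "high" if len(entry["browsers"]) > 1 else "medium"
    return by_pid


# Constructed sample events: Chrome and Firefox reading their own profiles, an
# unrelated notepad write, and a downloaded "ChatGPT plugin" installer
# (hypothetical name) sweeping the Chrome, Edge and Firefox stores.
SAMPLE_EVENTS = r"""
{"ts":"2023-05-03T10:01:02Z","pid":4120,"image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","target_path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"}
{"ts":"2023-05-03T10:01:05Z","pid":5555,"image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe","target_path":"C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1y2z3w4.default-release\\logins.json"}
{"ts":"2023-05-03T10:02:11Z","pid":9001,"image":"C:\\Windows\\System32\\notepad.exe","target_path":"C:\\Users\\alice\\Documents\\notes.txt"}
{"ts":"2023-05-03T10:03:40Z","pid":7788,"image":"C:\\Users\\alice\\Downloads\\ChatGPT_Plugin_Setup.exe","target_path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"}
{"ts":"2023-05-03T10:03:40Z","pid":7788,"image":"C:\\Users\\alice\\Downloads\\ChatGPT_Plugin_Setup.exe","target_path":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"ts":"2023-05-03T10:03:41Z","pid":7788,"image":"C:\\Users\\alice\\Downloads\\ChatGPT_Plugin_Setup.exe","target_path":"C:\\Users\\alice\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Network\\Cookies"}
{"ts":"2023-05-03T10:03:41Z","pid":7788,"image":"C:\\Users\\alice\\Downloads\\ChatGPT_Plugin_Setup.exe","target_path":"C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1y2z3w4.default-release\\cookies.sqlite"}
"""

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for pid, info in summarize(found).items():
        print(f"pid {pid} {info['image']}: {info['stores']} store reads across "
              f"{sorted(info['browsers'])} -> {info['severity']}")
```

Two caveats for anyone turning this into a production rule: the allowlist keys on the executable's file name only, so a stealer dropped as `chrome.exe` would pass, and a real rule should pin the browser to its signed image path instead; and a stealer that copies the whole store to a temp directory before parsing it shows up as a file-copy event on the same paths, which the same `store_owner` match catches if the telemetry reports copies as well as reads.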