www.darkreading.com Open in urlscan Pro
2606:4700::6811:7663  Public Scan

Form analysis
0 forms found in the DOM

Text Content

The Edge
DR Tech
Sections
Close
Back
Sections
Featured Sections
The Edge
Dark Reading Technology
Attacks / Breaches

Cloud

ICS/OT

Remote Workforce

Perimeter

Analytics
Security Monitoring

Security Monitoring
App Sec
Database Security

Database Security
Risk
Compliance

Compliance
Threat Intelligence

Endpoint
AuthenticationMobile SecurityPrivacy

AuthenticationMobile SecurityPrivacy
Vulnerabilities / Threats
Advanced ThreatsInsider ThreatsVulnerability Management

Advanced ThreatsInsider ThreatsVulnerability Management
Operations
Identity & Access ManagementCareers & People

Identity & Access ManagementCareers & People
Physical Security

IoT

Black Hat news
Omdia Research
Security Now
Events
Close
Back
Events
Events
 * Black Hat USA - August 5-10 - Learn More
   
 * Black Hat Asia - May 9-12 - Learn More
   

Webinars
 * Expert Advice for Getting the Most from Security Orchestration, Automaton &
   Response Enterprise Tools
   Apr 13, 2023
 * SBOMS and the Modern Enterprise Software Supply Chain
   Apr 18, 2023

Resources
Close
Back
Resources
Dark Reading Library >
Webinars >
Reports >
Slideshows >
White Papers >
Partner Perspectives: Microsoft
Tech Library >

Newsletter

The Edge
DR Tech
Sections
Close
Back
Sections
Featured Sections
The Edge
Dark Reading Technology
Attacks / Breaches

Cloud

ICS/OT

Remote Workforce

Perimeter

Analytics
Security Monitoring

Security Monitoring
App Sec
Database Security

Database Security
Risk
Compliance

Compliance
Threat Intelligence

Endpoint
AuthenticationMobile SecurityPrivacy

AuthenticationMobile SecurityPrivacy
Vulnerabilities / Threats
Advanced ThreatsInsider ThreatsVulnerability Management

Advanced ThreatsInsider ThreatsVulnerability Management
Operations
Identity & Access ManagementCareers & People

Identity & Access ManagementCareers & People
Physical Security

IoT

Black Hat news
Omdia Research
Security Now
Events
Close
Back
Events
Events
 * Black Hat USA - August 5-10 - Learn More
   
 * Black Hat Asia - May 9-12 - Learn More
   

Webinars
 * Expert Advice for Getting the Most from Security Orchestration, Automaton &
   Response Enterprise Tools
   Apr 13, 2023
 * SBOMS and the Modern Enterprise Software Supply Chain
   Apr 18, 2023

Resources
Close
Back
Resources
Dark Reading Library >
Webinars >
Reports >
Slideshows >
White Papers >
Partner Perspectives: Microsoft
Tech Library >
The Edge
DR Tech
Sections
Close
Back
Sections
Featured Sections
The Edge
Dark Reading Technology
Attacks / Breaches

Cloud

ICS/OT

Remote Workforce

Perimeter

Analytics
Security Monitoring

Security Monitoring
App Sec
Database Security

Database Security
Risk
Compliance

Compliance
Threat Intelligence

Endpoint
AuthenticationMobile SecurityPrivacy

AuthenticationMobile SecurityPrivacy
Vulnerabilities / Threats
Advanced ThreatsInsider ThreatsVulnerability Management

Advanced ThreatsInsider ThreatsVulnerability Management
Operations
Identity & Access ManagementCareers & People

Identity & Access ManagementCareers & People
Physical Security

IoT

Black Hat news
Omdia Research
Security Now
Events
Close
Back
Events
Events
 * Black Hat USA - August 5-10 - Learn More
   
 * Black Hat Asia - May 9-12 - Learn More
   

Webinars
 * Expert Advice for Getting the Most from Security Orchestration, Automaton &
   Response Enterprise Tools
   Apr 13, 2023
 * SBOMS and the Modern Enterprise Software Supply Chain
   Apr 18, 2023

Resources
Close
Back
Resources
Dark Reading Library >
Webinars >
Reports >
Slideshows >
White Papers >
Partner Perspectives: Microsoft
Tech Library >

--------------------------------------------------------------------------------

Newsletter
SEARCH
A minimum of 3 characters are required to be typed in the search bar in order to
perform a search.




Announcements
 1. 
 2. 
 3. 

Event
How to Launch a Threat Hunting Program | Webinar <REGISTER>
Event
How to Accelerate XDR Outcomes: Bridging the Gap Between Network and Endpoint |
Webinar <REGISTER>
Report
Black Hat USA 2022 Attendee Report | Supply Chain & Cloud Security Risks Are Top
of Mind | <READ IT NOW>
PreviousNext

Attacks/Breaches

4 MIN READ

News



ATTACKERS HIDE REDLINE STEALER BEHIND CHATGPT, GOOGLE BARD FACEBOOK ADS

The campaign shrouds the commodity infostealer in OpenAI files in a play that
aims to take advantage of the growing public interest in AI-based chatbots.
Elizabeth Montalbano
Contributor, Dark Reading
April 11, 2023
Source: Greg Guy via Alamy Stock Photo
PDF


Cybercriminals are posting what appear to be legitimate sponsored ads on
hijacked Facebook business and community pages, which promise free downloads of
AI chatbots such as ChatGPT and Google Bard. Instead, users download the
well-known, info-stealing malware called RedLine Stealer, the researchers have
found.



RedLine Stealer is a malware-as-a-service (MaaS) platform sold via online hacker
forums that targets browsers to collect various data saved by the user,
including credentials and payment-card details, as well as taking a system
inventory to assess the attack surface for performing further attacks. It also
can perform other malicious functions besides just info stealing, such as
uploading and downloading files, and executing commands. This gives attackers,
even with limited sophistication, various options for performing a range of
cyberattacks, researchers at Veriti said.

They spotted the recent campaign in January, which aims to take advantage of the
growing popularity of emerging AI platforms, according to a report published
April 11. The researchers then followed the campaign through its peak in March.

"These posts are designed to appear legitimate, using the buzz around OpenAI
language models to trick unsuspecting users into downloading the files," Veriti
researchers wrote in the report. "However, once the user downloads and extracts
the file, the RedLine Stealer malware is activated and can steal passwords and
download further malware onto the user's device."



The commodity malware is an inspired choice for the campaign considering it
costs only $100 to $150 to buy it on the Dark Web, which gives attackers a
significant return on investment (ROI) for their cybercriminal activity, the
researchers said.



"In addition, by exploiting Facebook business accounts and their exposed
passwords, the attackers were able to target a vast number of users and
potentially gain access to sensitive information at a relatively low cost," the
Veriti research team tells Dark Reading.


DANGERS OF TROJANIZED AI APPS 

Soon after the AI-based chatbot ChatGPT came on the scene in November, the
chatter began about the various ways attackers can exploit it for malicious
purposes. While some believe that this threat is being overhyped, the RedLine
campaign could be a sign of more related attacks on the horizon.

Rather than taking advantage of AI-based capabilities of the chatbots
themselves, the attackers here take advantage of recent developments in the
ability to package the AI in various forms, opening the door for creating
trojanized downloads. 



"One of the most concerning risks associated with generative AI platforms is the
ability to package the AI in a file (e.g., as mobile applications or as open
source), which creates the perfect excuse for malicious actors to trick naïve
downloaders," the researchers explained. 

The attackers in this case package RedLine Stealer into an OpenAI or Google Bard
downloadable file, leading unsuspecting users to download the malware instead of
the promised AI app that lured them to click on the post, the researchers said.

"The potential impact of such attacks is significant, as hackers could steal
confidential data, compromise financial accounts, or even disrupt critical
infrastructure," they wrote in the report. "Moreover, these attacks are becoming
more sophisticated, making detecting and preventing them harder."

Dozens of Facebook business accounts in at least 10 countries already have been
hijacked for the purpose of distributing RedLine Stealer through the malicious
posts, the researchers said. Greece is the country where attackers reach the
highest number of Facebook users, followed by India, the US, Mexico, and
Bangladesh, according to the report.

However, the bulk of the campaign's "top attacks" took place in the US, where
77% of them occurred, according to the report. The country with the next-highest
percentage of top attacks was Canada, with 9%, followed by Mexico (6%), India
(4%), and Portugal (2%).


PROTECTING THE ENTERPRISE FROM MALICIOUS DOWNLOADS

Veriti recommends a "comprehensive approach to cybersecurity" that includes
educating employees on the risk of downloading and opening files from unknown
sources, alongside "robust security configurations" to help avoid compromising
enterprise systems if users inadvertently install an infostealer, such as
Redline, on a corporate desktop.

One of the first steps organizations can take is to limit the download of
executables and enforce strict policies that require sandboxing every executable
before it is downloaded, the researchers said. "This can significantly reduce
the risk of malicious files infecting a system," they tell Dark Reading.

Additionally, disabling data exfiltration can prevent attackers from stealing
sensitive information, while enabling anti-malware can detect and remove
malicious files before they can cause any damage, the researchers said.

However, researchers note that any measures to educate employees or set policies
around files downloaded from the Internet "should complement an organization's
existing cybersecurity protections, such as firewalls, intrusion detection and
prevention systems, and regular security updates."

The team adds, "Organizations can significantly reduce the likelihood of a
successful attack by implementing these best practices and educating employees
on the risks."

Vulnerabilities/ThreatsThreat Intelligence
Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities,
data breach information, and emerging trends. Delivered daily or weekly right to
your email inbox.
Subscribe

More Insights
White Papers
 * 
   The Essential Guide to Secure Web Gateway
 * 
   Unit 42 Retainer

More White Papers
Webinars
 * 
   Expert Advice for Getting the Most from Security Orchestration, Automaton &
   Response Enterprise Tools
 * 
   SBOMS and the Modern Enterprise Software Supply Chain

More Webinars
Reports
 * 
   The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
 * 
   Shoring Up the Software Supply Chain Across Enterprise Applications

More Reports

Editors' Choice
Rethinking Cybersecurity's Structure & the Role of the Modern CISO
Justin Fimlaid, CEO, NuHarbor Security
Apps for Sale: Cybercriminals Sell Android Hacks for Up to $20K a Pop
Nate Nelson, Contributing Writer, Dark Reading
How Password Managers Can Get Hacked
Stu Sjouwerman, Founder & CEO, KnowBe4, Inc.
High-Stakes Ransomware Response: Know What Cards You Hold
Elizabeth Montalbano, Contributor, Dark Reading
Webinars
 * Expert Advice for Getting the Most from Security Orchestration, Automaton &
   Response Enterprise Tools
 * SBOMS and the Modern Enterprise Software Supply Chain
 * How Supply Chain Attacks Work -- And What You Can Do to Stop Them
 * How to Accelerate XDR Outcomes: Bridging the Gap Between Network and Endpoint
 * How to Launch a Threat Hunting Program

More Webinars
Reports
 * The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
 * Shoring Up the Software Supply Chain Across Enterprise Applications
 * The Promise and Reality of Cloud Security
 * 10 Hot Talks From Black Hat USA 2022
 * How Machine Learning, AI & Deep Learning Improve Cybersecurity

More Reports

White Papers
 * The Essential Guide to Secure Web Gateway
 * Unit 42 Retainer
 * Cloud Incident Response Datasheet
 * Transform Your Security Strategy
 * The CISOs Report: Perspectives, Challenges, and Plans for 2022 and Beyond

More White Papers
Events
 * Black Hat USA - August 5-10 - Learn More
 * Black Hat Asia - May 9-12 - Learn More

More Events
More Insights
White Papers
 * 
   The Essential Guide to Secure Web Gateway
 * 
   Unit 42 Retainer

More White Papers
Webinars
 * 
   Expert Advice for Getting the Most from Security Orchestration, Automaton &
   Response Enterprise Tools
 * 
   SBOMS and the Modern Enterprise Software Supply Chain

More Webinars
Reports
 * 
   The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
 * 
   Shoring Up the Software Supply Chain Across Enterprise Applications

More Reports

DISCOVER MORE FROM INFORMA TECH

 * Interop
 * InformationWeek
 * Network Computing
 * ITPro Today

 * Data Center Knowledge
 * Black Hat
 * Omdia

WORKING WITH US

 * About Us
 * Advertise
 * Reprints

FOLLOW DARK READING ON SOCIAL

 * 
 * 
 * 
 * 
 * 
 * 


 * Home
 * Cookies
 * Privacy
 * Terms



Copyright © 2023 Informa PLC Informa UK Limited is a company registered in
England and Wales with company number 1072954 whose registered office is 5
Howick Place, London, SW1P 1WG.





Cookies Button


ABOUT COOKIES ON THIS SITE

We and our partners use cookies to enhance your website experience, learn how
our site is used, offer personalised features, measure the effectiveness of our
services, and tailor content and ads to your interests while you navigate on the
web or interact with us across devices. By clicking "Continue" or continuing to
browse our site you are agreeing to our and our partners use of cookies. For
more information seePrivacy Policy

CONTINUE




COOKIES PREFERENCE CENTER

When you visit any website, it may store or retrieve information on your
browser, mostly in the form of cookies. This information might be about you,
your preferences or your device and is mostly used to make the site work as you
expect it to. The information does not usually directly identify you, but it can
give you a more personalized web experience. Because we respect your right to
privacy, you can choose not to allow some types of cookies. Click on the
different category headings to find out more and change our default settings.
However, blocking some types of cookies may impact your experience of the site
and the services we are able to offer.
More information
Allow All


MANAGE CONSENT PREFERENCES

STRICTLY NECESSARY COOKIES

Always Active

These cookies are necessary for the website to function and cannot be switched
off in our systems. They are usually only set in response to actions made by you
which amount to a request for services, such as setting your privacy
preferences, logging in or filling in forms.    You can set your browser to
block or alert you about these cookies, but some parts of the site will not then
work. These cookies do not store any personally identifiable information.

PERFORMANCE COOKIES

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and
improve the performance of our site. They help us to know which pages are the
most and least popular and see how visitors move around the site.    All
information these cookies collect is aggregated and therefore anonymous. If you
do not allow these cookies we will not know when you have visited our site, and
will not be able to monitor its performance.

FUNCTIONAL COOKIES

Functional Cookies

These cookies enable the website to provide enhanced functionality and
personalisation. They may be set by us or by third party providers whose
services we have added to our pages.    If you do not allow these cookies then
some or all of these services may not function properly.

TARGETING COOKIES

Targeting Cookies

These cookies may be set through our site by our advertising partners. They may
be used by those companies to build a profile of your interests and show you
relevant adverts on other sites.    They do not store directly personal
information, but are based on uniquely identifying your browser and internet
device. If you do not allow these cookies, you will experience less targeted
advertising.

Back Button


BACK



Search Icon
Filter Icon

Clear
checkbox label label
Apply Cancel
Consent Leg.Interest
checkbox label label
checkbox label label
checkbox label label

Confirm My Choices