Cybercriminals are exploiting ChatGPT’s popularity by creating a fake download site that delivers malware to Windows and macOS users, as reported by Cyber Security News. This malicious campaign uses sponsored search results to lure individuals seeking legitimate AI tools.
The fraudulent website, openew[.]app, closely mimics OpenAI’s branding, offering download options for Windows, macOS, and a Chrome extension. While the Chrome extension redirects to a legitimate source, the Windows and macOS installers contain trojanized payloads.
The Windows installer, named Chat_GPT.exe, uses an Inno Setup installer to deploy an Electron-based application. Despite its legitimate appearance, inconsistencies such as mismatched metadata and a code-signing certificate issued to an unrelated entity raise red flags.
Static analysis reveals that the application bundles a Chromium-based runtime with an obfuscated JavaScript payload. The script, identified as winter.js, employs heavily obfuscated logic, making analysis challenging. The malware includes Node.js modules like child_process, fs, and systeminformation, indicating capabilities for system reconnaissance, file manipulation, and command execution.
Dynamic analysis shows the malware uses CAPTCHA-based gating to evade automated detection. Upon CAPTCHA completion, it spawns multiple PowerShell processes with execution flags suggesting staged payload delivery. The malware creates a Chromium-style profile in `%AppData%\Satoshi` to maintain persistence and store data such as cookies and cache files.
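The indicators described above lend themselves to a simple triage script. The following is an added example, not code from the article or from Cyber Security News: it scans a constructed JavaScript fragment for the Node.js modules named in the static analysis, flags PowerShell processes spawned by an application living under a user-writable AppData path (the article does not name the exact PowerShell flags that were observed, so the `-EncodedCommand` and `-WindowStyle Hidden` flags in the sample event are assumptions), and looks for files under the reported `%AppData%\Satoshi` profile directory. All sample inputs are constructed and hypothetical.

```python
import re
from typing import Dict, List

# Constructed fragment standing in for an unpacked Electron bundle.
# It is not the real winter.js; only the require() calls matter here.
SAMPLE_BUNDLE = r'''
var a=require("child_process"),b=require("fs"),c=require("systeminformation");
var d=require("path");
'''

# Node.js modules that a supposed chat client has little reason to load.
SUSPICIOUS_MODULES = {
    "child_process": "command execution",
    "fs": "file manipulation",
    "systeminformation": "system reconnaissance",
}

REQUIRE_RE = re.compile(r'require\(\s*["\']([^"\']+)["\']\s*\)')


def required_modules(bundle: str) -> List[str]:
    """Return the sorted set of module names pulled in via require()."""
    return sorted(set(REQUIRE_RE.findall(bundle)))


def static_findings(bundle: str) -> Dict[str, str]:
    """Map each suspicious module found in the bundle to the capability it implies."""
    return {m: SUSPICIOUS_MODULES[m]
            for m in required_modules(bundle) if m in SUSPICIOUS_MODULES}


# Constructed process-creation events (parent image, child image, command line).
# Only the first one mirrors the reported behaviour; the others are benign controls.
SAMPLE_EVENTS = [
    {"parent": r"C:\Users\alice\AppData\Local\Programs\ChatGPT\Chat_GPT.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand SQBFAFgA"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
    {"parent": r"C:\Users\alice\AppData\Local\Programs\ChatGPT\Chat_GPT.exe",
     "image": r"C:\Users\alice\AppData\Local\Programs\ChatGPT\Chat_GPT.exe",
     "cmdline": "Chat_GPT.exe --type=renderer"},
]

# PowerShell switches commonly paired with staged, hidden execution (assumed, not from the article).
STAGING_FLAGS = ("-windowstyle hidden", "-executionpolicy bypass", "-encodedcommand")


def is_powershell(image: str) -> bool:
    return image.lower().endswith(("powershell.exe", "pwsh.exe"))


def powershell_spawn_findings(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag PowerShell launched by a parent that lives under a user-writable AppData path."""
    findings = []
    for ev in events:
        if not is_powershell(ev["image"]):
            continue
        parent = ev["parent"].lower()
        if "\\appdata\\" not in parent:
            continue
        cmd = ev["cmdline"].lower()
        findings.append({
            "parent": ev["parent"],
            "flags": [f for f in STAGING_FLAGS if f in cmd],
        })
    return findings


# Constructed file paths; %AppData% expands to C:\Users\<user>\AppData\Roaming.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\Satoshi\Default\Cookies",
    r"C:\Users\alice\AppData\Roaming\Satoshi\Cache\data_0",
    r"C:\Users\alice\AppData\Roaming\Code\User\settings.json",
]

SATOSHI_PROFILE_RE = re.compile(r"\\appdata\\roaming\\satoshi(\\|$)")


def persistence_findings(paths: List[str]) -> List[str]:
    """Return paths inside the reported %AppData%\\Satoshi profile directory."""
    return [p for p in paths if SATOSHI_PROFILE_RE.search(p.lower())]


def triage(bundle: str, events: List[Dict[str, str]], paths: List[str]) -> Dict[str, object]:
    """Combine the three checks into one report; any non-empty section is worth a closer look."""
    return {
        "static": static_findings(bundle),
        "process": powershell_spawn_findings(events),
        "persistence": persistence_findings(paths),
    }


if __name__ == "__main__":
    for section, hits in triage(SAMPLE_BUNDLE, SAMPLE_EVENTS, SAMPLE_PATHS).items():
        print(section, hits)
```

Each check is deliberately narrow: the module scan raises a question rather than a verdict (legitimate Electron apps do use `fs`), while a PowerShell child of an AppData-resident parent combined with hidden or encoded execution, or any file under the reported profile path, is the kind of correlation a SOC rule would alert on.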
Notably, the embedded network configurations reference legitimate DNS-over-HTTPS services like Cloudflare and Google, blending malicious traffic into normal encrypted DNS traffic to obscure command-and-control communications.
This incident underscores the importance of downloading software exclusively from official sources. Users should remain vigilant against sponsored search results and verify the authenticity of download sites to protect their systems from malware.
Source: Cyber Security News