News Heading - 1

FraudGPT: Rise of a New AI-Driven Malicious Chatbot

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

A new generative AI tool, “FraudGPT”, has been advertised across dark web marketplaces and Telegram channels since July 22, 2023.

The tool, discovered by security researchers at Netenrich, is reportedly designed to help cybercriminals in their malicious activities. Although the specific large language model (LLM) used to build it is currently unknown, it is designed to help attackers craft spear-phishing emails and pages, write malicious code, create undetectable malware, find vulnerable markets and websites, and offer tutorials on hacking.

“If you’re looking for a ChatGPT alternative designed to provide a wide range of exclusive tools, features and capabilities tailored to anyone’s individual needs with no boundaries then look no further,” advertised the attacker on Telegram.

The threat actor identified by the cybersecurity company was previously an established vendor on various dark web marketplaces, including EMPIRE, WHM, VERSUS, TORREZ, WORLD, and ALPHABAY. However, to avoid the problems associated with marketplace exit scams, the vendor set up a presence on Telegram to offer uninterrupted service.

Netenrich’s investigation revealed that FraudGPT is offered as a subscription service, starting at $200 a month, $1,000 for six months, or $1,700 per year. The vendor also claims more than 3,000 confirmed sales and reviews.

According to security experts, the release of generative AI tools like FraudGPT and WormGPT is a rising concern for governments and organizations across the world. These malicious alternatives to ChatGPT can be powerful tools in the hands of both expert criminals and tech novices looking to target individuals and organizations for espionage or financial gain.

To detect and combat such AI-enabled phishing, organizations need to provide advanced security awareness training, as well as phishing behavior change training, across all departments.

“Implementing a defense-in-depth strategy with all the security telemetry available for fast analytics has become all the more essential to finding these fast-moving threats before a phishing email can turn into ransomware or data exfiltration,” noted the advisory.

News Heading - 2

SafeChat Spyware Compromises Android Libraries to Exfiltrate Sensitive User Data

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

An Android spyware known as SafeChat, designed specifically to target users in the South Asia region, was recently discovered by security researchers at CYFIRMA.

In an advisory, the Singapore-based cybersecurity company revealed that the dubious Android chat app is the creation of the Indian Advanced Persistent Threat (APT) group “Bahamut”. Active since 2017, the group is known for espionage and phishing campaigns delivered via malicious Android and iOS applications.

Initially named Coverlm, the spyware can interact with and steal data from other messenger applications already installed on the device, such as Telegram, Signal, and Facebook Messenger. It can also exploit Android libraries to steal contacts, call logs, device details, keystrokes, and GPS location, and to intercept text messages on victims’ mobile devices.

CYFIRMA did not disclose the social engineering details of the attack; however, the advisory noted that the spear-phishing campaign typically begins with the spyware being delivered directly to the unsuspecting victim through WhatsApp.

The SafeChat payload, disguised as a genuine chat application, deceives the target into installing it under the pretext of moving to a more secure messaging platform. To add credibility, the carefully designed interface walks the victim through an apparently legitimate registration process.

The app also requires the user to grant various permissions, which the attacker later abuses to extract sensitive information and transfer it to a command and control (C2) server. The spyware additionally asks the victim to exempt it from battery optimization, which allows the app to communicate with the C2 server without interruption.
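The permission profile described above can be used as a triage heuristic when vetting a suspicious chat app. The Python below is an added example, not CYFIRMA’s code: it parses a constructed AndroidManifest.xml and flags the combination of data-theft permissions, an accessibility service (the usual keystroke-capture route) and a battery-optimization exemption. The permission names are standard Android ones; mapping them to the advisory’s reported capabilities is this example’s assumption.

```python
"""Manifest triage keyed to the data the spyware above collects (contacts, call
logs, location, keystrokes) and the battery-optimization exemption it requests.
Added illustrative example; the sample manifest is constructed, not SafeChat's."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Permission -> capability it grants, matching what the advisory reports.
PERMISSIONS_OF_INTEREST = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.READ_SMS": "text messages",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "persistent C2",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return the sensitive capabilities requested plus a verdict.

    A chat app legitimately needs contacts; what this flags is the
    combination of data-theft permissions, an accessibility service
    (keystroke capture) and a battery-optimization exemption (persistent C2).
    """
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    findings = {label for perm, label in PERMISSIONS_OF_INTEREST.items()
                if perm in requested}
    # A service bound with BIND_ACCESSIBILITY_SERVICE sees every UI event,
    # which is the usual keystroke-capture route on Android.
    if any(s.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERMISSION
           for s in root.iter("service")):
        findings.add("keystrokes")
    suspicious = "persistent C2" in findings and len(findings) >= 3
    return {"findings": sorted(findings), "suspicious": suspicious}


# Constructed manifest resembling the permission profile described above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application>
    <service android:name=".KeyService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
```

Run `triage_manifest(SAMPLE_MANIFEST)` to see the findings; in practice the manifest would come from decoding the APK, and the threshold should be tuned to the app category being vetted.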

The stolen data is encrypted and stored by the attacker using modules that support RSA, ECB, and OAEPPadding. In addition, a Let’s Encrypt certificate is used to evade network interception methods deployed against the operation.

CYFIRMA researchers’ analysis also revealed that the threat actors behind this campaign operate from Indian territory and have links to a particular nation-state government. Their research further showed an association between Bahamut and the notorious APT group DoNot: both employ similar tactics and techniques, rely on Android malware, and target the same region.