PipeMagic Trojan Exploits Fake ChatGPT App to Target Saudi Arabian Organizations


Kaspersky’s Global Research and Analysis Team (GReAT) has disclosed a new campaign distributing the PipeMagic Trojan, a sophisticated backdoor with evolving capabilities. This campaign, which marks an expansion of the malware’s geographic targeting from Asia to Saudi Arabia, utilizes a deceptive ChatGPT application as the initial infection vector.

“Cybercriminals are constantly evolving their strategies to reach more prolific victims and broaden their presence, as demonstrated by the PipeMagic Trojan’s recent expansion from Asia to Saudi Arabia,” states Sergey Lozhkin, Principal Security Researcher at Kaspersky’s GReAT. “Given its capabilities, we expect to see an increase in attacks leveraging this backdoor.”


A blank screen displayed by fake application | Image: Kaspersky

The lure, a fake ChatGPT application developed in Rust, leverages common Rust libraries to evade initial detection. However, upon execution, the application presents a blank screen while concealing a 105,615-byte encrypted data array containing the malicious payload.

In the subsequent stage, the malware employs a name hashing algorithm to locate key Windows API functions, enabling it to allocate memory, load the PipeMagic backdoor, configure settings, and initiate the malware.
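The name-hashing step means the loader never stores strings such as "VirtualAlloc"; it stores a numeric hash and walks a DLL's export table until a name hashes to the same value. Analysts defeat this by precomputing a reverse table of hashes for all known exports. The script below is an added illustration, not Kaspersky's or the malware's code; the article does not give PipeMagic's actual hash function, so the common ROR13 routine is used as an assumed stand-in, and the export list is a constructed sample an analyst would normally dump from the real DLLs.

```python
# Added analysis helper: resolve hashed Windows API names seen in a loader.
# ASSUMPTION: ROR13 is a stand-in; PipeMagic's real algorithm is not given
# in the article and must be recovered from the sample before use.

def ror13_hash(name: str) -> int:
    """32-bit rotate-right-13 hash over the ASCII bytes of an export name."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF  # rotate right by 13 bits
        h = (h + b) & 0xFFFFFFFF                   # add the next character
    return h


# Constructed sample of exports; a real run would list every export of
# kernel32.dll, ntdll.dll, etc. using a PE parser such as pefile.
CANDIDATE_EXPORTS = [
    "VirtualAlloc", "VirtualProtect", "LoadLibraryA", "GetProcAddress",
    "CreateNamedPipeA", "ConnectNamedPipe", "CreateThread",
    "WriteFile", "ReadFile", "CloseHandle",
]


def build_lookup(names):
    """Map hash -> export name; report collisions, which would make a hit ambiguous."""
    table, collisions = {}, []
    for n in names:
        h = ror13_hash(n)
        if h in table and table[h] != n:
            collisions.append((h, table[h], n))
        table[h] = n
    return table, collisions


def resolve_hashes(hash_constants, table):
    """Translate hash constants pulled from the binary back to API names."""
    return {h: table.get(h, "<unresolved>") for h in hash_constants}


if __name__ == "__main__":
    table, collisions = build_lookup(CANDIDATE_EXPORTS)
    # Pretend these constants were read out of the loader's resolver routine.
    observed = [ror13_hash("VirtualAlloc"), ror13_hash("CreateNamedPipeA"), 0xDEADBEEF]
    for h, name in resolve_hashes(observed, table).items():
        print(f"0x{h:08X} -> {name}")
    print("collisions:", collisions)
```

A hit on VirtualAlloc followed by CreateNamedPipeA in the resolved sequence is the kind of pattern that corroborates the loader behaviour described above during triage.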

PipeMagic exhibits distinctive characteristics, including the generation of a 16-byte random array used to establish a named pipe for covert communication and command execution. This pipe facilitates the retrieval of encoded payloads and stop signals from a command-and-control (C2) server, which, in this instance, was identified as being hosted on Microsoft Azure.
