Kaspersky uncovers PipeMagic backdoor attacks businesses in Saudi Arabia through fake ChatGPT application

0
63
Kaspersky uncovers PipeMagic backdoor attacks businesses in Saudi Arabia through fake ChatGPT application
Kaspersky uncovers PipeMagic backdoor attacks businesses in Saudi Arabia through fake ChatGPT application

Deploying a backdoor that both extracts sensitive data and enables full remote access to compromised devices.

October 9, 2024: Kaspersky’s Global Research and Analysis Team (GReAT) has recently discovered a new malicious campaign involving the PipeMagic Trojan, which has shifted from targeting entities in Asia to expanding its reach to organizations in Saudi Arabia. The attackers are using a fake ChatGPT application as bait, deploying a backdoor that both extracts sensitive data and enables full remote access to compromised devices. The malware also operates as a gateway, enabling the introduction of additional malware and the launch of further attacks across the corporate network.

Kaspersky initially discovered the PipeMagic backdoor in 2022; this plugin-based trojan was targeting entities in Asia at that time. The malware is capable of functioning as both a backdoor and a gateway. In September 2024, Kaspersky’s GReAT observed a resurgence of PipeMagic, this time targeting organizations in Saudi Arabia.

This version uses a fake ChatGPT application, built with the Rust programming language. At first glance, it appears legitimate, containing several common Rust libraries used in many other Rust-based applications. However, when executed, the application displays a blank screen with no visible interface and hides a 105,615-byte array of encrypted data, which is a malicious payload.

In the second stage, the malware searches for key Windows API functions by searching the corresponding memory offsets using the name hashing algorithm. It then allocates memory, loads the PipeMagic backdoor, adjusts necessary settings, and executes the malware.

One of the unique features of PipeMagic is that it generates a 16-byte random array to create a named pipe in the format \\.\pipe\1.<hex string>. It spawns a thread that continuously creates this pipe, reads data from it, and then destroys it. This pipe is used for receiving encoded payloads and stop signals via the default local interface. PipeMagic usually works with multiple plugins downloaded from a command-and-control (C2) server, which, in this case, was hosted on Microsoft Azure.

“Cybercriminals are constantly evolving their strategies to reach more prolific victims and broaden their presence, as demonstrated by the PipeMagic Trojan’s recent expansion from Asia to Saudi Arabia. Given its capabilities, we expect to see an increase in attacks leveraging this backdoor,’ comments Sergey Lozhkin, Principal Security Researcher at Kaspersky’s GReAT.

In order to avoid falling victim to a targeted attack by a known or unknown threat actor, Kaspersky researchers recommend implementing the following measures:

  • Be cautious when downloading software from the internet, especially if it’s from a third-party website. Always try to download software from the official website of the company or service that you are using.
  • Provide your SOC team with access to the latest threat intelligence (TI). Kaspersky Threat Intelligence is a single point of access for the company’s TI, providing it with cyberattack data and insights gathered by Kaspersky spanning over 20 years.
  • Upskill your cybersecurity team to tackle the latest targeted threats with Kaspersky online training developed by GReAT experts.
  • For endpoint-level detection, investigation, and timely remediation of incidents, implement EDR solutions such as Kaspersky Next.
  • In addition to adopting essential endpoint protection, implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as the Kaspersky Anti-Target Attack Platform.
  • As many targeted attacks start with phishing or other social engineering techniques, introduce security awareness training and teach practical skills to your team.
  • To gain exclusive insights into the latest APT campaigns and emerging trends in the threat landscape, register for the Security Analyst Summit here.

Also readViksit Workforce for a Viksit Bharat

Do FollowCIO News LinkedIn Account | CIO News Facebook | CIO News Youtube | CIO News Twitter 

About us:

CIO News is the premier platform dedicated to delivering the latest news, updates, and insights from the CIO industry. As a trusted source in the technology and IT sector, we provide a comprehensive resource for executives and professionals seeking to stay informed and ahead of the curve. With a focus on cutting-edge developments and trends, CIO News serves as your go-to destination for staying abreast of the rapidly evolving landscape of technology and IT. Founded in June 2020, CIO News has rapidly evolved with ambitious growth plans to expand globally, targeting markets in the Middle East & Africa, ASEAN, USA, and the UK.

CIO News is a proprietary of Mercadeo Multiventures Pvt Ltd.