ESET Threat Report: ChatGPT Name Abuses, Lumma Stealer Malware Increases, Android SpinOk SDK Spyware’s Prevalence


Threat mitigation tips are provided for each of these cybersecurity risks.

Cybersecurity company ESET has released its H2 2023 Threat Report, and we’re highlighting three particularly interesting topics from it: the abuse of the ChatGPT name by cybercriminals, the rise of the Lumma Stealer malware and the Android SpinOk SDK spyware.


ChatGPT name is being abused by cybercriminals

In the second half of 2023, ESET blocked 650,000 attempts to access malicious domains whose names include “chatgpt” or a similar string, in an apparent reference to the ChatGPT chatbot.

One of the scams involves the OpenAI API for ChatGPT. The API requires a personal API key that must be carefully protected and never exposed, yet some apps ask users to supply their API key so the application can use ChatGPT on their behalf. As ESET’s researchers wrote, “if the app sends your key to the developer’s server, there may be little to no guarantee that your key will not be leaked or misused, even if the call to the OpenAI API is also made.”

A “ChatGPT Next Web” web application cited as an example by ESET has been installed on 7,000 servers. It is unknown whether this app was created as part of a ChatGPT API key phishing campaign or was exposed on the internet for another reason.

Use of the API key is billed by OpenAI. So once in possession of someone’s personal API key, and depending on that user’s or organization’s subscription, an attacker could use it for their own needs without paying; the attacker could also resell it to other cybercriminals.
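The defensive counterpart to the scenario above is catching a key before it leaves the user’s machine for a server that is not OpenAI’s. The following Python snippet is an added example written for this article, not code from ESET or OpenAI: it scans text (a config file, an outbound request body) for OpenAI-style keys, redacts them for safe logging, and flags a request that carries a key but is addressed to some other host. The `sk-`/`sk-proj-` prefixes are real OpenAI key prefixes; the minimum length in the pattern, the allowlisted host, and every sample value are constructed for the example.

```python
import re

# OpenAI secret keys are prefixed "sk-" (project-scoped keys "sk-proj-").
# The 20-character minimum is an assumption chosen to avoid matching short tokens.
OPENAI_KEY_RE = re.compile(r"\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}\b")

# Constructed samples as a local DLP hook or log pipeline might see them. Key values are fake.
SAMPLE_CONFIG = 'OPENAI_API_KEY="sk-TESTKEYabcdefghijklmnopqrstuvwxyz0123"\nLOG_LEVEL=info\n'
SAMPLE_REQUEST = (
    "POST https://updates.plugin-vendor.example/collect\n"
    '{"user": "alice", "openai_key": "sk-proj-TESTKEY000000000000000000000000", "prompt": "hi"}'
)
SAMPLE_CLEAN = "GET https://api.openai.com/v1/models\nAuthorization: Bearer [redacted by client]\n"


def find_api_keys(text: str) -> list:
    """Return every OpenAI-style key found in text, in order of appearance."""
    return OPENAI_KEY_RE.findall(text)


def redact(text: str) -> str:
    """Replace each key with its prefix plus the last four characters so logs stay useful but safe."""
    def _mask(m):
        k = m.group(0)
        return k[:3] + "..." + k[-4:]
    return OPENAI_KEY_RE.sub(_mask, text)


def key_sent_to_third_party(request_text: str, first_party_hosts=("api.openai.com",)) -> bool:
    """True when a request carries an OpenAI key but is addressed to a host other than OpenAI's API.

    This is exactly the pattern the ESET quote warns about: the app forwarding the user's
    key to the developer's own server. The request line format is a constructed assumption.
    """
    first_line = request_text.splitlines()[0] if request_text else ""
    m = re.search(r"https?://([^/\s]+)", first_line)
    host = m.group(1).lower() if m else ""
    return bool(find_api_keys(request_text)) and host not in first_party_hosts


if __name__ == "__main__":
    print("config keys:", find_api_keys(SAMPLE_CONFIG))
    print("redacted:", redact(SAMPLE_CONFIG).splitlines()[0])
    print("key leaves to third party:", key_sent_to_third_party(SAMPLE_REQUEST))
```

The same regex can be dropped into a pre-commit hook or a log shipper; the `key_sent_to_third_party` check is the host-based rule an outbound proxy would apply.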

In addition, the second half of 2023 saw many ChatGPT-inspired domain names all leading to malicious Google Chrome browser extensions detected as “JS/Chromex.Agent.BZ”. One example is gptforchrome(.)com, which leads to such a malicious extension (Figure A).

Figure A

Malicious Chrome extension detected as JS/Chromex.Agent.BZ. Image: ESET

Recommendations related to these ChatGPT security risks

Users should be educated to recognize such threats and avoid browsing suspicious websites related to ChatGPT. They should protect their private ChatGPT API key and never share it.
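The 650,000 blocked domain accesses above are the kind of signal a defender can hunt for in their own DNS or proxy logs. The Python below is an added example for this article, not ESET’s detection logic: it scores hostnames that trade on the ChatGPT or OpenAI name, ignores the legitimate domains, and runs over a constructed resolver log. It also accepts report-style defanged names such as gptforchrome(.)com. The allowlist and the log format are assumptions for the example.

```python
import re

# Domains legitimately associated with ChatGPT. A constructed allowlist for the
# example; an organisation would maintain its own.
ALLOWED_DOMAINS = {"openai.com", "chatgpt.com"}

# Brand tokens in a hostname label. "gpt" alone is only a weak hint.
STRONG_TOKENS = ("chatgpt", "openai")
WEAK_TOKENS = ("gpt",)

# Constructed resolver log lines: <timestamp> <client> <queried name>
SAMPLE_DNS_LOG = """\
2023-11-02T09:14:07Z 10.0.4.21 chat.openai.com
2023-11-02T09:14:09Z 10.0.4.21 gptforchrome.com
2023-11-02T09:15:31Z 10.0.4.37 chatgpt-free-download.example
2023-11-02T09:16:02Z 10.0.4.37 api.openai.com
2023-11-02T09:17:45Z 10.0.4.52 www.chatgpt.com
2023-11-02T09:18:11Z 10.0.4.52 openai-login.example
2023-11-02T09:19:00Z 10.0.4.60 intranet.corp.example
"""


def refang(host: str) -> str:
    """Turn defanged hosts like 'gptforchrome(.)com' or 'foo[.]com' back into real hostnames."""
    return re.sub(r"[\(\[]\.[\)\]]", ".", host.strip().lower().rstrip("."))


def is_allowed(host: str) -> bool:
    """True when host is an allowlisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)


def score_host(host: str) -> int:
    """0 = not ChatGPT-themed or legitimate, 1 = weak hint ('gpt'), 2 = brand token on a non-brand domain."""
    host = refang(host)
    if is_allowed(host):
        return 0
    labels = host.split(".")
    if any(tok in label for label in labels for tok in STRONG_TOKENS):
        return 2
    if any(tok in label for label in labels for tok in WEAK_TOKENS):
        return 1
    return 0


def flag_dns_log(log_text: str, min_score: int = 1) -> list:
    """Return (client, host, score) for every query to a ChatGPT-themed host that is not allowlisted."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of crashing the hunt
        _ts, client, qname = parts
        s = score_host(qname)
        if s >= min_score:
            hits.append((client, refang(qname), s))
    return hits


if __name__ == "__main__":
    for client, host, s in flag_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} -> {host} (score {s})")
```

Score 2 hits are worth blocking outright; score 1 hits are better used to drive a lookup against threat intelligence, since plenty of benign names contain “gpt”.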

Lumma Stealer malware-as-a-service is going strong

In H2 2023, malicious cryptominers declined by 21% in the cryptocurrency-related malware threat landscape, according to ESET; cryptostealers, however, rose by more than 68% over the same period, the researchers wrote.


This sharp increase was driven by a single specific threat: Lumma Stealer, also known as LummaC2 Stealer. This malware-as-a-service threat targets multiple cryptocurrency wallets as well as users’ credentials and two-factor authentication browser extensions. It also has exfiltration capabilities, making it a tool that could be used for financial fraud as well as for cyberespionage.

According to ESET, deployments of Lumma Stealer tripled between H1 and H2 2023. Several tiers are offered for the malware, with prices ranging from $250 USD to $20,000 USD. The highest tier gives the buyer access to the complete C source code for the malware. The buyer is also allowed to resell the malware independently of its developer.

The Lumma Stealer malware shares a common code base with the infamous Mars, Arkei and Vidar information stealers and was most likely developed by the same author, according to cybersecurity company Sekoia.

Several distribution vectors are used to spread Lumma Stealer; ESET observed these methods in the wild: cracked software installations, YouTube, fake browser update campaigns, Discord’s content delivery network and installation via the third-party malware loader Win/TrojanDownloader.Rugmi.

Tips for protecting against such malware threats

It is strongly recommended to always keep operating systems and their software up to date and patched, to avoid being compromised by any common vulnerability that could lead to a malware infection. And users should never be allowed to download and install software without proper review by the organization’s IT team.
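Two of the distribution vectors ESET lists, payloads staged on Discord’s CDN and fake browser update campaigns, leave a recognizable trace in web proxy logs. The Python below is an added example for this article, not ESET’s or any vendor’s detection: it classifies downloads in a constructed proxy log and raises an alert for an installer fetched from a file-sharing CDN or a “browser update” binary served from a host that is not a browser vendor. `cdn.discordapp.com` is Discord’s real attachment host; the vendor allowlist, the log format and all sample URLs are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Installer and archive extensions whose download from an untrusted source is worth a look.
EXECUTABLE_EXT = (".exe", ".msi", ".zip", ".rar", ".7z", ".iso")

# File-sharing hosts abused to stage payloads; Discord's CDN is named in the report.
FILE_SHARING_HOSTS = {"cdn.discordapp.com", "media.discordapp.net"}

# Hosts a browser update may legitimately come from. Constructed allowlist for the
# example; replace with the vendors actually deployed in your fleet.
BROWSER_VENDOR_HOSTS = {"dl.google.com", "download.mozilla.org"}

# Filenames that imitate a browser update prompt.
UPDATE_LURE_RE = re.compile(r"(browser|chrome|firefox|edge)[-_]?update", re.I)

# Constructed proxy log lines: <time> <client> <method> <url> <status>
SAMPLE_PROXY_LOG = """\
2023-12-01T10:01:02Z 10.0.8.11 GET https://cdn.discordapp.com/attachments/1/2/Setup_Crack.exe 200
2023-12-01T10:02:44Z 10.0.8.11 GET https://cdn.discordapp.com/attachments/1/3/photo.png 200
2023-12-01T10:04:19Z 10.0.8.23 GET https://dl.google.com/chrome/install/ChromeSetup.exe 200
2023-12-01T10:05:03Z 10.0.8.23 GET https://cms-static.example/assets/chrome-update.exe 200
2023-12-01T10:06:50Z 10.0.8.40 GET https://intranet.corp.example/tools/agent.msi 200
"""


def classify_download(url: str):
    """Return a reason string when the URL matches one of the report's distribution patterns, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    filename = parts.path.rsplit("/", 1)[-1]
    is_executable = filename.lower().endswith(EXECUTABLE_EXT)
    if is_executable and host in FILE_SHARING_HOSTS:
        return "executable fetched from a file-sharing CDN"
    if is_executable and UPDATE_LURE_RE.search(filename) and host not in BROWSER_VENDOR_HOSTS:
        return "browser-update lure served from a non-vendor host"
    return None


def hunt_proxy_log(log_text: str) -> list:
    """Return (client, host, filename, reason) for each suspicious download in the log."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines instead of aborting the hunt
        _ts, client, _method, url, _status = fields
        reason = classify_download(url)
        if reason:
            parts = urlsplit(url)
            alerts.append((client, parts.hostname, parts.path.rsplit("/", 1)[-1], reason))
    return alerts


if __name__ == "__main__":
    for client, host, filename, reason in hunt_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} downloaded {filename} from {host}: {reason}")
```

Neither rule is a verdict on its own; both produce leads that pair naturally with the IT-review requirement above, since a download that was never approved is exactly what these alerts surface.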

Android SpinOk SDK is a spyware standout

A mobile marketing software development kit, detected as the SpinOk spyware by ESET, became the seventh most detected Android threat of H2 2023 and the most prevalent kind of spyware for the period.

The SpinOk SDK offered developers a gaming platform intended to monetize application traffic. Multiple developers integrated the SDK into their apps, including apps already available on official Android marketplaces. When running, the application starts behaving as spyware and connects to a command & control server before beginning to extract data from the Android device, including potentially sensitive clipboard content, according to ESET.

The malicious code includes features to try to stay unnoticed. It uses the device’s gyroscope and magnetometer to determine whether it is running in a virtual or lab environment; if so, it changes its behavior in an attempt to avoid detection by researchers.

The SDK has been integrated into various legitimate Android applications. In fact, 101 Android apps have used the malicious SDK, with more than 421 million cumulative downloads, as reported in May 2023 by cybersecurity company Doctor Web, which contacted Google; Google then removed all those applications from the Google Play Store. The company responsible for SpinOk contacted Doctor Web and updated its module to version 2.4.2, which removed all the spyware features.

A company called Roaster Earn described how it ended up installing the SDK in its own application. Essentially, the company was approached by OkSpin, the business responsible for the SpinOk SDK, with a “revenue growth program,” which it accepted, before Google notified it that its app had been removed because it contained spyware. This case is once again a reminder of the complex problem of including third-party code in software, a practice increasingly abused by cybercriminals.

How to mitigate the risk of using third-party code in software

  • Review the third-party code for any anomalies, when possible. This may help avoid adopting code that contains malicious content or functionality.
  • Use static analysis tools to identify potential vulnerabilities or suspicious behaviors.
  • Monitor network traffic for any suspicious or unexpected connections.
  • Scrutinize the reputation of the code provider and feedback about the company, as well as any security certifications or audits the provider may share.
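The second checklist item, static analysis of third-party code, can be made concrete with the SpinOk behaviors described earlier: sensor-based environment checks, clipboard reading and a network path out. The Python below is an added example for this article, not SpinOk’s code or any vendor’s scanner: it searches decompiled source for those three indicator groups and rates an SDK higher when all of them occur together. `Sensor.TYPE_GYROSCOPE`, `Sensor.TYPE_MAGNETIC_FIELD`, `ClipboardManager`, `getPrimaryClip` and `HttpURLConnection` are real Android framework identifiers; the SDK names and source snippets are constructed and stand in for whatever a decompiler such as jadx would produce.

```python
import re

# Indicator groups mirroring the SpinOk behaviour described in the report.
# Patterns are regular expressions over decompiled Java source.
INDICATORS = {
    "sensor_env_check": [r"Sensor\.TYPE_GYROSCOPE", r"Sensor\.TYPE_MAGNETIC_FIELD"],
    "clipboard_read": [r"ClipboardManager", r"getPrimaryClip"],
    "network": [r"HttpURLConnection", r"okhttp3\.OkHttpClient", r"java\.net\.Socket"],
}

# Constructed snippets standing in for the decompiled source of two bundled SDKs.
# Neither is real SDK code; the package names are placeholders.
SDK_SOURCES = {
    "com.example.ads_sdk": """
        SensorManager sm = (SensorManager) ctx.getSystemService(Context.SENSOR_SERVICE);
        Sensor gyro = sm.getDefaultSensor(Sensor.TYPE_GYROSCOPE);
        Sensor mag = sm.getDefaultSensor(Sensor.TYPE_MAGNETIC_FIELD);
        ClipboardManager cm = (ClipboardManager) ctx.getSystemService(Context.CLIPBOARD_SERVICE);
        String clip = cm.getPrimaryClip().getItemAt(0).getText().toString();
        HttpURLConnection c = (HttpURLConnection) new URL(endpoint).openConnection();
    """,
    "com.example.analytics": """
        HttpURLConnection c = (HttpURLConnection) new URL(endpoint).openConnection();
        c.setRequestMethod("POST");
    """,
}


def find_indicators(source: str) -> dict:
    """Map each indicator group to the API names actually present in the source."""
    found = {}
    for group, patterns in INDICATORS.items():
        hits = [p.replace("\\", "") for p in patterns if re.search(p, source)]
        if hits:
            found[group] = hits
    return found


def risk_rating(found: dict) -> str:
    """Rate by co-occurrence: evasion + collection + exfiltration path is the SpinOk combination."""
    groups = set(found)
    if {"sensor_env_check", "clipboard_read", "network"} <= groups:
        return "high"
    if {"clipboard_read", "network"} <= groups:
        return "medium"
    return "low"


def review_sdks(sources: dict) -> dict:
    """Return {sdk_name: rating} for every SDK whose decompiled source is supplied."""
    return {name: risk_rating(find_indicators(src)) for name, src in sources.items()}


if __name__ == "__main__":
    for name, rating in review_sdks(SDK_SOURCES).items():
        print(f"{name}: {rating} ({', '.join(find_indicators(SDK_SOURCES[name]))})")
```

A high rating is a triage lead, not proof of spyware: a game may legitimately read the gyroscope and a note-taking app the clipboard. The value is in surfacing an advertising or monetization SDK that needs none of these capabilities yet bundles all three, which is the question a reviewer then puts to the SDK vendor.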

Disclosure: I work for Trend Micro, but the views expressed in this post are mine.

