An infostealer has been discovered that mimics a ChatGPT Windows desktop client and is capable of copying saved credentials from Google Chrome's login data folder.
The fake ChatGPT Windows client is distributed as a zip archive containing an infostealer disguised as ChatGPT for Windows Setup 1.0.0.exe; users who download and install it infect themselves with the infostealer.
The client connects to several domains: http://api.telegram.org, http://facebook.com, http://lumtest.com (used to query the geoIP location), http://graph.facebook.com (used to get data into and out of the Facebook platform), and http://api.aiforopen.com. The stolen data is then exfiltrated via Telegram, a multi-platform messaging service.
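As an added example (not code from the alert or the article it summarises), the following Python routine flags the behaviour described above when run over endpoint telemetry: a process other than the browser reading Chrome's Login Data file and then contacting the domains listed in the alert. The event line format and the sample events are assumptions constructed for the example.

```python
"""Flag the two behaviours this alert describes: a process other than the browser
reading Chrome's Login Data file, and that same process contacting the domains
named in the alert (api.telegram.org being the exfiltration channel)."""
import re
from collections import defaultdict

# Domains listed in the alert (scheme stripped); facebook.com also carries benign traffic.
ALERT_DOMAINS = {"api.telegram.org", "facebook.com", "lumtest.com",
                 "graph.facebook.com", "api.aiforopen.com"}
# Processes legitimately expected to open Chrome's credential store.
EXPECTED_READERS = {"chrome.exe"}
LOGIN_DATA_RE = re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.I)

# Constructed sample events (assumed 'key=value|key=value' format, not real telemetry).
SAMPLE_EVENTS = [
    "type=file|proc=chrome.exe|path=C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
    "type=file|proc=ChatGPT for Windows Setup 1.0.0.exe|path=C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
    "type=net|proc=ChatGPT for Windows Setup 1.0.0.exe|host=lumtest.com",
    "type=net|proc=ChatGPT for Windows Setup 1.0.0.exe|host=api.telegram.org",
    "type=net|proc=chrome.exe|host=facebook.com",  # ordinary browsing, must not alert
]

def parse_event(line):
    """Split one 'key=value|key=value' line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split("|"))

def analyse(lines):
    """Return {process: sorted reasons} for processes showing the alert's behaviour."""
    login_data_readers = set()
    net_dests = defaultdict(set)          # process -> hosts contacted
    for line in lines:
        ev = parse_event(line)
        proc = ev["proc"].lower()
        if ev["type"] == "file" and LOGIN_DATA_RE.search(ev["path"]):
            login_data_readers.add(proc)
        elif ev["type"] == "net":
            net_dests[proc].add(ev["host"].lower())
    findings = defaultdict(set)
    for proc in login_data_readers - EXPECTED_READERS:
        findings[proc].add("reads Chrome Login Data")
        if net_dests.get(proc, set()) & ALERT_DOMAINS:
            findings[proc].add("contacts alert domain")   # credential read + exfil path
    for proc, hosts in net_dests.items():
        # Telegram API traffic from a non-browser process is suspicious on its own.
        if "api.telegram.org" in hosts and proc not in EXPECTED_READERS:
            findings[proc].add("unexpected Telegram API traffic")
    return {p: sorted(r) for p, r in findings.items()}
```

Running `analyse(SAMPLE_EVENTS)` reports only the fake installer; chrome.exe reading its own credential store and visiting facebook.com produces no finding.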
Users have expressed great interest in a ChatGPT application for both desktop and mobile devices. Cyber criminals have taken this opportunity to deliver different types of malware, including malicious payloads that hijack and control Facebook Business accounts.
It is advised to avoid downloading from untrusted or unauthorized sources. ChatGPT does not have an official desktop client or mobile application, so any such claims must be treated with caution.
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
PDF Download: Fake ChatGPT Desktop Client steals Chrome Login Data.pdf
Labus, H. (2023, May 2). Fake ChatGPT desktop client steals Chrome login data. Help Net Security. https://www.helpnetsecurity.com/2023/05/02/chatgpt-infostealer/?web_view=true
npm. (n.d.). havelock. https://www.npmjs.com/package/havelock