The outwardly legitimate application hides a dangerous backdoor that steals data.
First seen attacking Asian companies in 2022, the PipeMagic Trojan is now targeting organizations in Saudi Arabia. In September 2024, Kaspersky GReAT specialists recorded a new wave of malware activity: a backdoor capable of stealing sensitive data and providing remote access to compromised devices is being introduced into corporate networks under the guise of the ChatGPT application.
Cyberattacks in the new wave use a fake ChatGPT application written in the Rust programming language. Externally, the application looks legitimate and contains several standard Rust libraries often used in software development. However, when the application is launched, a blank screen appears, behind which an array of encrypted data of 105,615 bytes is hidden. It is in this encrypted block that the malware is located. It searches for key features of the Windows API by looking for matching memory offsets using a name hashing algorithm, and then loads the backdoor, configures the necessary parameters, and runs it.
Attackers continue to improve their methods and expand the geography of attacks. PipeMagic's campaign shows the expansion of the Trojan's activities from Asia to Saudi Arabia. Experts warn that the number of attacks using this backdoor is likely to increase in the near future.
Source
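The post says the loader finds Windows API functions by comparing name hashes rather than importing them by name. Below is an added analyst-side helper, not code from the post or from the sample, that precomputes hashes for a list of export names and resolves 32-bit constants pulled from a decoded stub back to names. The ROR-13 routine is an assumption for illustration; the post does not say which algorithm PipeMagic uses, so hash_name() would be swapped for the one recovered during analysis.

```python
# Added example: resolve API-name hashes back to export names during triage.
# The ROR-13 hash below is an ASSUMED stand-in; the page does not name the
# algorithm the sample uses. Replace hash_name() with the recovered routine.

def ror32(value: int, shift: int) -> int:
    """Rotate a 32-bit value right by `shift` bits."""
    value &= 0xFFFFFFFF
    return ((value >> shift) | (value << (32 - shift))) & 0xFFFFFFFF


def hash_name(name: str) -> int:
    """Assumed hash: rotate-right-13 then add each ASCII byte of the name."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & 0xFFFFFFFF
    return h


# Constructed candidate list: exports a loader commonly needs to resolve.
CANDIDATE_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "CreateNamedPipeA", "WriteFile", "ReadFile",
]


def build_lookup(names):
    """Precompute hash -> name so constants seen in a sample can be matched."""
    return {hash_name(n): n for n in names}


def resolve(hashes, lookup):
    """Map each constant to an export name, or None if it is not in the table."""
    return {h: lookup.get(h) for h in hashes}


if __name__ == "__main__":
    table = build_lookup(CANDIDATE_EXPORTS)
    # Constructed constants, as an analyst might copy them out of a decoded stub.
    found = [hash_name("VirtualAlloc"), hash_name("CreateThread"), 0xDEADBEEF]
    for h, name in resolve(found, table).items():
        print(f"0x{h:08x} -> {name or 'unresolved'}")
```

Unresolved constants usually mean either a different hash routine or an export outside the candidate list, so the list is grown from the DLLs the sample actually loads.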