CTI Roundup: Hackers Use ChatGPT Lures to Spread Malware on Facebook

Up first in this week’s roundup is a look at a groundbreaking joint cybersecurity advisory on Snake malware — described as the most sophisticated cyber espionage tool ever to emerge from Center 16 of Russia’s Federal Security Service (FSB). Next, CTI breaks down a Meta report revealing an increase in malware posing as ChatGPT across its platforms. Finally, CTI investigates a Cisco Talos threat advisory detailing a new phishing-as-a-service (PhaaS) platform called Greatness targeting organizations using Microsoft 365.

1. CISA releases joint cybersecurity advisory detailing Snake malware operation

The Cybersecurity and Infrastructure Security Agency (CISA) has released a joint cybersecurity report co-authored by the DoJ, FBI, NSA, USCYBERCOM’s Cyber National Mission Force (CNMF), the UK’s National Cyber Security Centre (NCSC), Australia’s Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security, and New Zealand’s National Cyber Security Centre.

The report provides substantial background information on Snake malware, described as “the most sophisticated cyber espionage tool designed and used by Center 16 of Russia’s Federal Security Service (FSB).”

Subsequent NSA and DoJ press releases describe the interagency efforts of the organizations listed above to identify and disrupt Snake’s operational infrastructure.

What is Snake malware?

According to BleepingComputer, Snake was initially tracked under the name Uroburos, with its development reportedly beginning as early as late 2003 and the first finalized versions of the implant finalized early the next year. Espionage attacks featuring the malware, attributed to Russian state-backed hackers, soon followed.

CISA attributes Snake’s sophistication to three principal aspects.

• Snake achieves a rare level of stealth in its host components and network communications.
• Snake’s internal technical architecture enables easy incorporation of new or replacement components. This also facilitates the development and interoperability of Snake instances running on different host operating systems. The authors have observed interoperable Snake implants designed to target Windows, MacOS, and Linux operating systems.
• Snake demonstrates careful software engineering design and implementation. The implant contains very few bugs.

Adding to the implant’s considerable effectiveness is its FSB developers’ ability to rapidly implement new features and techniques in response to open-source reporting on Snake’s tactics, techniques, and procedures (TTPs).

The authors of the joint advisory cite Snake’s continuous modifications as a recurring obstacle to the identification and collection of Snake and its related artifacts — ultimately putting a damper on any serious efforts to create reliable detections to leverage with host-and network-based defensive tools.

To create a cyberespionage implant as effective and surprisingly long-lasting as Snake depends primarily on its ability to maintain long-term stealth. Malware of this caliber is designed for espionage campaigns which involve remaining on-target, undetected for months or even years in support of providing consistent access to valuable intelligence and facilitating its collection/exfiltration.

Considering this, Snake is the “uniquely sophisticated” result of a determined FSB initiative, committed to enabling covert access to high-value targets for indefinite periods of time in support of intelligence requirements (IRs).

Who is responsible for Snake malware?

The co-authors of the joint advisory attribute Snake operations to “a known unit within Center 16 of the FSB.”

Aside from Snake, this unit reportedly boasts access to various other elements of the toolset believed to belong to the notorious Russia-backed threat group, Turla. Snake has been routinely featured in their toolset — demonstrating the implant’s considerable impact on multiple aspects of FSB’s contemporary cyber operations.

The advisory asserts that Snake has represented a core component of Center 16’s operations for nearly as long as the unit has operated under the auspices of the FSB.

Snake malware victimology

During the investigation, infrastructure related to the operation was discovered in more than 50 countries throughout North America, South America, Africa, Europe, Asia, and Australia — including the U.S. and Russia.

U.S.-based organizations across multiple verticals were impacted, including education, private business, media, and sectors designated as critical infrastructure such as government facilities, financial services, manufacturing, and communications.

From the joint advisory:

Although Snake leverages infrastructure across all industries, its targeting is purposeful and tactical in nature. For instance, if an infected system did not respond to Snake communications, the FSB actors would strategically re-infect it within days. Globally, the FSB has used Snake to collect sensitive intelligence from high priority targets, such as government networks, research facilities, and journalists.

Snake methodology

An affidavit and search warrant reveal U.S. government agencies have been monitoring Snake and Snake-related malware and operations for the better part of the last 20 years — an effort that included keeping close watch on Turla hackers as they deployed Snake from an FSB facility in Russia.

These and other joint initiatives have provided significant insight into Snake’s architecture, as well as other tools and TTPs employed during operations featuring the implant.

From the joint advisory:

The FSB typically deploys Snake to external-facing infrastructure nodes on a network, and from there uses other tools and TTPs on the internal network to conduct additional exploitation operations. Upon gaining and cementing ingress into a target network, the FSB typically enumerates the network and works to obtain administrator credentials and access domain controllers. A wide array of mechanisms has been employed to gather user and administrator credentials in order to expand laterally across the network, to include keyloggers, network sniffers, and open-source tools.

Operations are enabled by FSB hackers who carry out prior network reconnaissance — mapping out networks and obtaining the necessary credentials for the targets’ domains.

Snake is so effective as an intelligence collection tool that it was rare for its operators to employ additional, “heavyweight” implants; instead, they relied primarily on lightweight internal remote-access tools and the occasional small, remote reverse shell to facilitate Snake’s interactive functions.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“If nothing else, the revelations contained in the joint advisory and the various press releases covering the takedown of Snake’s global malware infrastructure at the hands of a team of multi-national cybersecurity and law enforcement agencies serve as a stark reminder of two things:

• First, Russia’s state-sponsored hackers and malware developers operate on a level rivaling many of the top software producers operating today. This is evident in Snake’s complexity, longevity, and supreme effectiveness.
• Second, it’s clear that the U.S. intelligence community is taking a more aggressive stance towards cybercriminals (state-backed or otherwise) operating from foreign soil.”

2. Hackers use ChatGPT lures to spread malware on Facebook

Facebook’s parent company Meta is observing an increase in malware posing as ChatGPT across its platforms.

Since March 2023, Meta’s security team has uncovered 10 malware families using ChatGPT and other AI-related themes to deliver malware. These malware families include Ducktail and

NodeStealer and target victims via malicious browser extensions, ads, and various social media platforms.

Here are some key takeaways:

• Over the past few months, Meta investigated and took action against multiple malware strains that were taking advantage of the population’s interest in ChatGPT and AI-related functionality. The latest attempts observed by Meta targeted more than just Facebook and included file-sharing services like Dropbox, Google Drive, Mega, MediaFire, Discord, Atlassian’s Trello, OneDrive, and iCloud to host malware.
• In one instance observed by Meta, the threat actor created malicious browser extensions that were made available in official web stores that claimed to offer ChatGPT-based tools. These browser extensions were then promoted on social media sites and through sponsored search results to trick victims into downloading malware.
• In some cases, the extensions included legitimate ChatGPT functionality along with the malware. In response to this, Meta has blocked 1,000+ unique ChatGPT-themed malicious URLs from being shared across their platforms.

What is Ducktail malware?

Ducktail malware has been around for quite some time and is designed to steal browser cookies and take advantage of unauthenticated Facebook sessions. It also targets LinkedIn to socially engineer victims into downloading malware and leverages file hosting services to host its malware.

Meta has been tracking and blocking various iterations of Ducktail throughout the years. In the latest iteration, Ducktail operators began automatically granting business admin permissions to requests for ad-related actions sent by attackers as an attempt to speed up their operations.

What is the NodeStealer malware strain?

Meta recently discovered and disrupted a new novel malware strain known as NodeStealer. In January 2023, its security team observed the malware targeting internet browsers on Windows devices, with the goal being to steal cookies and saved usernames/passwords. NodeStealer is a custom JavaScript malware that is believed to be of Vietnamese origin.

Meta took action to disrupt NodeStealer, supposedly within two weeks of it being deployed. They submitted multiple takedown requests to third-party registrars, hosting providers, and application services that were targeted by these threat actors. According to Meta, these actions resulted in the successful disruption of the malware.

NodeStealer is typically delivered as a disguised PDF or Excel file with the appropriate legitimate icon and filename to trick people into opening the malicious file.
Its goal is to steal stored passwords and cookie session information from Chromium-based browsers. The malware targets Chrome, Opera, Microsoft Edge, and Brave browsers for this information.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“The public’s interest in ChatGPT and AI-related technologies continues to grow, making it only fitting that threat actors are working hard to take advantage of this growing interest.”

“Meta claims to have disrupted the NodeStealer malware family, and, while this is certainly a positive, it’s only a matter of time until the next ChatGPT-related cyberactivity comes along.”

3. New phishing-as-a-service tool appears in the wild

Cisco Talos has released a threat advisory detailing a new phishing-as-a-service (PhaaS) platform called Greatness.

This platform has been observed targeting organizations using Microsoft 365, with many victims located in the U.S. The service includes features that pre-fill the victim’s email address and automatically display the appropriate company logo and background image that is extracted from the organization’s real Microsoft 365 login page.

The phishing kit works together with the Greatness API to request information from the victim and attempts to login to the legitimate Microsoft 365 page in real time.

What is the Greatness PhaaS platform?

Greatness has been observed in multiple different phishing campaigns since at least mid-2022, with spikes seen in December 2022 and March 2023. It incorporates features similar to those seen in some of the more advanced PhaaS offerings, including MFA bypass, IP filtering, and integration with Telegram bots.

Right now, the tool is focused on Microsoft 365 pages and provides its affiliates with an attachment and link builder to create highly convincing login pages. As noted previously, it is capable of pre-filling the victim’s email address and automatically displaying the appropriate company logo and background image, which they have extracted from the legitimate login page. This makes Greatness attractive to threat actors looking to phish business users.

Affiliates using Greatness must deploy and configure a provided phishing kit with an API key, which allows even unskilled threat actors to take advantage of the service. The phishing kit and API work as a proxy to the Microsoft 365 authentication system, performing a man-in-the-middle attack to steal the victim’s authentication credentials or cookies.

The Greatness PhaaS consists of three components including a phishing kit containing the admin panel, the service API and a Telegram bot or email address.

Activity and victimology

• Greatness appears to have made its debut in mid-2022 with spikes in December 2022 and March 2023, according to the number of attachment samples available on VirusTotal.
• Each observed campaign has a slightly different geographic focus. However, over 50% of all targets were based in the U.S.
• Greatness is designed to compromise Microsoft 365 users, making its potential victim pool very large. Based on the research done by Cisco Talos, the manufacturing, healthcare, and technology sectors were most targeted by Greatness.

A look at the Greatness attack flow

The attack flow of a campaign involving Greatness begins when a victim receives a malicious email. These emails typically contain an HTML file as an attachment and lure the victim into opening it.

When the victim opens the HTML file, the web browser will execute a short piece of obfuscated JavaScript code to establish a connection to the attacker’s server. This connection allows Greatness to obtain the phishing page HTML code and display it to the user in the same browser window. The code contains a blurred image and a spinning wheel, giving the impression that the document is being loaded. The page will redirect the victim to a Microsoft 365 login page that is pre-filled with the victim’s email address and the corresponding custom background/logo used by their company.

After the victim submits their password, Greatness attempts to login to Microsoft 365 with the victim’s credentials. If the victim has MFA enabled, the service will prompt the victim to authenticate.

When the service receives the MFA request, it continues to impersonate the victim behind the scenes, completing the login process and collecting the authenticated session cookies. This is then delivered to the service affiliate on their Telegram channel or directly through the web panel.

Analyst comments from Tanium’s Cyber Threat Intelligence Team

“What’s most interesting about the Greatness PhaaS is that it does not end with just the stealing of credentials like traditional phishing. Greatness submits the stolen credentials to the legitimate Microsoft login page in real time, giving the threat actor immediate access to the victim’s account.”

“There’s not too much information available yet as to what the Greatness email lures look like, but CTI will provide updates as more information comes to light.”

---

Do you have insight these stories that you want to share? Head over to Tanium’s discussion forum to start a conversation.

For further reading, catch up on our recent cyber threat intelligence roundups.