Kaspersky Uncovers PipeMagic Backdoor Exploiting Fake ChatGPT App To Attack Businesses

Kaspersky’s Global Research and Analysis Team (GReAT) has recently discovered a new malicious campaign involving the PipeMagic Trojan, which has shifted from targeting entities in Asia to expanding its reach to organizations in Saudi Arabia. The attackers are using a fake ChatGPT application as bait, deploying a backdoor that both extracts sensitive data and enables full remote access to compromised devices. The malware also operates as a gateway, enabling the introduction of additional malware and the launch of further attacks across corporate network. 

Kaspersky initially discovered PipeMagic backdoor in 2022, this plugin-based trojan was targeting entities in Asia at that time. The malware is capable of functioning as both a backdoor and a gateway. In September 2024, Kaspersky’s GReAT observed a resurgence of PipeMagic, this time targeting organizations in Saudi Arabia.

This version uses a fake ChatGPT application, built with the Rust programming language. At first glance, it appears legitimate, containing several common Rust libraries used in many other Rust-based applications. However, when executed, the application displays a blank screen with no visible interface and hides a 105,615-byte array of encrypted data which is a malicious payload.

In the second stage, the malware searches for key Windows API functions, by searching the corresponding memory offsets using names hashing algorithm. It then allocates memory, loads the PipeMagic backdoor, adjusts necessary settings, and executes the malware.

One of unique features of PipeMagic is that it generates a 16-byte random array to create a named pipe in the format \\.\pipe\1.<hex string>. It spawns a thread that continuously creates this pipe, reads data from it, and then destroys it. This pipe is used for receiving encoded payloads, stop signals via the default local interface. PipeMagic usually works with multiple plugins downloaded from a command-and-control (C2) server, which, in this case, was hosted on Microsoft Azure.

“Cybercriminals are constantly evolving their strategies to reach more prolific victims and broaden their presence, as demonstrated by the PipeMagic Trojan’s recent expansion from Asia to Saudi Arabia. Given its capabilities, we expect to see an increase in attacks leveraging this backdoor,’ comments Sergey Lozhkin, Principal Security Researcher at Kaspersky’s GReAT.

Leave a Reply

Your email address will not be published. Required fields are marked *