The Information Highway

The Information Highway

Font size: +
3 minutes reading time (579 words)

Bing Chat responses infiltrated by ads pushing malware

Malicious advertisements are now being injected into Microsoft's AI-powered Bing Chat responses, promoting fake download sites that distribute malware. 

Bing Chat, powered by OpenAI's GPT-4 engine, was introduced by Microsoft in February 2023 to challenge Google's dominance in the search industry.

By offering users an interactive chat-based experience instead of the traditional search query and result format, Bing Chat aimed to make online searches more intuitive and user-friendly.

In March, Microsoft began injecting ads into Bing Chat conversations to generate revenue from this new platform.

However, incorporating ads into Bing Chat has opened the door to threat actors, who increasingly take out search advertisements to distribute malware.

Furthermore, conversing with AI-powered chat tools can instill unwarranted trust, potentially convincing users to click on ads, which isn't the case when skimming through impersonal search results.

This conversation-like interaction can imbue AI-provided URLs with a misplaced sense of authority and trustworthiness, so the existing problem of malvertizing in search platforms is amplified by the introduction of AI assistants.

The fact that these ads are labeled as promoted results when the user hovers over a link in Bing Chat conversations is likely too weak of a measure to mitigate the risk. 

Imitating a popular IP scanner

Malicious ads spotted by Malwarebytes are pretending to be download sites for the popular 'Advanced IP Scanner' utility, which has been previously used by RomCom RAT and Somnia ransomware operators.

The researchers found that when you asked Bing Chat how to download Advanced IP Scanner, it would display a link to download it in the chat.

However, when you hover over an underlined link in a chat, Bing Chat may show an advertisement first, followed by the legitimate download link. In this case, the sponsored link was a malvertisements pushing malware. 

The risky URL served in a Bing Chat conversation
Source: Malwarebytes

The malvertizing campaign was created by someone who hacked into the ad account of a legitimate Australian business to create two malicious ads targeting system admins (IP scanner) and lawyers (MyCase law manager). 

Malicious ads created by the threat actor
Source: Malwarebytes

Clicking on the malicious ad for the IP scanner takes users to a website ('mynetfoldersip[.]cfd') that separates bots and crawlers from human victims by checking IP address, timezone, and various system indicators for sandbox/virtual machines.

The victims are then redirected to 'advenced-ip-scanner[.]com', a clone of Advanced IP Scanner that uses typosquatting (notice the e in advenced) to trick visitors. 

The redirect chain (Malwarebytes)

The downloaded MSI installer contains three files, one of which is a heavily obfuscated malicious script that connects to an external resource to retrieve the payload. 

Malicious VBS in the downloaded MSI (Malwarebytes)

Unfortunately, Malwarebytes could not find the final payload for this malware campaign, so it is unclear what malware is ultimately being installed.

However, in similar campaigns, threat actors commonly distribute information-stealing malware or remote access trojans that allow them to breach other accounts or corporate networks.

The display of malvertising within Bing Chat conversations highlights the expanding frontier of cyber threats and makes it crucial for users to be wary of chatbot results and always double-check URLs before downloading anything. 

Microsoft breach led to theft of 60,000 US State D...
Cisco Catalyst SD-WAN Manager flaw allows remote s...

Related Posts

 

Comments

No comments made yet. Be the first to submit a comment
Thursday, 14 November 2024

Captcha Image

Top Breaches Of 2023

Customers Affected In T-Mobile Breach
Accounts Affected In MOVEit Breach
Customers Affected In MCNA Insurance Data Breach
Individuals Affected In PharMerica Data Breach
Users Affected In ChatGPT Major Data Breach
*Founder Shield End of Year 2023