Fakegpt

Source	Type	Category	Difficulty
Cyberdefenders	Lab	Malware analysis	Easy

Scenario
#

Your cybersecurity team has been alerted to suspicious activity on your organization’s network. Several employees reported unusual behavior in their browsers after installing what they believed to be a helpful browser extension named “ChatGPT”. However, strange things started happening: accounts were being compromised, and sensitive information appeared to be leaking.

Your task is to perform a thorough analysis of this extension identify its malicious components 🚀.

Q1 : Which encoding method does the browser extension use to obscure target URLs, making them more difficult to detect during analysis?
#

I look at the code provided in the challenge. In the app.js file, I see the targets variable is encoded in Base64.

Q2 : Which website does the extension monitor for data theft, targeting user accounts to steal sensitive information?
#

echo "d3d3LmZhY2Vib29rLmNvbQ==" | base64 -d

www.facebook.com 

Q3 : Which type of HTML element is utilized by the extension to send stolen data?
#

In the sendtoServer function, I see the encrytped data is send using the img element.

Q4 : What is the first specific condition in the code that triggers the extension to deactivate itself?
#

In the loader.js file, I see the comment of the developper that this code will nto execute if it is in a virtual environnement. The first condition is navigator.plugins.length === 0

Q5 : Which event does the extension capture to track user input submitted through forms?
#

THe submit event is captured using document.addEventListener('submit', function(event)

Q6 : Which API or method does the extension use to capture and monitor user keystrokes?
#

keydown in document.addEventListener('keydown', function(event)

Q7 : What is the domain where the extension transmits the exfiltrated data?
#

The domain Mo.Elshaheedy[.]com, found in this function

Q8 : Which function in the code is used to exfiltrate user credentials, including the username and password?
#

function exfiltrateCredentials(username, password)

Q9 : Which encryption algorithm is applied to secure the data before sending?
#

I find this info in the encryptPayload function

Q10 : What does the extension access to store or manipulate session-related data and authentication information?
#

I find this info in manifest.json file : the malware needs to access cookies

"permissions": [
    "tabs",
    "http://*/*",
    "https://*/*",
    "storage",
    "webRequest",
    "webRequestBlocking",
    "cookies" ]

Author

Bertrand Martin

Cyberdefense engineer

Scenario #

Q1 : Which encoding method does the browser extension use to obscure target URLs, making them more difficult to detect during analysis? #

Q2 : Which website does the extension monitor for data theft, targeting user accounts to steal sensitive information? #

Q3 : Which type of HTML element is utilized by the extension to send stolen data? #

Q4 : What is the first specific condition in the code that triggers the extension to deactivate itself? #

Q5 : Which event does the extension capture to track user input submitted through forms? #

Q6 : Which API or method does the extension use to capture and monitor user keystrokes? #

Q7 : What is the domain where the extension transmits the exfiltrated data? #

Q8 : Which function in the code is used to exfiltrate user credentials, including the username and password? #

Q9 : Which encryption algorithm is applied to secure the data before sending? #

Q10 : What does the extension access to store or manipulate session-related data and authentication information? #