A clever malware campaign delivering the new Noodlophile stealer is targeting creators and small businesses looking to boost their productivity with AI tools.
In an unusual twist, the threat actors aren’t disguising the malware as legitimate software, but as the content/output produced by legitimate-looking AI tools.
AI as a social engineering lure
“As AI surges into mainstream adoption, millions of users rely on AI-powered tools every day to create content,” said Shmuel Uzan, security researcher at Morphisec.
When looking for such tools online, some users turn to popular Facebook groups, where viral posts invite them to try out the advertised software.
Advertising for fake AI tools (source: Morphisec)
Some users may be wary of downloading new software, but see no harm in uploading files to a web-based service and receiving AI-generated content in return.
“Once on the fake site, users are asked to upload images and videos, giving the impression that they are using real AI to generate or edit content. At the final stage, users are instructed to download the ‘processed’ content.”
Final stage (source: Morphisec)
Noodlophile malware
The victim downloads what looks like a media file, but it’s actually a ZIP archive.
Inside the archive is a file with an expected-looking name, such as “Video Dream Machineai.mp4”, but the name is padded with a long run of whitespace after which the real extension (.exe) follows, so the executable extension is easy to miss in a file listing.
Running the executable kicks off a multi-stage malware installation chain that ends with a fully in-memory loaded Noodlophile stealer payload, optionally bundled with the XWorm remote access trojan.
XWorm is a known threat, but Noodlophile is a new addition to the malware ecosystem.
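The whitespace-padded double extension described above is easy to check for mechanically. The following added example (not from Morphisec or the original article) builds a constructed ZIP archive in memory that mimics the lure, then inspects it twice: once by filename (a media-looking extension, whitespace, then an executable extension) and once by content (a file claiming to be a video whose body starts with the PE magic bytes “MZ”). The file names, the fake PE stub and the extension lists are assumptions for illustration.

```python
import io
import re
import zipfile

# Extensions that should never hide behind a media-looking name (illustrative list).
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".msi", ".lnk"}

# Media-looking "extension", one or more whitespace chars, then an executable extension,
# e.g. "clip.mp4      .exe". Anchored at the end of the name.
PADDED_NAME = re.compile(
    r"\.(mp4|mov|avi|mkv|png|jpe?g|gif|pdf)\s+\.(exe|scr|com|pif|bat|cmd|js|vbs|msi|lnk)$",
    re.IGNORECASE,
)

PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def inspect_archive(data: bytes) -> list:
    """Return (entry_name, [reasons]) for each suspicious entry in a ZIP held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            reasons = []
            if PADDED_NAME.search(name):
                reasons.append("whitespace-padded double extension")
            elif any(name.rstrip().lower().endswith(ext) for ext in EXEC_EXTENSIONS):
                reasons.append("executable extension")
            # Check the content too: a real video never starts with a PE header.
            with zf.open(info) as fh:
                head = fh.read(2)
            if head == PE_MAGIC:
                reasons.append("PE header (MZ) in file body")
            if reasons:
                findings.append((name, reasons))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample (assumption): a decoy 'video' that is really a PE, plus a benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        lure = "Video Dream Machineai.mp4" + " " * 40 + ".exe"   # padding hides the .exe
        zf.writestr(lure, PE_MAGIC + b"\x00" * 62)            # minimal fake DOS/PE stub
        zf.writestr("README.txt", b"thanks for using our service")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in inspect_archive(build_sample_archive()):
        print(repr(entry), "->", ", ".join(why))
```

The name check alone is not enough: an attacker can rename the file to anything the victim expects, so the content check on the PE header is the one that actually catches a disguised executable, and the two together give a triage signal that survives a change of lure name.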
“The stealer, previously undocumented in public malware trackers and reports, combines browser credential theft, wallet exfiltration and optional remote access deployment,” Uzan noted.
The malware communicates with the attacker and exfiltrates stolen information via Telegram bots. It is sold online under a malware-as-a-service (MaaS) model, so it may be distributed by a variety of threat actors.
In this particular campaign, the fake AI tool/service was named Luma Dreammachine, but a new fake tool can pop up at any time, and other similar campaigns may already be in progress.
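Because the stealer talks to its operator through Telegram bots, its traffic goes to the legitimate Telegram Bot API rather than to an attacker-owned domain, so the thing to hunt for in egress logs is the bot endpoint itself. The following added example (not from the article or from Morphisec) scans a few constructed proxy log lines, extracts the bot ID and API method from any request to api.telegram.org, and counts which internal clients are uploading documents or messages to a bot. The log format, IP addresses, timestamps and the fake bot token are all assumptions for illustration.

```python
import re

# Telegram Bot API requests have the form https://api.telegram.org/bot<token>/<method>.
# Tokens look like "<numeric bot id>:<secret>"; the secret charset here is an assumption.
TELEGRAM_BOT_CALL = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):[A-Za-z0-9_-]+/(?P<method>[A-Za-z]+)"
)

# Methods that push data out to the bot owner (as opposed to polling for commands).
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto", "sendVideo"}

# Constructed sample token and proxy log (not real traffic): "<ts> <client> <verb> <url> <status>"
FAKE_TOKEN = "1234567890:" + "A" * 35
SAMPLE_LOG = "\n".join([
    "2025-05-08T10:12:01Z 10.0.0.15 GET https://www.example.com/ 200",
    f"2025-05-08T10:12:07Z 10.0.0.15 POST https://api.telegram.org/bot{FAKE_TOKEN}/sendDocument 200",
    f"2025-05-08T10:12:09Z 10.0.0.22 GET https://api.telegram.org/bot{FAKE_TOKEN}/getUpdates 200",
    f"2025-05-08T10:13:00Z 10.0.0.15 POST https://api.telegram.org/bot{FAKE_TOKEN}/sendMessage 200",
])


def find_telegram_bot_traffic(log_text: str) -> list:
    """Return (timestamp, client, bot_id, method, is_exfil_method) for every Bot API request."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line, skip
        ts, client, _verb, url, _status = parts[:5]
        m = TELEGRAM_BOT_CALL.match(url)
        if not m:
            continue
        method = m.group("method")
        hits.append((ts, client, m.group("bot_id"), method, method in EXFIL_METHODS))
    return hits


def clients_exfiltrating(log_text: str) -> dict:
    """Map client IP -> number of upload-type Bot API calls, as a triage summary."""
    counts = {}
    for _ts, client, _bot_id, _method, is_exfil in find_telegram_bot_traffic(log_text):
        if is_exfil:
            counts[client] = counts.get(client, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_telegram_bot_traffic(SAMPLE_LOG):
        print(hit)
    print(clients_exfiltrating(SAMPLE_LOG))
```

The bot ID is worth keeping as a pivot: every infected host in a campaign reports to the same bot, so one ID seen on one machine is a ready-made indicator for the rest of the fleet. Legitimate Telegram bot integrations do exist, so baseline which clients normally call the Bot API before turning this into an alert.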