techminis (a naukri.com initiative)

Source: Cloudblog

Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites

  • Mandiant Threat Defense has been investigating a UNC6032 campaign since November 2024 that exploits interest in AI tools, using fake "AI video generator" websites to distribute malware, including infostealers and backdoors.
  • The campaign lures victims to these fake websites through malicious social media ads that imitate legitimate AI tools; the ads have reached millions of users on platforms such as Facebook and LinkedIn.
  • UNC6032 compromises have resulted in the exfiltration of sensitive data, including login credentials, browser cookies, and credit card information, through the Telegram API.
  • Meta, working with Mandiant, has actively hunted and removed the malicious ads and content, in some cases before Mandiant reported them.
  • The operators rotate domains constantly and run short-lived ads to evade detection and platform bans.
  • One fake website investigated, which impersonated Luma AI, walks the user through a multi-step video generation flow and then tricks them into downloading malware disguised as the generated video file.
  • The dropper, named STARKVEIL, deploys multiple modular malware families built for information theft; delivering several payloads at once acts as a fail-safe, so the compromise persists even if some payloads are blocked.
  • One of the dropped backdoors, XWORM, communicates over TCP and supports a range of commands for further compromise, including keylogging and remote command execution.
  • A second backdoor, FROSTRIFT, focuses on collecting system information and talks to its C2 server using GZIP-compressed protobuf messages over TCP/SSL.
  • The full article provides detailed malware configurations, persistence methods, host reconnaissance techniques, and the commands supported by the malware strains observed in this campaign.
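The FROSTRIFT bullet describes a C2 channel built from GZIP-compressed protobuf messages. When triaging such traffic from a capture, an analyst usually has no schema, but protobuf's wire format can still be walked field by field. The helper below is an added example written for this page; it is not code from the Mandiant article and is not FROSTRIFT's protocol. It assumes a plain gzip stream (magic bytes 0x1f 0x8b) whose inflated body is protobuf wire format, decodes field numbers, wire types and raw values without a schema, and runs on a constructed sample beacon (field names, values and hostname are invented for the example).

```python
"""Schema-less triage of a GZIP-compressed protobuf C2 blob (added example).

Assumptions (not from the page): the blob is a single gzip stream and the
inflated bytes are protobuf wire format. Field meanings are unknown, so only
wire-level structure is recovered; nested messages stay as raw bytes.
"""
import gzip
import struct

GZIP_MAGIC = b"\x1f\x8b"
WIRE_VARINT, WIRE_64BIT, WIRE_LEN, WIRE_32BIT = 0, 1, 2, 5


def read_varint(buf, pos):
    """Decode a base-128 varint starting at buf[pos]; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift > 63:
            raise ValueError("varint too long")


def decode_fields(payload):
    """Walk protobuf wire format without a schema.

    Returns a list of (field_number, wire_type, value). Varints and fixed-width
    fields come back as ints; length-delimited fields come back as bytes, so
    the analyst can decide whether each is a string or a nested message.
    """
    fields, pos = [], 0
    while pos < len(payload):
        key, pos = read_varint(payload, pos)
        field_no, wire_type = key >> 3, key & 0x7
        if field_no == 0:
            raise ValueError("invalid field number 0")
        if wire_type == WIRE_VARINT:
            value, pos = read_varint(payload, pos)
        elif wire_type in (WIRE_64BIT, WIRE_32BIT):
            size, fmt = (8, "<Q") if wire_type == WIRE_64BIT else (4, "<I")
            if pos + size > len(payload):
                raise ValueError("fixed-width field overruns buffer")
            value = struct.unpack_from(fmt, payload, pos)[0]
            pos += size
        elif wire_type == WIRE_LEN:
            length, pos = read_varint(payload, pos)
            if pos + length > len(payload):
                raise ValueError("length-delimited field overruns buffer")
            value = payload[pos:pos + length]
            pos += length
        else:
            raise ValueError(f"unsupported wire type {wire_type}")
        fields.append((field_no, wire_type, value))
    return fields


def triage_blob(blob):
    """Inflate a captured blob if it is gzip, then decode its protobuf fields."""
    if not blob.startswith(GZIP_MAGIC):
        raise ValueError("not a gzip stream")
    return decode_fields(gzip.decompress(blob))


def encode_varint(n):
    """Encode a non-negative int as a base-128 varint (used to build the sample)."""
    out = bytearray()
    while True:
        b = n & 0x7F
        n >>= 7
        if n:
            out.append(b | 0x80)
        else:
            out.append(b)
            return bytes(out)


def build_sample():
    """Constructed sample beacon, not real FROSTRIFT traffic:
    field 1 = varint 1337, field 2 = hostname string, field 3 = nested message."""
    body = encode_varint((1 << 3) | WIRE_VARINT) + encode_varint(1337)
    host = b"WIN-LAB01"  # invented hostname
    body += encode_varint((2 << 3) | WIRE_LEN) + encode_varint(len(host)) + host
    nested = encode_varint((1 << 3) | WIRE_VARINT) + encode_varint(7)
    body += encode_varint((3 << 3) | WIRE_LEN) + encode_varint(len(nested)) + nested
    return gzip.compress(body)


if __name__ == "__main__":
    for field_no, wire_type, value in triage_blob(build_sample()):
        print(field_no, wire_type, value)
```

In practice the decoder is pointed at the reassembled TCP (or decrypted TLS) stream; a length-delimited field whose bytes themselves decode cleanly with decode_fields is a strong hint of a nested message, which is how the structure of an unknown C2 protocol is recovered one layer at a time.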
