
Fake installers for popular artificial intelligence (AI) tools such as OpenAI ChatGPT and InVideo AI are being used as lures to distribute a variety of threats, including the CyberLock and Lucky_Gh0$T ransomware families.
“CyberLock ransomware, developed using PowerShell, primarily focuses on the encryption of specific files on the victim’s systems,” Cisco Talos researcher Chetan Raghuprasad said in a report released today. “Lucky_Gh0$T ransomware is another variant of Yashma ransomware, the sixth iteration of the Chaos ransomware series, with only minor changes to the ransomware binary.”
Numero, on the other hand, is destructive malware that affects victims by manipulating the graphical user interface (GUI) components of the Windows operating system, rendering the machine unusable.
The cybersecurity company said that the legitimate versions of these AI tools are popular in the business-to-business (B2B) sales and marketing sectors, suggesting that individuals and organizations in these industries are the primary targets of the threat actors behind the campaign.
One such fake AI solution website is “Novaleadsai[.]com,” which impersonates a lead monetization platform called NovaLeads. The website is suspected to have been promoted via search engine optimization (SEO) poisoning techniques that artificially inflate its ranking in search engine results.
Users are then encouraged to download the product with the promise of free access to the tool for the first year, followed by a $95 monthly subscription thereafter. What is actually downloaded is a ZIP archive containing a .NET executable (“novaleadsai.exe”) compiled on February 2, 2025. The binary acts as a loader for deploying the PowerShell-based CyberLock ransomware.

The ransomware is equipped to escalate privileges and re-launch itself with administrative rights if it is not already running with them, before encrypting files on the “C:\,” “D:\,” and “E:\” partitions that match a specific set of extensions. It then drops a ransom note demanding a $50,000 payment in Monero, split across two wallets, within three days.
In an interesting twist, the threat actor goes on to claim in the ransom note that the payments will be used to support women and children in Palestine, Ukraine, Africa, Asia, and other regions where “injustice is the daily reality.”
(Image caption) CyberLock ransomware targeted file extensions
“Consider this amount of money to be small compared to the innocent lives lost, especially those who pay the ultimate price,” the note says. “Unfortunately, we have concluded that many people do not want to act spontaneously.”
The final step involves the threat actors employing the living-off-the-land binary (LOLBin) “cipher.exe” with the “/w” option, which overwrites the free space on a volume, to prevent forensic recovery of deleted files.
Talos also said it observed the threat actors distributing Lucky_Gh0$T ransomware under the guise of a fake installer for the premium version of ChatGPT.
“The malicious SFX installer contained a folder containing the Lucky_Gh0$T ransomware executable with the filename ‘dwn.exe,’ mimicking the legitimate Microsoft executable ‘dwm.exe,’” Raghuprasad said. “This folder also contained legitimate Microsoft open-source AI tools available in the GitHub repository, especially for developers and data scientists using AI within the Azure ecosystem.”
If the victim runs the malicious SFX installer file, the SFX script executes the ransomware payload. Lucky_Gh0$T, the Yashma ransomware variant, targets files smaller than about 1.2 GB for encryption, but not before deleting volume shadow copies and backups.

The ransom note dropped at the end of the attack contains a unique personal decryption ID and instructs the victim to reach out via the Session messaging app to pay the ransom and obtain the decryptor.
Lastly, the threat actors have also capitalized on the growing use of AI tools to deploy the destructive malware codenamed Numero through a counterfeit installer for InVideo AI, an AI-powered video creation platform.
The fraudulent installer acts as a dropper that contains three components: a Windows batch file, a Visual Basic Script, and the Numero executable. When the installer is launched, the batch file runs in an infinite loop via the Windows shell, executing Numero and then pausing for 60 seconds by running the VB script through CScript.
“After resuming execution, the batch file terminates the Numero malware process and restarts the execution,” Talos said. “By implementing an infinite loop in the batch file, the Numero malware runs continuously on the victim machine.”
Numero, a 32-bit Windows executable written in C++ and compiled on January 24, 2025, checks for the presence of malware analysis tools and debuggers among the running processes, and then overwrites the desktop window’s title, buttons, and contents with the numeric string “1234567890.”
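The behaviours described above for CyberLock (cipher.exe /w after encryption), Lucky_Gh0$T (a dwm.exe look-alike named dwn.exe that deletes shadow copies) and Numero (a batch file that relaunches the payload every 60 seconds via CScript) are all visible in process-creation telemetry. The following detector is an added example, not code from the Talos report or from this article: it runs four rules over a handful of constructed Sysmon-style events. The event layout, the shadow-copy deletion command lines, the sleep-and-taskkill loop, the 30 to 120 second cadence window and the generalization of the dwn.exe case to any one-character look-alike of a common system binary running outside C:\Windows are assumptions made for illustration.

```python
"""Process-creation triage for the behaviours described in the article.

Added example, not code from the Talos report or the article. Every event
below is constructed; the shadow-copy deletion command, the cscript sleep
loop and the thresholds are assumptions chosen to mirror the text.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Windows binaries whose names malware likes to imitate (dwm.exe is the
# one the article names; the rest are assumed additions for generality).
SYSTEM_NAMES = {"dwm.exe", "svchost.exe", "csrss.exe", "lsass.exe", "explorer.exe"}


def one_edit_away(a: str, b: str) -> bool:
    """True if `a` turns into `b` with exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]      # substitution
    if len(a) > len(b):
        return a[i + 1:] == b[i:]          # deletion from a
    return a[i:] == b[i + 1:]              # insertion into a


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a list of findings (dicts with a 'rule' key) for process-creation events."""
    findings = []
    spawns = defaultdict(list)  # (ppid, child basename) -> launch timestamps
    for e in events:
        name, cmd, img = basename(e["image"]), e["cmd"].lower(), e["image"].lower()
        # CyberLock's final step: cipher.exe /w overwrites free space on a volume.
        if name == "cipher.exe" and re.search(r"(^|\s)/w(:|\s|$)", cmd):
            findings.append({"rule": "free_space_wipe", "pid": e["pid"]})
        # Shadow copy deletion before encryption (exact command lines are assumed).
        if (name == "vssadmin.exe" and "delete" in cmd and "shadows" in cmd) or \
           (name == "wmic.exe" and "shadowcopy" in cmd and "delete" in cmd):
            findings.append({"rule": "shadow_copy_deletion", "pid": e["pid"]})
        # A system-binary name, or a one-character look-alike, outside C:\Windows.
        if "\\windows\\" not in img and (
                name in SYSTEM_NAMES or any(one_edit_away(name, s) for s in SYSTEM_NAMES)):
            findings.append({"rule": "system_binary_masquerade", "pid": e["pid"], "image": name})
        spawns[(e["ppid"], name)].append(datetime.fromisoformat(e["ts"]))

    # Numero-style persistence: one parent relaunches the same children at a
    # steady cadence (payload, cscript sleep, taskkill, repeat).
    looped = defaultdict(list)
    for (ppid, name), ts in spawns.items():
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if len(ts) >= 3 and all(30 <= g <= 120 for g in gaps):
            looped[ppid].append(name)
    for ppid, names in looped.items():
        findings.append({"rule": "restart_loop", "ppid": ppid, "children": sorted(names)})
    return findings


def _ev(ts, pid, ppid, image, cmd):
    return {"ts": ts, "pid": pid, "ppid": ppid, "image": image, "cmd": cmd}


# Constructed sample telemetry (not real events from any incident).
SAMPLE_EVENTS = [
    _ev("2025-02-03T10:00:00", 1001, 900, r"C:\Users\alice\Downloads\novaleadsai.exe", "novaleadsai.exe"),
    _ev("2025-02-03T10:00:02", 1002, 1001, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell.exe -NoProfile -ExecutionPolicy Bypass -File lock.ps1"),
    _ev("2025-02-03T10:09:30", 1003, 1002, r"C:\Windows\System32\cipher.exe", "cipher.exe /w:C:\\"),
    _ev("2025-02-03T11:00:00", 2001, 1900, r"C:\Users\alice\AppData\Local\Temp\7zS1\dwn.exe", "dwn.exe"),
    _ev("2025-02-03T11:00:01", 2002, 2001, r"C:\Windows\System32\vssadmin.exe",
        "vssadmin.exe delete shadows /all /quiet"),
    _ev("2025-02-03T12:00:00", 3001, 2900, r"C:\Windows\System32\cmd.exe", "cmd.exe /c run.bat"),
]
# Three iterations of the assumed batch loop under cmd.exe (pid 3001), 62 s apart:
# launch numero.exe, sleep 60 s via cscript, kill numero.exe, repeat.
_base = datetime(2025, 2, 3, 12, 0, 0)
for _i in range(3):
    _t = _base + timedelta(seconds=62 * _i)
    SAMPLE_EVENTS += [
        _ev(_t.isoformat(), 3100 + 3 * _i, 3001, r"C:\Users\alice\AppData\Local\Temp\numero.exe", "numero.exe"),
        _ev((_t + timedelta(seconds=1)).isoformat(), 3101 + 3 * _i, 3001,
            r"C:\Windows\System32\cscript.exe", "cscript.exe //nologo sleep.vbs"),
        _ev((_t + timedelta(seconds=61)).isoformat(), 3102 + 3 * _i, 3001,
            r"C:\Windows\System32\taskkill.exe", "taskkill.exe /f /im numero.exe"),
    ]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, `detect()` returns one finding per behaviour: the cipher.exe wipe, the shadow-copy deletion, the dwn.exe masquerade, and a single restart-loop finding for the cmd.exe parent listing numero.exe, cscript.exe and taskkill.exe as the children it relaunches. The loop rule keys on cadence rather than on the payload name, so it also catches a renamed payload, at the cost of needing at least three iterations before it fires.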

The disclosure comes as Google-owned Mandiant revealed details of a fraudulent campaign that uses malicious ads on Facebook and LinkedIn to redirect users to fake websites impersonating legitimate AI video generator tools such as Luma AI, Canva Dream Lab, and Kling AI.
The activity, previously exposed by Morphisec and Check Point earlier this month, is being tracked by the tech giant under the threat cluster name UNC6032, which is assessed to have a Vietnamese nexus. The campaign has been active since at least mid-2024.

This is how the attack unfolds: unsuspecting users who land on these websites are prompted to enter a text prompt to generate a video. However, as observed in earlier reporting, the input does not matter, since the website’s sole purpose is to initiate the download of a Rust-based dropper payload called STARKVEIL.
“[STARKVEIL] drops three different modular malware families, primarily designed for information theft and capable of downloading plugins to extend their functionality,” Mandiant said.
The three malware families are:
GRIMPULL, a downloader that uses a TOR tunnel to fetch additional .NET payloads, which are decrypted, decompressed, and loaded into memory as .NET assemblies.
FROSTRIFT, a .NET backdoor that collects system information and details about installed applications, and scans for 48 extensions related to password managers, authenticators, and cryptocurrency wallets in Chromium-based web browsers.
XWorm, a known remote access trojan (RAT) with features such as .NET-based keylogging, command execution, screen capture, information collection, and victim notification via Telegram.
STARKVEIL also serves as a conduit for launching a Python-based dropper codenamed COILHATCH, which is what actually runs the three payloads mentioned above via DLL side-loading.
“These AI tools no longer target only graphic designers. Anyone can be drawn in by a seemingly harmless ad,” Mandiant said. “The temptation to try out the latest AI tools can lead to anyone becoming a victim.”