FlagThis

A Vietnam-based cybercriminal group, identified as UNC6032, is exploiting the public's fascination with AI to distribute malware. The group has been actively using malicious advertisements on platforms like Facebook and LinkedIn since mid-2024, luring users with promises of access to popular prompt-to-video AI generation tools such as Luma AI, Canva Dream Lab, and Kling AI. These ads direct victims to fake websites mimicking legitimate dashboards, where they are tricked into downloading ZIP files containing infostealers and backdoors.

The multi-stage attack involves sophisticated social engineering techniques. The initial ZIP file contains an executable disguised as a harmless video file using Braille characters to hide the ".exe" extension. Once executed, this binary, named STARKVEIL and written in Rust, unpacks legitimate binaries and malicious DLLs to the "C:\winsystem\" folder. It then prompts the user to re-launch the program after displaying a fake error message. On the second run, STARKVEIL deploys a Python loader called COILHATCH, which decrypts and side-loads further malicious payloads.

This campaign has impacted a wide range of industries and geographic areas, with the United States being the most frequently targeted. The malware steals sensitive data, including login credentials, cookies, credit card information, and Facebook data, and establishes persistent access to compromised systems. UNC6032 constantly refreshes domains to evade detection, and while Meta has removed many of these malicious ads, users are urged to exercise caution and verify the legitimacy of AI tools before using them.


References :

• Threats | CyberScoop: Mandiant flags fake AI video generators laced with malware
• The Register - Security: GO The Register reports that miscreants are using text-to-AI-video tools and Facebook ads to distribute malware and steal credentials.
• PCMag UK security: Warning AI-Generated TikTok Videos Want to Trick You Into Installing Malware
• Threats | CyberScoop: Mandiant flags fake AI video generators laced with malware
• cloud.google.com: Google's Threat Intelligence Unit, Mandiant, reported that social media platforms are being used to distribute malware-laden ads impersonating legitimate AI video generator tools.
• Malwarebytes: Fake AI video generator tools lure in Facebook and LinkedIn users to deliver malware
• hackread.com: Fake AI Video Tool Ads on Facebook, LinkedIn Spread Infostealers
• www.techradar.com: Millions of users could fall for fake Facebook ad for a text-to-AI-video tool that is just malware
• CyberInsider: CyberInsider: Cybercriminals Use Fake AI Video Tools to Deliver Infostealers
• Metacurity: Metacurity for a concise rundown of the most critical developments you should know, including UNC6032 uses prompt-to-video AI tools to lure malware victims
• PCMag UK security: Cybercriminals have been posting Facebook ads for fake AI video generators to distribute malware, Google’s threat intelligence unit Mandiant .
• Virus Bulletin: Google Mandiant Threat Defense investigates a UNC6032 campaign that exploits interest in AI tools. UNC6032 utilizes fake “AI video generator†websites to deliver malware leading to the deployment of Python-based infostealers and several backdoors.
• hackread.com: Fake ChatGPT and InVideo AI Downloads Deliver Ransomware
• PCMag Middle East ai: Be Careful With Facebook Ads for AI Video Generators: They Could Be Malware
• Threat Intelligence: Text-to-Malware: How Cybercriminals Weaponize Fake AI-Themed Websites
• ciso2ciso.com: Cybercriminals Target AI Users with Malware-Loaded Installers Posing as Popular Tools
• aboutdfir.com: Google warns of Vietnam-based hackers using bogus AI video generators to spread malware
• BleepingComputer: Cybercriminals exploit AI hype to spread ransomware, malware
• www.pcrisk.com: Novel infostealer with Vietnamese attribution
• ciso2ciso.com: Cybercriminals Target AI Users with Malware-Loaded Installers Posing as Popular Tools – Source:thehackernews.com
• securityonline.info: Warning: Fake AI Tools Spread CyberLock Ransomware and Numero Destructive Malware
• Vulnerable U: Fake AI Video Generators Deliver Rust-Based Malware via Malicious Ads Analysis of UNC6032’s Facebook and LinkedIn ad blitz shows social-engineered ZIPs leading to multi-stage Python and DLL side-loading toolkits
• oodaloop.com: Cybercriminals Target AI Users with Malware-Loaded Installers Posing as Popular Tools
• OODAloop: Artificial intelligence tools are being used by cybercriminals to target users and propagate threats. The CyberLock and Lucky_Gh0$t ransomware families are some of the threats involved in the operations. The cybercriminals are using fake installers for popular AI tools like OpenAI’s ChatGPT and InVideoAI to lure in their victims.
• bsky.app: LinkedIn is littered with links to lurking infostealers, disguised as AI video tools Deceptive ads for AI video tools posted on LinkedIn and Facebook are directing unsuspecting users to fraudulent websites, mimicking legitimate AI tools such as Luma AI, Canva Dream Lab, and Kling AI.
• BGR: AI products that sound too good to be true might be malware in disguise
• Security Risk Advisors: Cisco Talos Uncovers Multiple Malware Families Disguised as Legitimate AI Tool Installers
• blog.talosintelligence.com: Cisco Talos discovers malware campaign exploiting #AI tool installers. #CyberLock #ransomware #Lucky_Gh0$t & new "Numero" malware disguised as legitimate AI installers.
• cyberpress.org: ClickFix Technique Used by Threat Actors to Spread EddieStealer Malware
• phishingtackle.com: Hackers Exploit TikTok Trends to Spread Malware Via ClickFix
• gbhackers.com: Threat Actors Leverage ClickFix Technique to Deploy EddieStealer Malware

Classification:

• HashTags: #AI #Malware #SocialEngineering
• Company: Mandiant
• Target: AI Users
• Attacker: UNC6032
• Feature: Malvertising
• Malware: EDDIESTEALER
• Type: Malware
• Severity: Major