AI Trends: Exploitation by Infostealers and the Influence of Social Media

Background: For about a year now, threat actors have been abusing AI trends in combination with social media: they spread infostealer malware families through the advertising features of social media platforms, and then sell the stolen data on various marketplaces.

Initial Access T1189 [Drive-By Download] analysis: Based on current analysis, attackers purchase Facebook business pages with follower counts ranging from 10,000 to 60,000. They then use the same social network's advertising capabilities to promote a second, payload page. Additionally, they inject links to that payload page into user comments and feedback through legitimate means.


Execution T1204.001 [Malicious Link] & T1204.002 [Malicious File] analysis: After a user clicks the page link, the threat actor redirects the user to a page impersonating the advertised application. When the user then clicks the download link, the page fetches the harmful file from cloud file storage. The threat actors rely on techniques such as the default share/access keys that cloud storage vendors provide, or a separate password on the zip archive. These tactics are aimed at reducing the chance of the file being flagged by automated scanning tools.


Persistence T1547.001 [Registry Run Keys] & T1204.002 [Malicious File] analysis: The malware uses the Windows Registry to establish persistence, so that it remains active after the system is restarted. This persistence entry typically points at a newly downloaded file that serves as the main payload. Rather than storing the main payload in system directories, the malware creates it in user-specific locations such as "C:\Users\ANYUSER\AppData\Local" or in the shared "C:\Users\Public" directory.
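A detection check for exactly this pattern, written for this write-up as an added example (it is not code from the campaign analysis or from any vendor tool): it parses constructed, Sysmon-style Event ID 13 (RegistryEvent SetValue) records and flags any Run/RunOnce value whose data launches a binary from AppData\Local or Users\Public. The record format, the sample entries, the file names and the OneDrive allow-list entry are all my assumptions; real Sysmon output would be read from the event log or a SIEM rather than from the inline list.

```python
import re

# Run/RunOnce keys under any hive; Sysmon records HKCU paths as HKU\<SID>\...
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# The two staging locations named in the write-up.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\(?:Public|[^\\]+\\AppData\\Local)\\", re.IGNORECASE)
# Assumed tuning allow-list: software that legitimately autoruns from AppData\Local.
ALLOWED_SUBSTRINGS = ("\\appdata\\local\\microsoft\\onedrive\\",)


def parse_record(line):
    """Split a constructed 'Field=Value|Field=Value' record into a dict."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def is_suspicious_run_key(rec):
    """True for a SetValue on a Run/RunOnce key whose data points into a user-writable directory."""
    if rec.get("EventID") != "13" or rec.get("EventType") != "SetValue":
        return False
    if not RUN_KEY_RE.search(rec.get("TargetObject", "")):
        return False
    details = rec.get("Details", "")
    if not USER_WRITABLE_RE.search(details):
        return False
    # Drop known-good autorun entries so the rule stays actionable.
    return not any(s in details.lower() for s in ALLOWED_SUBSTRINGS)


def find_suspicious(lines):
    """Return (Image, TargetObject, Details) for every flagged record."""
    hits = []
    for rec in map(parse_record, lines):
        if is_suspicious_run_key(rec):
            hits.append((rec.get("Image", ""), rec["TargetObject"], rec["Details"]))
    return hits


# Constructed sample records, modelled on Sysmon Event ID 13 fields.
SAMPLE_LOG = [
    # Fake installer registers itself from Users\Public (flagged)
    r"EventID=13|EventType=SetValue|Image=C:\Users\Public\ai_video_setup.exe"
    r"|TargetObject=HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\AIVideo"
    r"|Details=C:\Users\Public\ai_video_setup.exe",
    # Dropped payload registered under RunOnce from AppData\Local (flagged)
    r"EventID=13|EventType=SetValue|Image=C:\Users\alice\AppData\Local\Temp\unpacked.exe"
    r"|TargetObject=HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Updater"
    r"|Details=C:\Users\alice\AppData\Local\VideoTool\updater.exe --silent",
    # OneDrive's own autorun entry lives in AppData\Local (allow-listed)
    r"EventID=13|EventType=SetValue|Image=C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
    r"|TargetObject=HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"
    r"|Details=C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    # System component autorun from System32 (not user-writable)
    r"EventID=13|EventType=SetValue|Image=C:\Windows\System32\svchost.exe"
    r"|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth"
    r"|Details=C:\Windows\System32\SecurityHealthSystray.exe",
    # Shell-folder setting mentions AppData\Local but is not a Run key
    r"EventID=13|EventType=SetValue|Image=C:\Windows\explorer.exe"
    r"|TargetObject=HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData"
    r"|Details=C:\Users\alice\AppData\Local",
]

if __name__ == "__main__":
    for image, key, data in find_suspicious(SAMPLE_LOG):
        print(f"SUSPICIOUS autorun {key}\n  set by   {image}\n  launches {data}")
```

Run against the sample, only the two payload entries are reported; the OneDrive record shows why an allow-list is needed before this logic goes into an alerting rule, since several legitimate updaters also autorun from AppData\Local.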


Credential Access T1555.003 [Credentials from Web Browsers] & T1539 [Steal Web Session Cookie]: In this stage, the main file accesses the browsers' predefined data locations using WMIC.


Discovery T1012 [Query Registry]: A malicious chunk of code queries registry data to collect information about the victim machine.
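Process-creation triage for the Credential Access and Discovery stages above, added here as an example and not taken from the write-up or from any product: it reads constructed, Sysmon-style Event ID 1 (ProcessCreate) records and flags reg.exe queries against machine-identifying keys, as well as reg.exe or WMIC launched by a parent binary that lives in AppData\Local or Users\Public. The record format and sample command lines are constructed; the three registry paths in FINGERPRINT_KEYS are real Windows keys that I chose as typical fingerprinting targets, not keys the write-up attributes to this malware.

```python
import re

# Parent processes running from the staging directories the write-up names.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\(?:Public|[^\\]+\\AppData\\Local)\\", re.IGNORECASE)
# Assumed list of registry paths commonly read to identify a host (lower-case substrings).
FINGERPRINT_KEYS = (
    r"\software\microsoft\cryptography",               # MachineGuid
    r"\software\microsoft\windows nt\currentversion",  # ProductName, build number
    r"\hardware\description\system\centralprocessor",  # CPU model strings
)


def parse_record(line):
    """Split a constructed 'Field=Value|Field=Value' record into a dict."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def triage_reasons(rec):
    """Return the reasons (possibly none) a ProcessCreate record deserves a look."""
    image = rec.get("Image", "").lower()
    lowered_cmd = rec.get("CommandLine", "").lower()
    parent = rec.get("ParentImage", "")
    reasons = []
    is_reg_query = image.endswith("\\reg.exe") and re.search(r"\bquery\b", lowered_cmd)
    is_wmic = image.endswith("\\wmic.exe")
    if is_reg_query and any(key in lowered_cmd for key in FINGERPRINT_KEYS):
        reasons.append("reg query of a machine-identifying key")
    if (is_reg_query or is_wmic) and USER_WRITABLE_RE.search(parent):
        reasons.append("spawned by a binary in a user-writable directory")
    return reasons


def triage(lines):
    """Return (ParentImage, CommandLine, reasons) for every record with at least one reason."""
    hits = []
    for rec in map(parse_record, lines):
        reasons = triage_reasons(rec)
        if reasons:
            hits.append((rec.get("ParentImage", ""), rec.get("CommandLine", ""), reasons))
    return hits


# Constructed sample records, modelled on Sysmon Event ID 1 fields.
SAMPLE_LOG = [
    # Fake installer reads the MachineGuid (two reasons)
    r"EventID=1|Image=C:\Windows\System32\reg.exe"
    r'|CommandLine=reg query "HKLM\SOFTWARE\Microsoft\Cryptography" /v MachineGuid'
    r"|ParentImage=C:\Users\Public\ai_video_setup.exe",
    # Dropped payload calls WMIC from AppData\Local (one reason)
    r"EventID=1|Image=C:\Windows\System32\wbem\WMIC.exe"
    r"|CommandLine=wmic os get caption,version"
    r"|ParentImage=C:\Users\alice\AppData\Local\Temp\unpacked.exe",
    # Administrator in cmd.exe reading an unrelated key (no reason)
    r"EventID=1|Image=C:\Windows\System32\reg.exe"
    r'|CommandLine=reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion" /v ProgramFilesDir'
    r"|ParentImage=C:\Windows\System32\cmd.exe",
    # Patch inventory from an administrator shell (no reason)
    r"EventID=1|Image=C:\Windows\System32\wbem\WMIC.exe|CommandLine=wmic qfe list"
    r"|ParentImage=C:\Windows\System32\cmd.exe",
]

if __name__ == "__main__":
    for parent, cmd, reasons in triage(SAMPLE_LOG):
        print(f"{parent}\n  ran: {cmd}\n  why: {'; '.join(reasons)}")
```

The parent-path condition is what keeps this usable: reg.exe and WMIC are everyday administration tools, so the signal is not the tool itself but a freshly downloaded binary in a user-writable directory driving it.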

Collection T1074.001 [Local Data Staging]: The malware takes a screenshot of the victim's system on first execution and then packs the stolen data and cookies into an archive.


Exfiltration T1567.002 [Exfiltration to Cloud Storage]: The attacker uses cloud-hosted services such as Telegram and Discord as the exfiltration destination, and the malware usually sends all of the collected information there.

Current IOCs:

Domains - sora-open[.]net, ai-lumi[.]cloud, humanpal[.]art, topazlabbs[.]com (typosquat of the legitimate topazlabs name)

Malicious file URLs: https[://]www[.]dropbox[.]com/scl/fi/2sh87t0auxuiyerjszn5q/TopazVideoAI-3-0-3.rar?rlkey=DATAREDACTED&st=DATAREDACTED&dl=1, https[://]trello.com/1/cards/DATAREDACTED/attachments/DATAREDACTED/download/install_x86-64_build_3636.zip

Malicious installer file MD5 hashes: 07459c5167305f932be15dfb4014b1c6, 1FC24B9A4C5245B0B8F4AFFE705BDB17
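Putting the IOCs above to work, as an added example that is not part of the original write-up: the script refangs the defanged indicators exactly as listed, then sweeps a constructed proxy log for hits and checks file hashes against the two MD5 values. Because the Dropbox and Trello URLs sit on shared hosting and have their key segments redacted, a URL is matched on hostname plus final filename rather than on the full string; the log format, client addresses, timestamps and benign lines are all constructed.

```python
import hashlib
from urllib.parse import urlparse

# Indicators copied from the write-up, still in defanged form.
RAW_DOMAINS = ["sora-open[.]net", "ai-lumi[.]cloud", "humanpal[.]art", "topazlabbs[.]com"]
RAW_URLS = [
    "https[://]www[.]dropbox[.]com/scl/fi/2sh87t0auxuiyerjszn5q/TopazVideoAI-3-0-3.rar"
    "?rlkey=DATAREDACTED&st=DATAREDACTED&dl=1",
    "https[://]trello.com/1/cards/DATAREDACTED/attachments/DATAREDACTED/download/install_x86-64_build_3636.zip",
]
RAW_MD5 = ["07459c5167305f932be15dfb4014b1c6", "1FC24B9A4C5245B0B8F4AFFE705BDB17"]


def refang(ioc):
    """Undo the usual [.] / [://] / hxxp defanging so an IOC compares against real traffic."""
    return ioc.replace("[.]", ".").replace("[://]", "://").replace("hxxp", "http")


def host_and_filename(url):
    """Return (lower-case hostname, last path segment) for a URL."""
    parts = urlparse(url)
    return (parts.hostname or "").lower(), parts.path.rsplit("/", 1)[-1]


IOC_DOMAINS = [refang(d).lower() for d in RAW_DOMAINS]
# Key segments are redacted in the published URLs, so match host + final filename.
IOC_URL_KEYS = {host_and_filename(refang(u)) for u in RAW_URLS}
IOC_MD5 = {h.lower() for h in RAW_MD5}


def classify_url(url):
    """'ioc-domain', 'ioc-download' or None for a requested URL."""
    host, filename = host_and_filename(url)
    if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
        return "ioc-domain"
    if (host, filename) in IOC_URL_KEYS:
        return "ioc-download"
    return None


def scan_proxy_log(lines):
    """Return (client, kind, url) for each line whose URL matches an indicator."""
    hits = []
    for line in lines:
        timestamp, client, method, url = line.split()  # constructed 4-field format
        kind = classify_url(url)
        if kind:
            hits.append((client, kind, url))
    return hits


def hash_is_known(hexdigest):
    """Case-insensitive lookup against the published MD5 values."""
    return hexdigest.lower() in IOC_MD5


def file_is_known(data):
    """Hash file bytes and look them up."""
    return hash_is_known(hashlib.md5(data).hexdigest())


# Constructed proxy log: timestamp client method url
SAMPLE_PROXY_LOG = [
    "2024-05-01T10:00:01Z 10.0.0.12 GET https://www.sora-open.net/download",
    "2024-05-01T10:00:09Z 10.0.0.12 GET https://www.dropbox.com/scl/fi/2sh87t0auxuiyerjszn5q/TopazVideoAI-3-0-3.rar?rlkey=abc123&dl=1",
    "2024-05-01T10:02:30Z 10.0.0.25 GET https://www.dropbox.com/scl/fi/zzzz/Quarterly-Report.pdf?dl=1",
    "2024-05-01T10:03:00Z 10.0.0.25 GET https://topazlabs.com/",
    "2024-05-01T10:05:44Z 10.0.0.31 GET https://trello.com/1/cards/abc/attachments/def/download/install_x86-64_build_3636.zip",
]

if __name__ == "__main__":
    for client, kind, url in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} {kind} {url}")
```

Note that the legitimate topazlabs.com request is not matched, while the typosquatted domain and the two shared-hosting downloads are; a hostname-only rule on dropbox.com or trello.com would flag every user of those services, which is why the download indicators carry the filename.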

Mitigations:
1. Restrict access to social media at the network layer.
2. Restrict unauthorized application installation at the policy level.
3. Continuously monitor the registry locations responsible for autorun.
4. Continuously monitor the APPDATA and Users\Public folders for newly created files.
5. Analyze commands such as reg query and other related processes.