Unmasking the Year-Long Deception: Fake AI Tools and Malware Threats
In a shocking revelation, online scammers have manipulated the buzz around generative artificial intelligence into a malicious campaign that has been ongoing for a year. According to a report by threat intelligence firm Google Mandiant, these fraudsters have been distributing infostealers and backdoors under the guise of AI utilities.
The Deceptive Strategy
In a clever twist, the threat actor group dubbed UNC6032, reportedly linked to Vietnam, has been harnessing thousands of misleading ads prominently featured on platforms like Facebook and LinkedIn. Masquerading as legitimate entities such as Luma AI, Canva Dream Lab, and Kling AI, these ads lead unsuspecting users to near-identical fake websites. Here, instead of the promised AI-generated video, users receive a malware-laden file.
A Widespread Impact
Mandiant’s thorough examination uncovered that these ads have reached approximately 2.3 million individuals within the European Union alone. This alarming data echoes previous findings from the security firm Morphisec, reporting similar observations.
The Evasive Techniques
What sets UNC6032 apart is their nimbleness in avoiding detection. Newly registered domains are utilized swiftly in ads, sometimes within hours of going live. These domains are supported by compromised Facebook accounts, through which deceptive ads are continuously published. As reported, some LinkedIn ads potentially reached up to 250,000 individuals via the rogue site klingxai.com.
Malware Disguised as AI
The fake sites closely replicate genuine AI service interfaces and logos. One fraudulent site depicted as ‘Luma Dream AI Machine’ presented regular video creation options. Upon user interaction, the site feigned a processing sequence before displaying a ‘download’ button that concealed a harmful zip archive. The malware, Starkveil, included within this archive, comprises modular families like Grimpull, XWorm, and Frostrift, which are capable of data theft and system compromise.
Innovations in Malware Delivery
Crafted in Rust, Starkveil employs ingenious techniques such as the double-extension trick, which uses invisible Braille Unicode characters to hide a malicious executable behind a benign-looking file type. Once executed, Starkveil unpacks its embedded archives into trusted Windows processes and relies on obfuscation to remain undetected.
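A defender-side check for the filename trick described above, added here as an illustrative example and not taken from Mandiant's report: it lists a zip archive and flags entries whose name carries Braille or other invisible Unicode padding, or hides an executable extension behind a decoy media extension. The archive and its file names are constructed inline; the hypothetical lure name "Luma_Dream_Video.mp4" is an assumption.

```python
import io
import re
import unicodedata
import zipfile

# Extensions Windows runs directly when the file is double-clicked.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".msi"}
# Decoy extensions a victim expects from an "AI video generator" download.
DECOY_EXT_RE = re.compile(r"\.(mp4|mov|avi|png|jpg|jpeg|gif|pdf|txt|docx?)$", re.IGNORECASE)

def invisible_chars(text: str) -> list[str]:
    """Characters that render as blank or nothing: Braille patterns
    (U+2800..U+28FF, including the blank pattern used for padding) and
    Unicode format characters (zero-width space, joiners, BOM, ...)."""
    return [c for c in text
            if "\u2800" <= c <= "\u28ff" or unicodedata.category(c) == "Cf"]

def analyze_name(name: str) -> dict:
    """Flag a file name that hides an executable behind a decoy extension."""
    reasons = []
    base = name.rsplit("/", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    real_ext = (dot + ext).lower()
    hidden = set(invisible_chars(stem))
    if hidden:
        count = sum(1 for c in stem if c in hidden)
        reasons.append(f"{count} invisible padding char(s) in name")
    # What a file browser effectively shows once the padding is removed.
    visible_stem = "".join(c for c in stem if c not in hidden).rstrip()
    decoy = DECOY_EXT_RE.search(visible_stem)
    if real_ext in EXEC_EXTS and decoy:
        reasons.append(f"double extension: shown as {decoy.group(0).lower()} "
                       f"but runs as {real_ext}")
    return {"name": base, "suspicious": bool(reasons), "reasons": reasons}

def scan_zip(data: bytes) -> list[dict]:
    """Analyze every file entry in an in-memory zip archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [analyze_name(i.filename) for i in zf.infolist() if not i.is_dir()]

def build_sample_archive() -> bytes:
    """Constructed sample: one benign file plus a lure whose '.exe' is pushed
    out of view by 40 Braille blank characters (U+2800)."""
    lure = "Luma_Dream_Video.mp4" + "\u2800" * 40 + ".exe"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "constructed sample, not real malware")
        zf.writestr(lure, b"MZ-placeholder-not-a-real-binary")
    return buf.getvalue()

if __name__ == "__main__":
    for result in scan_zip(build_sample_archive()):
        print(result)
```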
A Continuous Threat
Regular updates to the malicious group’s infrastructure allow them to host constantly evolving payloads. Their resilient tactics include dynamically obfuscating payloads, making static detection increasingly challenging. The malware continues to gain persistence by embedding AutoRun registry keys and side-loading harmful DLLs through legitimate executable routes.
Legislative and Cybersecurity Responses
The report highlights actions by Meta to dismantle these harmful ads and eliminate the domains associated with their spread. Moreover, LinkedIn has introduced transparency tools providing insights into ad reach and targeting patterns, assisting investigators in assessing the breadth of exposure.
According to GovInfoSecurity, this malicious campaign serves as a chilling reminder of the ongoing battle against cybercrime, urging vigilance and rapid adaptation from cybersecurity entities around the globe.