Hackers often make use of fake AI editor websites for several illicit purposes with malicious intent.
Among their prime activities are deceiving users into providing personal information, downloading malware, making payments for fraudulent services, and many more.
Recently, cybersecurity researchers at Trend Micro identified a sophisticated malvertising campaign that targeted social media users through a multi-step deception process that enabled them to steal login credentials.
Threat actors do so by taking over pages that deal with pictures and changing them to AI photo editors.
How to Build a Security Framework With Limited Resources IT Security Team (PDF) - Free Guide
Fake AI Editor Website
To boost these posts, the threat actor publishes deceiving posts with links to fake photo editing sites via sponsored advertising.
By downloading the alleged editor from these sites, the customers inadvertently install a harmless endpoint administration tool embedded with an infected setup file.
In this way, threat actors can control victims’ devices distantly in order to deploy credential stealers or steal valuable data.
Threat actors send Phishing messages to social media page administrators, often utilizing personalized link pages or Facebook’s open redirect URL to make them look genuine.
Trend Micro said that after gaining access to the accounts, the attackers posted malicious ads with links to fake AI photo editor websites.
These platforms imitate legitimate services such as Evoto, but in reality, they disseminate endpoint management software.
The campaign has seen significant traffic, with around 16,000 downloads for the Windows version and 1,200 hits on a non-functional macOS version, further illustrating how extensive and efficient this operation is at tricking users across different platforms.
The victims’ devices are unknowingly enrolled in the remote management system of ITarian after the latter disguises it as a photo editor MSI package.
This can be done by granting them full control without needing to use explicitly malicious components. Consequently, two actions will take place through enrollment that we have mentioned below:-
- A Python script downloads and executes Lumma Stealer, encrypted with PackLab Crypter.Â
- Another script disables Microsoft Defender scans for the C: drive.Â
Afterward, via specific POST requests, Lumma Stealer establishes communication with its command and control server where it gets base64 encoded configuration.
The stealer, when decrypted, gives instructions on what data to target and exfiltrate, especially focusing on social media credentials and other sensitive information contained here within this configuration.
Recommendations
Here below we have mentioned all the recommendations:-
- Enable MFA on all social media accounts.
- Regularly update and use strong, unique passwords.
- Educate employees on phishing dangers and recognizing suspicious links.
- Verify the legitimacy of links, especially those asking for personal information.
- Monitor accounts for unusual behavior.
- Use security solutions to detect abnormal activities.
- Employ endpoint technologies for multilayered protection.
Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Free Access