Cyber criminals are spreading malware disguised as popular tool installers to target B2B sales and the technology and marketing sectors, according to new threat research.
Cisco Talos said it has found the CyberLock and Lucky_Gh0$t ransomware, along with a newly discovered malware dubbed ‘Numero’, masquerading as popular and legitimate AI tool installers to dupe victims.
Chetan Raghuprasad, a cybersecurity researcher at Cisco Talos, said threat actors are employing a “variety of techniques and channels” to target victims in these campaigns.
Common tactics include SEO poisoning techniques which aim to manipulate search engine rankings to place malicious websites at the top of search results.
Other communications channels, such as Telegram or assorted social media messaging apps, are also being employed, he added.
“As a result, unsuspecting businesses in search of AI solutions may be deceived into downloading counterfeit tools in which malware is embedded,” Raghuprasad explained.
“This practice poses a significant risk, as it not only compromises sensitive business data and financial assets but also undermines trust in legitimate AI market solutions.”
How hackers are targeting victims
CyberLock ransomware focuses mainly on encrypting specific files on the victim’s system, with the ransom note claiming that the $50,000 ransom payment will be allocated for humanitarian aid in various regions, including Palestine, Ukraine, Africa, and Asia.
In these latest attacks, the threat actors set up a lookalike website at the domain ‘novaleadsai[.]com’, apparently impersonating the genuine domain ‘novaleads.app’ – a lead monetization platform.
Lucky_Gh0$t, meanwhile, is a variant of the Yashma ransomware that is being disguised as a ChatGPT installer with the file name ‘ChatGPT 4.0 full version – Premium.exe’.
“The malicious SFX installer included a folder that contained the Lucky_Gh0$t ransomware executable with the filename ‘dwn.exe’, which imitates the legitimate Microsoft executable ‘dwm.exe’,” said Raghuprasad.
“The folder also contained legitimate Microsoft open source AI tools that are available on their GitHub repository for developers and data scientists working with AI, particularly within the Azure ecosystem.”
Including the legitimate tools in the SFX archive may allow the malware to evade detection by anti-malware file scanners, researchers warned.
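Two of the tricks described above rest on near-miss naming: a lookalike domain (‘novaleadsai[.]com’ standing in for ‘novaleads.app’) and a payload named ‘dwn.exe’ that imitates the Windows binary ‘dwm.exe’. The following is an added defender-side example, not code from the Talos report: it flags both kinds of lookalike with one edit-distance check, and also flags a correctly spelled system binary name sitting outside the Windows system directories. The watch-lists and the archive listing are constructed for illustration; the domain-label parsing is deliberately naive (no public-suffix list).

```python
"""Lookalike-name detection for domains and dropped executables (added example)."""
from __future__ import annotations

import ntpath

# Constructed watch-lists: a defender would maintain these locally (assumption).
TRUSTED_BINARIES = {"dwm.exe", "svchost.exe", "explorer.exe", "csrss.exe", "lsass.exe"}
TRUSTED_DOMAINS = {"novaleads.app", "openai.com"}
WINDOWS_SYSTEM_DIRS = ("\\windows\\system32", "\\windows\\syswow64")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the two-row dynamic-programming scheme."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def defang(domain: str) -> str:
    """Turn the report-style 'example[.]com' notation back into a real hostname."""
    return domain.replace("[.]", ".").strip().lower().strip(".")


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'novaleads' for 'novaleads.app' (naive; assumption)."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_domain(observed: str, trusted: set[str] = TRUSTED_DOMAINS,
                     max_dist: int = 2) -> str | None:
    """Return the trusted domain that `observed` imitates, or None.

    Flags a domain whose registrable label is within `max_dist` edits of a
    trusted label, reuses a trusted label under another TLD, or embeds a
    trusted brand label with an affix ('novaleads' + 'ai'). Exact matches pass.
    """
    obs = defang(observed)
    if obs in trusted:
        return None
    obs_label = registrable_label(obs)
    for t in sorted(trusted):
        t_label = registrable_label(t)
        if obs_label == t_label or edit_distance(obs_label, t_label) <= max_dist:
            return t
        if len(t_label) >= 5 and t_label in obs_label:
            return t
    return None


def lookalike_binary(path: str, trusted: set[str] = TRUSTED_BINARIES,
                     max_dist: int = 1) -> tuple[str, str] | None:
    """Classify a Windows file path against known system binary names.

    Returns ('near-miss', name) for a filename one edit away from a trusted
    binary (dwn.exe vs dwm.exe), ('masquerade', name) for an exact system
    binary name outside the Windows system directories, or None.
    """
    name = ntpath.basename(path).lower()
    parent = ntpath.dirname(path).lower()
    in_system_dir = any(d in parent for d in WINDOWS_SYSTEM_DIRS)
    for t in sorted(trusted):
        if name == t:
            return None if in_system_dir else ("masquerade", t)
        if edit_distance(name, t) <= max_dist:
            return ("near-miss", t)
    return None


def scan_archive_listing(entries: list[str]) -> list[tuple[str, str, str]]:
    """Run lookalike_binary over the paths of an extracted SFX archive listing."""
    hits = []
    for entry in entries:
        verdict = lookalike_binary(entry)
        if verdict is not None:
            hits.append((entry, verdict[0], verdict[1]))
    return hits


# Constructed listing modelled on the report: one dropped payload next to
# legitimate-looking tool files (file names other than dwn.exe are placeholders).
SAMPLE_LISTING = [
    r"C:\Users\victim\AppData\Local\Temp\sfx\dwn.exe",
    r"C:\Users\victim\AppData\Local\Temp\sfx\tools\README.md",
    r"C:\Users\victim\AppData\Local\Temp\sfx\tools\sample_notebook.ipynb",
]

if __name__ == "__main__":
    print(lookalike_domain("novaleadsai[.]com"))   # novaleads.app
    for hit in scan_archive_listing(SAMPLE_LISTING):
        print(hit)
```

The edit-distance threshold is a trade-off: one edit for filenames keeps false positives low against short names like ‘dwm.exe’, while two edits on domain labels catches affix-style squats but will also match unrelated short labels, so in practice the domain check belongs on a brand watch-list rather than a whole allow-list.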
Finally, the newly identified malware, Numero, manipulates the graphical user interface (GUI) components of victims’ Windows systems, rendering them completely unusable.
It is being disguised as the installer for InVideo AI, an AI video creation tool and online platform widely used for marketing videos, social media content, explainer videos and presentations.