
That Amazing AI Tool Could Be Dangerous Malware

2025-05-31 | Chris Smith | 4-minute read

Tags: AI, Malware, Cybersecurity

The AI Gold Rush Lures Cybercriminals

Artificial intelligence remains a dominant force in the technology sector, which makes it an attractive lure for cybercriminals targeting unsuspecting users. Recently, a campaign surfaced on social media platforms such as TikTok in which attackers uploaded AI-narrated clips that walked viewers, step by step, through installing malware on their own computers. Those who fell for it believed the videos were instructions for activating pirated software.

This isn't the only way attackers are riding AI's popularity to distribute malware. This week, security researchers from Cisco Talos and Google's Mandiant released separate reports detailing these AI-themed lures.

Cybercriminals are deceiving individuals into downloading malicious applications by marketing them as desirable AI tools for either personal or professional use.

While exploring AI tools like ChatGPT or Gemini is advisable to prepare for the evolving technological landscape, and your future career might even rely on AI proficiency, this doesn't mean you should resort to AI products from dubious origins or attempt to bypass costs associated with premium features.

Like most software, genuine AI products are rarely free in their full form. Treat offers from third parties that seem excessively generous, such as a "cracked" premium tier or an unlimited free plan, as a warning sign that someone is trying to get malware onto your device.

Mandiant Exposes UNC6032's Deceptive Social Media Tactics

Example of malicious Facebook ads promoting AI services from Mandiant's report. Image source: Mandiant

Mandiant's report, released on Tuesday, detailed the activities of a Vietnam-based cybercriminal group tracked as UNC6032. The group ran advertisements on social media platforms such as Facebook and LinkedIn that impersonated legitimate AI video generation tools, including Luma AI, Canva Dream Lab, and Kling AI. The ads led to fraudulent websites that mimicked those services and tricked visitors into downloading malware disguised as the free AI-generated video they expected to receive.

Individuals who opened these deceptive files inadvertently installed malware designed to steal login credentials, record keystrokes, and potentially gain unauthorized access to their bank accounts.

The malware establishes persistence, so it keeps running after a system restart, and it gives the attackers remote access to the infected computer, expanding their opportunities for further malicious activity.
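The lure in this campaign depends on the victim not noticing that the "video" they downloaded is actually an executable. The following is an added example, not code from Mandiant's report or from the campaign itself, of a small triage script that inspects a downloaded ZIP for the usual disguises: a media extension followed by an executable one, whitespace padding that pushes the real extension out of view, a Unicode right-to-left override that visually reverses the name, and a Windows PE header (`MZ`) sitting under a media extension. The archive entries and their contents are constructed for the example; they are not filenames from the report.

```python
import io
import zipfile

# Extensions a "free AI video" download could plausibly carry.
MEDIA_EXTS = {".mp4", ".mov", ".webm", ".gif", ".png", ".jpg"}
# Extensions Windows will run when double-clicked.
EXEC_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".msi", ".js", ".vbs", ".lnk", ".pif"}
# Unicode right-to-left override: "clip\u202e4pm.scr" renders as "cliprcs.mp4".
RLO = "\u202e"


def suspicious_name(name: str) -> list[str]:
    """Reasons a filename looks like an executable posing as a media file."""
    reasons = []
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    if RLO in base:
        reasons.append("rtl-override")
    parts = base.split(".")
    if len(parts) < 2:
        return reasons
    final = "." + parts[-1].strip().lower()  # the extension Windows actually honours
    if final in EXEC_EXTS:
        inner = {"." + p.strip().lower() for p in parts[1:-1]}
        if inner & MEDIA_EXTS:
            reasons.append("double-extension")
        if parts[-2] != parts[-2].rstrip():  # "video.mp4          .exe"
            reasons.append("whitespace-padding")
    return reasons


def suspicious_content(name: str, head: bytes) -> list[str]:
    """Flag a PE image (MZ header) stored under a media extension."""
    final = "." + name.split(".")[-1].strip().lower()
    if final in MEDIA_EXTS and head[:2] == b"MZ":
        return ["pe-header-under-media-extension"]
    return []


def scan_zip(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious archive member to the reasons it was flagged."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)  # enough for the magic-byte check
            reasons = suspicious_name(info.filename) + suspicious_content(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample() -> bytes:
    """Constructed archive for the example: one benign clip, three disguised executables."""
    pe_stub = b"MZ" + b"\x90" * 62           # stand-in for a PE image
    mp4_stub = b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 32  # looks like a real MP4 header
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Creation_Made_By_AI.mp4", mp4_stub)
        zf.writestr("Creation_Made_By_AI.mp4                    .exe", pe_stub)
        zf.writestr("render.mp4", pe_stub)
        zf.writestr("clip" + RLO + "4pm.scr", pe_stub)
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample()).items():
        print(repr(member), "->", ", ".join(why))
```

The name checks cost nothing and catch the cases a user cannot see in Explorer; the magic-byte check is what survives when the attacker simply names the payload `render.mp4` and relies on a second-stage trick to run it. In practice you would also refuse to open anything flagged rather than merely report it.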

Talos Unmasks Malware Disguised as Premium AI Tools

On Thursday, Talos released its own report, describing three distinct malware families distributed under the guise of premium AI software.

Example of a fake website promoting an AI service from the Talos report. Image source: Talos

In one case, users believe they are installing an AI lead-generation tool called NovaLeadsAI, enticed by an offer of 12 months of free access followed by a $95 monthly fee. What they actually download is CyberLock, one of the three malicious programs Talos identified.

The other two malware strains include Lucky_Gh0$t, which falsely presents itself as a “full version” of ChatGPT 4.0, and Numero, which poses as an AI video generator named InVideo.

CyberLock and Lucky_Gh0$t are both ransomware. CyberLock encrypts Windows machines and demands a $50,000 ransom in Monero. Its ransom note claims the payment will fund humanitarian efforts in various regions, a fabrication intended to pressure victims, particularly businesses, into paying.

Lucky_Gh0$t encrypts files smaller than 1.2 GB and deletes any file larger than that, so the largest files are destroyed outright rather than held for ransom.

Numero is destructive rather than extortionate. It runs a component that corrupts Windows user interface elements, replacing window titles, button text, and similar strings with values like "1234567890" until the desktop is effectively unusable.

Gauging the Impact and Industry Response

The exact number of individuals impacted by these AI-themed malware attacks remains uncertain.

Mandiant's investigation indicates that UNC6032's malicious Facebook ads may have reached over two million users in Europe. The number of users who subsequently downloaded the malware is unknown. LinkedIn advertisements from the group reached an estimated 50,000 to 250,000 individuals.

Meta told The Register that it had removed the malicious advertisements, blocked the associated websites, and disabled the accounts involved, adding that many of these actions were taken "before they were shared with us."

Protecting Yourself in the Age of AI Deception

It bears repeating: do not download free AI applications from untrustworthy sources. If an offer looks suspicious, steer clear of it, however appealing it seems. Whether you are new to AI or experienced, reputable free tools such as ChatGPT or Gemini can help you research a questionable website and the AI product it claims to offer.

Back up your data regularly, and keep at least one copy offline, so a ransomware infection costs you time rather than your files. To protect credentials and banking information, use a reputable password manager, never reuse a password across accounts, and rotate your logins if you suspect a device has been compromised.
