Full Report
The impact that AI has on society has steadily crept into the darkest nooks and crannies of the internet, so much so that cybercrooks are hitching free rides on the AI bandwagon by leveraging the increased demand for AI-powered software among content creators. Cybercriminal groups constantly adapt their operating methods and tools to stay a step ahead of potential victims. Highly focused on enhancing their deceptive practices, threat actors have, unfortunately, found a most reliable and powerful a
Analysis Summary
# Tool/Technique: Rilide Stealer V4
## Overview
Rilide Stealer V4 is an updated version of the Rilide Stealer, a malicious browser extension primarily targeting Chromium-based browsers. It is being distributed via malvertising campaigns impersonating popular generative AI software (like Sora, CapCut, Gemini AI), often hosted on compromised social media profiles (e.g., Facebook) using sponsored ads. Its main purpose is to harvest sensitive user information from compromised systems.
## Technical Details
- Type: Malware (Information Stealer)
- Platform: Chromium-based browsers (e.g., Google Chrome, Opera)
- Capabilities: Browser credential theft, cookie theft, form/autocomplete data harvesting, potentially cryptocurrency wallet access.
- First Seen: The text presents V4 as an updated version of Rilide observed recently by Bitdefender researchers across several campaigns; no exact date is given.
## MITRE ATT&CK Mapping
* **TA0003 - Persistence**
  * T1176 - Browser Extensions (runs as a malicious Chromium extension)
* **TA0006 - Credential Access**
  * T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
  * T1539 - Steal Web Session Cookie
* **TA0010 - Exfiltration**
  * T1041 - Exfiltration Over C2 Channel (implied; the text names no transport)
## Functionality
### Core Capabilities
- Targeting Chromium-based browsers.
- Stealing sensitive information stored within the browser environment.
- Specifically targets credentials, cookies and autocomplete data, and potentially credit card and crypto wallet information (inferred from the goals of the associated campaigns).
### Advanced Features
- Stealthy distribution via malvertising campaigns disguised as legitimate AI software updates/trials.
- Operates as a malicious extension.
## Indicators of Compromise
- File Hashes: [Not explicitly provided in the text]
- File Names: [Not explicitly provided in the text, but delivered as a malicious executable/installer disguised as AI software]
- Registry Keys: [Not explicitly provided in the text]
- Network Indicators: [Implied C2 communication for exfiltration - specific C2 addresses are not listed]
- Behavioral Indicators: Installation as a browser extension; attempts to harvest browser data stores (passwords, cookies).
## Associated Threat Actors
- Unspecified cybercriminal groups utilizing Malware-as-a-Service (MaaS) models.
## Detection Methods
- Signature-based detection (For known Rilide hashes/signatures).
- Behavioral detection (Monitoring for the installation of unexpected browser extensions or scripts accessing sensitive browser profile data).
- YARA rules: [Not explicitly provided in the text]
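The behavioral check above (an unexpected extension with access to browser data) can be scripted against the on-disk profile. The following is an added example for this summary, not Bitdefender's tooling or anything from Rilide: it walks the layout Chromium uses (`<profile>/Extensions/<id>/<version>/manifest.json`), flags extensions that combine broad host access with the permissions a credential or cookie stealer needs, and treats a missing Chrome Web Store `update_url` as a sign of side-loading. The sample profile it builds, including the extension name "Sora Helper", is constructed for the demonstration.

```python
"""Audit a Chromium profile for side-loaded, data-harvesting extensions.

Added example for this summary (not Bitdefender's or Rilide's code). It walks
the layout Chromium uses on disk, <profile>/Extensions/<id>/<version>/manifest.json,
and flags extensions that combine broad host access with permissions a
credential or cookie stealer needs, and that did not come from the Web Store.
"""
import json
import tempfile
from pathlib import Path

# Permissions that let an extension read sessions, page content or user input.
RISKY_PERMISSIONS = {"cookies", "webRequest", "webRequestBlocking", "tabs",
                     "scripting", "history", "clipboardRead", "webNavigation"}
# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# Extensions installed from the Chrome Web Store carry this update endpoint;
# a side-loaded extension usually has none, or points elsewhere.
STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"


def _host_patterns(manifest: dict) -> set:
    # Manifest V3 keeps host patterns in host_permissions; V2 mixes them into permissions.
    return set(manifest.get("host_permissions", [])) | {
        p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"}


def audit_manifest(manifest: dict) -> dict:
    """Score one extension manifest and return the findings."""
    risky = sorted(set(manifest.get("permissions", [])) & RISKY_PERMISSIONS)
    broad = bool(_host_patterns(manifest) & BROAD_HOSTS)
    from_store = manifest.get("update_url") == STORE_UPDATE_URL
    if broad and risky and not from_store:
        verdict = "suspicious"      # stealer-shaped and not installed from the store
    elif (broad and risky) or not from_store:
        verdict = "review"
    else:
        verdict = "ok"
    return {"name": manifest.get("name", "?"), "version": manifest.get("version", "?"),
            "risky_permissions": risky, "broad_host_access": broad,
            "from_web_store": from_store, "verdict": verdict}


def audit_profile(profile_dir) -> list:
    """Audit every extension version directory under <profile>/Extensions."""
    findings = []
    for manifest_path in sorted(Path(profile_dir).glob("Extensions/*/*/manifest.json")):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            findings.append({"path": str(manifest_path), "verdict": "unreadable", "error": str(exc)})
            continue
        result = audit_manifest(manifest)
        result["extension_id"] = manifest_path.parts[-3]   # .../Extensions/<id>/<version>/manifest.json
        result["path"] = str(manifest_path)
        findings.append(result)
    return findings


def build_sample_profile(root) -> Path:
    """Constructed sample profile: one store-installed extension, one side-loaded stealer-shaped one."""
    root = Path(root)
    store = {"name": "Sample Store Extension", "version": "1.0", "manifest_version": 3,
             "permissions": ["storage"], "host_permissions": ["https://example.com/*"],
             "update_url": STORE_UPDATE_URL}
    sideloaded = {"name": "Sora Helper", "version": "4.0", "manifest_version": 2,   # hypothetical name
                  "permissions": ["cookies", "webRequest", "tabs", "<all_urls>"]}
    for ext_id, manifest in (("aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", store),
                             ("bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", sideloaded)):
        version_dir = root / "Extensions" / ext_id / (manifest["version"] + "_0")
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root


def run_sample() -> list:
    """Build the constructed profile in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_profile(build_sample_profile(tmp))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding["verdict"], finding["name"], finding["risky_permissions"])
```

Run it against every profile directory (`Default`, `Profile 1`, ...) under `%LOCALAPPDATA%\Google\Chrome\User Data` and the equivalent Edge, Brave and Opera paths. Two caveats: an installer can also load an extension from any directory through the `--load-extension` command-line switch or force it with the `ExtensionInstallForcelist` policy, so check browser shortcuts, running command lines and that policy key as well; and a high-permission extension is not proof of theft, so treat "suspicious" as a triage queue rather than a verdict.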
## Mitigation Strategies
- Employ a multi-layered security solution (endpoint protection together with web filtering).
- Keep software and operating systems up to date, using a vulnerability scanner to find missing patches.
- Practice good cyber hygiene: Do not click on suspicious links, pop-ups, or download software from unknown sources.
- Only download applications from official stores and websites.
- Enable two-factor authentication.
- Utilize AI-powered scam detectors (like Scamio) to analyze suspicious links or content.
## Related Tools/Techniques
- Vidar Stealer
- IceRAT
- Nova Stealers
- Social engineering via malvertising campaigns on Facebook impersonating Midjourney, Sora AI, DALL-E 3, Evoto, and ChatGPT 5.
***
# Tool/Technique: Vidar Stealer
## Overview
Vidar Stealer is an information-stealing malware family noted for being distributed as part of malvertising campaigns impersonating popular AI software. Its primary function is to harvest sensitive information from infected systems.
## Technical Details
- Type: Malware (Information Stealer)
- Platform: Windows (Implied, common for stealers distributed this way)
- Capabilities: Harvesting credentials, autocomplete data, credit card information, and cryptocurrency wallet information.
- First Seen: [Not explicitly provided in the text]
## MITRE ATT&CK Mapping
* **TA0006 - Credential Access**
  * T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
* **TA0010 - Exfiltration**
  * T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- Stealing stored user credentials and sensitive data from the victim machine.
- Exfiltrating harvested data to threat actor-controlled infrastructure.
### Advanced Features
- Distributed via high-reach malvertising campaigns; the text ties the stealer to the MaaS ecosystem.
## Indicators of Compromise
- File Hashes: [Not explicitly provided in the text]
- File Names: [Not explicitly provided in the text]
- Registry Keys: [Not explicitly provided in the text]
- Network Indicators: [Implied C2 communication]
- Behavioral Indicators: Attempting to scrape data from browsers and wallet applications.
## Associated Threat Actors
- Unspecified cybercriminal groups utilizing Malware-as-a-Service (MaaS).
## Detection Methods
- Signature-based detection.
- Behavioral detection focusing on information enumeration and exfiltration attempts.
## Mitigation Strategies
- Use comprehensive, multi-layered security solutions.
- Maintain up-to-date systems and software.
- Avoid downloading software from untrusted links, especially those advertised on social media redirects.
- Employ strong authentication measures (2FA).
## Related Tools/Techniques
- Rilide Stealer
- IceRAT
- Nova Stealers
***
# Tool/Technique: IceRAT
## Overview
IceRAT is a remote access tool (RAT) that the article notes is distributed in the examined malvertising campaigns alongside the stealers. It is written in JPHP (a PHP implementation that compiles to JVM bytecode); its primary function is unauthorized remote access to and control over compromised systems.
## Technical Details
- Type: Malware (Remote Access Trojan - RAT)
- Platform: Not stated in the text. JPHP programs run on the Java Virtual Machine, and the campaigns otherwise target Windows users, so Windows endpoints are the likely target (inference, not stated in the text).
- Capabilities: Providing threat actors with remote access, viewing system information, and executing commands on the compromised host.
- First Seen: [Not explicitly provided in the text]
## MITRE ATT&CK Mapping
* **TA0011 - Command and Control**
  * T1071 - Application Layer Protocol
* **TA0007 - Discovery**
  * T1082 - System Information Discovery (implied by RAT functionality)
## Functionality
### Core Capabilities
- Establishing remote access to the compromised endpoint.
- Executing arbitrary commands given by the operator.
### Advanced Features
- Distributed alongside information stealers via AI-themed malvertising.
- Written in JPHP, which is unusual for malware and yields JVM bytecode rather than a native Windows PE; signatures tuned for native stealers may miss it.
## Indicators of Compromise
- File Hashes: [Not explicitly provided in the text]
- File Names: [Not explicitly provided in the text]
- Registry Keys: [Not explicitly provided in the text]
- Network Indicators: [Implied C2 communication channel established by the RAT]
- Behavioral Indicators: Establishment of persistent network connections originating from the endpoint that deviate from normal user activity patterns.
## Associated Threat Actors
- Unspecified cybercriminal groups possibly leveraging MaaS infrastructure.
## Detection Methods
- Network traffic analysis revealing communication patterns consistent with RATs.
- Endpoint detection monitoring for unexpected processes or connections initiated by IceRAT.
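The text gives no protocol detail for IceRAT, so the network check that generalises is the one for any RAT's check-in traffic: connections to one destination at near-constant intervals. The following is an added example for this summary, not IceRAT's code or a signature for it; the flow records are constructed and their tuple shape is an assumption.

```python
"""Surface beacon-like outbound connections from flow records.

Added example for this summary, not IceRAT's code or a signature for it. It
groups flows per (src, dst, port), computes the gaps between successive
connections, and keeps groups whose coefficient of variation (stdev / mean)
is low: human-driven traffic is bursty, a timer-driven check-in is not.
"""
import statistics
from collections import defaultdict


def beacon_candidates(flows, min_conns=6, max_cv=0.25):
    """flows: iterable of (ts_seconds, src_ip, dst_ip, dst_port). Returns most regular first."""
    stamps = defaultdict(list)
    for ts, src, dst, dport in flows:
        stamps[(src, dst, dport)].append(ts)
    found = []
    for (src, dst, dport), times in stamps.items():
        if len(times) < min_conns:           # too few connections to judge regularity
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean  # 0 means perfectly periodic
        if cv <= max_cv:
            found.append({"src": src, "dst": dst, "dport": dport, "connections": len(times),
                          "interval_s": round(mean, 1), "cv": round(cv, 3)})
    return sorted(found, key=lambda r: r["cv"])


def sample_flows():
    """Constructed flows: a ~60 s check-in with a few seconds of jitter to 203.0.113.7:8080,
    plus human-paced browsing to 198.51.100.20:443 from the same host."""
    flows = []
    t = 1000.0
    flows.append((t, "10.0.0.15", "203.0.113.7", 8080))
    for gap in (60, 58, 62, 61, 59, 60, 63, 57, 60, 61, 59):
        t += gap
        flows.append((t, "10.0.0.15", "203.0.113.7", 8080))
    t = 1000.0
    flows.append((t, "10.0.0.15", "198.51.100.20", 443))
    for gap in (2, 5, 40, 300, 3, 900, 7, 120, 2, 600, 45):
        t += gap
        flows.append((t, "10.0.0.15", "198.51.100.20", 443))
    return flows


if __name__ == "__main__":
    for hit in beacon_candidates(sample_flows()):
        print(hit)
```

A RAT that adds random sleep jitter raises the CV, so widen `max_cv` (0.3 to 0.5) and rank by destination rarity across the estate rather than relying on the threshold alone; an egress-filtered network (see the mitigations below) turns the same beacon into repeated blocked-connection logs, which are easier still to spot.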
## Mitigation Strategies
- Network segmentation and egress filtering to limit C2 communication.
- Strong endpoint protection to block initial execution of unknown binaries.
- Keep systems patched; in these campaigns the RAT is run by the victim rather than delivered through an exploit, so patching limits what an operator can do after access rather than preventing the initial execution.
## Related Tools/Techniques
- Rilide Stealer
- Vidar Stealer
- Nova Stealers
***
# Tool/Technique: Nova Stealers
## Overview
Nova Stealers is another information-stealing malware identified as part of the payload mix delivered through these generative AI-themed malvertising campaigns. Like other items in this batch, its objective is the systematic harvesting of sensitive user data.
## Technical Details
- Type: Malware (Information Stealer)
- Platform: Unspecified (Likely Windows)
- Capabilities: Harvesting sensitive information such as credentials, auto-complete data, and financial details from the victim machine.
- First Seen: [Not explicitly provided in the text]
## MITRE ATT&CK Mapping
* **TA0006 - Credential Access**
  * T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
* **TA0010 - Exfiltration**
  * T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- Data collection from local system sources, particularly web browsers.
- Exfiltrating collected data to the threat actor.
### Advanced Features
- Sold and distributed through the MaaS ecosystem and delivered via high-reach sponsored social media ads.
## Indicators of Compromise
- File Hashes: [Not explicitly provided in the text]
- File Names: [Not explicitly provided in the text]
- Registry Keys: [Not explicitly provided in the text]
- Network Indicators: [Implied C2 communication]
- Behavioral Indicators: Reads of browser credential, cookie and autofill stores by a non-browser process, followed by outbound transfers to attacker infrastructure.
## Associated Threat Actors
- Threat actors utilizing Malware-as-a-Service platforms.
## Detection Methods
- Anomaly detection on data access patterns, particularly related to browser data files.
- Signatures specific to Nova Stealer binaries.
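The "anomaly detection on data access patterns" named here, and the behavioral detection named in the Vidar Stealer section above, come down to one rule: a process that is not a browser reading several browser data stores in a short window, escalated if it then connects out. The following is an added example for this summary, not code from Bitdefender or from any of the stealers. The EDR-style events (file opens and outbound connections keyed by process id) are constructed, their shape is an assumption to adapt to your telemetry, and the installer name `Sora_AI_Setup.exe` is hypothetical.

```python
"""Flag non-browser processes that read browser credential stores and wallet data.

Added example for this summary, not code from Bitdefender or from any stealer.
Event shape (constructed): {"ts", "pid", "image", "event": "FileOpen"|"NetConnect",
"path" or "dst"}; adapt to the telemetry you actually have.
"""
import re
from collections import defaultdict

# Files Chromium-based browsers keep credentials, cookies and autofill in. "Local State"
# holds the DPAPI-wrapped key that decrypts the others, so stealers read it first.
BROWSER_STORE_RE = re.compile(
    r"[\\/](Login Data|Cookies|Web Data|Local State|History)$", re.IGNORECASE)
# Directories used by common desktop wallets (subset; extend for your estate).
WALLET_RE = re.compile(r"[\\/](Exodus|Electrum|Ethereum[\\/]keystore|Bitcoin)[\\/]", re.IGNORECASE)
# Processes that legitimately read their own stores.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe", "firefox.exe"}


def _basename(path: str) -> str:
    # Works for Windows paths on any host (os.path.basename would not on Linux).
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify_path(path: str):
    if BROWSER_STORE_RE.search(path):
        return "browser_store"
    if WALLET_RE.search(path):
        return "wallet"
    return None


def detect_stealer_activity(events, window_s=60, min_distinct=2):
    """Return one alert per process that reads >= min_distinct sensitive files within window_s."""
    per_pid = defaultdict(lambda: {"image": "", "reads": [], "conns": []})
    for ev in sorted(events, key=lambda e: e["ts"]):
        if _basename(ev["image"]) in BROWSER_IMAGES:
            continue                      # a browser reading its own data is normal
        rec = per_pid[ev["pid"]]
        rec["image"] = ev["image"]
        if ev["event"] == "FileOpen":
            category = classify_path(ev["path"])
            if category:
                rec["reads"].append((ev["ts"], category, ev["path"]))
        elif ev["event"] == "NetConnect":
            rec["conns"].append((ev["ts"], ev["dst"]))

    alerts = []
    for pid, rec in per_pid.items():
        reads = rec["reads"]
        for i, (t0, _, _) in enumerate(reads):       # slide the window over each read
            burst = [r for r in reads[i:] if r[0] - t0 <= window_s]
            files = sorted({r[2] for r in burst})
            if len(files) >= min_distinct:
                outbound = sorted({d for ts, d in rec["conns"] if ts >= t0})
                alerts.append({"pid": pid, "image": rec["image"], "files": files,
                               "categories": sorted({r[1] for r in burst}),
                               "outbound_after_read": outbound,
                               "severity": "high" if outbound else "medium"})
                break                                 # one alert per process
    return alerts


# Constructed sample telemetry: Chrome reading its own store (benign), a fake "Sora"
# installer (hypothetical name) reading Local State, Login Data, Web Data and an
# Exodus wallet and then connecting out, and Explorer touching one file (benign).
PROFILE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default"
INSTALLER = r"C:\Users\alice\Downloads\Sora_AI_Setup.exe"
SAMPLE_EVENTS = [
    {"ts": 100, "pid": 4120, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "event": "FileOpen", "path": PROFILE + r"\Login Data"},
    {"ts": 130, "pid": 5532, "image": INSTALLER, "event": "FileOpen",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"ts": 131, "pid": 5532, "image": INSTALLER, "event": "FileOpen", "path": PROFILE + r"\Login Data"},
    {"ts": 132, "pid": 5532, "image": INSTALLER, "event": "FileOpen", "path": PROFILE + r"\Web Data"},
    {"ts": 135, "pid": 5532, "image": INSTALLER, "event": "FileOpen",
     "path": r"C:\Users\alice\AppData\Roaming\Exodus\exodus.wallet\seed.seco"},
    {"ts": 140, "pid": 5532, "image": INSTALLER, "event": "NetConnect", "dst": "203.0.113.7:443"},
    {"ts": 300, "pid": 7001, "image": r"C:\Windows\explorer.exe", "event": "FileOpen",
     "path": PROFILE + r"\History"},
]

if __name__ == "__main__":
    for alert in detect_stealer_activity(SAMPLE_EVENTS):
        print(alert["severity"], alert["image"], alert["files"], alert["outbound_after_read"])
```

Expect noise from backup agents and password-manager importers; allowlist those by signed image path rather than by name, since stealers are free to call themselves `chrome.exe`. The same rule ported to Sigma or your EDR's query language is the durable form of the "behavioral detection" the text calls for.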
## Mitigation Strategies
- Limit user permissions on endpoints.
- Use advanced security software capable of detecting file-stealing behaviors.
- Educate users on social engineering risks associated with free software offers.
## Related Tools/Techniques
- Rilide Stealer
- Vidar Stealer
- IceRAT
***
# Technique: AI Software Impersonation via Malvertising
## Overview
This technique involves threat actors hijacking social media profiles (specifically Facebook) to create fraudulent pages impersonating popular generative AI software (e.g., Midjourney, Sora AI, DALL-E 3, ChatGPT 5). They use sponsored ads featuring AI-generated content and misleading descriptions to lure victims into downloading malicious payloads.
## Technical Details
- Type: Technique/Campaign Strategy
- Platform: Meta (Facebook) platforms; links often lead to phishing/malware distribution sites hosted on services like Dropbox, Google Drive, or GoFile.
- Capabilities: High-volume distribution of malware using trusted social media advertising infrastructure; high level of deception utilizing AI-generated visuals.
- First Seen: The text dates the campaigns to last year and notes that the Midjourney impersonation page stayed active until at least March 8, 2024.
## MITRE ATT&CK Mapping
* **TA0042 - Resource Development**
  * T1586.001 - Compromise Accounts: Social Media Accounts (hijacked Facebook profiles run the sponsored ads)
  * T1583.008 - Acquire Infrastructure: Malvertising (paid sponsored posts)
  * T1608.001 - Stage Capabilities: Upload Malware (payloads hosted on Dropbox, Google Drive, GoFile)
* **TA0002 - Execution**
  * T1204.002 - User Execution: Malicious File (the victim runs the fake installer)
* **TA0005 - Defense Evasion**
  * T1036 - Masquerading (impersonating legitimate AI services)
## Functionality
### Core Capabilities
- Compromising existing Facebook accounts to run sponsored ad campaigns.
- Meticulously designing malicious pages to mirror official AI software providers.
- Using AI-generated visuals and convincing text to build trust.
### Advanced Features
- Leveraging the Malware-as-a-Service (MaaS) ecosystem to deploy multiple types of malware (Stealers and RATs) efficiently.
- Dynamically changing malicious payloads to evade security detection.
- Focused targeting (e.g., the Midjourney campaign targeted specific age groups and geographies in Europe).
## Indicators of Compromise
- File Hashes: [Associated payloads only]
- File Names: [Payload installer disguised as the legitimate AI tool]
- Registry Keys: [N/A for the distribution technique itself]
- Network Indicators: Malicious links pointing to file-sharing services (Dropbox, Google Drive, GoFile) distributing executables.
- Behavioral Indicators: Suspicious sponsored posts linking to external, non-official download sources.
## Associated Threat Actors
- Various cybercriminal entities leveraging MaaS networks.
## Detection Methods
- Monitoring social media ad platforms for ads linking to suspicious file-hosting domains offering "free" popular software.
- Browser/Endpoint detection systems triggering alerts on the execution of executables downloaded from non-enterprise URLs.
- Utilizing AI scam detectors to analyze suspicious links.
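The first detection item above, ads that name a popular AI product and link to a file-hosting service, can be expressed as a triage rule over ad records. The following is an added example for this summary, not Bitdefender's tooling: the ad records are constructed, the brand-to-official-domain table is an assumption you must maintain, and the direct-download URL forms checked (`?dl=1` on Dropbox, `/uc?export=download` on Google Drive, `/d/` on GoFile) are the public sharing conventions of those services.

```python
"""Triage sponsored-ad records that push "AI software" downloads.

Added example for this summary, not Bitdefender's tooling. An ad is blocked when
it names a known generative AI product and links to a file-sharing service or
straight to a download; it is queued for review when it names a product but
links somewhere other than the vendor's own domain.
"""
from urllib.parse import urlparse, parse_qs

# Brand keyword -> domains the real vendor would link from (assumed list, keep it current).
OFFICIAL_DOMAINS = {
    "midjourney": ("midjourney.com",),
    "sora": ("openai.com",),
    "chatgpt": ("openai.com", "chatgpt.com"),
    "dall-e": ("openai.com",),
    "gemini": ("gemini.google.com",),
    "capcut": ("capcut.com",),
    "evoto": ("evoto.ai",),
}
FILE_SHARING_DOMAINS = ("dropbox.com", "dropboxusercontent.com", "drive.google.com", "gofile.io")
LURE_WORDS = ("free", "download", "desktop version", "beta", "early access", "premium")
PAYLOAD_EXTS = (".exe", ".msi", ".zip", ".rar", ".7z")


def _under(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def direct_download_marker(link: str) -> bool:
    """True for URL forms that hand the browser a file instead of a preview page."""
    url = urlparse(link)
    host, path, query = url.netloc.lower(), url.path.lower(), parse_qs(url.query)
    if _under(host, "dropbox.com") and query.get("dl") == ["1"]:
        return True
    if host == "drive.google.com" and path.startswith("/uc") and query.get("export") == ["download"]:
        return True
    if _under(host, "gofile.io") and path.startswith("/d/"):
        return True
    return path.endswith(PAYLOAD_EXTS)


def triage_ad(ad: dict) -> dict:
    text = f"{ad.get('title', '')} {ad.get('body', '')}".lower()
    brand = next((b for b in OFFICIAL_DOMAINS if b in text), None)
    lure = [w for w in LURE_WORDS if w in text]
    host = urlparse(ad["link"]).netloc.lower()
    file_sharing = any(_under(host, d) for d in FILE_SHARING_DOMAINS)
    official = bool(brand) and any(_under(host, d) for d in OFFICIAL_DOMAINS[brand])
    direct = direct_download_marker(ad["link"])
    if brand and (file_sharing or direct):
        verdict = "block"       # vendor impersonation + file-hosting/download link
    elif brand and not official:
        verdict = "review"      # impersonation via a lookalike or unknown domain
    else:
        verdict = "allow"
    return {"brand": brand, "lure": lure, "host": host, "file_sharing": file_sharing,
            "direct_download": direct, "official_domain": official, "verdict": verdict}


# Constructed sample ads modelled on the lures described in the text.
SAMPLE_ADS = [
    {"title": "Midjourney V6 Desktop - free download", "body": "Generate images offline with the new desktop app.",
     "link": "https://www.dropbox.com/s/abc123/Midjourney_V6.rar?dl=1"},
    {"title": "Sora AI beta now available", "body": "Text to video on your PC.",
     "link": "https://drive.google.com/uc?export=download&id=1A2b3C"},
    {"title": "Evoto AI photo editor", "body": "Retouch portraits in one click.",
     "link": "https://evoto.ai/"},
    {"title": "CapCut premium for creators", "body": "Unlock every effect.",
     "link": "https://gofile.io/d/XyZ123"},
    {"title": "ChatGPT 5 early access - desktop version", "body": "Limited seats.",
     "link": "https://chatgpt-5-download.example/setup"},
    {"title": "Lunch specials this week", "body": "Two courses for the price of one.",
     "link": "https://www.example.com/menu"},
]

if __name__ == "__main__":
    for ad in SAMPLE_ADS:
        result = triage_ad(ad)
        print(result["verdict"], ad["title"], "->", result["host"])
```

Brand matching is a plain substring test, so expect the occasional false hit on unrelated words; the verdict is driven by the link, not the keyword alone, which keeps that noise in the "review" bucket. The same function can run over your own proxy or mail logs wherever an ad URL is recorded.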
## Mitigation Strategies
- **User Education:** Users must only download software from official vendor websites or trusted app stores.
- **Security Software:** Deploy web filtering to block access to known malicious or newly registered domains masquerading as official sites.
- **Account Security:** Threat actors compromise accounts, highlighting the need for strong authentication (2FA) on social media accounts.
## Related Tools/Techniques
- Distribution methods similar to traditional Masquerading and Malvertising campaigns.
- Associated malware: Rilide Stealer, Vidar Stealer, IceRAT, Nova Stealers.