Full Report
Fake AI-powered video generation tools are being used to distribute a new information-stealing malware family called 'Noodlophile,' under the guise of generated media content. [...]
Analysis Summary
# Tool/Technique: Noodlophile Infostealer
## Overview
Noodlophile is a newly discovered information stealer malware distributed through fake AI video generator applications. Its primary purpose is to steal sensitive data from compromised systems, including browser credentials, session cookies, tokens, and cryptocurrency wallet files. It can also be bundled with a remote access trojan (XWorm), extending passive data theft to remote control of the host.
## Technical Details
- Type: Malware family (Information Stealer)
- Platform: Windows (Inferred from tool usage like `certutil.exe` and common infostealer targets)
- Capabilities: Credential theft, session cookie theft, token theft, cryptocurrency wallet exfiltration, optional remote access deployment (via bundled XWorm).
- First Seen: Recently discovered/undocumented prior to this report.
## MITRE ATT&CK Mapping
*Note: Mappings are inferred based on described functionality.*
- **TA0001 - Initial Access** (Inferred via deceptive installers)
  - T1566 - Phishing
    - T1566.002 - Spearphishing Link (Via malicious download sites)
- **TA0002 - Execution**
  - T1204 - User Execution
    - T1204.002 - Malicious File
- **TA0003 - Persistence**
  - T1547 - Boot or Logon Autostart Execution
    - T1547.001 - Registry Run Keys / Startup Folder (Implied by adding a new Registry key for persistence)
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information (Obfuscated Python script)
  - T1055 - Process Injection
    - T1055.012 - Process Hollowing (Used if Avast is detected)
- **TA0009 - Collection**
  - T1119 - Automated Collection (Targeting browser data, wallets)
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
    - T1071.001 - Web Protocols (Telegram bot used for C2/exfiltration)
## Functionality
### Core Capabilities
- Stealing account credentials, session cookies, and tokens stored in web browsers.
- Exfiltrating cryptocurrency wallet files.
- Establishing persistence via Registry key modification.
- Downloading and executing payloads using legitimate utilities (`certutil.exe`).
### Advanced Features
- **Anti-Avast Evasion:** Utilizes PE hollowing to inject the payload into `RegAsm.exe` if Avast antivirus is detected.
- **In-Memory Execution:** Executes the primary payload (obfuscated Python script) in memory to avoid disk detection.
- **Modular Threat:** Can be bundled with XWorm RAT, granting attackers remote access capabilities in addition to passive data theft.
- **Covert C2:** Uses a Telegram bot as its Command and Control infrastructure for data exfiltration.
## Indicators of Compromise
- File Hashes: [Not provided in the context]
- File Names: `Document.docx` (Batch script wrapper), `install.bat`, `srchost.exe`, `randomuser2025.txt` (Python script)
- Registry Keys: [A new Registry key added for persistence - specific path/name not detailed]
- Network Indicators: Hardcoded remote server address for fetching the Python script (value not provided in the context); Telegram bot used for C2/exfiltration (defanged domain: `telegram[.]org`).
- Behavioral Indicators: Execution of `certutil.exe` to decode base64 data; execution of an obfuscated Python script fetched remotely; process injection (PE hollowing) into `RegAsm.exe` or shellcode injection.
## Associated Threat Actors
- [Not explicitly named in the context, but associated with threat actors distributing malware via deceptive AI software.]
## Detection Methods
- Signature-based detection: Targeting known hashes of the components (if available).
- Behavioral detection: Monitoring for the execution chain, especially the combined use of `certutil.exe` to decode archives and subsequent in-memory execution of Python payloads. Detecting persistence mechanisms being added to the Registry. Monitoring network traffic communicating with known Telegram C2 infrastructure patterns.
- YARA rules: [Not provided in the context]
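The behavioral indicators above (the `certutil.exe` decode step, a Run-key write, `RegAsm.exe` spawned from a user-writable path, and Telegram-bound traffic from an unexpected process) translate naturally into log-level correlation. The following is an added example, not code from the report or any vendor: it runs simple rules over a constructed process/registry/network event timeline and rolls the hits into a verdict. All event values, including the `placeholder_value_name` Run-key entry (the report does not give the real key name) and the `VideoDreamAI.exe` installer name, are constructed for illustration. Note that PE hollowing itself is not visible at this level; the `RegAsm.exe` parent check is a proxy, and confirming injection needs EDR memory telemetry as the mitigation section says.

```python
"""Log-level correlation for the Noodlophile execution chain.

Added example with constructed telemetry; not real captures and not the
report's own detection content.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str            # "process", "registry" or "network"
    image: str = ""      # executing image (or the process doing the write/connect)
    cmdline: str = ""    # process events only
    parent: str = ""     # parent image, process events only
    target: str = ""     # registry path or remote hostname
    pid: int = 0


# Paths an installer-dropped payload typically runs from (Downloads, AppData, Temp).
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(Downloads|AppData)|Temp)\\", re.IGNORECASE)
# Autostart locations covered by T1547.001.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Telegram bot C2 rides on telegram.org infrastructure (defanged in the IoC list).
TELEGRAM = re.compile(r"(^|\.)telegram\.org$", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list[Event]) -> dict[str, list[int]]:
    """Return rule_name -> list of pids that triggered it."""
    hits: dict[str, list[int]] = {}

    def add(rule: str, ev: Event) -> None:
        hits.setdefault(rule, []).append(ev.pid)

    for ev in events:
        img = basename(ev.image)
        if ev.kind == "process":
            # certutil used as a decoder/downloader rather than a certificate tool.
            if img == "certutil.exe" and re.search(r"\s-(decode|urlcache)\b", ev.cmdline, re.I):
                add("certutil_decode", ev)
            # RegAsm.exe is the hollowing target; a user-dir parent is not a build tool.
            if img == "regasm.exe" and USER_WRITABLE.search(ev.parent):
                add("regasm_from_user_dir", ev)
            # A dropped binary handed a .txt argument mirrors the disguised Python script.
            if USER_WRITABLE.search(ev.image) and re.search(r"\.txt(\s|$)", ev.cmdline, re.I):
                add("user_dir_binary_runs_txt", ev)
        elif ev.kind == "registry" and RUN_KEY.search(ev.target):
            add("run_key_persistence", ev)
        elif ev.kind == "network" and TELEGRAM.search(ev.target):
            # Browsers or the Telegram client talking to telegram.org is normal;
            # RegAsm.exe or a Temp-resident binary doing so is not.
            if img == "regasm.exe" or USER_WRITABLE.search(ev.image):
                add("telegram_from_unexpected_process", ev)
    return hits


def verdict(hits: dict[str, list[int]]) -> str:
    """Single rules fire on benign admin activity too; escalate on co-occurrence."""
    n = len(hits)
    return "high" if n >= 3 else "medium" if n == 2 else "low" if n == 1 else "none"


# Constructed infected-host timeline following the chain in the report.
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Windows\System32\cmd.exe", cmdline="cmd /c install.bat",
          parent=r"C:\Users\u\Downloads\VideoDreamAI.exe", pid=100),
    Event("process", image=r"C:\Windows\System32\certutil.exe",
          cmdline="certutil -decode Document.docx payload.rar",
          parent=r"C:\Windows\System32\cmd.exe", pid=101),
    Event("registry", image=r"C:\Windows\System32\reg.exe",
          target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\placeholder_value_name", pid=102),
    Event("process", image=r"C:\Users\u\AppData\Local\Temp\srchost.exe",
          cmdline="srchost.exe randomuser2025.txt", parent=r"C:\Windows\System32\cmd.exe", pid=103),
    Event("process", image=REGASM, cmdline="RegAsm.exe",
          parent=r"C:\Users\u\AppData\Local\Temp\srchost.exe", pid=104),
    Event("network", image=REGASM, target="api.telegram.org", pid=104),
]

# Constructed benign activity that touches the same tools without the chain.
BENIGN_EVENTS = [
    Event("process", image=r"C:\Windows\System32\certutil.exe",
          cmdline="certutil -hashfile setup.msi SHA256", parent=r"C:\Windows\System32\cmd.exe", pid=200),
    Event("process", image=REGASM, cmdline="RegAsm.exe MyLib.dll",
          parent=r"C:\Program Files\Microsoft Visual Studio\MSBuild.exe", pid=201),
    Event("network", image=r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          target="web.telegram.org", pid=202),
]

if __name__ == "__main__":
    for name, evs in (("infected", SAMPLE_EVENTS), ("benign", BENIGN_EVENTS)):
        h = detect(evs)
        print(name, verdict(h), sorted(h))
```

Running the block prints `infected high` with all five rules and `benign none`; in production the thresholds in `verdict` would be tuned per environment, and the `telegram.org` match should be widened to whatever C2 domains your intel feed adds.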
## Mitigation Strategies
- Prevention measures: Avoid downloading and executing files from unknown or untrusted websites, especially those promising free or cracked software like "AI video generators."
- Hardening recommendations: Implement application control policies to restrict the execution of unsigned scripts or unusual binaries. Employ advanced endpoint detection and response (EDR) solutions capable of deep process monitoring and memory analysis to detect PE hollowing and shellcode injection. Block or alert on connections to Telegram infrastructure from hosts with no business need for it, since the implied C2 and exfiltration traffic rides on that channel.
## Related Tools/Techniques
- XWorm (Remote Access Trojan, sometimes bundled)
- General Information Stealers (e.g., RedLine, Vidar)
- Use of legitimate/built-in tools for malicious purposes (Living off the Land - LOTL): `certutil.exe`