# Full Report
Counterfeit Facebook pages and sponsored ads on the social media platform are being employed to direct users to fake websites masquerading as Kling AI with the goal of tricking victims into downloading malware. Kling AI is an artificial intelligence (AI)-powered platform to synthesize images and videos from text and image prompts. Launched in June 2024, it's developed by Kuaishou Technology,
# Analysis Summary
# Tool/Technique: PureHVNC RAT (and associated loader/stealer)
## Overview
A multi-stage malware deployment campaign impersonating the legitimate AI image/video generation platform Kling AI. The initial infection vector uses counterfeit Facebook pages and ads to redirect users to spoofed websites, leading to the download of a ZIP archive containing a loader, which subsequently deploys a Remote Access Trojan (RAT) and an information stealer.
## Technical Details
- Type: Malware (Loader, Remote Access Trojan, Information Stealer)
- Platform: Windows
- Capabilities: Remote code execution, persistence establishment, anti-analysis checks, data exfiltration (credentials, tokens), cryptocurrency wallet theft.
- First Seen: Early 2025
## MITRE ATT&CK Mapping
*Note: The mapping covers the whole infection chain but concentrates on the behaviors of the loader and the final RAT.*
- **TA0003 - Persistence**
- T1547.001 - Registry Run Keys / Startup Folder
- **TA0005 - Defense Evasion**
- T1055 - Process Injection
- T1027 - Obfuscated Files or Information (.NET Reactor)
- **TA0011 - Command and Control**
- T1071.001 - Application Layer Protocol: Web Protocols (C2 Communication)
- **TA0010 - Collection**
- T1003 - OS Credential Dumping (Implied via credential theft)
- T1555.003 - Credentials from Web Browsers
- **TA0007 - Discovery**
- T1049 - System Network Connections Discovery (Implied via anti-analysis monitoring)
## Functionality
### Core Capabilities
- **Malicious Deployment:** Distributes a payload hidden within a ZIP archive, disguised using double file extensions and Hangul Filler characters (0xE3 0x85 0xA4) to mislead the user into executing a Windows executable.
- **Persistence:** Makes changes to the Windows Registry to ensure execution upon system startup.
- **Evasion:** Monitors for analysis tools (Wireshark, OllyDbg, Procmon, ProcExp, PeStudio, Fiddler).
- **Infection Chain:** Injects the second-stage payload into legitimate system processes like "CasPol.exe" or "InstallUtil.exe" to hide malicious activity.
### Advanced Features
- **Remote Access Trojan (RAT):** Deploys the **PureHVNC RAT** for full remote control.
- **Data Stealing:** Specifically targets and exfiltrates credentials and session tokens stored in Chromium-based browsers.
- **Cryptocurrency Theft:** The PureHVNC RAT includes modules to steal data from installed cryptocurrency wallet extensions.
- **Targeted Screenshotting:** Utilizes a plugin-based approach to capture screenshots selectively when window titles matching banks or wallet applications are opened.
- **Obfuscation:** The second-stage payload is obfuscated using **.NET Reactor**.
## Indicators of Compromise
- File Hashes: [Not provided in the source]
- File Names: Malicious Windows executable disguised with double extensions and Hangul Filler characters.
- Registry Keys: Used for persistence (details not specified).
- Network Indicators: C2 Server: `185.149.232[.]197` (defanged)
- Behavioral Indicators: Process injection into `CasPol.exe` or `InstallUtil.exe`; monitoring for process/network analysis tools.
## Associated Threat Actors
- Signs point towards Vietnamese threat actors, based on historical use of Facebook malvertising tactics for stealer distribution and known campaigns involving fake AI tools (e.g., Noodlophile campaign).
## Detection Methods
- Signature-based detection: Signatures targeting the known PureHVNC RAT payloads or the loader components.
- Behavioral detection: Monitoring for execution of unknown executables downloaded from spoofed high-profile AI sites, unauthorized registry modifications for persistence, and process injection into system binaries.
- YARA rules: Rules targeting the use of **.NET Reactor** obfuscation or unique strings associated with the PureHVNC RAT.
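The file-name disguise described under Core Capabilities (Hangul Filler padding plus a double extension) and the behavioral detection of disguised downloads above lend themselves to a simple static check. The following is an added example, not code from the report or from any vendor: it flags archive members whose names contain U+3164 (UTF-8 bytes E3 85 A4) or hide an executable suffix behind a media/document suffix. The sample archive is constructed in the block; the extension lists are assumptions, not indicators from the report.

```python
"""Flag archive member names that use the Kling AI lure's disguise tricks.

Added example (not from the original report): detects filenames padded with
Hangul Filler characters (U+3164, UTF-8 bytes E3 85 A4) and double extensions
that hide a Windows executable behind an image/video/document suffix.
"""
import io
import zipfile

HANGUL_FILLER = "\u3164"
# Suffixes that actually execute when double-clicked on Windows (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".msi"}
# Suffixes a user would expect from an AI image/video generator (assumed list).
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".mp4", ".mov", ".pdf"}


def analyze_filename(name: str) -> dict:
    """Return disguise indicators for a single file name."""
    filler_count = name.count(HANGUL_FILLER)
    # Strip the invisible padding before reasoning about extensions.
    cleaned = name.replace(HANGUL_FILLER, "").replace("\u00a0", "").strip()
    parts = cleaned.lower().rsplit(".", 2)  # keep at most the last two suffixes
    exts = ["." + p for p in parts[1:]] if len(parts) > 1 else []
    real_ext = exts[-1] if exts else ""
    decoy_ext = exts[0] if len(exts) == 2 else ""
    double_ext = decoy_ext in DECOY_EXTS and real_ext in EXECUTABLE_EXTS
    return {
        "name": name,
        "filler_count": filler_count,
        "real_ext": real_ext,
        "executable": real_ext in EXECUTABLE_EXTS,
        "double_extension": double_ext,
        "suspicious": filler_count > 0 or double_ext,
    }


def scan_zip(data: bytes) -> list:
    """Return the analysis of every suspicious member of an in-memory ZIP."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        results = (analyze_filename(n) for n in zf.namelist())
        return [r for r in results if r["suspicious"]]


def build_sample_zip() -> bytes:
    """Constructed sample archive mimicking the lure; contents are dummy bytes."""
    lure = "Generated_Image_2025.jpg" + HANGUL_FILLER * 30 + ".exe"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(lure, b"MZ dummy, not a real executable")
        zf.writestr("README.txt", b"benign member")
    return buf.getvalue()
```

On a real archive, run `scan_zip` over the bytes of the downloaded ZIP before anything is extracted; a non-empty result is a strong hint that the "image" is a disguised Windows executable.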
## Mitigation Strategies
- **User Education:** Caution users about unsolicited links from social media ads, especially those promising cutting-edge tools like generative AI services.
- **File Handling:** Implement stricter controls over executing files downloaded from unverified sources, focusing on executables delivered via ZIP archives or disguised extensions.
- **Application Control:** Restrict execution of trusted system binaries such as InstallUtil.exe and CasPol.exe where they are not needed, since the loader uses them as injection hosts to hide its payload.
- **Endpoint Detection & Response (EDR):** Deploy EDR solutions capable of detecting process injection, anti-analysis checks, and suspicious network connections to unknown C2 addresses.
## Related Tools/Techniques
- Noodlophile (Information stealer malware previously used by a Vietnamese threat actor leveraging fake AI lures).
- General social engineering via Facebook malvertising (a documented tactic used by Vietnamese threat groups).