# Full Report
A Vietnam-based group has spread thousands of advertisements, fake websites and social media posts promising access to popular prompt-to-video AI generation tools, delivering infostealers and backdoors instead.

Source: "Mandiant flags fake AI video generators laced with malware", first published on CyberScoop.
# Analysis Summary
# Threat Actor: UNC6032
## Attribution & Identity
- **Identification:** Vietnam-based threat group.
- **Known Aliases and Associated Groups:** Tracked by Mandiant and Google Cloud as UNC6032.
## Activity Summary
Since mid-2024, UNC6032 has been running a campaign exploiting the public interest in prompt-to-video AI generation tools (like Luma AI, Canva Dream Lab, and Kling AI). They spread thousands of fraudulent advertisements, fake websites, and social media posts promising access to these tools. These lures ultimately lead to phishing pages and the deployment of malware on victim devices. The researchers noted that the use of AI as a social engineering lure to exploit a legitimate, emerging trend is a unique aspect of this campaign.
## Tactics, Techniques & Procedures
- Social engineering via lure of popular AI tools.
- Use of fake advertisements, websites, and social media posts (Facebook, LinkedIn) to distribute lures.
- Deployment of malware, specifically infostealers and backdoors, onto victim systems.
- Data exfiltration, including login credentials, cookies, credit card data, and Facebook information.
- *No specific MITRE ATT&CK IDs were provided in the text.*
## Targeting
- **Sectors:** A wide range of industries; the source does not name specific sectors.
- **Geography:** Victims across wide geographic areas; no specific countries are named.
- **Victims:** Generic users reached through online advertisements; no specific organizations are mentioned.
## Tools & Infrastructure
- **Malware families used:** Infostealers and backdoors.
- **Infrastructure (C2, domains, IPs):** Lures are distributed via thousands of linked advertisements, fake websites, and social media posts on platforms such as Facebook and LinkedIn. (The source provides no specific IP or domain indicators.)
## Implications
UNC6032 is effectively leveraging a high-interest, emerging technology (AI video generation) as a primary infection vector. The campaign's reach is broad, affecting millions of users through social media platforms, indicating a large-scale, opportunistic operation designed to harvest sensitive user data from a wide spectrum of victims who may be less security-conscious due to their interest in new consumer technology.
## Mitigations
- Exercise caution when seeking downloads or access to popular, rapidly emerging software, especially via unsolicited advertisements or social media links.
- Organizations and users should be vigilant against phishing lures masquerading as legitimate AI tool access.
- Security teams should monitor for elevated credential, cookie, and payment-data theft attempts following any widespread technology trend, since threat actors quickly adapt their lures to it.