Full Report
The constantly changing cyber threat landscape is seeing the emergence of new malware variants driven by the widespread adoption of AI and its exploitation for offensive purposes. Defenders have recently observed adversaries weaponizing fake AI-powered tools to lure users into downloading a new information-stealing malware known as Noodlophile. The malware is often promoted through fake […] The post Noodlophile Stealer Detection: Novel Malware Distributed Through Fake AI Video Generation Tools appeared first on SOC Prime.
Analysis Summary
# Tool/Technique: Noodlophile Stealer
## Overview
Noodlophile Stealer is information-stealing malware distributed through social engineering that trades on the popularity of AI video generation tools. Attackers set up fake websites promising AI-generated content and trick visitors into downloading a malicious archive that carries the full malware chain.
## Technical Details
- Type: Malware family
- Platform: Windows (implied by the execution chain involving a legitimate Windows executable and .NET/Python)
- Capabilities: Information stealing; potential for RAT capabilities if bundled with XWorm.
- First Seen: May 2025 (based on the article's publication date)
## MITRE ATT&CK Mapping
*Note: Specific TTPs for Noodlophile Stealer itself are not detailed, but the observed distribution and initial execution methods can be mapped.*
- TA0001 - Initial Access
  - T1566 - Phishing
    - T1566.002 - Spearphishing Link (used via fake websites)
- TA0002 - Execution
  - T1204 - User Execution
    - T1204.002 - Malicious File
- TA0011 - Command and Control
  - T1071 - Application Layer Protocol (implied for payload download and C2 communication)
## Functionality
### Core Capabilities
- **Distribution Method:** Deception using fake AI video generation websites.
- **Initial Dropper:** Infection starts with a ZIP file (`VideoDreamAI.zip`) containing a deceptive executable (`Video Dream MachineAI.mp4.exe`).
- **Execution Chain:** The deceptive executable leverages a legitimate executable tied to ByteDance’s video editor (CapCut) to launch a .NET-based loader (`CapCutLoader`).
- **Payload Delivery:** `CapCutLoader` downloads and executes a Python payload remotely, which deploys the Noodlophile Stealer.
### Advanced Features
- **Malware Chaining:** Launches its loader through a legitimate CapCut executable so that the malicious activity appears to originate from trusted software.
- **Bundling with RATs:** Can be bundled with Remote Access Trojans (RATs) such as XWorm, granting persistent access to compromised systems.
## Indicators of Compromise
- **File Hashes:** [None provided in the context]
- **File Names:** `VideoDreamAI.zip`, `Video Dream MachineAI.mp4.exe`
- **Registry Keys:** [Not provided in the context]
- **Network Indicators:** [None explicitly provided, except for the capability to download a Python payload from a remote server.]
- **Behavioral Indicators:** Execution chain involving a legitimate CapCut executable launching a .NET loader, followed by a Python payload execution.
## Associated Threat Actors
- The developer is reported to be likely based in Vietnam and to promote the technique on social media.
## Detection Methods
- **Signature-based detection:** Applicable for known hashes of the loader, stealer, or C2 infrastructure once identified.
- **Behavioral detection:** Monitor for the deceptive `.mp4.exe` file being executed, for a legitimate CapCut executable subsequently launching a .NET loader (`CapCutLoader`), and for a Python interpreter being started and fetching a payload from a remote source while descended from a legitimate application process.
- **YARA rules:** [Not provided in the context]
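The behavioral detection above can be expressed as process-tree correlation. The following is an added example, not code from SOC Prime, CapCut or the malware analysis itself: it walks constructed process-creation events (shaped like a Sysmon/EDR process-start feed) and flags the three observable steps of the described chain. The page names only `VideoDreamAI.zip`, `Video Dream MachineAI.mp4.exe` and `CapCutLoader`; the file names `CapCut.exe`, `CapCutLoader.exe`, the sample paths and the parent/child relationships are assumptions made for the sample.

```python
"""Process-tree detection for the Noodlophile execution chain.

Added example: not SOC Prime's, CapCut's or the malware's code.
Assumptions: the legitimate CapCut binary is named CapCut.exe and the
.NET loader is dropped as CapCutLoader.exe; the event feed exposes
pid, ppid, image path and command line for every process start.
"""
import re

# Constructed sample telemetry. Pids 200-230 mimic the described chain
# (deceptive .mp4.exe -> CapCut exe -> .NET loader -> Python interpreter);
# pids 300-310 are a benign CapCut session used as a control.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Users\u\Downloads\VideoDreamAI\Video Dream MachineAI.mp4.exe",
     "cmdline": '"Video Dream MachineAI.mp4.exe"'},
    {"pid": 210, "ppid": 200, "image": r"C:\Users\u\Downloads\VideoDreamAI\CapCut.exe",   # assumed name
     "cmdline": "CapCut.exe"},
    {"pid": 220, "ppid": 210, "image": r"C:\Users\u\AppData\Local\Temp\CapCutLoader.exe",  # assumed name
     "cmdline": "CapCutLoader.exe"},
    {"pid": 230, "ppid": 220, "image": r"C:\Users\u\AppData\Local\Temp\python.exe",
     "cmdline": "python.exe -c <payload>"},
    {"pid": 300, "ppid": 100, "image": r"C:\Program Files\CapCut\CapCut.exe",
     "cmdline": "CapCut.exe"},
    {"pid": 310, "ppid": 300, "image": r"C:\Program Files\CapCut\ffmpeg.exe",
     "cmdline": "ffmpeg.exe -i clip.mp4"},
]

# Media extension immediately followed by .exe (the lure file pattern).
DOUBLE_EXT = re.compile(r"\.(mp4|avi|mov|mkv)\.exe$", re.IGNORECASE)
INTERPRETERS = {"python.exe", "pythonw.exe"}
VIDEO_EDITOR = "capcut.exe"       # assumed legitimate binary name
LOADER_HINT = "capcutloader"      # loader name given on the page


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestors(pid: int, by_pid: dict) -> list:
    """Parent chain of `pid`, nearest first; cycle-safe for replayed logs."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur and cur["ppid"] in by_pid and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        cur = by_pid[cur["ppid"]]
        chain.append(cur)
    return chain


def detect(events: list) -> list:
    """Return (rule_name, pid) tuples for every event matching a rule."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else ""
        anc_names = [basename(a["image"]) for a in ancestors(e["pid"], by_pid)]

        # Rule 1: executable disguised as a video file.
        if DOUBLE_EXT.search(name):
            alerts.append(("double_extension_executable", e["pid"]))

        # Rule 2: the legitimate editor binary spawning the loader, or any
        # child dropped in a user-writable temp directory.
        if parent_name == VIDEO_EDITOR and (
            LOADER_HINT in name or "\\temp\\" in e["image"].lower()
        ):
            alerts.append(("capcut_spawned_loader", e["pid"]))

        # Rule 3: a Python interpreter anywhere beneath the editor chain.
        if name in INTERPRETERS and any(a.startswith("capcut") for a in anc_names):
            alerts.append(("interpreter_under_video_editor", e["pid"]))
    return alerts


def describe_chain(pid: int, events: list) -> str:
    """Analyst-friendly rendering of a flagged process and its lineage."""
    by_pid = {e["pid"]: e for e in events}
    names = [basename(a["image"]) for a in reversed(ancestors(pid, by_pid))]
    names.append(basename(by_pid[pid]["image"]))
    return " -> ".join(names)


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}: {describe_chain(pid, SAMPLE_EVENTS)}")
```

Each rule fires on its own, which keeps the logic readable for tuning: rule 1 is cheap but only catches the lure file, rule 2 depends on the assumed binary names and is the one to adjust if a customer's CapCut install differs, and rule 3 is the most durable because a video editor has no business launching a Python interpreter. In production the benign control chain (CapCut launching ffmpeg) is the kind of parent/child pair that belongs on an allow list rather than in the rules.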
## Mitigation Strategies
- **Prevention measures:** Educate users about the risks associated with downloading files from unsolicited sources, especially those promising access to novel technologies like AI tools.
- **Hardening recommendations:** Implement application control policies that block execution from unusual locations (user download and temp directories) and from processes that spawn secondary processes in the manner of malware loaders. Ensure antivirus/EDR solutions monitor anomalous process relationship trees closely (e.g., legitimate video editor components spawning loaders or script interpreters).
## Related Tools/Techniques
- **XWorm:** Mentioned as a RAT that can be bundled with Noodlophile Stealer for persistent access.
- **CapCutLoader:** The specific .NET-based loader used in the initial execution chain.