Russian Hackers Hide Malware in AI “Deepnude” Sites


In recent cybercrime developments, the infamous FIN7 group has been linked to a network of fake AI-powered deepnude generator sites, luring unsuspecting users into downloading malicious payloads under the guise of “free” deepfake tools. This campaign highlights the growing intersection of artificial intelligence (AI) and cyber threats, particularly through deepfake technology.

FIN7: A Well-Established Cybercriminal Group

FIN7, also known as Sangria Tempest, is a financially motivated cybercrime group with roots dating back to 2013. The group is known for its sophisticated social engineering tactics and malware campaigns, often targeting industries such as retail, finance, and tech.

The group’s latest strategy involves AI deepfake technology, offering websites that claim to provide tools for generating fake nude images of individuals. This technology has garnered attention due to its unethical use in creating non-consensual explicit images.

AI Deepnude Honeypots

FIN7 has created a series of honeypot websites that promise users access to an “AI deepnude generator.” These websites offer either a free download or a free trial option, but both ultimately result in users downloading malware. The malware is often disguised within a zip file that appears legitimate.

Silent Push researchers identified two main types of honeypot traps:

  • Free download sites: These sites lure users into clicking a “download” link that redirects them to a malicious payload hosted on a file-sharing domain such as Dropbox.
  • Free trial sites: Users are prompted to upload images, but instead of receiving the promised result they are served malware such as Redline Stealer or Lumma Stealer, which extracts sensitive information from victims (source).

Step 1 asks the user to click on the “Free Download” link, and step 2 requests that they download from a link hosted on the trial-uploader[.]store, which links to a Dropbox payload.

Step 2: “File is ready to download” message on the malicious site

FIN7 “free trial” honeypots

The AI Deepfake Honeypots have a unique version on domains like ai-nude[.]pro, which has a “Free trial” link on the homepage.

aiNude[.]ai Deepnude Generator “free trial” offering honeypot

If a site visitor clicks the “Free Trial” button, the user is prompted to upload an image.

If an image is uploaded, the user is next shown a “Trial is ready for download” message saying, “Access scientific materials for personal use only.” A corresponding pop-up requires the user to answer the question, “The link is for personal use only, do you agree?”

“Trial is ready for download” pop-up appears

If the user agrees and clicks “Download”, they are served a zip file containing a malicious payload. This second FIN7 payload is a more classic “Lumma Stealer” build and relies on DLL side-loading for execution.

On clicking download, a zip file appears

SEO Tactics to Increase Exposure

To increase the visibility of these malicious websites, FIN7 employs black hat SEO tactics. By optimizing search results, they position these websites prominently in search engines, targeting individuals looking for AI deepfake tools. This technique increases the likelihood of unsuspecting users visiting the sites and downloading malware.

FIN7 is hosting multiple malware honeypots under the brand “aiNude[.]ai”, in addition to the following domains:

  • easynude[.]website
  • ai-nude[.]cloud
  • ai-nude[.]click
  • ai-nude[.]pro
  • nude-ai[.]pro
  • ai-nude[.]adult
  • ainude[.]site

The Use of Malware Variants

FIN7’s operation involves the use of multiple malware strains:

  • Redline Stealer: An information stealer used to harvest credentials, cookies, and other sensitive data.
  • NetSupport RAT: A Remote Access Trojan used for deeper infiltration into the victim’s system.
  • D3F@ck Loader: A loader used by FIN7 to deliver additional malicious software onto victims’ machines (link).
  • The Deepnude Generator .EXE uses “Inno Setup” for the initial payload packing.

Global Reach and Impact

The scale of FIN7’s operation is massive. Silent Push discovered over 4,000 malicious domains associated with this campaign, some of which spoof well-known brands like Microsoft and SAP Concur. This widespread phishing and malware distribution is not limited to individuals: corporate networks are also at risk, since an initial stealer or RAT infection can be followed by ransomware deployment.

How to Protect Against FIN7’s Threats

To protect yourself or your organization from these types of attacks:

1. Avoid downloading files from suspicious websites, particularly those offering free AI tools.

2. Monitor search engine results for black hat SEO tactics and avoid engaging with sites offering too-good-to-be-true services.

3. Implement endpoint protection to detect malware before it causes harm.

4. Stay informed of emerging threats through cybersecurity resources like Silent Push.
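As an added defensive example (not code from the Silent Push report or from this article), the following Python script ties the domain list above to the endpoint and network monitoring recommended in step 3: it refangs the published indicators, checks proxy-log hostnames against them (including subdomains), and flags a zip archive fetched by the same client shortly after such a contact, mirroring the Dropbox hop described for the free-download honeypot. The log format, client addresses, timestamps and the Dropbox path are constructed for the example, and the 120-second correlation window is an assumed tuning value.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional
from urllib.parse import urlparse

# Defanged indicators as listed in the article (aiNude[.]ai brand, its sibling
# domains, and the trial-uploader[.]store redirector from the free-download flow).
DEFANGED_DOMAINS = [
    "aiNude[.]ai", "easynude[.]website", "ai-nude[.]cloud", "ai-nude[.]click",
    "ai-nude[.]pro", "nude-ai[.]pro", "ai-nude[.]adult", "ainude[.]site",
    "trial-uploader[.]store",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('ai-nude[.]pro') back into a matchable hostname."""
    return indicator.lower().replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


BLOCKED = {refang(d) for d in DEFANGED_DOMAINS}


def host_matches(host: str) -> Optional[str]:
    """Return the matching indicator if host equals it or is a subdomain of it.

    The loop stops before the bare TLD so 'pro' alone never matches."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in BLOCKED:
            return candidate
    return None


@dataclass
class Alert:
    ts: str
    client: str
    reason: str
    url: str


# Constructed proxy log format: "<timestamp> <client> <method> <url> <status>".
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "host": urlparse(url).hostname or ""}


def scan(lines, window_s: int = 120):
    """Emit alerts for lure-domain contacts and for zip downloads that follow one.

    window_s is an assumed correlation window, not a value from the report."""
    alerts = []
    last_lure = {}  # client -> time of its most recent lure-domain contact
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        t = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        indicator = host_matches(rec["host"])
        if indicator:
            alerts.append(Alert(rec["ts"], rec["client"],
                                f"contact with FIN7 lure domain {indicator}", rec["url"]))
            last_lure[rec["client"]] = t
            continue
        path = urlparse(rec["url"]).path.lower()
        seen = last_lure.get(rec["client"])
        if path.endswith(".zip") and seen and (t - seen).total_seconds() <= window_s:
            alerts.append(Alert(rec["ts"], rec["client"],
                                "zip archive fetched shortly after lure-domain contact", rec["url"]))
    return alerts


# Constructed sample log: one client walks the lure chain, another only fetches a benign zip.
SAMPLE_LOG = """\
2024-10-03T10:15:22Z 10.0.0.12 GET https://www.ai-nude.pro/ 200
2024-10-03T10:15:40Z 10.0.0.12 GET https://trial-uploader.store/ready 200
2024-10-03T10:16:05Z 10.0.0.12 GET https://www.dropbox.com/s/PLACEHOLDER/DeepnudeGenerator.zip 200
2024-10-03T10:20:00Z 10.0.0.40 GET https://www.example.com/index.html 200
2024-10-03T10:31:00Z 10.0.0.40 GET https://downloads.example.com/tools.zip 200
2024-10-03T10:45:00Z 10.0.0.12 GET https://cdn.example.net/assets.zip 200
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f"{a.ts} {a.client} {a.reason}: {a.url}")
```

Run against the sample, the script raises three alerts: two lure-domain contacts from 10.0.0.12 and the zip fetched 25 seconds after the second one; the zip pulled by 10.0.0.40 and the one 10.0.0.12 fetches half an hour later stay quiet. Feeding real proxy or DNS logs only requires adapting `LOG_RE` to the local format.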
