Russian Hackers Hide Malware in AI “Deepnude” Sites
In recent cybercrime developments, the infamous FIN7 group has been linked to a network of fake AI-powered deepnude generator sites, luring unsuspecting users into downloading malicious payloads under the guise of “free” deepfake tools. This campaign highlights the growing intersection of artificial intelligence (AI) and cyber threats, particularly through deepfake technology.
FIN7: A Well-Established Cybercriminal Group
FIN7, also known as Sangria Tempest, is a financially motivated cybercrime group with roots dating back to 2013. The group is known for its sophisticated social engineering tactics and malware campaigns, often targeting industries such as retail, finance, and tech.
The group’s latest strategy involves AI deepfake technology, offering websites that claim to provide tools for generating fake nude images of individuals. This technology has garnered attention due to its unethical use in creating non-consensual explicit images.
AI Deepnude Honeypots
FIN7 has created a series of honeypot websites that promise users access to an “AI deepnude generator.” These websites offer either a free download or a free trial option, but both ultimately result in users downloading malware. The malware is often disguised within a zip file that appears legitimate.
Silent Push researchers identified two main types of honeypot traps:
- Free download sites: These sites lure users to click a “download” link, redirecting them to a malicious payload hosted on a domain like Dropbox.
- Free trial sites: Users are prompted to upload images, but instead of receiving the promised result, they are served malware, such as Redline Stealer or Lumma Stealer, which can extract sensitive information from victims.
Step 1 asks the user to click on the “Free Download” link, and step 2 requests that they download from a link hosted on trial-uploader[.]store, which links to a Dropbox payload.
FIN7 “free trial” honeypots
The AI Deepfake Honeypots have a unique version on domains like ai-nude[.]pro, which has a “Free trial” link on the homepage.
If a site visitor clicks the “Free Trial” button, the user is prompted to upload an image.
If an image is uploaded, the user is next prompted with a “Trial is ready for download” message saying, “Access scientific materials for personal use only.” A corresponding pop-up requires the user to answer the question, “The link is for personal use only, do you agree?”
If the user agrees and clicks “Download”, they are served a zip file with a malicious payload. This second FIN7 payload is the more classic “Lumma Stealer” and uses a DLL side-loading technique for execution.
SEO Tactics to Increase Exposure
To increase the visibility of these malicious websites, FIN7 employs black hat SEO tactics. By optimizing search results, they position these websites prominently in search engines, targeting individuals looking for AI deepfake tools. This technique increases the likelihood of unsuspecting users visiting the sites and downloading malware.
FIN7 is hosting multiple malware honeypots under the brand “aiNude[.]ai”, as well as on:
- easynude[.]website
- ai-nude[.]cloud
- ai-nude[.]click
- ai-nude[.]pro
- nude-ai[.]pro
- ai-nude[.]adult
- ainude[.]site
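As an added example (not code from the article or from Silent Push), the following Python checks DNS query log lines against the domains listed above, matching subdomains as well as the bare names; the log line format and the sample log lines are constructed assumptions.

```python
import re

# Domains named in the article, kept in the defanged "[.]" form the article uses.
DEFANGED_INDICATORS = [
    "aiNude[.]ai", "easynude[.]website", "ai-nude[.]cloud", "ai-nude[.]click",
    "ai-nude[.]pro", "nude-ai[.]pro", "ai-nude[.]adult", "ainude[.]site",
    "trial-uploader[.]store",
]

def refang(domain: str) -> str:
    """Turn a defanged indicator ("ai-nude[.]pro") into a comparable hostname."""
    return domain.replace("[.]", ".").strip().strip(".").lower()

INDICATORS = {refang(d) for d in DEFANGED_INDICATORS}

def matches_indicator(hostname: str, indicators=INDICATORS):
    """Return the indicator that hostname equals or is a subdomain of, else None."""
    labels = hostname.strip().strip(".").lower().split(".")
    # Walk from the full name up through its parents so that
    # "www.ai-nude.pro" matches "ai-nude.pro" but "notainude.site" does not.
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None

# Constructed sample DNS query log (assumed "<timestamp> <client> <qname>" format).
SAMPLE_DNS_LOG = """\
2024-10-03T12:01:02Z 10.0.0.15 www.ai-nude.pro
2024-10-03T12:01:05Z 10.0.0.15 dl.trial-uploader.store
2024-10-03T12:02:17Z 10.0.0.22 login.microsoftonline.com
2024-10-03T12:03:40Z 10.0.0.31 ainude.site
2024-10-03T12:04:01Z 10.0.0.31 notainude.site
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s*$")

def scan_dns_log(lines):
    """Return (client, queried name, matched indicator) for every matching line."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        matched = matches_indicator(m["qname"])
        if matched:
            hits.append((m["client"], m["qname"], matched))
    return hits

if __name__ == "__main__":
    for client, qname, ioc in scan_dns_log(SAMPLE_DNS_LOG.splitlines()):
        print(f"{client} queried {qname} (matches indicator {ioc})")
```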
The Use of Malware Variants
FIN7’s operation involves the use of multiple malware strains:
- Redline Stealer: A tool used to steal credentials, cookies, and other sensitive data.
- NetSupport RAT: A Remote Access Trojan used for deeper infiltration into the victim’s system.
- D3F@ck Loader: Another malware variant used by FIN7 to load additional malicious software onto victims’ machines.
- The Deepnude Generator .EXE uses “Inno Setup” for the initial payload packing.
Global Reach and Impact
The scale of FIN7’s operation is massive. Silent Push discovered over 4,000 malicious domains associated with this campaign, some of which spoof well-known brands like Microsoft and SAP Concur. This widespread phishing and malware distribution is not limited to individuals, as corporate networks are also at risk due to the potential for ransomware deployment.
How to Protect Against FIN7’s Threats
To protect yourself or your organization from these types of attacks:
1. Avoid downloading files from suspicious websites, particularly those offering free AI tools.
2. Monitor search engine results for black hat SEO tactics and avoid engaging with sites offering too-good-to-be-true services.
3. Implement endpoint protection to detect malware before it causes harm.
4. Stay informed of emerging threats through cybersecurity resources like Silent Push.