Cybercriminals are leveraging deceptive artificial intelligence (AI) bots to distribute malware, raising substantial security concerns. ESET security researchers revealed a campaign in which a Facebook ad promoted the download of what appeared to be the latest version of Google’s legitimate AI tool, “Bard”.
However, several inconsistencies in the ad raised suspicions, including a link that directed users to an unfamiliar domain, rebrand.ly, located in Dublin, Ireland. Deeper investigation by ESET’s Thomas Uhlemann uncovered language anomalies, time-stamped comments, and a potential connection to attackers in Vietnam.
Further scrutiny revealed a suspicious link flagged by antivirus vendors, leading to a webpage masquerading as a legitimate Google site, hosted on Google’s cloud infrastructure but unrelated to the company. Indicators such as a Vietnamese title and language anomalies suggested a link to attackers in Vietnam.
The “Download” button led to a personal Google Drive space, which made the malware distribution look like an official Google service. The downloaded file, named GoogleAIUpdate.rar, was password protected and contained a malicious MSI installer that antivirus software quickly flagged as harmful.
Despite this campaign’s exposure, ESET’s Uhlemann noted its persistence and potential expansion, having encountered variations like “meta AI” or other fake “Google AI” ads. This revelation underscores the increasing use of AI bots by cybercriminals to propagate malware, and it calls for vigilance in scrutinizing suspicious AI-related offerings and reinforces the importance of robust cybersecurity practices.