Fake AI tool installers are actively spreading threats. These lures target users seeking popular AI tools. OpenAI ChatGPT and InVideo AI are commonly mimicked. Propagated malware includes CyberLock and Lucky_Gh0$t ransomware. A new destructive malware called Numero also spreads. Cisco Talos detailed these emerging cybersecurity threats recently. CyberLock is a PowerShell-based ransomware. It encrypts specific files on the victim’s system. Lucky_Gh0$t is a variant of Yashma ransomware. Numero malware destructively manipulates the Windows GUI. This manipulation renders infected machines completely unusable. Business-to-business sales and marketing sectors are primary targets.
One specific fake AI solution website is “novaleadsai[.]com.”
It likely impersonates a lead monetization platform. Search engine optimization poisoning probably promotes this bogus website. It falsely offers free first-year access to a tool. A monthly $95 subscription fee applies thereafter. Instead, users download a deceptive ZIP archive. This archive contains “NovaLeadsAI.exe,” a .NET loader. This loader then deploys the PowerShell-based CyberLock ransomware. CyberLock attempts to escalate its privileges. It encrypts files on C, D, and E drives. A ransom note demands a $50,000 payment. This payment must be in Monero currency. The note claims funds support various humanitarian causes. Finally, “cipher.exe” securely wipes free disk space.
Threat actors also distribute the Lucky_Gh0$t ransomware. They use a fake installer for a premium ChatGPT version. The malicious SFX installer contains a file named “dwn.exe.” This is the Lucky_Gh0$t ransomware executable itself. The installer also deceptively includes legitimate Microsoft AI tools. The SFX script executes the ransomware payload when run. Lucky_Gh0$t, a Yashma variant, targets smaller files. It deletes volume shadow copies and backups first. A ransom note provides victims with a unique ID. Numero malware spreads via a counterfeit InVideo AI installer. This installer acts as a dropper with three components. A batch file then runs Numero in an infinite loop. Numero overwrites the desktop GUI with a numeric string.
Google’s Mandiant recently revealed a related malvertising campaign.
This campaign uses malicious ads on popular platforms. These ads appear on Facebook and LinkedIn. Users are redirected to fake AI video generator websites. These sites impersonate tools like Luma AI and Canva Dream Lab. Threat cluster UNC6032 is attributed to this activity. This group has a suspected Vietnam nexus. The campaign has been active since at least mid-2024. Unsuspecting users are prompted to generate a video. The website then initiates a download. This download is a Rust-based dropper called STARKVEIL. STARKVEIL, in turn, deploys three modular malware families. These are GRIMPULL, FROSTRIFT, and the XWorm RAT. They primarily steal information and can download more plugins.
Reference:
