A new information-stealing malware called Noodlophile is being spread through fake AI-powered video generation tools. These tools are marketed on high-visibility Facebook groups, promoting enticing names like “Dream Machine.” Users are promised AI-generated videos, but the tools deliver malware instead. This new malware is sold on dark web forums, often bundled with additional services, marking it as part of a larger malware-as-a-service operation linked to Vietnamese-speaking cybercriminals.
Once a user visits the malicious website and uploads their files, they are tricked into downloading a ZIP archive.
The archive contains a fake MP4 file and a hidden folder needed for further stages of infection. The executable, disguised as a video file, is actually a repurposed version of a legitimate video editing tool, CapCut. The deceptive file naming and digital certificate allow the malware to evade detection by both users and some security solutions.
After the user runs the malicious file, a series of executables are triggered, eventually executing a batch script to decode a password-protected RAR archive.
This archive masquerades as a PDF document but contains further malicious payloads. The script adds a registry key for persistence and runs an obfuscated Python script, eventually deploying the Noodlophile Stealer. The malware can evade security measures like Avast by using techniques such as PE hollowing or shellcode injection for in-memory execution.
Noodlophile targets sensitive data stored in web browsers, including credentials, session cookies, tokens, and cryptocurrency wallet files. Stolen data is sent to attackers via a Telegram bot, which serves as the command and control server. In some cases, the malware is bundled with XWorm, a remote access trojan, to enhance its data theft capabilities. Experts recommend avoiding downloads from untrusted websites, verifying file extensions, and scanning files with updated antivirus software for protection.
Reference:
