Threat Actors Manipulate Search Results, Exploit ChatGPT and Luma AI Popularity to Deliver Malicious Payloads
Threat actors are leveraging the soaring popularity of AI tools like ChatGPT and Luma AI to distribute malware through deceptive websites.
Zscaler ThreatLabz researchers have uncovered a network of malicious AI-themed sites, often hosted on platforms like WordPress, that exploit Black Hat SEO techniques to poison search engine rankings.
These sites appear prominently in search results for trending AI keywords, such as “Luma AI blog,” tricking unsuspecting users into visiting them.

AI-Themed Websites
Once a user lands on such a page, a complex chain of malicious activity is triggered, ultimately delivering dangerous payloads such as Vidar Stealer, Lumma Stealer, and Legion Loader.

Technical Breakdown of the Attack Chain
The attack begins when the user clicks a seemingly legitimate search result that leads to an AI-themed webpage embedded with malicious JavaScript hosted on trusted platforms such as AWS CloudFront.
This script performs browser fingerprinting, collecting data such as browser version, window resolution, and user agent, which is then XOR-encrypted and sent to an attacker-controlled domain such as gettrunkhomuto[.]info.
The server validates the data and initiates a multi-layered redirection process, often involving intermediate sites that check the victim’s public IP address before directing them to the final malware download page.
Notably, the JavaScript also detects ad blockers and DNS guards and halts the redirection when such protections are present, which helps the chain avoid detection.
The malware payloads are often packaged in large installer files, such as 800MB NSIS installers for Vidar and Lumma Stealer, to bypass sandbox detection.

Legion Loader, on the other hand, is delivered via password-protected ZIP archives containing MSI files that deploy decoy software and execute malicious DLLs through techniques such as process hollowing and DLL sideloading.
These payloads can steal sensitive data or install cryptocurrency-stealing browser extensions, posing significant risk to users.
The campaign’s sophistication extends to evasion tactics, including antivirus checks within the NSIS scripts that use Windows utilities such as tasklist and findstr to identify and terminate security processes from vendors including Quick Heal, Webroot, and Bitdefender.
Additionally, Legion Loader’s use of dynamic passwords retrieved from C2 servers and its execution of shellcode inside a hollowed-out explorer.exe process highlight the attackers’ focus on stealth.
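The tasklist-plus-findstr check described above leaves a recognisable trace in process-creation telemetry (Sysmon event 1, EDR command-line logs). The following Python is an added example, not code from the Zscaler report or this article: it runs two simple heuristics over constructed command-line samples, flagging process enumeration piped into findstr and taskkill aimed at a security product. The vendor names are the ones named above; the bare process-name tokens in SECURITY_TERMS (bdagent, wrsa) are assumptions made for this example, not indicators from the report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Vendor names are the ones the report mentions; the bare process-name tokens
# (bdagent, wrsa) are ASSUMPTIONS added for this example, not from the report.
SECURITY_TERMS = ("quick heal", "quickheal", "webroot", "bitdefender", "bdagent", "wrsa")

# Process enumeration piped into a string filter: the NSIS-script pattern described above.
TASKLIST_FINDSTR = re.compile(r"\btasklist\b.*\|\s*findstr\b", re.IGNORECASE)
# taskkill with an image name, so the target process can be compared against the watch-list.
TASKKILL_IM = re.compile(r"\btaskkill(?:\.exe)?\b.*?/im\s+(\S+)", re.IGNORECASE)


@dataclass
class Alert:
    rule: str
    severity: str
    command_line: str


def inspect_command_line(cmdline: str) -> Optional[Alert]:
    """Return an Alert if the command line matches one of the two heuristics, else None."""
    lowered = cmdline.lower()
    mentions_vendor = any(term in lowered for term in SECURITY_TERMS)
    if TASKLIST_FINDSTR.search(cmdline):
        # Enumerating processes through findstr is noisy on its own; a vendor term raises severity.
        severity = "high" if mentions_vendor else "medium"
        return Alert("tasklist-findstr-av-check", severity, cmdline)
    match = TASKKILL_IM.search(cmdline)
    if match and any(term in match.group(1).lower() for term in SECURITY_TERMS):
        return Alert("taskkill-security-process", "high", cmdline)
    return None


# Constructed sample events as (image, command line) pairs; not taken from the report.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("cmd.exe", 'cmd.exe /c tasklist | findstr /i "bdagent"'),
    ("cmd.exe", 'cmd.exe /c tasklist /fi "imagename eq wrsa.exe" | findstr /i wrsa'),
    ("cmd.exe", "cmd.exe /c tasklist"),
    ("taskkill.exe", "taskkill /F /IM bdagent.exe"),
    ("powershell.exe", "powershell.exe Get-Process"),
]


def scan_events(events: List[Tuple[str, str]]) -> List[Alert]:
    """Run the heuristics over (image, command line) pairs and collect the alerts."""
    alerts = []
    for _image, cmdline in events:
        alert = inspect_command_line(cmdline)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.rule}: {alert.command_line}")
```

A plain `tasklist` with no filter is not alerted on, since administrators run it routinely; the signal is the filter for a named security product, and the installer's parent process (an NSIS-built executable of unusual size, as described above) is a useful second field to correlate on.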
Zscaler’s multilayered cloud security platform has identified and mitigated these threats, detecting indicators for Lumma, Vidar, and Legion Loader under various threat names like Win32.PWS.Lumma and Win32.Dropper.LegionLoader.
Users are urged to exercise caution when searching for AI tools online, as the exploitation of trending topics for malware distribution continues to grow.
Below is a table of key Indicators of Compromise (IOCs) associated with this campaign for reference and mitigation purposes.
Indicators of Compromise (IOCs)

| Indicator | Description |
|---|---|
| chat-gpt-5[.]ai | Malicious blog site related to AI |
| luma-ai[.]com | Malicious blog site related to AI |
| krea-ai[.]com | Malicious blog site related to AI |
| llama-2[.]com | Malicious blog site related to AI |
| C957ADB29755E586EE022244369C375D | Legion Loader password-protected ZIP (MD5) |
| 14642E8FFD81298F649E28DC046D84BB | Legion Loader MSI file (MD5) |
| C53eaf734ecc1d81c241ea2ab030a87e | Lumma NSIS installer file (MD5) |
| 758625d112c04c094f96afc40eafa894 | Vidar NSIS installer file (MD5) |
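To make the table usable in a SIEM or a hash-lookup script, the domains have to be refanged and the MD5 values normalised (note that the table mixes upper- and lower-case hex). The following Python is an added example, not part of the article or the Zscaler report: it loads the indicators above, matches DNS queries against the domains (exact or subdomain, so that a look-alike such as notluma-ai.com does not match), and performs case-insensitive hash lookups. The DNS log lines are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Indicators copied from the table above; domains are kept defanged as published.
IOC_DOMAINS = ["chat-gpt-5[.]ai", "luma-ai[.]com", "krea-ai[.]com", "llama-2[.]com"]
IOC_MD5 = {
    "C957ADB29755E586EE022244369C375D": "Legion Loader password-protected ZIP",
    "14642E8FFD81298F649E28DC046D84BB": "Legion Loader MSI file",
    "C53eaf734ecc1d81c241ea2ab030a87e": "Lumma NSIS Installer file",
    "758625d112c04c094f96afc40eafa894": "Vidar NSIS Installer file",
}

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def refang(indicator: str) -> str:
    """Turn a defanged domain such as luma-ai[.]com back into luma-ai.com for matching."""
    return indicator.replace("[.]", ".").strip().lower()


def normalize_hashes(table: Dict[str, str]) -> Dict[str, str]:
    """Lower-case every hash (the table mixes cases) and reject anything that is not 32 hex chars."""
    normalized = {}
    for digest, description in table.items():
        digest = digest.strip().lower()
        if not MD5_HEX.match(digest):
            raise ValueError(f"not an MD5 hex digest: {digest!r}")
        normalized[digest] = description
    return normalized


DOMAIN_SET = {refang(d) for d in IOC_DOMAINS}
HASH_TABLE = normalize_hashes(IOC_MD5)


def domain_matches(query: str) -> bool:
    """True for an exact match or a subdomain; 'notluma-ai.com' must not match luma-ai.com."""
    q = query.strip().lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in DOMAIN_SET)


def lookup_md5(digest: str) -> Optional[str]:
    """Case-insensitive lookup of a file hash against the IOC table."""
    return HASH_TABLE.get(digest.strip().lower())


# Constructed DNS log lines (not from the report): "<timestamp> <client> query <name>".
SAMPLE_DNS_LOG = """\
2025-05-01T10:00:01Z 10.0.0.12 query www.luma-ai.com
2025-05-01T10:00:02Z 10.0.0.12 query cdn.example.net
2025-05-01T10:00:03Z 10.0.0.15 query CHAT-GPT-5.AI.
2025-05-01T10:00:04Z 10.0.0.15 query notluma-ai.com
"""


def scan_dns_log(log: str) -> List[Tuple[str, str]]:
    """Return (client, queried name) pairs whose name hits a listed domain."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2] == "query" and domain_matches(parts[3]):
            hits.append((parts[1], parts[3]))
    return hits


if __name__ == "__main__":
    for client, name in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} resolved IOC domain {name}")
    print(lookup_md5("c53EAF734ECC1D81C241EA2AB030A87E"))
```

The subdomain rule matters for this campaign because the blog sites are WordPress-hosted and may be reached through `www.` or other host prefixes, while a suffix-only comparison would also catch unrelated look-alike names.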