Threat actors exploit AI to make their attacks more effective through automation, scanning large data sets for security gaps and creating intricate phishing scams that are harder to spot.
In addition, threat actors can employ AI to produce legit-looking fake content and evade security measures.
Cybersecurity researchers at Cyble recently identified that threat actors have been actively exploiting ChatGPT’s Sora AI to deliver malware.
Exploiting ChatGPT’s Sora AI Excitement
The Sora of OpenAI, an AI model that came out in February 2024 for text-to-video creation, has generated a lot of excitement in the tech community.
How to Build a Security Framework With Limited Resources IT Security Team (PDF) - Free Guide
It has not yet been released, but cyber attackers already see its potential as a game changer in content creation.
Cyble Research and Intelligence Labs (CRIL) has identified several phishing sites pretending to be official platforms of Sora. These sites aim to deceive users, who will then distribute various types of malware.
Here below, we have mentioned the phishing sites:-
- hxxps://sorics-ai[.]web.app
- hxxps://sora-6b494[.]web.app
- hxxps://sorics-ai.web[.]app
- hxxps://soraai-pro-kit[.]web.app
- hxxps://sora-openai-generation[.]com
- hxxps://openai-soravideo[.]com
- hxxps://opensora-ai.web[.]app
- hxxps://opensora[.]info
By the end of July 2024, threat actors had successfully launched ingenious phishing attacks by exploiting the yet-to-be-released OpenAI Sora AI.
Their actions involved establishing fake websites such as “openai-soravideo[. ]com” and “sora-openai-generation[. ]com” which they promoted through compromised social media handles.
These sites tricked users into downloading malware posing as Sora software.
.webp "Threat Actors Exploiting ChatGPT's Sora AI Excitement To Deliver Malware 2")
The most distinguished one involved Braodo Stealer, which targeted Chrome, Firefox, Edge, Opera, Brave, and Chromium browsers to collect sensitive information and then send it over Telegram channels via API requests.
The malware used various methods for hiding malicious activity such as multi-level compression (zlib, bz2, gzip, lzma) and hexadecimal encoding making its detection by many antivirus systems difficult.
Cyber Research & Intelligence Labs (CRIL) researchers affirmed that several individuals were lured into these campaigns, often through sponsored ads, leading to substantial data breaches.
The sophisticated Sora-themed malware campaign employs multi-faceted information-stealing techniques.
One variant steals screenshots, login details, cookies, and autofill information from browsers like Edge, Chrome, CocCoc, Brave, Opera, and Firefox.
It zips the stolen data into a file named “.zip” and sends it to the attacker’s Telegram chat through API.
Another type employs PyInstaller and PyArmor obfuscation which hides python script that downloads and runs “manifest.bat” from “https://sealingshop.click/bat/loc.”
It collects sensitive information such as usernames, IP addresses, and browser data, excluding users from certain countries.
Afterward, it posts JSON encoded data to a ngrok domain (hxxps://f34f-103-14-48-195.ngrok-free.app) via a POST request.
It then installs two open-source cryptocurrency miners XMRig and lolMiner on the infected host system after exfiltration proving the campaign’s dual focus on data theft and cryptojacking.
Recommendations
Here below we have mentioned all the recommendations:-
- Educate users on phishing and unverified downloads.
- Verify URLs and legitimacy before installing apps.
- Implement advanced threat detection systems.
- Monitor social media for compromised accounts.
- Enforce MFA for all accounts and systems.
- Regularly back up and securely store data.
- Use web filtering to block malicious sites.
Are you from SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Free Access