Beware of fake AI tools masking a very real malware threat

Cybercriminals are abusing the popularity of GenAI tools to distribute malware through phishing sites, fake apps, malicious ads, and deceptive browser extensions that impersonate legitimate GenAI tools such as ChatGPT. The article explains how these lures work and offers practical steps to spot and avoid them. #RilideStealer #Snowflake

Keypoints

  • Cybercriminals use phishing sites to trick users into installing malware disguised as GenAI software.
  • Malicious browser extensions (e.g., Rilide Stealer V4) harvest sensitive data such as Facebook credentials.
  • Fake GenAI apps in mobile app stores often contain malware designed to steal data or fund scams.
  • Malicious ads on social media impersonate GenAI tools to push users toward harmful software.
  • Threat actors hijack legitimate accounts/pages to run fake ads that promote malware-laden links.
  • Defenses include downloading from official stores, verifying developers, enabling MFA, and using security software.

MITRE Techniques

  • [T1566.002] Phishing: Spearphishing Link – Cybercriminals use phishing sites to trick users into installing malware disguised as GenAI software. The lure is a link rather than an attachment, so the Spearphishing Link sub-technique applies (T1566.001 is Spearphishing Attachment). “Victims arrive there after clicking through from a link on social media, or via an email/mobile message.”
  • [T1036] Masquerading – Threat actors hijack a legitimate account or page and modify it to appear as an authentic GenAI-branded page. “Threat actors hijack a legitimate account or page, change the profile information to make it appear as if it were an authentic ChatGPT or other GenAI-branded page.” The account takeover itself maps more precisely to T1586.001 (Compromise Accounts: Social Media Accounts); T1036 covers the rebranding that makes the page look legitimate.
  • [T1555.003] Credentials from Web Browsers – Infostealer payload in a browser extension harvests credentials such as Facebook login data. “designed to harvest users’ Facebook credentials.”
  • [T1189] Drive-by Compromise – Malicious ads (e.g., on Facebook) deliver infostealer malware by luring users to compromised or deceptive pages. Note that the article describes no browser exploit: the victim has to install the fake tool, so T1583.008 (Acquire Infrastructure: Malvertising) for the ads and T1204.002 (User Execution: Malicious File) for the install fit the described campaigns more closely. “Malicious Facebook ads are particularly prevalent… campaigns designed to compromise ‘businesses with access to ad accounts across the internet’.”

Indicators of Compromise

  • [Domain pattern] chapgpt – typosquat of “chatgpt” seen in malicious domains used to spread malware via GenAI lures; a keyword to hunt for in DNS and proxy logs, not a single domain
  • [Malware family] Rilide Stealer V4 – infostealer delivered by the malicious browser extension to harvest credentials; a family name, not a specific file name
  • [Reference] https://web-assets.esetstatic.com/wls/en/papers/threat-reports/eset-threat-report-h12024.pdf – ESET Threat Report H1 2024, the source documenting the associated threats (a reference, not an indicator)
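The “chapgpt” indicator above generalises to typosquat lookalikes of any GenAI brand the lures impersonate. As an added example (not code from the ESET article or this summary), the script below scans dnsmasq-style DNS query lines and flags registrable domains whose label equals, contains, or sits within a small edit distance of a brand name. The brand list, the allow-list of genuine domains, and the log lines are constructed for illustration; the crude eTLD+1 logic should be replaced by the Public Suffix List in real use.

```python
"""Flag GenAI-brand typosquat lookalikes in DNS query logs (added example)."""
import re
from typing import List, Optional, Tuple

# Brands the lures impersonate. ChatGPT is named in the article; the others
# are assumed examples of "other GenAI-branded" tools.
BRAND_TOKENS = ("chatgpt", "openai", "midjourney", "copilot")

# Assumed allow-list of the genuine registrable domains (not from the article).
LEGIT_DOMAINS = {"chatgpt.com", "openai.com", "midjourney.com"}

# Constructed dnsmasq-style query lines; not real traffic.
SAMPLE_LOG = """\
Jun 12 10:01:02 gw dnsmasq[812]: query[A] chat.openai.com from 10.0.0.5
Jun 12 10:01:09 gw dnsmasq[812]: query[A] chapgpt-desktop-download.com from 10.0.0.5
Jun 12 10:02:41 gw dnsmasq[812]: query[A] www.chatgtp.net from 10.0.0.7
Jun 12 10:03:15 gw dnsmasq[812]: query[AAAA] chatgpt.co from 10.0.0.9
Jun 12 10:04:00 gw dnsmasq[812]: query[A] example.org from 10.0.0.5
Jun 12 10:05:30 gw dnsmasq[812]: query[A] midjourney-free-app.com from 10.0.0.11
"""

QUERY_RE = re.compile(r"query\[[A-Z]+\] (?P<host>\S+) from (?P<client>\S+)")


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert/delete/substitute, O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def min_window_distance(label: str, brand: str) -> int:
    """Smallest edit distance between brand and any brand-length window of label,
    so 'chapgpt' hidden in 'chapgptdesktopdownload' is still found."""
    n = len(brand)
    if len(label) <= n:
        return levenshtein(label, brand)
    return min(levenshtein(label[i:i + n], brand) for i in range(len(label) - n + 1))


def registrable(host: str) -> str:
    """Crude eTLD+1: the last two labels. Fine for .com/.net/.org style names;
    a real deployment would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def classify(host: str) -> Optional[str]:
    """Return a reason string if host looks like a GenAI-brand lure, else None."""
    apex = registrable(host)
    if apex in LEGIT_DOMAINS:
        return None
    # Second-level label with separators removed ("chatgpt-app" -> "chatgptapp").
    compact = apex.split(".")[0].replace("-", "")
    for brand in BRAND_TOKENS:
        if compact == brand:
            return f"brand-on-wrong-tld:{brand}"
        if brand in compact:
            return f"brand-in-label:{brand}"
        # Allow one edit for short brands and two for longer ones; a flat
        # threshold of two on six-letter names produces too many false hits.
        budget = 1 if len(brand) <= 6 else 2
        d = min_window_distance(compact, brand)
        if d <= budget:
            return f"lookalike:{brand}:edits={d}"
    return None


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, host, reason) for every query to a suspected lure domain."""
    hits = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        reason = classify(m["host"])
        if reason:
            hits.append((m["client"], m["host"], reason))
    return hits


if __name__ == "__main__":
    for client, host, reason in scan_log(SAMPLE_LOG):
        print(f"{client}\t{host}\t{reason}")
```

Hits are meant for analyst review rather than automatic blocking: a hyphenated name containing a brand can be a legitimate third-party site, whereas the single-edit lookalikes and brand-on-wrong-TLD cases are the strongest signals and the ones worth correlating with the "Read more" article's fake-download pattern.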

Read more: https://www.welivesecurity.com/en/cybersecurity/beware-fake-ai-tools-masking-very-real-malware-threat