Cybercriminals are leveraging OpenAI’s Sora branding to lure victims with phishing sites and compromised social media accounts, delivering malware disguised as legitimate software. The campaigns combine data-stealing payloads with cryptocurrency mining after exfiltration, using obfuscation and multiple delivery vectors to maximize reach. #SoraAI #BraodoStealer
Key points
- Cybercriminals are using the Sora branding to create convincing phishing sites.
- Targeting an unreleased application indicates proactive exploitation of emerging technologies.
- Threat actors employ multiple vectors, including phishing sites and compromised social media accounts, to enhance their reach.
- Compromised social media accounts lend credibility to phishing schemes, increasing their success rate.
- Information-stealer malware used in these campaigns can evade mainstream antivirus detection.
- After data exfiltration, cybercriminals deploy cryptocurrency mining software (e.g., XMRig and lolMiner) to monetize their activities.
MITRE Techniques
- [T1204.001] User Execution: Malicious Link – Execution begins when a user downloads a zip file from a phishing website.
- [T1204.002] User Execution: Malicious File – The victim is required to execute the .bat or .exe from the zip file.
- [T1059.001] Command and Scripting Interpreter: PowerShell – The batch script uses PowerShell to execute commands.
- [T1105] Ingress Tool Transfer – The script downloads files from remote servers.
- [T1071.001] Application Layer Protocol: Web Protocols – HTTPS is used for downloading files.
- [T1027.001] Obfuscated Files or Information: Binary Padding – Null characters are added to the executable.
- [T1027.010] Obfuscated Files or Information: Command Obfuscation – Downloads a base64-encoded Python script.
- [T1036.005] Masquerading: Match Legitimate Name or Location – Malicious files are disguised with names like “OpenAI” or “GoDaddy” to appear legitimate.
- [T1005] Data from Local System – Exfiltrates data from browser database files.
- [T1020] Automated Exfiltration – Data is exfiltrated automatically after collection.
- [T1567] Exfiltration Over Web Service – The Telegram API and ngrok are used for data exfiltration.
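The technique chain above, turned into a defender-side triage rule: an added example, not code from the Cyble writeup, run over constructed process and network events. The event layout, the sample events and the matching rules are this example's own assumptions; only the technique-to-indicator mapping comes from the list above.

```python
"""Added example (not from the Cyble writeup): score process/network events
against the Sora-themed stealer chain. Event layout, sample events and
matching rules are this example's own constructed assumptions."""
import re

# Constructed sample events: (parent image, image path, command line, remote host)
EVENTS = [
    ("explorer.exe", r"C:\Users\alice\Downloads\setup_soraai_pro_v4.2\install.bat",
     "cmd /c install.bat", ""),
    ("cmd.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -w hidden -c IEX([Text.Encoding]::UTF8.GetString("
     "[Convert]::FromBase64String('aW1wb3J0IG9z')))",
     "f34f-103-14-48-195.ngrok-free.app"),
    ("explorer.exe", r"C:\Users\alice\AppData\Local\Temp\OpenAI.exe", "OpenAI.exe",
     "api.telegram.org"),
    ("services.exe", r"C:\Program Files\Vendor\updater.exe", "updater.exe --check",
     "updates.vendor.example"),
]

USER_WRITABLE = re.compile(r"\\(Downloads|AppData|Temp|Public)\\", re.I)
PS_DECODE_OR_DOWNLOAD = re.compile(
    r"frombase64string|-enc(odedcommand)?\b|downloadstring|invoke-webrequest|iwr\b", re.I)
MASQUERADE_NAMES = ("openai", "godaddy")  # vendor names abused per the writeup
EXFIL_HOSTS = re.compile(r"(^|\.)ngrok-free\.app$|(^|\.)api\.telegram\.org$", re.I)

def score_event(parent, image, cmdline, remote_host):
    """Return the MITRE technique IDs the event matches (empty list: no rule fired)."""
    hits = []
    name = image.rsplit("\\", 1)[-1].lower()
    from_user_dir = bool(USER_WRITABLE.search(image))
    # T1204.002: .bat/.exe launched straight out of a downloads or temp folder
    if from_user_dir and name.endswith((".bat", ".exe")):
        hits.append("T1204.002")
    # T1059.001 + T1027.010: batch (cmd.exe) spawning PowerShell that decodes or downloads
    if parent.lower() == "cmd.exe" and name == "powershell.exe" \
            and PS_DECODE_OR_DOWNLOAD.search(cmdline):
        hits += ["T1059.001", "T1027.010"]
    # T1036.005: vendor-looking filename running from a user-writable location
    if from_user_dir and any(m in name for m in MASQUERADE_NAMES):
        hits.append("T1036.005")
    # T1567: outbound contact to the ngrok / Telegram exfiltration services
    if remote_host and EXFIL_HOSTS.search(remote_host):
        hits.append("T1567")
    return hits

def triage(events):
    """Map event index -> technique IDs for every event that fired at least one rule."""
    return {i: score_event(*e) for i, e in enumerate(events) if score_event(*e)}
```

Matches on a single rule (a .exe in Downloads, say) are noisy on their own; the chain is what matters, so alert on events that accumulate several of these IDs.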
Indicators of Compromise
- [URL] sora-openai-generation.com, openai-soravideo.com – Phishing sites promoting Sora impersonations.
- [SHA256] f371955bb96fa9aeefc5a6f2b9140100821ac3ab9e04a229c2184e1ea2551392, 8a307a9c08b38946fd124de1ddccbdbbe706589580dabc078b7009689e209248 – Installer ZIPs for the Sora OpenAI Pro variants.
- [Domain] f34f-103-14-48-195.ngrok-free.app – ngrok domain used in the data exfiltration pipeline.
- [File name] Manual_installer_Sora_OpenaiPro_v4.1.zip, setup_soraai_pro_v4.2.zip – Malicious installers masquerading as legitimate software.
Read more: https://cyble.com/blog/threat-actors_exploit_sora_ai-themed-branding-to-spread-malware/