A notorious financially motivated threat group is luring victims to a network of malware-baited websites promising downloads of deepfake tools, according to a new report from Silent Push.
The security vendor claimed that the Russia-based FIN7, which has been linked to several ransomware groups, is hosting the malicious sites on multiple domains under the aiNude[.]ai “brand.”
They’re designed to attract web users looking to use deepfake “deepnude” tools to generate nude images from photos of people they upload.
FIN7 created two versions of these so-called “honeypot” websites: one offering free downloads of a ‘Deepnude Generator’ tool and the other offering a free trial.
Clicking on the “free download” offer redirects the victim to a new domain featuring a Dropbox link or another source hosting a malicious payload, although it’s unclear from the report exactly what that payload is.
If a victim clicks on “free trial,” they’ll be prompted to upload an image.
“If an image is uploaded, the user is next prompted with a ‘Trial is ready for download’ message saying, ‘Access scientific materials for personal use only.’ A corresponding pop-up requires the user to answer the question, ‘The link is for personal use only, do you agree?,’” Silent Push explained.
“If the user agrees and clicks ‘Download’ they’re served a zip file with a malicious payload. This other FIN7 payload is a more traditional Lumma Stealer and uses a DLL side-loading technique for execution.”
The vendor has also observed FIN7 deploying the Redline Stealer malware and the D3F@ck malware-as-a-service loader via this campaign.
It’s believed that the group uses SEO tactics to get its AI deepnude sites ranked at the top of search listings.
Silent Push also revealed a second campaign run by FIN7, designed to covertly serve up NetSupport RAT malware via lookalike sites which require visitors to install a browser extension. The threat actors lure victims to the sites – which spoof well-known brands such as SAP Concur, Microsoft and Thomson Reuters – via malvertising.