A fake AI-powered video generation tool is being used to distribute a new infostealer family called 'Noodlophile' under the guise of AI-generated media content.
The websites use enticing names such as "Dream Machine" and are advertised in high-visibility Facebook groups, posing as advanced AI tools that generate videos based on files the user uploads.
Although using AI tools as a lure for delivering malware is not a new concept and has already been adopted by experienced cybercriminals, the latest campaign discovered by Morphisec introduces a new infostealer into the mix.
According to Morphisec, Noodlophile is being sold on dark web forums, often bundled with "cookie + pass" services, making it a new malware-as-a-service operation linked to Vietnamese-speaking operators.

Source: Morphisec
Multi-step infection chain
Once the victim visits the malicious website and uploads their files, they receive a ZIP archive that supposedly contains the AI-generated video.
Instead, the ZIP contains a deceptively named executable (Video Dream MachineAI.mp4.exe) and a hidden folder holding the various files needed for the later stages. If the Windows user has file extensions hidden (never do this), the file will look like an MP4 video at a quick glance.
"The file Video Dream MachineAI.mp4.exe is a 32-bit C++ application signed using a certificate created via Winauth," explains Morphisec.
"Despite its misleading name (suggesting an .mp4 video), this binary is actually a repurposed version of CapCut, a legitimate video editing tool (version 445.0)."
Source: Morphisec
Double-clicking the fake MP4 triggers a chain of executions that eventually launches a batch script (Document.docx/install.bat).
The script uses the legitimate Windows tool 'certutil.exe' to extract a base64-encoded, password-protected RAR archive disguised as a PDF document. At the same time, it adds a new registry key for persistence.
Next, the script executes 'srchost.exe', which runs an obfuscated Python script (randomuser2025.txt) fetched from a hardcoded remote server address, ultimately executing the Noodlophile stealer in memory.
If Avast is detected on the compromised system, PE hollowing is used to inject the payload into RegAsm.exe. Otherwise, shellcode injection is used for in-memory execution.
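The chain above leaves several host-level traces a defender can look for independently of the final payload: a decoy media extension followed by an executable one, certutil.exe being used as a decoder, and a write to an autostart Run key. The following is an added example (not code from the article or from Morphisec) that applies those three checks to constructed process-creation events; the "pid|parent_image|image|command_line" layout, the sample paths and the rule names are all assumptions of this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample events in an assumed "pid|parent_image|image|command_line"
# layout. They mimic the stages described in the article and are not real
# telemetry from the campaign; the last two are benign controls.
SAMPLE_EVENTS = [
    "4101|explorer.exe|C:\\Users\\u\\Downloads\\Video Dream MachineAI.mp4.exe|"
    "\"C:\\Users\\u\\Downloads\\Video Dream MachineAI.mp4.exe\"",
    "4102|cmd.exe|C:\\Windows\\System32\\certutil.exe|"
    "certutil -decode Document.docx\\invoice.pdf payload.rar",
    "4103|cmd.exe|C:\\Windows\\System32\\reg.exe|"
    "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /d C:\\hidden\\srchost.exe",
    "4104|explorer.exe|C:\\Program Files\\VLC\\vlc.exe|vlc.exe holiday.mp4",
    "4105|cmd.exe|C:\\Windows\\System32\\certutil.exe|certutil -verify cert.cer",
]

# A decoy document/media extension immediately followed by an executable one.
DOUBLE_EXT = re.compile(
    r"\.(?:mp4|avi|pdf|docx?|xlsx?|jpe?g|png|txt)\.(?:exe|scr|bat|cmd|com|pif)$", re.I
)
# certutil invoked as a decoder (living-off-the-land use) rather than for certificate work.
CERTUTIL_DECODE = re.compile(r"\bcertutil(?:\.exe)?\b.*\s-(?:decode|decodehex)\b", re.I)
# reg.exe writing to a Run/RunOnce autostart key.
RUN_KEY_WRITE = re.compile(r"\breg(?:\.exe)?\s+add\b.*\\CurrentVersion\\Run(?:Once)?\b", re.I)


@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str


def analyze_event(line: str) -> list[Finding]:
    """Apply the three rules to one event line and return every rule that fired."""
    pid_str, _parent, image, cmdline = line.split("|", 3)
    pid = int(pid_str)
    findings: list[Finding] = []
    if DOUBLE_EXT.search(image):
        findings.append(Finding(pid, "double_extension", image))
    if CERTUTIL_DECODE.search(cmdline):
        findings.append(Finding(pid, "certutil_decode", cmdline))
    if RUN_KEY_WRITE.search(cmdline):
        findings.append(Finding(pid, "run_key_persistence", cmdline))
    return findings


def analyze_log(lines: list[str]) -> list[Finding]:
    """Run analyze_event over a whole batch of event lines."""
    findings: list[Finding] = []
    for line in lines:
        findings.extend(analyze_event(line))
    return findings


def rules_hit(lines: list[str]) -> list[str]:
    """Distinct rule names that fired across the batch, sorted for stable comparison."""
    return sorted({f.rule for f in analyze_log(lines)})


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_EVENTS):
        print(f"pid={f.pid} rule={f.rule}: {f.detail}")
```

On the constructed sample the three malicious events each trigger exactly one rule, while the VLC launch and the certutil -verify call produce nothing. Each rule on its own is a weak signal (certutil -decode has legitimate uses, and Run-key writes are common during software installs); the value is in seeing them appear in sequence under the same parent process within a short window, which is how the stages in the article relate to one another.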

Source: Morphisec
Noodlophile is a new information-stealing malware that targets data stored in web browsers, such as account credentials, session cookies, tokens, and cryptocurrency wallet files.
"Noodlophile Stealer represents a new addition to the stealer malware ecosystem. Not previously seen in public malware trackers or reports, this stealer combines browser credential theft, wallet exfiltration, and optional remote access deployment," say Morphisec's researchers.
The stolen data is exfiltrated through a Telegram bot, which acts as a covert command and control (C2) server and gives the attackers real-time access to the stolen information.
In some cases, Noodlophile is bundled with XWorm, a remote access trojan, extending the attackers' capabilities well beyond the passive data theft an infostealer alone provides.
The best way to protect against malware is to avoid downloading and executing files from unknown websites.
Always verify the file extension before opening a file, and scan all downloaded files with an up-to-date AV tool before executing them.