New hacker warning: Fin7’s AI nude image generator serves more than nudes

Sex sells, so they say, and a notorious Russian ransomware group is taking that phrase into the age of AI with a new campaign using purported apps to generate fake nude images.

Who or what is Fin7?

The MITRE ATT&CK adversary knowledge base describes Fin7 as a financially motivated threat group active since 2013. As of 2020, Fin7 has adopted a big game hunting approach to its operations, targeting organizations with ransomware and even offering ransomware-as-a-service. So it may come as something of a surprise to learn that these veterans of organized cybercrime have moved into the AI-generated porn business. Or it would be, if that were really what is happening. In fact, Fin7 is simply getting on with operations designed to capture victims, spread its malware, and earn financial rewards for its nefarious efforts.


The Fin7 gang has created a deepfake porn honeypot

Newly published research by security researchers at Silent Push has revealed how the Fin7 crime group is hosting malicious DeepNude AI generators as part of a porn-themed honeypot. The report, FIN7 hosting honeypot domains with AI DeepNude malicious generators, found the scam running across at least seven websites using at least two different fake image generators. The two differ in how they deliver the payload: one is a straightforward download-based malware distribution technique, the other a much more sophisticated process that the researchers describe as traceless.

Fin7 is casting a wide net in these attacks, Silent Push’s threat analysis found, with both individuals and industries in scope. Organizations are at risk because an unsuspecting employee tempted into downloading the malicious files can expose the whole business; such downloads, the report says, “can directly compromise credentials via info thieves or be used for follow-up campaigns that deploy ransomware.”


The use of honeypots in this campaign is interesting as it marks a departure from more conventional and relatively straightforward phishing baiting methodologies. In this context, a honeypot refers to “technical minefields that have carefully crafted lures used by bad actors to bait their unsuspecting victims,” the researchers said.

The more sophisticated attack methodology, compared with the simple click-a-link-and-download variant mentioned above, is the use of a free trial process. The adult-themed nude image generator lures the victim into accepting a free trial. If they follow this link, the site asks them to upload an image from which it will create a fake nude. If the user uploads such an image, they are then prompted to download the results with a pop-up dialog stating that this is “for personal use only, do you agree?” If they agree, a download starts: a malicious Zip file containing the password-stealing Lumma Stealer malware, which then uses a DLL sideloading technique for execution.
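As an added example that is not part of the original article or of the Silent Push report: a small Python triage check for the two things the download step above relies on, a DLL shipped beside an executable so that the executable sideloads it, and an executable dressed up to look like the promised image result. The archive layout, the file names (including the `version.dll` placeholder) and the byte contents are constructed for illustration; the check works on file names only and never runs or parses the binaries.

```python
import io
import zipfile
from collections import defaultdict

# Extensions a "your result is ready" lure would mimic (assumption, not from the report).
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".webp")


def _split(name: str) -> tuple[str, str]:
    """Normalise path separators and split a zip entry into (directory, basename)."""
    name = name.replace("\\", "/")
    directory, _, base = name.rpartition("/")
    return directory or ".", base


def sideload_candidates(zip_bytes: bytes) -> list[dict]:
    """Flag the classic DLL-sideloading layout inside a downloaded archive.

    Windows resolves a DLL imported by name from the application's own directory
    before system directories, so an .exe sitting next to a .dll in the same
    folder is the layout a sideloading dropper needs. Also flags executables whose
    name ends in an image extension before ".exe" (e.g. "result.png.exe").
    """
    by_dir: dict = defaultdict(lambda: {"exe": [], "dll": []})
    disguised: list[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            directory, base = _split(info.filename)
            lower = base.lower()
            if lower.endswith(".exe"):
                by_dir[directory]["exe"].append(base)
                if lower[:-4].endswith(IMAGE_EXTS):
                    disguised.append(info.filename)
            elif lower.endswith(".dll"):
                by_dir[directory]["dll"].append(base)

    findings = []
    for directory in sorted(by_dir):
        files = by_dir[directory]
        if files["exe"] and files["dll"]:
            findings.append({
                "kind": "sideload_pair",
                "dir": directory,
                "exe": sorted(files["exe"]),
                "dll": sorted(files["dll"]),
            })
    for path in disguised:
        findings.append({"kind": "disguised_exe", "path": path})
    return findings


def build_sample_zip(malicious: bool = True) -> bytes:
    """Constructed in-memory archives; the contents are placeholders, not real binaries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if malicious:
            # Hypothetical lure layout: fake "result" executable plus a DLL beside it.
            zf.writestr("NudeGen/result.png.exe", b"MZ-placeholder")
            zf.writestr("NudeGen/version.dll", b"MZ-placeholder")
        else:
            # What a genuine image download would look like.
            zf.writestr("photo/result.png", b"\x89PNG-placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("lure", True), ("benign", False)):
        print(label, sideload_candidates(build_sample_zip(flag)))
```

The heuristic is deliberately cheap so it can run at a mail or proxy gateway before any sandboxing; a hit is a reason to detonate or block, not a verdict on its own, since legitimate installers also ship private DLLs beside their executables.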

All sites detected by Silent Push are currently offline after the researchers escalated them to the hosting companies for takedown. But don’t be fooled: “we believe that new sites that follow similar patterns are likely to emerge,” the researchers warned.

