AI Incident Database

Report 4363

Associated Incidents

Incident 8655 Report
Fake AI 'Nudify' Sites Reportedly Linked to Malware Distribution by Russian Hacker Collective FIN7

FIN7 Gang Hides Malware in AI “Deepnude” Sites
infosecurity-magazine.com · 2024

An infamous financially motivated threat group is luring victims to a network of malware-baited sites, promising downloads of deepfake tools, according to a new report from Silent Push.

The security vendor claimed that the Russia-based FIN7, which has been linked to multiple ransomware groups, is hosting the malicious sites on multiple domains under the aiNude[.]ai “brand.”

They’re designed to attract internet users looking to leverage deepfake “deepnude” tools to generate nude images from photos of individuals they upload.

FIN7 created two versions of these so-called “honeypot” websites: one offering free downloads of a ‘Deepnude Generator’ tool and the other offering a free trial.

Clicking on the “free download” offer will redirect the victim to a new domain featuring a Dropbox link or another source hosting a malicious payload, although it’s unclear from the report exactly what this is.

If a victim clicks on “free trial,” they’ll be prompted to upload an image.

“If an image is uploaded, the user is next prompted with a ‘Trial is ready for download’ message saying, ‘Access scientific materials for personal use only.’ A corresponding pop-up requires the user to answer the question, ‘The link is for personal use only, do you agree?,’” Silent Push explained.

“If the user agrees and clicks ‘Download’ they are served a zip file with a malicious payload. This other FIN7 payload is a more classic Lumma Stealer and uses a DLL side-loading technique for execution.”

The vendor has also observed FIN7 deploying the Redline Stealer malware and D3F@ck malware-as-a-service loader via this campaign.

It’s believed that the group uses SEO tactics to get its AI deepnude sites ranked at the top of search listings.

Silent Push also revealed a second campaign run by FIN7, designed to covertly serve up NetSupport RAT malware through lookalike sites which require visitors to install a browser extension. The threat actors lure victims to the sites – which spoof well-known brands such as SAP Concur, Microsoft and Thomson Reuters – via malvertising.
