Attackers have been abusing the popularity of AI image editing tools to trick users into installing applications that mimic legitimate tools that are loaded with malware.
The campaign uses hijacked Facebook accounts to push the applications on social media using paid advertising to spread the malware.
The attackers trick Facebook pages into surrendering their credentials with phishing messages that take users to fake account protection pages which then steal their password.
Facebook malvertising
Jaromir Horejsi, a threat researcher for Trend Micro who analyzed the campaign, said “We discovered a malvertising campaign involving a threat actor that steals social media pages, changing their names to make them seem connected to popular AI photo editors. The threat actor then creates malicious posts with links to fake websites made to resemble the actual website of the legitimate photo editor. To increase traffic, the perpetrator then boosts the malicious posts via paid ads” (via BleepingComputer).
The software package that the victims install is not the AI image editor, and is instead the Itarian remote desktop tool which then launches a downloader on the victims device that installs the Lumma Stealer malware. This malware covertly sniffs through the victims files in search of valuable data, such as cryptocurrency wallet files, credentials, password manager files, and browser data.
This data is then sold on the dark web, or used to take over other accounts using compromised credentials in order to promote more scams.
In response to the campaign, Horejsi provided some ways to stay safe from the campaign, stating, “Users should enable multi-factor authentication (MFA) on all social media accounts to add an extra layer of protection against unauthorized access. Organizations should educate their employees on the dangers of phishing attacks and how to recognize suspicious messages and links. Users should always verify the legitimacy of links, especially those asking for personal information or login credentials.”
