Fraudulent AI Tools Used to Deploy Noodlophile Malware, Reaching Over 62,000 Views Through Facebook Lures
Threat actors are increasingly exploiting the allure of artificial intelligence (AI) by offering counterfeit AI-powered tools to entice users into downloading malware known as Noodlophile.
Rather than relying on traditional phishing or cracked-software sites, these groups build convincing AI-themed platforms and promote them through seemingly legitimate Facebook groups and viral social media campaigns. Morphisec researcher Shmuel Uzan observed that posts in these groups can draw more than 62,000 views, reaching users who are actively searching for AI tools for video and image editing. Fake social media pages identified so far include Luma Dreammachine AI and gratistuslibros.
Upon accessing these deceptive posts, users are encouraged to click links that advertise a range of AI-powered content creation services, such as videos, logos, images, and websites. One such fraudulent website masquerades as CapCut AI, promoting itself as an “all-in-one video editor with new AI features.”
Once users upload an image or video prompt on these sites, they are invited to download the supposed AI-generated result; what they actually receive is a malicious ZIP archive named “VideoDreamAI.zip.” The archive contains an executable named “Video Dream MachineAI.mp4.exe.” The double extension relies on Windows hiding known file extensions by default, so the file appears to be an ordinary MP4 video. Running it starts the infection chain by launching a legitimate binary from ByteDance’s CapCut video editor, CapCut.exe. That C++ executable in turn runs a .NET-based loader named CapCutLoader, which retrieves a Python payload (“srchost.exe”) from a remote server.
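A first triage check a responder can apply to archives like the one described above is to look for the two tells the lure depends on: a file name that ends in a media extension followed by an executable extension, and entry content that begins with a PE header regardless of what the name claims. The script below is an added example, not Morphisec’s tooling or the malware itself; the archive it scans is constructed inline (a dummy entry with an “MZ” header standing in for the real payload), and the extension lists are illustrative rather than exhaustive.

```python
"""Triage a downloaded ZIP for the double-extension lure pattern.

Flags (1) entries whose name ends in a media extension plus an executable
extension, which Windows shows as 'Video Dream MachineAI.mp4' once known
extensions are hidden, and (2) entries whose bytes start with the PE
magic 'MZ' while the name claims a non-executable type.
Added example with a constructed archive; not real malware or vendor code.
"""
import io
import zipfile

# Illustrative lists (assumption); extend for your environment.
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".msi", ".lnk"}
MEDIA_EXTS = {".mp4", ".mov", ".avi", ".mkv", ".jpg", ".jpeg", ".png", ".gif", ".pdf"}
PE_MAGIC = b"MZ"


def name_findings(name):
    """Reasons derived from the entry name alone."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    reasons = []
    if len(parts) >= 2 and "." + parts[-1] in EXEC_EXTS:
        reasons.append("executable entry")
        if len(parts) >= 3 and "." + parts[-2] in MEDIA_EXTS:
            reasons.append("double extension: media name with executable suffix")
    return reasons


def scan_archive(zip_bytes):
    """Return {entry_name: [reasons]} for every suspicious entry in the ZIP."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = name_findings(info.filename)
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic is needed for this check
            if head == PE_MAGIC:
                final = "." + info.filename.lower().rsplit(".", 1)[-1]
                if final not in EXEC_EXTS:
                    reasons.append("PE header under a non-executable extension")
                else:
                    reasons.append("PE header confirms executable content")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive():
    """Constructed stand-in for the lure archive; the 'PE' entries are dummies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Video Dream MachineAI.mp4.exe", PE_MAGIC + b"\x90" * 62)
        zf.writestr("readme.txt", b"Your AI video is ready.\n")
        zf.writestr("preview.png", PE_MAGIC + b"\x00" * 30)  # PE bytes behind an image name
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in scan_archive(build_sample_archive()).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Reading only the first two bytes of each entry keeps the check cheap enough to run on every attachment or download at the gateway; a full PE parse, or a signature check on any legitimate binary the payload bundles, belongs in the next stage of analysis.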
The Python payload then deploys Noodlophile Stealer, which harvests browser credentials, cryptocurrency wallet data, and other sensitive information. Some infections also bundle the XWorm remote access trojan, giving the operators persistent access to the compromised system.
The individual behind Noodlophile is believed to originate from Vietnam, with claims on their GitHub profile of being a “passionate Malware Developer.” Vietnam has developed a notable cybercrime ecosystem, previously associated with various malware targeting social media platforms, particularly Facebook.
Abusing public fascination with AI for malicious ends is a well-documented pattern. Meta, for instance, has previously reported blocking more than 1,000 malicious URLs that used OpenAI’s ChatGPT as a lure to spread roughly ten malware families since March 2023.
Separately, the cybersecurity company CYFIRMA has disclosed details of another .NET-based stealer, codenamed PupkinStealer, which collects a wide range of data from infected Windows systems and sends it to an attacker-controlled Telegram bot. The malware illustrates a simple but effective approach to data theft: it relies on ordinary system behaviour and a widely used platform for exfiltration, which lets the traffic blend in and keeps its profile low enough to evade detection.
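Because exfiltration through the Telegram Bot API rides over ordinary HTTPS to api.telegram.org, the place to catch it is in proxy or endpoint network logs rather than on the wire. The Bot API URL has a fixed shape, https://api.telegram.org/bot<bot_id>:<secret>/<method>, so a detection can key on that path and on upload methods such as sendDocument coming from a process that is not a messaging client. The following is an added example, not CYFIRMA’s detection content or anything from PupkinStealer; the key=value log format, host and process names, and the bot token are all constructed for the demonstration.

```python
"""Hunt proxy/endpoint logs for stealer exfiltration via the Telegram Bot API.

The Bot API path is https://api.telegram.org/bot<bot_id>:<secret>/<method>;
a stealer that ships collected data uses upload methods such as sendDocument.
Added example over constructed log lines; the log format and names are assumed.
"""
import re

TELEGRAM_BOT_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{30,})/(?P<method>\w+)"
)
# Methods that push content out of the host; getUpdates etc. are not exfil on their own.
EXFIL_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendMessage"}
# Processes for which Telegram API traffic is expected (assumption; tune per fleet).
KNOWN_CLIENTS = {"telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse the constructed 'key=value key=value ...' log line into a dict."""
    return dict(FIELD_RE.findall(line))


def detect_telegram_exfil(lines):
    """Return one finding per POST to an exfil-capable Bot API method from an unexpected process."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        m = TELEGRAM_BOT_RE.search(rec.get("url", ""))
        if not m or m.group("method") not in EXFIL_METHODS:
            continue
        if rec.get("method") != "POST":
            continue
        proc = rec.get("proc", "").lower()
        if proc in KNOWN_CLIENTS:
            continue
        findings.append({
            "host": rec.get("host"),
            "proc": proc,
            "bot_id": m.group("bot_id"),      # numeric id is safe to pivot on and share
            "api_method": m.group("method"),
            "bytes": int(rec.get("bytes", "0")),
            "secret_redacted": m.group("secret")[:4] + "...",  # keep the token out of alerts
        })
    return findings


# Constructed sample log lines (not real telemetry). The token is fake.
SAMPLE_LOGS = [
    "ts=2025-05-13T10:01:02Z host=WS01 proc=srchost.exe method=POST "
    "url=https://api.telegram.org/bot1234567890:AAHconstructedTokenSecret0123456789/sendDocument bytes=48211",
    "ts=2025-05-13T10:01:05Z host=WS01 proc=chrome.exe method=GET "
    "url=https://web.telegram.org/a/ bytes=512",
    "ts=2025-05-13T10:01:09Z host=WS02 proc=srchost.exe method=POST "
    "url=https://api.telegram.org/bot1234567890:AAHconstructedTokenSecret0123456789/getUpdates bytes=96",
    "ts=2025-05-13T10:02:00Z host=WS03 proc=telegram.exe method=POST "
    "url=https://api.telegram.org/bot5555555555:AAHanotherConstructedSecret9876543210/sendMessage bytes=300",
]


if __name__ == "__main__":
    for f in detect_telegram_exfil(SAMPLE_LOGS):
        print(f)
```

The numeric bot id is stable across an actor’s campaign and can be shared as an indicator, whereas the secret half of the token grants control of the bot and should stay out of tickets and alerts; the redaction above keeps just enough to confirm two sightings refer to the same token.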