Emergence of Noodlophile Infostealer Malware from Deceptive AI Video Generation Tools


Fake AI-driven video generation platforms are being used to distribute a new family of information-stealing malware, referred to as ‘Noodlophile,’ disguised as output from supposed artificial intelligence tools.

These malicious websites, presented with enticing names such as “Dream Machine,” are promoted in high-visibility social media groups, particularly on platforms like Facebook, where they masquerade as sophisticated AI applications that create videos based on user-uploaded files.

While the tactic of leveraging AI tools for malware dissemination is not novel, recent findings have revealed the emergence of Noodlophile as part of a targeted campaign. This malware is reportedly available on dark web forums and is frequently bundled with services that facilitate credential theft, indicating a sophisticated malware-as-a-service operation operated by Vietnamese-speaking cybercriminals.

Multi-Stage Infection Process

Upon visiting the malicious website and submitting files, the victim receives a ZIP archive that purportedly contains an AI-generated video. In reality, the archive holds a misleadingly named executable (Video Dream MachineAI.mp4.exe) together with a concealed folder containing the files needed for the subsequent infection stages. If a Windows user has file extensions hidden, the executable is easily mistaken for an MP4 video file.
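As an added, defender-side example that is not part of the original report: a Python triage routine that checks the members of a ZIP archive for the lure traits described above, namely a double extension such as .mp4.exe, file content whose magic bytes contradict the claimed extension, and the MS-DOS hidden attribute. The sample archive it builds is constructed here from stub bytes and is not the real malware.

```python
import io
import zipfile

# File types a victim expects to be harmless; an executable extension hiding behind
# one of them (e.g. "video.mp4.exe") is the double-extension lure described above.
DECOY_EXTENSIONS = {".mp4", ".mov", ".avi", ".pdf", ".jpg", ".png", ".docx", ".txt"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
# Leading bytes that identify a file regardless of its name (a small, hand-picked subset).
MAGIC = {b"MZ": ".exe", b"Rar!\x1a\x07": ".rar", b"%PDF": ".pdf"}
MSDOS_HIDDEN = 0x02  # FILE_ATTRIBUTE_HIDDEN in the MS-DOS attribute byte of external_attr

def extensions(name):
    """All dotted suffixes of the base name, lowercased: 'a.mp4.exe' -> ['.mp4', '.exe']."""
    parts = name.rstrip("/").rsplit("/", 1)[-1].lower().split(".")
    return ["." + p for p in parts[1:]]

def inspect_entry(name, head, external_attr=0):
    """Return the findings for one archive member, given its name and first bytes."""
    findings = []
    exts = extensions(name)
    if len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTENSIONS and exts[-2] in DECOY_EXTENSIONS:
        findings.append(f"double-extension lure: {name}")
    for magic, real_ext in MAGIC.items():
        if head.startswith(magic) and (not exts or exts[-1] != real_ext):
            claimed = exts[-1] if exts else "none"
            findings.append(f"content is {real_ext} but name claims {claimed}: {name}")
    if external_attr & MSDOS_HIDDEN:
        findings.append(f"hidden attribute set: {name}")
    return findings

def scan_zip(zip_bytes):
    """Scan every member of an in-memory ZIP and return all findings in archive order."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            head = b"" if info.is_dir() else zf.open(info).read(8)
            # The low byte of external_attr carries the MS-DOS attributes for FAT/NTFS hosts.
            findings.extend(inspect_entry(info.filename, head, info.external_attr & 0xFF))
    return findings

def build_sample_zip():
    """Constructed lure archive modelled on the one described; members are harmless stubs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Video Dream MachineAI.mp4.exe", b"MZ" + b"\x00" * 62)  # PE stub, not a program
        hidden_doc = zipfile.ZipInfo("stage/document.pdf")                     # "PDF" that is really RAR
        hidden_doc.external_attr = MSDOS_HIDDEN
        zf.writestr(hidden_doc, b"Rar!\x1a\x07\x01\x00" + b"\x00" * 8)
        zf.writestr("readme.txt", b"Your video is ready")
    return buf.getvalue()

if __name__ == "__main__":
    for finding in scan_zip(build_sample_zip()):
        print(finding)
```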

The executable, a 32-bit C++ application, is a repurposed copy of CapCut, a legitimate video editing tool. Building the dropper on a legitimate application helps it evade detection and makes the user more likely to run it.

Launching the fake MP4 file initiates a chain of commands that ends in a batch script. The script uses legitimate Windows tools to decode and retrieve a password-protected RAR archive disguised as a PDF document, and at the same time creates a new registry entry for persistence.

The script then invokes ‘srchost.exe,’ which executes an obfuscated Python script downloaded from a hard-coded remote server address. That script finally loads the Noodlophile information stealer into memory.

If a security product such as Avast is present on the infected system, the malware uses process hollowing to inject the payload into RegAsm.exe; otherwise it uses shellcode injection for in-memory execution.

Noodlophile is an information stealer that captures sensitive data from web browsers, including credentials, session cookies and tokens, as well as files from cryptocurrency wallets. What sets it apart in the existing malware landscape is the combination of browser credential theft with wallet exfiltration and the optional deployment of remote access capabilities.

The data stolen by Noodlophile is exfiltrated through a Telegram bot, which effectively serves as the command and control (C2) server and gives the attackers real-time access to the stolen data. In some cases Noodlophile is bundled with XWorm, a remote access trojan, extending the threat actors' capabilities beyond passive information gathering.

To defend against such threats, users should avoid downloading and executing files obtained from untrusted sources, always verify a file's extension before opening it, and scan every downloaded file with up-to-date antivirus software.