
Fake AI Video Generator Distributes Info Stealing Malware

Cybersecurity researcher g0njxa recently discovered a cyberattack campaign leveraging fake AI video generators to infect machines with info-stealing malware. The attacker installed the Lumma and AMOS stealers on both Windows and macOS machines.

Lumma targets Windows machines, while AMOS targets macOS machines. Both are used to steal cryptocurrency wallets, cookies, credentials, passwords, credit cards, and browsing history from Google Chrome, Microsoft Edge, Mozilla Firefox, and other Chromium-based browsers.


Threat actors have created several fake websites masquerading as landing pages for AI video generators. The fake product is called EditPro. Further, threat actors have been advertising the malicious product on X, using deepfake political videos, such as President Biden and Trump enjoying ice cream together.

Rather than using X's advertising service, the posts are shared by verified (blue-check) bot accounts to give the fake product more legitimacy.

Once X users click through the post, they are redirected to one of the fake EditPro websites. The domain editproai[.]pro was created to push Lumma, the Windows malware, while editproai[.]org was created to push AMOS, the macOS malware.

It is important to note that the sites are professional-looking and even contain the ubiquitous cookie banner, making them look and feel legitimate.

An executable is downloaded if the end-user clicks the "Get Now" button. For Windows users, the file is called "Edit-ProAI-Setup-newest_release.exe," and for macOS, it is named "EditProAi_v.4.36.dmg."

As a security measure, software packages are expected to carry a digital signature backed by a code-signing certificate from a reputable issuer. The Windows package does carry such a signature, but the certificate appears to have been stolen from Softwareok.com, a freeware utility developer, so a valid signature alone says nothing about who actually built the installer.
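The check a defender would want here, as an added example that is not part of the original article: inspect the installer's Authenticode signature and compare the signer's name with the publisher the product claims to be, rather than trusting a "Valid" status on its own. The expected publisher name and the local file path are assumptions; the installer file name is the one reported above.

```powershell
# Added example (not from the article): inspect a downloaded installer's
# Authenticode signature before trusting it. A "Valid" status only means the
# signature chains to a trusted root; as in the EditPro case, a valid signature
# can belong to a signer that has nothing to do with the claimed product.
function Test-InstallerSigner {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Hypothetical expected publisher CN; replace with the real vendor's name.
        [Parameter(Mandatory)] [string] $ExpectedPublisher
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $signerCn = $null
    if ($sig.SignerCertificate) {
        # Subject looks like "CN=Vendor Name, O=..., C=..."; pull out the CN only.
        $cnPart = $sig.SignerCertificate.Subject -split ',\s*' |
            Where-Object { $_ -like 'CN=*' } | Select-Object -First 1
        if ($cnPart) { $signerCn = $cnPart -replace '^CN=', '' }
    }

    if ($sig.Status -ne 'Valid') {
        $verdict = "reject: signature missing, broken or untrusted ($($sig.Status))"
    } elseif ($signerCn -ne $ExpectedPublisher) {
        # The EditPro case: valid signature, wrong signer (a freeware vendor's cert).
        $verdict = "reject: signed by '$signerCn', not '$ExpectedPublisher'"
    } else {
        # A matching name is still not proof; a stolen cert from the same vendor
        # would pass here, so keep the hash for comparison with the vendor's site.
        $verdict = 'signature valid and signer matches expected publisher'
    }

    [pscustomobject]@{
        File       = $Path
        Status     = $sig.Status
        SignerCN   = $signerCn
        Thumbprint = $sig.SignerCertificate.Thumbprint
        Sha256     = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        Verdict    = $verdict
    }
}

# Usage: the file name is the one reported for the Windows package; the
# publisher value is a placeholder, not a real certificate subject.
Test-InstallerSigner -Path '.\Edit-ProAI-Setup-newest_release.exe' -ExpectedPublisher 'EditPro (placeholder)'
```

Log the returned Thumbprint and Sha256 alongside the verdict so a later IoC match can be made against the same file.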

If you have downloaded EditPro recently, you are strongly advised to reset all your passwords, as they can be considered compromised. You should also enable multifactor authentication at all sensitive sites, such as cryptocurrency exchanges, online banking, email, and financial services.

Lumma and Amos

As mentioned above, Lumma is an info stealer that explicitly targets Windows machines. The malware is written in C and precisely tailored to steal data from an infected machine. It is offered as malware-as-a-service (MaaS) and has become increasingly popular in the cybercriminal underground.

The latest malware version can steal cryptocurrency wallets, web browser information, email credentials, financial data, sensitive files within user directories, personal data, and FTP client data. The malware employs sophisticated event-controlled write operations and encryption techniques to help evade detection.

AMOS, or Atomic macOS Stealer, is also offered as Malware-as-a-Service. The malware is sold via Telegram and, at the time of writing, costs a threat actor approximately 3000 USD per month. The info stealer can exfiltrate keychain passwords, user documents, system information, cookies, browser data, credit card information, cryptocurrency wallets, and other sensitive information.

As this publication has noted, threat actors have been using stealers extensively lately, especially to gain initial access to a machine and drop other malware payloads further down the infection chain. What is driving this surge in popularity?

It is difficult to say with certainty that there is one driving factor; however, security researchers have noted several possible factors that add fuel to this fire.

Flashpoint noted,

The simplicity of coding stealer malware makes it easy for threat actors to obtain malicious source code, as long as they know where to look. However, they need not look far, as commonly used sites like GitHub have numerous strains that are freely available. Additionally, prominent stealers are frequently compromised by competing threat actors who then create and sell clones or forked versions. An example is the creation of the popular “Vidar” strain, which was a copycat of “Arkei.” Consequently, Vidar’s leak led to the creation of “Mars” and “Oski,” which are both currently considered to be defunct.

Other factors, such as the low overhead costs of some of these stealers and improved functionality, including offloading server maintenance to hosting services that don't vet their clients, further reduce overheads. When these factors are combined with the potential upsides in terms of financial gain, a clearer picture of why stealers have recently increased in popularity begins to emerge.

The financial upsides include:

Logs are sold through various avenues, and malicious actors often pull the specific data they are interested in, such as bank credentials, and sell the rest on illicit marketplaces such as Russian Market and 2easy. Different types of logs are listed for sale on illegal bot shops and can be found based on search criteria depending on the buyer’s interests… Threat actors may also set up their own feed or service, with some threat actors leveraging Telegram bots to manage their operations. Flashpoint has seen many threat actors set up subscription services to provide a continuous feed of fresh logs to customers.

Perhaps more traditionally, the compromised credentials and session cookies found within logs can be further exploited to gain unauthorized access to accounts or to drain or steal funds from credit cards and crypto wallets. As a result of this financial flexibility, the threat actor community considers stealer data to be of high value.

We have seen stealers be used as initial access vectors for ransomware campaigns; stolen credentials have been used to breach corporate networks to facilitate data theft; and credentials have been used to alter or amend network routing configurations that ultimately cause chaos.

When these factors are considered, namely that stealers are easily monetized, serve as an initial access vector, and are comparatively easy to develop, it is little wonder their popularity has surged.


About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over five years of experience in this field. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
