A new family of information-stealing malware, dubbed 'Noodlophile,' is being spread through fake AI-powered video generation tools that deliver it under the guise of generated media content.
The websites are promoted in high-visibility Facebook groups and use catchy names like the "Dream Machine" to pass themselves off as sophisticated artificial intelligence tools that create videos from files the user uploads.
Using AI tools to spread malware is not a new idea and has already been adopted by experienced hackers, but the latest campaign, reported by Morphisec, adds a new infostealer to the mix.
Morphisec claims that Noodlophile is a new malware-as-a-service operation associated with Vietnamese-speaking operators because it is being offered for sale on dark web forums, often in conjunction with "Get Cookie + Pass" services.
Once the victim visits the malicious website and submits their files, they are given a ZIP archive that is supposed to contain the AI-generated video. Instead, the ZIP includes a deceptively named executable (Video Dream MachineAI.mp4.exe) as well as a hidden folder containing numerous files required for the following stages. If a Windows user has file extensions hidden (which should never be done), the file will appear to be an MP4 video file.
"The file Video Dream MachineAI.mp4.exe is a 32-bit C++ application signed using a certificate created via Winauth," notes Morphisec. "Despite its misleading name (suggesting an .mp4 video), this binary is actually a repurposed version of CapCut, a legitimate video editing tool (version 445.0). This deceptive naming and certificate help it evade user suspicion and some security solutions."
Double-clicking the fake MP4 launches a chain of executables, culminating in the launch of a batch script (Document.docx/install.bat). The script uses the legitimate Windows tool 'certutil.exe' to decode and extract a base64-encoded, password-protected RAR archive masquerading as a PDF document. At the same time, it creates a new registry key for persistence.
Subsequently, the script runs 'srchost.exe,' which executes an obfuscated Python script (randomuser2025.txt) retrieved from a hardcoded remote server address, ultimately executing the Noodlophile Stealer in memory. If Avast is found on the infected system, PE hollowing is employed to inject the payload into RegAsm.exe. Shellcode injection is used for in-memory execution.
The best defence against this kind of malware is to avoid downloading and running files from unknown websites. Always check file extensions before opening files, and run an antivirus scan on any downloaded file before running it.
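The extension check recommended above can be run on a downloaded archive before anything in it is opened, covering both the double-extension lure and the hidden folder described earlier. This is an added example, not code from Morphisec or the original article; the folder name `stage/`, the extension lists and the sample archive are constructed assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
DECOY_EXTS = {".mp4", ".mov", ".avi", ".jpg", ".png", ".pdf", ".docx", ".txt"}
DOS_HIDDEN = 0x02  # hidden bit in the low (MS-DOS) byte of external_attr


def audit_zip(data: bytes) -> dict[str, list[str]]:
    """Map each suspicious entry name to the reasons it was flagged."""
    findings: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = zf.infolist()
    # Files inside a hidden folder usually do not carry the hidden bit themselves.
    hidden_dirs = [e.filename for e in entries
                   if e.is_dir() and e.external_attr & DOS_HIDDEN]
    for e in entries:
        if e.is_dir():
            continue
        suffixes = [s.lower() for s in PurePosixPath(e.filename).suffixes]
        reasons = []
        if (len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_EXTS
                and suffixes[-2] in DECOY_EXTS):
            reasons.append("decoy extension before executable extension")
        if e.external_attr & DOS_HIDDEN or any(e.filename.startswith(d) for d in hidden_dirs):
            reasons.append("hidden file or inside hidden folder")
        if reasons:
            findings[e.filename] = reasons
    return findings


def build_sample() -> bytes:
    """Constructed archive mimicking the layout described above (harmless bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Video Dream MachineAI.mp4.exe", b"not a real binary")
        hidden = zipfile.ZipInfo("stage/")        # folder name is an assumption
        hidden.create_system = 0                  # MS-DOS attribute semantics
        hidden.external_attr = 0x10 | DOS_HIDDEN  # directory + hidden
        zf.writestr(hidden, b"")
        zf.writestr("stage/Document.docx", b"placeholder")
        zf.writestr("readme.txt", b"benign")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in audit_zip(build_sample()).items():
        print(f"{name}: {', '.join(reasons)}")
```

The hidden-attribute check relies on the archive having been built with Windows-style attributes, so a clean result does not rule out hidden content in archives created on other systems.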