Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Noodlophile. Show all posts
Noodlophile
AI Video Generator Deepfake Infostealer malware Noodlophile

Cybercriminals Employ Fake AI tools to Propagate the Infostealer Noodlophile

 

A new family of malware that steals information, dubbed 'Noodlophile,' is being spread using fake AI-powered video generating tools that pose as generated media content.

The websites are promoted on Facebook groups with a high level of visibility and use catchy names like the "Dream Machine" to make themselves seem like sophisticated artificial intelligence tools that create videos from user files that are uploaded. The latest effort by Morphisec adds a new infostealer to the mix, even though the idea of using AI tools to spread malware is not new and has been used by experienced hackers. 

Morphisec claims that Noodlophile is a new malware-as-a-service enterprise associated with Vietnamese-speaking operators because it is being offered for sale on dark web forums, often in conjunction with "Get Cookie + Pass" services. 

Once the victim visits the malicious website and submits their files, they are given a ZIP folder that is intended to include an artificial intelligence film. Instead, the ZIP includes a fraudulently called application (Video Dream MachineAI.mp4.exe) as well as a hidden folder containing numerous files required for following phases. If a Windows user disables file extensions (which should never be done), the file will appear to be an MP4 video file. 

"The file Video Dream MachineAI.mp4.exe is a 32-bit C++ application signed using a certificate created via Winauth," notes Morphisec."Despite its misleading name (suggesting an .mp4 video), this binary is actually a repurposed version of CapCut, a legitimate video editing tool (version 445.0). This deceptive naming and certificate help it evade user suspicion and some security solutions.”

Double-clicking on the fraudulent MP4 will open a sequence of executables, culminating in the launch of a batch script (Document.docx/install.bat). The script uses the genuine Windows program 'certutil.exe' to decode and extract a base64-encoded password-protected RAR package masquerading as a PDF document. At the same time, it creates a new registry key for persistence.

Subsequently, the script runs'srchost.exe,' which executes an obfuscated Python script (randomuser2025.txt) retrieved from a hardcoded remote server address, ultimately executing the Noodlophile Stealer in memory. If Avast is found on the infected system, PE hollowing is employed to inject the payload into RegAsm.exe. Shellcode injection is used for in-memory execution. 

The best defence against malware is to stay away from files downloaded and run from unidentified websites. Always check file extensions before opening them, and run an antivirus scan on any downloaded files before running them.
Read more »
Trojan
AItools CapCut Cybersecurity Darkweb Infostealer malware Noodlophile phishing Ransomware RAT Spyware Telegrambot Trojan

New AI Video Tool Scam Delivers Noodlophile Malware to Steal Your Data

 

Cybercriminals are using fake AI-powered video generation tools to spread a newly discovered malware strain called ‘Noodlophile’, disguised as downloadable media content.

Fraudulent websites with names like "Dream Machine" are being promoted in high-visibility Facebook groups, pretending to be advanced AI tools that can generate videos from user-uploaded files. However, these platforms are actually fronts for distributing information-stealing malware.

While cybercriminals leveraging AI for malware distribution isn't new, Morphisec researchers have uncovered a fresh campaign that introduces this new infostealer. “Noodlophile” is currently being sold on dark web forums, frequently bundled with services like "Get Cookie + Pass," indicating it's part of a malware-as-a-service operation linked to Vietnamese-speaking threat actors.

Once a victim uploads their file to the fake site, they receive a ZIP archive that supposedly contains the generated video. Instead, the archive includes a misleading executable named "Video Dream MachineAI.mp4.exe" and a hidden folder housing essential files for subsequent malware stages. On systems with file extensions hidden, the file could appear to be a harmless video.

"The file Video Dream MachineAI.mp4.exe is a 32-bit C++ application signed using a certificate created via Winauth," explains Morphisec.

This executable is actually a modified version of CapCut, a legitimate video editing software (version 445.0), and the naming and certificate are used to deceive both users and antivirus software.

Once run, the file executes a sequence of commands that launch a batch script (Document.docx/install.bat). This script then uses the Windows tool 'certutil.exe' to decode and extract a base64-encoded, password-protected RAR file that mimics a PDF. It also adds a registry key to maintain persistence on the system.

The batch script then runs srchost.exe, which executes an obfuscated Python script (randomuser2025.txt) from a hardcoded remote server. This leads to the in-memory execution of the Noodlophile stealer.

If Avast antivirus is found on the system, the malware uses PE hollowing to inject its code into RegAsm.exe. If not, it resorts to shellcode injection.

"Noodlophile Stealer represents a new addition to the malware ecosystem. Previously undocumented in public malware trackers or reports, this stealer combines browser credential theft, wallet exfiltration, and optional remote access deployment," explains the Morphisec researchers.

The malware targets data like browser credentials, session cookies, tokens, and cryptocurrency wallets. Stolen information is sent through a Telegram bot, acting as a stealthy command and control (C2) channel. In some cases, Noodlophile is also packaged with XWorm, a remote access trojan (RAT), enabling more aggressive data theft.

How to Stay Safe:
  • Avoid downloading files from unverified websites.
  • Double-check file extensions—don’t trust names alone.
  • Always run downloads through a reliable, up-to-date antivirus tool before executing.


Read more »
Subscribe to: Posts (Atom)