Attackers have been abusing the popularity of AI-powered image editing tools to trick users into installing malware disguised as legitimate editors.
The campaign uses hijacked Facebook pages and paid advertising to promote the fake apps and spread the malware.
To take over those pages, the attackers first phish their owners with messages that lead to fake account-protection pages, which capture the owners' passwords.
Malicious advertising on Facebook
Jaromir Horejsi, a threat researcher at Trend Micro who analyzed the campaign, said: “We discovered a malvertising campaign involving a threat actor stealing social media pages, changing their names to make them appear connected to popular AI photo editors. The threat actor then creates malicious posts with links to fake websites that look similar to the legitimate photo editor’s real website. To increase traffic, the perpetrator then promotes the malicious posts through paid ads” (via BleepingComputer).
The software package that victims install is not the AI image editor but the Itarian remote desktop tool, which then launches a downloader on the victim’s device that installs the Lumma Stealer malware. The stealer covertly scans the victim’s files for valuable data, such as cryptocurrency wallet files, credentials, password manager files, and browser data.
The stolen data is then sold on the dark web, or the credentials are used to take over further accounts, which are in turn used to promote more scams.
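The chain described above (user-run installer, then a remote desktop agent, then a downloader and a stealer payload) leaves a distinctive process ancestry on the endpoint. The following hunt is an added example, not code from Trend Micro or the article: it walks constructed Sysmon-style process-creation events and flags two things, a remote-management agent appearing on a host that IT never deployed it to, and any descendant of that agent that executes from a user-writable directory. The agent executable names (`rmm_agent.exe`, `rmm_service.exe`), the host inventory, and every path in the sample events are hypothetical placeholders; substitute the names your EDR reports for the tool in your environment.

```python
"""Hunt for a remote desktop agent acting as a malware loader.

Added example. The events below are constructed, not real telemetry, and the
RMM binary names, host inventory and lure file names are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    host: str
    pid: int
    ppid: int
    image: str  # full path of the executable that started


# Hypothetical executable names standing in for the remote desktop agent.
RMM_IMAGES = {"rmm_agent.exe", "rmm_service.exe"}

# Hosts where IT deliberately deployed the agent (assumed inventory).
MANAGED_HOSTS = {"WS-FINANCE-12"}

# Locations a standard user can write to; a downloader stages its payload
# here rather than in Program Files, which needs admin rights.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def ancestors(ev: ProcEvent, by_key: Dict[Tuple[str, int], ProcEvent]) -> List[ProcEvent]:
    """Walk the parent chain on the same host, guarding against PID-reuse loops."""
    chain, seen = [], {ev.pid}
    cur = by_key.get((ev.host, ev.ppid))
    while cur is not None and cur.pid not in seen:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_key.get((cur.host, cur.ppid))
    return chain


def find_rmm_loader_chains(events: List[ProcEvent]) -> List[dict]:
    """Return one finding per suspicious event; an event can match both rules."""
    by_key = {(e.host, e.pid): e for e in events}
    findings = []
    for ev in events:
        # Rule 1: the agent runs on a host that was never enrolled by IT.
        if basename(ev.image) in RMM_IMAGES and ev.host not in MANAGED_HOSTS:
            findings.append({"pid": ev.pid, "rule": "rmm-on-unmanaged-host", "image": ev.image})
        # Rule 2: something launched under the agent executes from a user-writable path.
        rmm_parent = next((a for a in ancestors(ev, by_key) if basename(a.image) in RMM_IMAGES), None)
        if rmm_parent is not None and in_user_writable(ev.image):
            findings.append({"pid": ev.pid, "rule": "rmm-spawned-user-writable-exe",
                             "image": ev.image, "via": rmm_parent.image})
    return findings


# Constructed sample: one victim workstation, not in MANAGED_HOSTS.
SAMPLE_EVENTS = [
    ProcEvent("WS-ALICE-07", 100, 4, r"C:\Windows\explorer.exe"),
    ProcEvent("WS-ALICE-07", 200, 100, r"C:\Users\alice\Downloads\PhotoEditorAI_Setup.exe"),  # lure installer
    ProcEvent("WS-ALICE-07", 300, 200, r"C:\Program Files\RMM\rmm_agent.exe"),                 # remote desktop agent
    ProcEvent("WS-ALICE-07", 400, 300, r"C:\Users\alice\AppData\Local\Temp\stage.exe"),        # downloader
    ProcEvent("WS-ALICE-07", 500, 400, r"C:\Users\alice\AppData\Roaming\svc\update.exe"),      # stealer payload
    ProcEvent("WS-ALICE-07", 600, 100, r"C:\Program Files\Mozilla Firefox\firefox.exe"),       # benign
    ProcEvent("WS-ALICE-07", 700, 600, r"C:\Users\alice\AppData\Local\Temp\FirefoxUpdate.exe"),  # benign, no RMM ancestor
]

if __name__ == "__main__":
    for finding in find_rmm_loader_chains(SAMPLE_EVENTS):
        print(finding)
```

On the sample, the agent itself (pid 300) is flagged because the host is not in the managed inventory, and the two executables it transitively launched from Temp and Roaming (pids 400 and 500) are flagged as the loader chain, while the browser-spawned Temp executable (pid 700) is left alone because nothing in its ancestry is the agent. The inventory check matters: a legitimately deployed agent produces exactly the same process tree when an administrator pushes software, so rule 2 alone would be noisy on managed hosts.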
In response to the campaign, Horejsi offered some ways to stay safe from it, stating: “Users should enable multi-factor authentication (MFA) on all social media accounts to add an extra layer of protection against unauthorized access. Organizations should educate their employees about the dangers of phishing attacks and how to recognize suspicious messages and links. Users should always verify the legitimacy of links, especially those that ask for personal information or login credentials.”