Introduction

Zscaler ThreatLabz researchers recently uncovered AI-themed websites designed to spread malware. The threat actors behind these attacks exploit the popularity of AI tools like ChatGPT and Luma AI. The websites are built on platforms such as WordPress and are designed to poison search engine rankings, increasing the probability that unsuspecting users land on them. If a user interacts with one of these AI-themed websites, JavaScript triggers a redirection chain that ultimately delivers malware including Vidar, Lumma, and Legion Loader. In this blog post, we provide an in-depth analysis of these malware campaigns.

Key Takeaways

- Threat actors are using Black Hat SEO to poison search engine rankings for AI keywords in order to spread malware.
- The search engine results lead to malicious websites that use multiple layers of redirection to hide the final malware payloads.
- The threat actors fingerprint the browser (e.g., version, window resolution, cookies, user agent) before redirecting potential victims to malware.
- These campaigns have distributed malware such as Vidar, Lumma, and Legion Loader (which in turn has deployed cryptocurrency-stealing extensions).
- In the cases we observed, the malware payloads are often packaged in large installer files to evade sandboxes (many sandboxes enforce a file-size limit and skip oversized samples).

Technical Analysis

Overview

The attack starts when a victim lands on one of these AI-themed websites. The sites are optimized, through Black Hat SEO techniques, to rank highly in Google search results for trending AI-related topics. For instance, if a user searches for a query like “Luma AI blog,” the malicious page often appears as one of the top results, as shown in the figure below.

Figure 1: Example Google search result for AI-based topics leading to malware.

Once the victim clicks on the search result, a webpage similar to the following appears:

Figure 2: Example AI-themed website designed to lure victims into installing malware.

Once the victim visits the page, malicious JavaScript runs, collects browser data, XOR-encodes it (simple obfuscation rather than real encryption, so the data is recoverable once the key is lifted from the script), and sends it to the attacker-controlled domain gettrunkhomuto[.]info. The threat actor’s server decodes the data, verifies the information, and responds with a 302 redirect to an intermediate site. The intermediate site serves JavaScript that checks the victim’s public IP address to determine the final destination, often redirecting to another webpage hosting malware payloads like Vidar Stealer, Lumma Stealer, or
[…]
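The fingerprint-then-XOR beacon described above, as an added illustration written for this edit (it is not the campaign's script and not Zscaler's code): it builds a fingerprint from the attributes the post lists, XOR-encodes the JSON with a repeating key and hex-encodes it for transport, then shows the analyst's side, decoding a captured blob with a key lifted from the script, and recovering the key stream from a known plaintext prefix when the key is not yet known. The field names, the key `example-key`, the sample environment values and the hex transport are assumptions; the real script's wire format is not reproduced in the excerpt, and no request to gettrunkhomuto[.]info or anywhere else is made.

```javascript
// Added illustration of the "fingerprint, XOR, beacon" pattern described above.
// It is not the campaign's script: field names, key, sample values and the
// hex transport are assumptions made for this example. No network call is made.

const XOR_KEY = "example-key"; // hypothetical; a real script hard-codes its own

// Build a fingerprint from the attributes the post lists (user agent /
// version, window resolution, cookies). `env` is injected so the function
// runs in Node with a constructed object; in a browser pass
// { navigator, screen, document }.
function collectFingerprint(env) {
  return {
    ua: env.navigator.userAgent,
    lang: env.navigator.language,
    res: `${env.screen.width}x${env.screen.height}`,
    cookies: env.document.cookie.length > 0,
  };
}

// Repeating-key XOR: the same function both encodes and decodes.
function xorBytes(bytes, key) {
  const k = new TextEncoder().encode(key);
  if (k.length === 0) throw new Error("empty XOR key");
  const out = new Uint8Array(bytes.length);
  for (let i = 0; i < bytes.length; i++) out[i] = bytes[i] ^ k[i % k.length];
  return out;
}

function toHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

function fromHex(hex) {
  return Uint8Array.from(hex.match(/../g) || [], (h) => parseInt(h, 16));
}

// Attacker side: serialize the fingerprint, XOR it, hex-encode for transport.
function encodeBeacon(fp, key = XOR_KEY) {
  return toHex(xorBytes(new TextEncoder().encode(JSON.stringify(fp)), key));
}

// Analyst side, key known (lifted from the page's script): recover the object.
function decodeBeacon(hex, key = XOR_KEY) {
  return JSON.parse(new TextDecoder().decode(xorBytes(fromHex(hex), key)));
}

// Analyst side, key unknown: XOR the captured blob with the plaintext you
// expect at its start. With repeating-key XOR the result is the key stream,
// so a known prefix at least as long as the key reveals the whole key.
function keyStreamFromKnownPlaintext(hex, knownPrefix) {
  const ct = fromHex(hex);
  const pt = new TextEncoder().encode(knownPrefix);
  const n = Math.min(ct.length, pt.length);
  const ks = new Uint8Array(n);
  for (let i = 0; i < n; i++) ks[i] = ct[i] ^ pt[i];
  return ks;
}

// Constructed stand-in for a real browser environment (sample values only).
const SAMPLE_ENV = {
  navigator: {
    userAgent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    language: "en-US",
  },
  screen: { width: 1920, height: 1080 },
  document: { cookie: "session=abc123" },
};

// Walk the round trip once so the block runs stand-alone.
const beacon = encodeBeacon(collectFingerprint(SAMPLE_ENV));
console.log("beacon:", beacon);
console.log("decoded:", decodeBeacon(beacon));
const ks = keyStreamFromKnownPlaintext(beacon, '{"ua":"Mozilla/5.0 (Windows');
console.log("recovered key:", new TextDecoder().decode(ks.slice(0, XOR_KEY.length)));
```

The known-plaintext step is the practical point for an analyst looking at captured traffic: a JSON beacon always starts with a predictable prefix such as `{"ua":"Mozilla/5.0`, and because the key repeats, XORing that prefix against the first bytes of the blob hands back the key directly, without ever opening the obfuscated script.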