In a concerning development for cybersecurity experts, the notorious hacking group FIN7 has launched a network of websites featuring fake AI-powered adult content generators. This sophisticated scheme, uncovered by Silent Push researchers, aims to infect visitors with data-stealing malware, highlighting the evolving tactics of cybercriminals in the digital age.
FIN7: A Decade of Cyber Threats
FIN7, also known as Sangria Tempest, Carbon Spider, and Carbanak, has been a persistent threat in the cybersecurity landscape since 2013. Initially focused on point-of-sale (PoS) attacks to steal payment data, the group has since expanded its operations to include large-scale corporate breaches and ransomware distribution. Their association with notorious ransomware groups like DarkSide, BlackMatter, and BlackCat underscores the severity of their activities.
From Phishing to Fake AI: FIN7’s Evolving Tactics
Traditionally, FIN7 specialized in complex phishing and social engineering attacks to gain initial access to corporate networks. A notable example of their ingenuity was impersonating Best Buy to mail malicious USB drives to targeted victims. Their latest campaign, however, represents a significant shift in strategy, exploiting the growing interest in AI-generated content.
The AI Nude Deception
The group has created an intricate network of websites under the “AI Nude” brand, promising free deepnude generation services. These sites, promoted through black hat SEO techniques, claim to create explicit images from regular photos of clothed individuals. This tactic preys on curiosity and the current AI hype, luring unsuspecting users into a carefully crafted trap.
Anatomy of the Attack
When visitors attempt to use these fake AI services, they are directed through a series of deceptive steps:
1. Users upload an image for “processing”
2. The site claims to generate a deepnude but doesn’t display it
3. Visitors are prompted to download their “result” via a link
4. The link leads to a password-protected archive on Dropbox
5. Instead of AI-generated content, the archive contains the Lumma infostealer
The Malware Payload
Once executed, the Lumma infostealer harvests a wide range of sensitive data from the victim’s device, including:
- Stored credentials and cookies from web browsers
- Cryptocurrency wallet information
- Other valuable personal and financial data
Broader Implications and Additional Campaigns
The AI Nude campaign is just one facet of FIN7’s current operations. Researchers have also identified other malicious activities, including:
- Distribution of the RedLine stealer and D3F@ck Loader through Windows software download sites
- Spreading NetSupport RAT via fake browser extension installation pages
- Disguising malware as products from popular brands like Canon, Zoom, Fortnite, and Razer Gaming
This multi-pronged approach demonstrates FIN7’s adaptability and the ongoing challenges faced by cybersecurity professionals. As AI and other emerging technologies continue to capture public attention, it’s crucial for users to remain vigilant and skeptical of too-good-to-be-true online offers. Organizations must also stay informed about these evolving threats and implement robust security measures to protect against sophisticated cyber attacks.