
    Cybercriminals Aim at AI Users with Malicious Installers Masquerading as Well-Known Software

    The Rise of Fake AI Installers: A New Threat Landscape

    The Alarming Trend of Fake AI Tools

    As artificial intelligence (AI) continues to permeate various sectors, from business to marketing, a troubling trend has emerged: the proliferation of fake AI installers. These malicious tools often masquerade as popular applications like OpenAI’s ChatGPT and InVideo AI, luring unsuspecting users into a web of threats. Recently reported by Cisco Talos, these threats include ransomware families such as CyberLock and Lucky_Gh0$t, along with a new type of malware called Numero. The risk is considerable, particularly for individuals and organizations within the fast-paced world of B2B sales and marketing.

    The Mechanics of CyberLock Ransomware

    CyberLock ransomware, written in PowerShell, targets specific file types on a victim’s computer. According to Cisco Talos researcher Chetan Raghuprasad, it encrypts those files on the standard partitions (C:\, D:\, and E:\) before demanding a staggering ransom of $50,000 in Monero. The ransom note even goes so far as to claim that the funds will be used to support humanitarian causes, preying on the emotions of its victims.

    Analysis of Lucky_Gh0$t Ransomware

    In a similar vein, Lucky_Gh0$t, a variant of the Yashma ransomware, has distinctive features of its own. Distributed as a supposed premium version of ChatGPT, the fake installer bundles additional malicious files that execute the ransomware payload. This variant specifically targets smaller files, encrypting any under 1.2GB in size, and eliminates recovery options by deleting volume shadow copies and backups.
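As an added illustration that is not part of this article or of the Cisco Talos report, the detection logic below flags the shadow-copy and backup-catalog deletion the paragraph describes, run over a few constructed Windows process-creation records. The key=value record format, the file paths, the severity rule and the sample events are this example's own assumptions (loosely modelled on Sysmon Event ID 1 output); the Windows utilities named in the patterns are real, but none of the sample events are real telemetry.

```python
import re
from typing import Dict, List

# Constructed sample process-creation records in a simplified key=value form
# (loosely modelled on Sysmon Event ID 1 output). Illustrative only, not real telemetry.
SAMPLE_EVENTS = [
    'Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin delete shadows /all /quiet" '
    'ParentImage=C:\\Users\\alice\\Downloads\\ai_tool_setup.exe',
    'Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine="wmic shadowcopy delete" '
    'ParentImage=C:\\Windows\\Temp\\installer.exe',
    'Image=C:\\Windows\\System32\\wbadmin.exe CommandLine="wbadmin delete catalog -quiet" '
    'ParentImage=C:\\Windows\\Temp\\installer.exe',
    'Image=C:\\Windows\\System32\\vssadmin.exe CommandLine="vssadmin list shadows" '
    'ParentImage=C:\\Windows\\System32\\cmd.exe',
    'Image="C:\\Program Files\\Vendor\\backup.exe" CommandLine="backup.exe --nightly" '
    'ParentImage=C:\\Windows\\System32\\services.exe',
]

# Detection rules: a name plus a pattern applied to the CommandLine field.
# Listing shadows is routine administration; deleting them (or the backup
# catalog) ahead of encryption is the recovery-inhibition step to alert on.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
]

# A parent launched from a user-writable location (where a downloaded "installer"
# lands) raises the severity; a backup agent under Program Files does not.
USER_WRITABLE_SEGMENTS = ("\\downloads\\", "\\temp\\", "\\appdata\\")

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Split a key=value record; quoted values may contain spaces."""
    fields: Dict[str, str] = {}
    for m in FIELD_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def parent_from_user_writable_path(parent: str) -> bool:
    """True when the parent image sits in a directory an ordinary user can write to."""
    return any(seg in parent.lower() for seg in USER_WRITABLE_SEGMENTS)


def detect_shadow_copy_tampering(events: List[str]) -> List[Dict[str, str]]:
    """Return one finding per record whose command line matches a rule,
    keeping the parent image so an analyst sees what spawned the deletion."""
    findings: List[Dict[str, str]] = []
    for line in events:
        ev = parse_event(line)
        cmd = ev.get("CommandLine", "")
        parent = ev.get("ParentImage", "")
        for name, pattern in RULES:
            if pattern.search(cmd):
                findings.append({
                    "rule": name,
                    "command": cmd,
                    "parent": parent,
                    "severity": "high" if parent_from_user_writable_path(parent) else "medium",
                })
                break  # one finding per record is enough
    return findings


if __name__ == "__main__":
    for f in detect_shadow_copy_tampering(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']}: {f['command']}  (parent: {f['parent']})")
```

The benign "vssadmin list shadows" record and the scheduled backup job produce no finding; the three deletions do, and each is marked high because its parent is an executable running out of Downloads or Temp, which is exactly the shape a fake installer takes.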

    Numero: A New Player in Destructive Malware

    Numero stands out due to its destructive functionalities, which manipulate the graphical user interface (GUI) of Windows systems to render them practically unusable. When users download the fake installer, they unwittingly initiate a chain of events that results in their desktop environment being overwritten with a numeric string. This not only disrupts their workflow but also makes any recovery efforts exceedingly difficult.

    Deceptive Marketing Tactics

    Threat actors are increasingly using search engine optimization (SEO) techniques to promote their fake AI tools. For example, the website novaleadsai[.]com masquerades as a legitimate lead monetization platform, enticing users with claims of free access. The downloadable ZIP archive is far from harmless; it contains a loader that initiates the CyberLock ransomware. Such tactics showcase the advanced strategies that cybercriminals employ to prey on unsuspecting users.

    The Ransom Demands and Manipulation

    The ransom notes generated by ransomware attacks often aim to manipulate victims emotionally. CyberLock’s ransom note, in particular, attempts to validate its demands by linking the monetary payment to various humanitarian crises. This psychological manipulation can be particularly distressing for victims, raising questions about the ethics of such cybercrimes.

    Countermeasures: What Users Can Do

    Given the growing prevalence of these fake AI tools, it’s crucial for users to remain vigilant. One of the best lines of defense against these threats is to ensure that any software being downloaded comes from reputable, verified sources. Additionally, employing robust cybersecurity measures, including firewalls and anti-malware software, can provide an extra layer of protection.
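To make "reputable, verified sources" concrete, here is an added example of my own (not from the article, Cisco Talos or any software vendor) of a check a user or help desk can run on a downloaded archive before opening it: compare its SHA-256 against the hash the vendor publishes on its own site, and list every archive member that would execute code, flagging document-looking names with an executable suffix. It goes slightly beyond the paragraph, which only mentions source verification. The sample archive, its member names and the expected hash are constructed for this example; the ZIP lure in the "Deceptive Marketing Tactics" section is only the model for the sample layout and is not reproduced here.

```python
import hashlib
import hmac
import io
import zipfile
from typing import Dict, List

# File types Windows will execute (or that launch something else) when opened.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".msi", ".dll", ".scr", ".ps1", ".bat", ".cmd",
    ".vbs", ".js", ".jse", ".wsf", ".hta", ".lnk",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_published_hash(data: bytes, expected_hex: str) -> bool:
    """expected_hex must come from the vendor's own site or release notes,
    fetched separately; a hash printed beside the download link proves nothing."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.strip().lower())


def inspect_archive(data: bytes) -> Dict[str, List[str]]:
    """List members that would execute code, double-extension lures such as
    'Setup.pdf.exe', and names that would escape the extraction directory."""
    findings: Dict[str, List[str]] = {
        "executable_members": [], "double_extensions": [], "path_traversal": [],
    }
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = name.lower().rsplit("/", 1)[-1].split(".")
            suffix = "." + parts[-1] if len(parts) > 1 else ""
            if suffix in EXECUTABLE_EXTENSIONS:
                findings["executable_members"].append(name)
                if len(parts) > 2:  # e.g. setup.pdf.exe
                    findings["double_extensions"].append(name)
            if name.startswith("/") or ".." in name.split("/"):
                findings["path_traversal"].append(name)
    return findings


def triage_download(data: bytes, expected_hex: str) -> Dict[str, object]:
    """A hash mismatch is a stop on its own; a matching hash still gets the
    archive report so a reviewer sees what the installer would actually run."""
    return {
        "hash_matches": verify_published_hash(data, expected_hex),
        "archive": inspect_archive(data),
    }


def build_sample_archive() -> bytes:
    """Constructed lure-style archive for this example: the layout imitates an
    installer but carries a script file and a double-extension executable.
    Member contents are placeholders, not real binaries or scripts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AIToolSetup/README.txt", "Run Setup to install.")
        zf.writestr("AIToolSetup/Setup.pdf.exe", b"MZ placeholder, not a real binary")
        zf.writestr("AIToolSetup/launch.ps1", "# placeholder, no logic here\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    # In practice expected_hex is copied from the vendor's download page.
    report = triage_download(sample, "0" * 64)
    print("hash matches:", report["hash_matches"])
    for kind, names in report["archive"].items():
        print(f"{kind}: {names}")
```

A legitimate installer archive will of course list its own setup executable under executable_members; the value of the report is seeing everything the archive would run before running any of it, and treating a hash mismatch as a hard stop rather than a warning.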

    Mandiant’s Findings on Malvertising Campaigns

    An alarming report by Google-owned Mandiant has shed light on another facet of this issue: malvertising campaigns that utilize social media platforms like Facebook and LinkedIn to lure users to fake AI tools. The consequences of falling for such traps are dire, as these campaigns often use Rust-based payloads to drop multiple types of malware onto the victim’s machine.

    Multilayered Malware Attacks

    The payload delivered via these fake installers often includes a combination of various malware families like GRIMPULL, FROSTRIFT, and XWorm. Each is designed for a specific function, from information theft to remote access, showcasing the tactical coordination of cybercriminals. This layered approach allows them to increase the likelihood of successful attacks, making it more essential for users to remain informed and cautious.

    Monitoring Emerging Threats

    As technology continues to evolve, so do the methodologies employed by cybercriminals. The rise of AI tools has not only created new avenues for legitimate use but also opened doors for malicious exploitation. Continuous monitoring of emerging threats, combined with user awareness, can go a long way in combating these nefarious activities.

    In this precarious landscape, maintaining cybersecurity awareness is no longer optional—it is essential. The next AI tool you consider downloading could conceal potential threats, making it imperative to exercise caution with every click.
