The infamous APT hacking group often called FIN7 has launched a community of faux AI-powered deepnude generator websites to contaminate guests with information-stealing malware.
FIN7 is believed to be a Russian hacking group that has been conducting monetary fraud and cybercrime since 2013, with ties to ransomware gangs, akin to DarkSide, BlackMatter, and BlackCat, who not too long ago carried out an exit rip-off after stealing a $20 million UnitedHealth ransom fee.
FIN7 is understood for its refined phishing and social engineering assaults, akin to impersonating BestBuy to ship malicious USB keys or making a pretend safety firm to rent pentesters and builders for ransomware assaults with out them understanding.
So it isn’t stunning to search out that they’ve now been linked to an intricate community of internet sites selling AI-powered deepnude turbines that declare to create pretend nude variations of images of clothed people.
The expertise has been controversial because of the hurt it could possibly trigger to the themes by creating non-consensual express photos, and it has even been outlawed in lots of locations on this planet. Nonetheless, the curiosity on this expertise stays robust.
A community of deepnude turbines
FIN7’s pretend deepnude websites function honeypots for folks all in favour of producing deepfake nudes of celebrities or different folks. In 2019, menace actors used an identical lure to unfold info-stealing malware even earlier than the AI explosion.
The community of deepnude turbines operates beneath the identical “AI Nude” model and is promoted by means of black hat search engine optimization techniques to rank the websites excessive in search outcomes.
Based on Silent Push, FIN7 immediately operated websites like “aiNude[.]ai”, “easynude[.]web site”, and nude-ai[.]professional,” which provided “free trials” or “free downloads,” however in actuality simply unfold malware.
All of the websites use an identical design that guarantees the power to generate free AI deepnude photos from any uploaded photograph.
Supply: Silent Push
The pretend web sites permit customers to add images that they want to create deepfake nudes. Nonetheless, after the alleged “deepnude” is made, it’s not displayed on the display screen. As a substitute, the consumer is prompted to click on a hyperlink to obtain the generated picture.
Doing so will deliver the consumer to a different web site that shows a password and a hyperlink for a password-protected archive hosted on Dropbox. Whereas this web site continues to be alive, the Dropbox hyperlink now not works.
Supply: BleepingComputer
Nonetheless, as an alternative of a deepnude picture, the archive archive incorporates the Lumma Stealer information-stealing malware. When executed, the malware will steal credentials and cookies saved in internet browsers, cryptocurrency wallets, and different information from the pc.
Silent Push additionally noticed some websites selling a deepnude era program for Home windows that may as an alternative deploy Redline Stealer and D3F@ck Loader, that are additionally used to steal info from compromised units.
All seven websites detected by Silent Push have since been taken down, however customers who might need downloaded information from them ought to think about themselves contaminated.
Different FIN7 campaigns
Silent Push additionally recognized parallel FIN7 campaigns dropping NetSupport RAT by means of web sites that immediate guests to put in a browser extension.
Supply: Silent Push
In different circumstances, FIN7 makes use of payloads that seem to spoof well-known manufacturers and purposes akin to Cannon, Zoom, Fortnite, Fortinet VPN, Razer Gaming, and PuTTY.
Supply: Silent Push
These payloads could also be distributed to victims utilizing search engine optimization techniques and malvertising, tricking them into downloading trojanized installers.
FIN7 was not too long ago uncovered for promoting its customized “AvNeutralizer” EDR killing instrument to different cybercriminals, concentrating on IT workers of automobile makers in phishing assaults, and deploying Cl0p ransomware in assaults towards organizations.
