AI continues to be the biggest thing in tech, so it's no wonder hackers want to take advantage of it in their attacks on unsuspecting victims. A few days ago, we learned of a clever campaign on social media platforms like TikTok, where hackers uploaded clips narrated by AI that convinced users to install malware on their computers. Those who fell for the attack thought the videos provided instructions on activating pirated software.
That's not the only way attackers use AI's popularity to trick users into installing malware on their devices. A pair of reports from Talos and Google's Mandiant came out this week detailing the novel AI-based attacks.
Hackers are conning victims into downloading malware apps by promoting the programs as AI tools they might want to use for personal or business purposes.
I've often told people to try AI even if it seems scary, as chatting with tools like ChatGPT or Gemini will prepare them for the AI era of computing. Your job might one day depend on using AI. However, that doesn't mean you should use AI products from shady sources or try to skirt the costs involved with access to premium features.
As with most other types of software, AI programs can't be free. You shouldn't be looking for deals from third-party providers that are too good to be true, as they might turn out to be hackers who can't wait to infect your devices with malware-laden files.
Mandiant on Tuesday detailed a Vietnam-based group called UNC6032 that produced ads on social media like Facebook and LinkedIn promoting real AI video generator programs called Luma AI, Canva Dream Lab, and Kling AI, but pointing users to fake sites. Those sites then duped users into downloading malware disguised as the free AI videos they purportedly generated with their prompts.
Those who opened the files installed malware capable of stealing usernames and passwords, logging what they typed, and even hijacking their bank accounts.
Even if the PC restarts, the malware will continue to run, and hackers might have remote control over it, giving them additional attack capabilities.
On Thursday, Talos followed up with a report that describes three malware types disguised as premium AI products.
Users think they're downloading an AI lead-generation product after obtaining a great deal: 12 months of free access to a product called NovaLeadsAI, and then $95/month after that. In reality, they have likely just downloaded CyberLock, one of three observed malicious programs.
As for the other two, Lucky_Gh0$t impersonates a "full version" of ChatGPT 4.0, while Numero masquerades as an AI video generator called InVideo.
The first two are ransomware. CyberLock will lock up your Windows machine and then ask for a $50,000 ransom in Monero cryptocurrency. Weirdly, the ransomware claims the money will fund humanitarian efforts in Palestine, Ukraine, and other places, which is definitely not true. It's just another trick to convince victims, likely businesses, to pay up.
Lucky_Gh0$t encrypts any file smaller than 1.2GB and deletes anything bigger.
Numero is equally nefarious. It runs an app that rewrites Windows UI elements, making them unusable. For example, it can replace window titles or buttons with "1234567890," making the PC impossible to use.
It's unclear how many people have been affected by these malware attacks that use the popularity of AI as an attack vector.
Mandiant's investigation shows that UNC6032 might have reached more than two million users in Europe via Facebook ads. It's unclear how many were then duped into downloading files. LinkedIn ads reached between 50,000 and 250,000 people.
Meta told The Register it removed the malicious ads, blocked the websites, and took down the accounts "many before they were shared with us."
Again, you should not download any free AI apps from shady sources. If you're unsure about something, best avoid it, no matter how good it sounds. Also, whether you're new to AI or not, you can always use free products like ChatGPT or Gemini to do background checks on shady sites and the AI products they claim to offer.
While we're at it, it's a good idea to back up your data regularly so you won't lose too much information if you're hit with ransomware. As for passwords and banking data, you'd better use password managers for that, avoid recycling passwords, and change some of your logins from time to time.