
Key Takeaways 

  • The cybercriminals have leveraged the Sora branding to create convincing phishing sites, demonstrating their strategic use of popular or anticipated technologies to deceive users 
  • The targeting of an unreleased Sora application suggests that cybercriminals are actively seeking out new and emerging technologies to exploit, even before they are officially available to the public. 
  • The campaigns show a high level of sophistication, with threat actors (TAs) employing multiple vectors, such as phishing sites and compromised social media accounts, to maximize their reach and effectiveness. 
  • By utilizing compromised social media accounts to promote fake platforms and distribute phishing links, the TAs increase the perceived legitimacy of their phishing schemes, making them more likely to succeed. 
  • The information-stealer malware used in these campaigns employs techniques that successfully evade detection by mainstream antivirus solutions, highlighting the need for advanced security measures. 
  • After exfiltrating data, TAs deploy open-source mining software like XMRig and lolMiner, indicating a dual objective of both data theft and cryptocurrency mining to monetize their activities further. 

Overview 

In February, OpenAI introduced Sora, an advanced AI model set to revolutionize content creation by producing realistic and imaginative scenes from textual descriptions. This groundbreaking technology promises to transform how users generate and visualize content, facilitating the realization of complex and creative ideas. As the tech community eagerly awaits Sora’s official release, the excitement has been accompanied by a surge in malicious activity.  

Despite Sora’s yet-to-be-launched status, cybercriminals have already targeted it, creating numerous phishing sites that impersonate official Sora platforms to trick users and distribute various forms of malware.  

After the announcement of Sora, Cyble Research and Intelligence Labs (CRIL) observed several phishing sites that mimic Sora and deploy different types of malware families. 

Below is the list of phishing sites: 

  • hxxps://sorics-ai[.]web.app 
  • hxxps://sora-6b494[.]web.app 
  • hxxps://sorics-ai.web[.]app 
  • hxxps://soraai-pro-kit[.]web.app 
  • hxxps://sora-openai-generation[.]com 
  • hxxps://openai-soravideo[.]com 
  • hxxps://opensora-ai.web[.]app 
  • hxxps://opensora[.]info 

Figure 1 – Phishing site impersonating Sora 

On July 22, 2024, we identified a phishing site, “openai-soravideo[.]com,” which was created on July 20, 2024. Shortly after its creation, on July 21, 2024, the threat actor began using a compromised social media account to promote Sora AI and distribute the phishing site, aiming to deliver malware. 

Figure 2 – Compromised social media page with high followers promoting Sora via a phishing site 

Figure 3 – Post on compromised social media page 

While investigating this compromised page, we discovered several other compromised social media pages with the name “Sora AI – Creating Video From Text.” These pages were distributing numerous phishing sites impersonating Sora and delivering malware. 

Figure 4 – Compromised pages distributing phishing sites 

On OpenAI’s community page, numerous users reported falling victim to this campaign by downloading malware. Many were directed to the phishing sites through Sora ads promoted by the threat actor, resulting in data compromise. We observed that a few of the downloaded zip files had zero detections, and antivirus software failed to identify the malware when victims were infected. 

 
Figure 5 – Zip file downloaded from phishing site “sorics-ai.web[.]app” with zero detection 

Figure 6 – User posted about advertisement running phishing campaign on the Open AI community 

Figure 7 – Users’ comments related to the Sora phishing campaign (Source – OpenAI community) 

Campaign Analysis 

We have identified multiple campaigns leveraging Sora-themed phishing websites as a vector for malware distribution. Our initial analysis suggests that these campaigns are not necessarily orchestrated by a single TA. However, a commonality across them is the use of phishing sites that lure victims into downloading files disguised as legitimate Sora software. When users attempt to install these seemingly authentic applications, the files trigger malicious processes that compromise the victim’s system. 

CRIL has identified a phishing website with the URL “hxxps[://]sora-openai-generation[.]com/,” which masquerades as a platform offering Sora AI services for converting text to video. The site is cleverly designed to deceive visitors into believing it provides legitimate services, encouraging them to click on a download button under the pretense of offering a free application. The sophistication of the disguise aims to lower users’ suspicions and increase the likelihood of them downloading the malicious software. The figure below shows the Sora phishing site. 

Figure 8 – Phishing Site 

After the victim clicks the download button, a zip file is downloaded containing an obfuscated batch script. This script runs several PowerShell commands to carry out malicious activities stealthily. Initially, it downloads another zip file from “hxxps[://]special-create-studio[.]com/studio.zip” and extracts its contents, including Python scripts, to the “C:/Users/Public/VIDEOHD” directory. It then executes a malicious Python file named “godady.py” from the extracted files, which serves as the primary malicious payload. The “godady.py” script employs multiple layers of compression, including zlib, bz2, gzip, and lzma, along with hexadecimal encoding to obscure its payload. The image below displays a code snippet of the malicious Python script. 

Figure 9 – Layered decompression and Python payload extraction 
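The layered wrapping described above (zlib, bz2, gzip, lzma and hex encoding) can be peeled mechanically by checking each layer’s magic bytes, which is how an analyst recovers the inner script without running it. The following is an added example written for this post, not code from the campaign or from CRIL; the nesting order of the constructed sample is an assumption, since the post does not state the order godady.py uses.

```python
import binascii
import bz2
import gzip
import lzma
import zlib

HEX_DIGITS = frozenset(b"0123456789abcdefABCDEF")


def peel_one_layer(blob: bytes):
    """Identify one wrapper by its magic bytes (or hex alphabet) and remove it.

    Returns (layer_name, inner_bytes), or None when no known layer is present.
    """
    try:
        if blob[:2] == b"\x1f\x8b":                       # gzip member header
            return "gzip", gzip.decompress(blob)
        if blob[:3] == b"BZh":                            # bzip2 stream
            return "bz2", bz2.decompress(blob)
        if blob[:6] == b"\xfd7zXZ\x00":                   # xz container (lzma module default)
            return "lzma", lzma.decompress(blob)
        if len(blob) >= 2 and blob[0] == 0x78 and ((blob[0] << 8) | blob[1]) % 31 == 0:
            return "zlib", zlib.decompress(blob)          # valid zlib CMF/FLG header pair
    except (OSError, EOFError, lzma.LZMAError, zlib.error, ValueError):
        return None                                       # magic matched but the stream was bad
    stripped = blob.strip()
    if stripped and len(stripped) % 2 == 0 and set(stripped) <= HEX_DIGITS:
        return "hex", binascii.unhexlify(stripped)
    return None


def unwrap_layers(blob: bytes, max_layers: int = 32):
    """Peel layers until nothing recognisable remains; returns (layer names, payload)."""
    layers = []
    for _ in range(max_layers):
        peeled = peel_one_layer(blob)
        if peeled is None:
            break
        name, blob = peeled
        layers.append(name)
    return layers, blob


# Constructed sample (not the real godady.py): a plaintext Python payload wrapped
# in zlib -> bz2 -> gzip -> xz/lzma, then hex-encoded as the outermost layer.
PAYLOAD = b"print('decoded payload')\n"
SAMPLE = binascii.hexlify(lzma.compress(gzip.compress(bz2.compress(zlib.compress(PAYLOAD)))))

if __name__ == "__main__":
    names, inner = unwrap_layers(SAMPLE)
    print(" -> ".join(names), "|", inner.decode())
```

The recovered payload is returned as bytes and never executed, so the helper is safe to run over any sample blob.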

The decompressed Python stealer, known as Braodo Stealer, targets six browsers—Chrome, Firefox, Edge, Opera, Brave, and Chromium—to extract sensitive information, including cookies, login credentials, web data, and local state. Once the data is collected, it is compressed into a ZIP archive and sent to two separate Telegram chat IDs via HTTP POST requests to the Telegram API. The image below illustrates how Telegram Bot IDs are used to transmit the stolen data. 

Figure 10 – Braodo Stealer targets multiple browsers 

In another campaign, we’ve observed TAs using the phishing website “hxxps://openai-soravideo[.]com.” This website prompts users to download a zip file containing an executable. The infection begins when the user clicks on the executable file. The figure below shows the malicious website. 

Figure 11 – Phishing site  

The downloaded file performs multiple tasks related to information stealing. The image below outlines the operations carried out by this stealer. 

Figure 12 – Core Functionality 

The stealer can capture a wide spectrum of information, from screenshots to sensitive data such as login credentials, cookies, and autofill data from various browsers, including Microsoft Edge, Google Chrome, CocCoc, Brave, Opera, and Firefox. 

Figure 13 – Targeted browsers 

 All the collected data from the targeted browsers is compressed into a zip file, which is named using the following format. 

  • <country id>_<botnet id>_<date time>.zip 

Figure 14 – Zip File Creation 

After creating the ZIP file, the stealer sends the data to the TA Telegram chat ID using the Telegram Bot API. 

Figure 15 – TAs Telegram Chat ID 

Another notable campaign we’ve uncovered also impersonates Sora. The zip file downloaded from the phishing website contains a PyInstaller executable named “setup-x86_64.exe.” Upon execution, this executable runs a Python script protected by PyArmor, an obfuscation tool designed to hide the script’s true functionality. The malicious Python script’s primary action is to download a .bat file from the URL “hxxps://sealingshop[.]click/bat/loc” and save it to “C:\Users\Public\manifest.bat.” Once downloaded, the Python script executes the .bat file. 

Figure 16 – Similar phishing website 

Notably, the de-obfuscated PyArmor file includes code that performs screen capturing, interacts with the system’s mouse and keyboard, and potentially transmits data over a network. The figure below shows the partially de-obfuscated Python code to monitor the mouse events from the victim’s machine. 

Figure 17 – Mouse Simulation Functionality 

The executed batch file downloads a Python setup and runs a malicious script named “document.py,” which is designed to collect sensitive information. This includes usernames, the victim’s IP address, and browser data such as cookies and login credentials from Chrome and Edge. Notably, the stealer is configured to exclude users from certain countries, preventing infection in those regions. 

The stealer sends all collected information in JSON format to a ngrok domain (hxxps://f34f-103-14-48-195.ngrok-free.app) via a POST request. Following data exfiltration, the stealer downloads and installs two open-source miners, XMRig and lolMiner, on the victim’s machine. 

Figure 18 – Code snippet for downloading and executing miners 
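Both stealers described above exfiltrate over services a defender can watch for: the Telegram Bot API (Braodo Stealer and the second campaign) and a throwaway ngrok host (this campaign). The following detection over web-proxy log lines is an added example written for this post, not code from Cyble; the log line layout and the bot token are constructed, while the ngrok host is the one named in the report.

```python
import re
from urllib.parse import urlsplit

# Telegram Bot API path: /bot<numeric id>:<secret>/<method>; the secret is never echoed back.
TELEGRAM_BOT_PATH = re.compile(r"^/bot(\d+):[A-Za-z0-9_-]+/(send\w+)$")
NGROK_SUFFIXES = (".ngrok-free.app", ".ngrok.app", ".ngrok.io")
# Constructed proxy log layout (assumed): "<date> <time> <client ip> <method> <url> <status> <bytes>"
LOG_LINE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def classify_request(method: str, url: str):
    """Return a tag for exfiltration-style requests, or None for ordinary traffic."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == "api.telegram.org":
        m = TELEGRAM_BOT_PATH.match(parts.path)
        if m:                                   # bot id kept for correlation, token redacted
            return f"telegram-bot-api:{m.group(2)}:bot{m.group(1)}:<redacted>"
    if method == "POST" and host.endswith(NGROK_SUFFIXES):
        return f"ngrok-tunnel:{host}"           # POST to a throwaway tunnel host
    return None


def scan_proxy_log(lines):
    """Return a list of (timestamp, client, tag, bytes) for every flagged request."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts, client, method, url, _status, size = m.groups()
        tag = classify_request(method, url)
        if tag:
            hits.append((ts, client, tag, int(size)))
    return hits


# Constructed sample log lines: two uploads to the bot (the report notes two chat IDs) and one ngrok POST.
SAMPLE_LOG = [
    "2024-07-22 10:01:07 10.0.0.15 GET https://www.example.com/ 200 5120",
    "2024-07-22 10:02:11 10.0.0.15 POST https://api.telegram.org/bot123456789:EXAMPLE_TOKEN/sendDocument 200 184320",
    "2024-07-22 10:02:15 10.0.0.15 POST https://api.telegram.org/bot123456789:EXAMPLE_TOKEN/sendDocument 200 184320",
    "2024-07-22 10:05:40 10.0.0.23 POST https://f34f-103-14-48-195.ngrok-free.app/ 200 2048",
    "2024-07-22 10:06:02 10.0.0.23 GET https://api.telegram.org/ 200 300",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

Legitimate Telegram bots exist, so treat the Telegram hits as a lead to correlate with the upload size and the originating process rather than as a verdict on their own.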

Conclusion 

The Sora-themed campaigns highlight a concerning trend in cyber threats, showcasing the adaptation and creativity of TAs. By exploiting the anticipation surrounding OpenAI’s Sora, TAs have crafted sophisticated phishing sites and malware disguised as legitimate software. These campaigns use compromised social media accounts and deceptive tactics to distribute harmful payloads, including data stealers and cryptocurrency miners. The obfuscation methods employed, such as layered compression and disguised executables, illustrate the advanced techniques used to evade detection and maximize impact.  

Recommendations 

Here are some recommendations to mitigate and respond to malware campaigns exploiting the Sora theme: 

  • Educate users about phishing scams and the risks of downloading software from unverified sources. Emphasize the importance of verifying URLs and checking for signs of legitimacy before downloading or installing applications. 
  • Implement advanced threat detection solutions, including updated antivirus software and intrusion detection systems, to identify and block malicious activities.  
  • Actively monitor social media platforms for compromised accounts promoting malicious content. Quickly respond to and report suspicious activities to prevent further spread. 
  • Enforce MFA across all accounts and systems to add an extra layer of security and reduce the risk of unauthorized access. 
  • Regularly back up critical data and ensure that backups are stored securely. Test the restoration process to ensure data can be quickly recovered in case of a ransomware attack. 
  • Use web filtering solutions to block access to known malicious sites and prevent users from downloading harmful files. 

MITRE ATT&CK® Techniques 

Tactic | Technique | Procedure 
--- | --- | --- 
Execution (TA0002) | User Execution: Malicious Link (T1204.001) | Execution begins when a user downloads a zip file from a phishing website 
Execution (TA0002) | User Execution: Malicious File (T1204.002) | The victim is required to execute the .bat or .exe from the zip file 
Execution (TA0002) | Command and Scripting Interpreter: PowerShell (T1059.001) | Batch script uses PowerShell to execute commands 
Command and Control (TA0011) | Ingress Tool Transfer (T1105) | Script downloads files from remote servers 
Command and Control (TA0011) | Application Layer Protocol: Web Protocols (T1071.001) | Use of HTTPS for downloading files 
Defense Evasion (TA0005) | Obfuscated Files or Information: Binary Padding (T1027.001) | Null characters added in the exe 
Defense Evasion (TA0005) | Obfuscated Files or Information: Command Obfuscation (T1027.010) | Downloads base64-encoded Python script 
Defense Evasion (TA0005) | Masquerading: Match Legitimate Name or Location (T1036.005) | Malicious files are disguised with names like “OpenAI” or “GoDaddy” to appear legitimate 
Collection (TA0009) | Data from Local System (T1005) | Exfiltrate data from browser database files 
Exfiltration (TA0010) | Automated Exfiltration (T1020) | Data is exfiltrated after collection 
Exfiltration (TA0010) | Exfiltration Over Web Service (T1567) | Telegram API and ngrok used for data exfiltration 

IOCs 


The post Threat Actors Exploit Sora AI-themed Branding to Spread Malware appeared first on Cyble.