Threat Actors Exploit Sora AI-themed Branding to Spread Malware
Key Takeaways
- The cybercriminals have leveraged the Sora branding to create convincing phishing sites, demonstrating their strategic use of popular or anticipated technologies to deceive users
- The targeting of an unreleased Sora application suggests that cybercriminals are actively seeking out new and emerging technologies to exploit, even before they are officially available to the public.
- The campaigns show a high level of sophistication, with threat actors (TAs) employing multiple vectors, such as phishing sites and compromised social media accounts, to maximize their reach and effectiveness.
- By utilizing compromised social media accounts to promote fake platforms and distribute phishing links, the TAs increase the perceived legitimacy of their phishing schemes, making them more likely to succeed.
- The information-stealer malware used in these campaigns employs techniques that successfully evade detection by mainstream antivirus solutions, highlighting the need for advanced security measures.
Overview
After exfiltrating data, TAs deploy open-source mining software like XMRig and lolMiner, indicating a dual objective of both data theft and cryptocurrency mining to monetize their activities further.
In February, OpenAI introduced Sora, an advanced AI model set to revolutionize content creation by producing realistic and imaginative scenes from textual descriptions. This groundbreaking technology promises to transform how users generate and visualize content, facilitating the realization of complex and creative ideas. As the tech community eagerly awaits Sora’s official release, the excitement has been accompanied by a surge in malicious activity.
Despite Sora’s yet-to-be-launched status, cybercriminals have already targeted it, creating numerous phishing sites that impersonate official Sora platforms to trick users and distribute various forms of malware.
After the announcement of Sora, Cyble Research and Intelligence Labs (CRIL) observed several phishing sites that mimic Sora and deploy different types of malware families.
Below is the list of phishing sites:
- hxxps://sorics-ai[.]web.app
- hxxps://sora-6b494[.]web.app
- hxxps://sorics-ai.web[.]app
- hxxps://soraai-pro-kit[.]web.app
- hxxps://sora-openai-generation[.]com
- hxxps://openai-soravideo[.]com
- hxxps://opensora-ai.web[.]app
- hxxps://opensora[.]info
Figure 1 – Phishing site impersonating Sora
On July 22, 2024, we identified a phishing site, “openai-soravideo[.]com,” which was created on July 20, 2024. Shortly after its creation, on July 21, 2024, the threat actor began using a compromised social media account to promote Sora AI and distribute the phishing site, aiming to deliver malware.
Figure 2 – Compromised social media page with high followers promoting Sora via a phishing site
Figure 3 – Post on compromised social media page
While investigating this compromised page, we discovered several other compromised social media pages with the name “Sora AI – Creating Video From Text.” These pages were distributing numerous phishing sites impersonating Sora and delivering malware.
Figure 4 – Compromised pages distributing phishing sites
On OpenAI’s community page, numerous users reported falling victim to this campaign by downloading malware. Many were directed to phishing sites through ads for Sora promoted by the threat actor, resulting in data compromise. We observed that few downloaded zip files had zero detections, and antivirus software failed to identify the malware when victims were infected.
Figure 5 – Zip file downloaded from phishing site “sorics-ai.web[.]app” with zero detection
Figure 6 – User posted about advertisement running phishing campaign on the Open AI community
Figure 7 – Users’ comments related to the Sora phishing campaign (Source – OpenAI community)
Campaign Analysis
We have identified multiple campaigns leveraging Sora-themed phishing websites as a vector for malware distribution. Our initial analysis suggests that a single TA may not necessarily orchestrate these campaigns. However, a commonality across these campaigns is the use of phishing sites that lure victims into downloading files disguised as legitimate Sora software. When users attempt to install these seemingly authentic applications, the files trigger malicious processes that compromise the victim’s system.
CRIL has identified a phishing website with the URL “hxxps[://]sora-openai-generation[.]com/,” which masquerades as a platform offering Sora AI services for converting video from text. The site is cleverly designed to deceive visitors into believing it provides legitimate services, encouraging them to click on a download button under the pretense of offering a free application. The sophistication of the disguise aims to lower users’ suspicions and increase the likelihood of them downloading the malicious software. The below figure shows the phishing Sora phishing site.
Figure 8- Phishing Site
After the victim clicks the download button, a zip file is downloaded containing an obfuscated batch script. This script runs several PowerShell commands to carry out malicious activities stealthily. Initially, it downloads another zip file from “hxxps[://]special-create-studio[.]com/studio.zip” and extracts its contents, including Python scripts, to the “C:/Users/Public/VIDEOHD” directory. It then executes a malicious Python file named “godady.py” from the extracted files, which serves as the primary malicious payload. The “godady.py” script employs multiple layers of compression, including zlib, bz2, gzip, and lzma, along with hexadecimal encoding to obscure its payload. The image below displays a code snippet of the malicious Python script.
Figure 9 – Layered decompression and Python payload extraction
The decompressed Python stealer, known as Braodo Stealer, targets six browsers—Chrome, Firefox, Edge, Opera, Brave, and Chromium—to extract sensitive information, including cookies, login credentials, web data, and local state. Once the data is collected, it is compressed into a ZIP archive and sent to two separate Telegram chat IDs via HTTP POST requests to the Telegram API. The image below illustrates how Telegram Bot IDs are used to transmit the stolen data.
Figure 10 – Braodo Stealer targets multiple browsers
In another campaign, we’ve observed TAs using the phishing website “hxxps://openai-soravideo[.]com.” This website prompts users to download a zip file containing an executable. The infection begins when the user clicks on the executable file. The figure below shows the malicious website.
Figure 11 – Phishing site
The downloaded file performs multiple tasks related to information stealing. The image below outlines the operations carried out by this stealer.
Figure 12 – Core Functionality
The stealer can capture a wide spectrum of information, from screenshots to sensitive data such as login credentials, cookies, and autofill data from various browsers, including Microsoft Edge, Google Chrome, CocCoc, Brave, Opera, and Firefox.
Figure 13 – Targeted browsers
All the collected data from the targeted browsers is compressed into a zip file, which is named using the following format.
- <country id>_<botnet id>_<date time>.zip
Figure 14 – Zip File Creation
After creating the ZIP file, the stealer sends the data to the TA Telegram chat ID using the Telegram Bot API.
Figure 15 – TAs Telegram Chat ID
Another notable campaign we’ve uncovered involves impersonating Sora. When users download a zip file from the phishing website, it contains a PyInstaller executable named “setup-x86_64.exe.” Upon execution, this executable runs a Python script protected by PyArmor, an obfuscation tool designed to hide the script’s true functionality. The malicious Python script’s primary action is to download a .bat file from the URL “https://sealingshop.click/bat/loc” and save it to the location “C:UsersPublicmanifest.bat.” Once downloaded, the Python script proceeds to execute the .bat file.
Figure 16 – Similar phishing website
Notably, the de-obfuscated PyArmor file includes code that performs screen capturing, interacts with the system’s mouse and keyboard, and potentially transmits data over a network. The figure below shows the partially de-obfuscated Python code to monitor the mouse events from the victim’s machine.
Figure 17 – Mouse Simulation Functionality
The executed batch file downloads a Python setup and runs a malicious script named “document.py,” which is designed to collect sensitive information. This includes usernames, the victim’s IP address, and browser data such as cookies and login credentials from Chrome and Edge. Notably, the stealer is configured to exclude users from certain countries, preventing infection in those regions.
The stealer sends all collected information in JSON format to a ngrok domain (hxxps://f34f-103-14-48-195.ngrok-free.app) via a POST request. Following data exfiltration, the stealer downloads and installs two open-source miners, XMRig and lolMiner, on the victim’s machine.
Figure 18 – code snippet for downloading and executing miners
Conclusion
The Sora-themed campaigns highlight a concerning trend in cyber threats, showcasing the adaptation and creativity of TAs. By exploiting the anticipation surrounding OpenAI’s Sora, TAs have crafted sophisticated phishing sites and malware disguised as legitimate software. These campaigns use compromised social media accounts and deceptive tactics to distribute harmful payloads, including data stealers and cryptocurrency miners. The obfuscation methods employed, such as layered compression and disguised executables, illustrate the advanced techniques used to evade detection and maximize impact.
Recommendations
Here are some recommendations to mitigate and respond to malware campaigns exploiting the Sora theme:
- Educate users about phishing scams and the risks of downloading software from unverified sources. Emphasize the importance of verifying URLs and checking for signs of legitimacy before downloading or installing applications.
- Implement advanced threat detection solutions, including updated antivirus software and intrusion detection systems, to identify and block malicious activities.
- Actively monitor social media platforms for compromised accounts promoting malicious content. Quickly respond to and report suspicious activities to prevent further spread.
- Enforce MFA across all accounts and systems to add an extra layer of security and reduce the risk of unauthorized access.
- Regularly back up critical data and ensure that backups are stored securely. Test the restoration process to ensure data can be quickly recovered in case of a ransomware attack.
- Use web filtering solutions to block access to known malicious sites and prevent users from downloading harmful files.
MITRE ATT&CK® Techniques
Tactics | Techniques | Procedure |
Execution (TA0002) | User Execution: Malicious Link (T1204.001) | execution begins when a user downloads a zip file from a phishing website |
Execution (TA0002) | User Execution: Malicious File (T1204.002) | The victim is required to execute the .bat or .exe from zip file |
Execution (TA0002) | Command and Scripting Interpreter: PowerShell (T1059.001) | Batch script uses PowerShell to execute commands |
Command and Control (TA0011) | Ingress Tool Transfer (T1105) | script downloads files from remote servers |
Command and Control (TA0011) | Application Layer Protocol: Web Protocols (T1071.001) | use of HTTPS for downloading files |
Defense Evasion (TA0005) | Obfuscated Files or Information: Binary Padding (T1027.001) | Null characters added in the exe |
Defense Evasion (TA0005) | Obfuscated Files or Information: Command Obfuscation (T1027.010) | Downloads base64 encoded python script |
Defense Evasion (TA0005) | Masquerading: Match Legitimate Name or Location (T1036.005) | Malicious files are disguised with names like “OpenAI” or “GoDaddy” to appear legitimate |
Collection (TA0009) | Data from Local System (T1005) | Exfiltrate data from browser database files |
Exfiltration (TA0010) | Automated Exfiltration (T1020) | Data is exfiltrated after collection |
Exfiltration (TA0010) | Exfiltration Over Web Service (T1567) | Telegram API and ngrok used for data exfiltration |
IOCs
Indicators | Indicator Type | Description |
hxxps[://]sora-openai-generation[.]com/ | URL | Phishing site |
f371955bb96fa9aeefc5a6f2b9140100821ac3ab9e04a229c2184e1ea2551392 | SHA256 | Manual_installer_Sora_OpenaiPro_v4.1.zip |
8a307a9c08b38946fd124de1ddccbdbbe706589580dabc078b7009689e209248 | SHA256 | setup_soraai_pro_v4.2.zip |
114d633c45a845dbef182462aab6ec03fa5d0cf3271e61272a7e37dd94ec9865 | SHA256 | Manual_installer_Sora_OpenaiPro_v4.1.bat |
f8ad660704b998733c33cab8caaff4304608aea29ec348bbecfb084875bd9c27 | SHA256 | setup_soraai_pro_v4.2.bat |
d7025e1ee86815374bc13d1bf6b5351205428b31a70048b1ea5c1308c3bf1a96 8ef6934bd42de33ed4d9e40e9ed3ee8d980112be372fe5e5aac2290ee74590fb |
SHA256 | VIDEOHD.zip |
29f34032457b4af0b806c502a4394bbf499a9c1af6dfe06b46d40121e76f9a27 | SHA256 | Run batch script |
3b792058454ea7824a5341905bd3d65aa58898c6fe26305bbc59c3801aba161b | SHA256 | Setup-Createstudio.bat |
028004fadc270c7892303156fb9e9a3d8edb241b4d51cdb319bd275fbc7fe047 | SHA256 | Braodo Stealer |
hxxps[://]sorics-ai[.]web.app/ | URL | Phishing site |
64ac9fd8a09929afa0e65130ff3d494296559190a0d16fdb87cb6ace282166b6 | SHA256 | setup-x86_64.zip |
6bfb47fd85a099b5bb6bbcbd559373659f7a12cd4bb9e493a9b5e9046026b6dc | SHA256 | setup-x86_64.bat |
41a9c3bc563d03c73755e314c05d414886af587b9cdc1bb0339b86107443dbd1 | SHA256 | python39.zip |
c355806ac67ea8f79c984ef255b3b363607555100604e4f109fd1e0a9d518af4 | SHA256 | xmrig3.zip |
f3e46db62fe954be9c0403854722a04d07bb521114709e426f842fd74418619e | SHA256 | lolMiner.zip |
hxxps[://]soraai-pro-kit[.]web[.]app/ | URL | Phishing site |
831f0474c8048992edf1e19c46a6de1784aa86b17752a35e816bb128d8240091 | SHA256 | setup-x86_64.zip |
2c33b80b51c8ba0971117a60627a6920f557a99c8e4aa5a0382358a66fa25a52 | SHA256 | setup-x86_64.exe |
hxxps[://]openai-soravideo[.]com/ | URL | Phishing site |
aab58fa552f5acfd3c7001b7ddb05cdb553d1f1d42733b0446052dad9c476e1c | SHA256 | Open AI Sora 4.0 Version 4.56.zip |
898fa8ead5fcab0f0f64fbc57d8ca73bad4947352318dca75b359e677e71e931 | SHA256 | Open AI Sora 4.0 Version 4.56.exe |
hxxps[://]sora-6b494[.]web[.]app hxxps[://]sorics-ai[.]web[.]app hxxps[://]opensora-ai.web[.]app hxxps[://]opensora[.]info | URL | Phishing sites |
hxxps[://]special-create-studio[.]com/loki/fileavu hxxps[://]special-create-studio[.]com/run hxxps[://]special-create-studio[.]com/loki/soraavu[.]zip hxxps[://]special-create-studio[.]com/studio[.]zip hxxps[://]special-create-studio[.]com/run | URL | Malicious URL |
hxxps[://]sealingshop[.]click/pyen/adsteam hxxps[://]sealingshop[.]click/bat/adsteam hxxps[://]sealingshop[.]click/config/stu hxxps[://]sealingshop[.]click/app/python39[.]zip hxxps[://]sealingshop[.]click/py/adsteam hxxps[://]sealingshop[.]click/host/adsteam hxxps[://]sealingshop[.]click/miner/c hxxps[://]sealingshop[.]click/miner/g | URL | Malicious URLs |
f34f-103-14-48-195[.]ngrok-free[.]app | Domain | ngrok domain |
The post Threat Actors Exploit Sora AI-themed Branding to Spread Malware appeared first on Cyble.
React to this headline: