Malware campaign lures victims with free AI video editor
Criminals have launched a campaign on social media advertising a free AI video editor. What victims actually got, however, were infostealers.
Video clips are used to trick victims into running malware.
(Image: created with AI in Bing Designer by heise online / dmk)
Cyber criminals promised nothing less than a free, AI-based video editor in a campaign on social media. Anyone who fell for the offer, however, installed infostealer malware instead.
(Image: Screenshot: Malwarebytes)
The IT security researchers at Malwarebytes write in their analysis that instead of the hoped-for video editor with AI functions, the Lumma Stealer ended up on Windows PCs and the Atomic Stealer on Mac computers. The campaign to advertise the malware ran on various social media, such as Facebook, YouTube and X.
Malware campaign is a long runner
The campaign has been running since at least the beginning of September and is still active. The perpetrators have created numerous accounts to advertise their "product". Malwarebytes lists many handles such as @ProAIEdit, @EditProAI, @EdittProAI, @EditPr0AI and others, all with the display name "EditProAI". Other accounts appear to have been compromised and misused for advertising.
It appears to be a well-organized campaign. Because it looks legitimate, it was only discovered very late, explains Malwarebytes.
(Image: Screenshot / dmk)
The website is even available in several languages, including German and English. A displayed changelog is intended to reinforce the serious appearance. When heise tried to download the software, however, prospective downloaders were apparently only asked to solve captchas, which appear before the supposed download, and no file was ever delivered. This may also be due to a geo-IP restriction on the distribution site.
The virus analysts from Malwarebytes found the files "Edit-ProAI-Setup-newest_release.exe" for Windows and "EditProAi_v.4.36.dmg" for macOS. The Windows file contains Lumma Stealer, a malware-as-a-service offering that steals data from crypto wallets and browser extensions as well as two-factor authentication information; the macOS file contains Atomic Stealer. The latter makes money for its operators by searching the infected computer for credit card information, authentication cookies, passwords and cryptocurrency data and sending them to the operators; in addition to the data stored by the web browsers themselves, it can also extract information from browser extensions.
Malwarebytes does not provide any indicators of compromise (IOCs). Anyone who has run the malware should nevertheless keep an eye on their accounts, as account credentials and cryptocurrency data are the primary targets of the infostealers, Malwarebytes employees explain. Those affected should change their passwords, all of them, but starting with the most important ones, and should do so from a clean device rather than the infected one; those who do not yet use a password manager should take the opportunity to switch to one. Where possible, they should also activate multi-factor authentication. They should also log out of all important accounts, as the infostealers steal session cookies that let an attacker bypass an MFA-protected login. Note that changing a password does not necessarily invalidate existing sessions on every service; where a service offers "sign out of all devices" or a way to revoke active sessions, that is the option that actually kills a stolen cookie.
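The following toy model illustrates why the session-cookie advice above matters. It is an added example, not code from the heise article or from Malwarebytes, and the service, account and cookie values are constructed for illustration (a stand-in MFA code of "123456" replaces a real TOTP check). It shows that a cookie lifted from the browser profile keeps working after a password change and only stops working once the user's sessions are revoked.

```python
"""Why a stolen session cookie survives a password change but not a session revocation.

Added illustration; all class and account names are hypothetical.
"""
import hashlib
import secrets


class AuthService:
    """Minimal account service: password plus second factor at login,
    bearer session cookie for every request afterwards."""

    MFA_CODE = "123456"  # constructed stand-in for a valid TOTP code

    def __init__(self):
        self._users = {}     # username -> {"pw": hash, "mfa": bool}
        self._sessions = {}  # cookie value -> username

    @staticmethod
    def _hash(password):
        # Illustrative only; a real service uses a slow hash such as argon2 or bcrypt.
        return hashlib.sha256(password.encode()).hexdigest()

    def register(self, user, password, mfa=True):
        self._users[user] = {"pw": self._hash(password), "mfa": mfa}

    def login(self, user, password, mfa_code=None):
        """Full login: password and (if enabled) MFA are checked, then a cookie is issued."""
        rec = self._users.get(user)
        if rec is None or rec["pw"] != self._hash(password):
            return None
        if rec["mfa"] and mfa_code != self.MFA_CODE:
            return None
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = user
        return cookie

    def whoami(self, cookie):
        """Every later request is authorised by the cookie alone; neither the
        password nor MFA is re-checked. This is the property infostealers abuse."""
        return self._sessions.get(cookie)

    def change_password(self, user, new_password):
        """Rotates the credential but, like many real services, leaves sessions untouched."""
        self._users[user]["pw"] = self._hash(new_password)

    def logout_everywhere(self, user):
        """Revokes every session of the user, which is what invalidates a stolen cookie."""
        for cookie in [c for c, u in self._sessions.items() if u == user]:
            del self._sessions[cookie]


def demo():
    """Walks through theft, password change and revocation; returns what each step allowed."""
    svc = AuthService()
    svc.register("victim", "hunter2", mfa=True)
    cookie = svc.login("victim", "hunter2", AuthService.MFA_CODE)
    stolen = cookie  # the value an infostealer copies out of the browser's cookie store

    results = {}
    # Stolen password alone is stopped by MFA ...
    results["password_without_mfa_blocked"] = svc.login("victim", "hunter2") is None
    # ... but the stolen cookie walks straight in.
    results["cookie_replay_works"] = svc.whoami(stolen) == "victim"
    # Changing the password does not help against the cookie.
    svc.change_password("victim", "correct horse battery staple")
    results["cookie_replay_after_password_change"] = svc.whoami(stolen) == "victim"
    # Revoking all sessions finally kills it.
    svc.logout_everywhere("victim")
    results["cookie_replay_after_revocation"] = svc.whoami(stolen) == "victim"
    return results


if __name__ == "__main__":
    for step, allowed in demo().items():
        print(f"{step}: {allowed}")
```

Real services differ in whether a password change also revokes sessions, which is why the safe move after an infostealer infection is to explicitly sign out of all sessions (or revoke them in the account's security settings) from a clean device, and only then rely on the new password and MFA.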
(dmk)