FIN7 Gang Hides Malware in AI “Deepnude” Sites
An infamous financially motivated threat group is luring victims to a network of malware-baited sites, promising downloads of deepfake tools, according to a new report from Silent Push.
The security vendor claimed that the Russia-based FIN7, which has been linked to multiple ransomware groups, is hosting the malicious sites on multiple domains under the aiNude[.]ai “brand.”
They’re designed to attract internet users looking to leverage deepfake “deepnude” tools to generate nude images from photos of individuals they upload.
FIN7 created two versions of these so-called “honeypot” websites: one offering free downloads of a ‘Deepnude Generator’ tool and the other offering a free trial.
Clicking on the “free download” offer will redirect the victim to a new domain featuring a Dropbox link or another source hosting a malicious payload, although it’s unclear from the report exactly what this is.
Read more on deepfakes: FBI Warns of Surge in Deepfake Sextortion Attempts
If a victim clicks on “free trial,” they’ll be prompted to upload an image.
“If an image is uploaded, the user is next prompted with a ‘Trial is ready for download’ message saying, ‘Access scientific materials for personal use only.’ A corresponding pop-up requires the user to answer the question, ‘The link is for personal use only, do you agree?,’” Silent Push explained.
“If the user agrees and clicks ‘Download’ they are served a zip file with a malicious payload. This other FIN7 payload is a more classic Lumma Stealer and uses a DLL side-loading technique for execution.”
The vendor has also observed FIN7 deploying the Redline Stealer malware and D3F@ck malware-as-a-service loader via this campaign.
It’s believed that the group uses SEO tactics to get its AI deepnude sites ranked at the top of search listings.
Silent Push also revealed a second campaign run by FIN7, designed to covertly serve up NetSupport RAT malware through lookalike sites which require visitors to install a browser extension. The threat actors lure victims to the sites – which spoof well-known brands such as SAP Concur, Microsoft and Thomson Reuters – via malvertising.