Cybercriminals Exploit ChatGPT’s Sora AI Hype to Spread Malware

Cybercriminals strategically employ Sora branding to create convincing phishing sites, targeting both released and unreleased applications. 

Leveraging multiple attack vectors, including phishing sites and compromised social media accounts, these sophisticated threat actors distribute information-stealing malware, evading traditional antivirus detection. 

Post-data exfiltration, they deploy open-source mining software, demonstrating a dual-pronged approach of data theft and cryptocurrency mining for maximum financial gain. 

 Phishing sites and impersonating Sora 

Cybercriminals are exploiting the hype surrounding OpenAI’s unreleased AI model, Sora, by creating phishing websites that mimic official Sora platforms, which aim to trick users into downloading malware. 

Researchers identified multiple phishing sites with URLs like “hxxps://sorics-ai[.]web.app” and observed compromised social media accounts promoting Sora with these malicious links. 

The investigation revealed a network of compromised social media pages named “Sora AI – Creating Video From Text,” further distributing these phishing sites, highlighting the importance of user vigilance and caution when encountering content related to unreleased technology. 

Compromised pages distributing phishing sites 

A phishing campaign leveraging Sora AI branding has compromised numerous users.

Threat actors disseminated malicious zip files through deceptive advertisements on OpenAI’s community platform, which bypassed antivirus detection, enabling the successful installation of malware. 

Victims were redirected to phishing sites disguised as Sora promotion pages, resulting in data breaches, which indicates a sophisticated attack vector with evasive malware capable of circumventing traditional security measures. 

Users’ comments related to the Sora phishing campaign

Malicious actors are launching multiple campaigns using phishing websites disguised as Sora AI platforms to distribute malware, which likely involve multiple threat actors. 

The phishing sites trick victims into downloading a ZIP file containing an obfuscated batch script, which retrieves another ZIP containing Python scripts, one of which (“godady.py”) is the main payload. “godady.py” utilizes various compression techniques (zlib, bz2, gzip, and lzma) and hexadecimal encoding to conceal its malicious behavior. 

Layered decompression and Python payload extraction 

Braodo Stealer is a Python-based information stealer targeting Chrome, Firefox, Edge, Opera, Brave, and Chromium browsers that exfiltrates sensitive data like cookies, credentials, and web data, compresses it into a ZIP archive, and transmits it via HTTP POST requests to two Telegram bot IDs. 

A phishing campaign lures victims to download a malicious executable that, upon execution, performs extensive data theft, including screenshots, login credentials, cookies, and autofill data from multiple browsers. 

Targeted browsers 

The analysis by Cyble details a multi-stage malware campaign, where the attack begins with a phishing website that distributes a PyInstaller executable, which decrypts and executes a Python script obfuscated with PyArmor. 

The script downloads a batch file, which in turn retrieves and runs another malicious script, “document.py,” which steals user data like usernames, IP addresses, and browser credentials (cookies, logins) from Chrome and Edge, filtering out specific countries. 

The stolen data is compressed into a zip file with a specific format and sent to the attacker’s Telegram via the Telegram Bot API, while the malware downloads and installs cryptocurrency miners (XMRig, lolMiner) on the victim’s machine. 

Also Read:

Kaaviya
Kaaviyahttps://cyberpress.org/
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.

Recent Articles

Related Stories

LEAVE A REPLY

Please enter your comment!
Please enter your name here