Effective URL: https://www.darkreading.com/endpoint-security/ai-nude-photo-generator-delivers-infostealers
 * Endpoint Security
 * Remote Workforce
 * Threat Intelligence
 * Vulnerabilities & Threats


AI 'NUDE PHOTO GENERATOR' DELIVERS INFOSTEALERS INSTEAD OF IMAGES

The FIN7 group is mounting a sophisticated malware campaign spanning numerous
websites that lures people with a deepfake tool promising to create nudes out of
photos.

Elizabeth Montalbano, Contributing Writer

October 3, 2024



The notorious FIN7 threat group is combining artificial intelligence (AI) with
social engineering in an aggressive, adult-themed threat campaign that dangles
lures for access to technology that can "deepfake" nude photos — all to fool
people into installing infostealing malware.

The powerful Russian financial cybercrime group has created at least seven
websites advertising what is called a "DeepNude Generator," which promises to
use deepfake technology to transform any photo into a nude representation of the
person pictured, according to new research from the threat hunters at Silent
Push.



People can either download the generator via the site or sign up for a "free
trial," demonstrating the sophistication of the scam. But instead of receiving
the tool, they end up downloading malicious payloads such as the stealers Lumma
and Redline, which can be used to deliver further malware such as ransomware,
the researchers said.

Given the provocative lure, organizations are vulnerable to the campaign, as it
may entice unsuspecting employees to download malicious files. "These files may
directly compromise credentials via infostealers or be used for follow-on
campaigns that deploy ransomware," according to a blog post about the research.



Meanwhile, FIN7 also continues to promote an existing malvertising campaign that
targets corporate users with lures to content by popular brands, including SAP
Concur, Microsoft, Thomson Reuters, and FINVIZ stock screening, to spread the
NetSupport RAT and .MSIX malware, according to Silent Push. The researchers
identified a number of active IPs and thus "active new websites" hosting the
ploy, which asks people to download a fake "required browser extension" in order
to view content related to the brands; the extension is actually a malicious
payload.




FIN7 EVOLVES WITH THE TIMES

The DeepNude Generator campaign demonstrates particularly sophisticated thought
and planning on the part of FIN7, which developed at least seven dedicated
website URLs, such as aiNude[.]ai, easynude[.]website, and ai-nude[.]cloud, to
make the offering appear convincing.

There is also evidence that FIN7 is employing search engine optimization (SEO)
to keep users engaged and to rank their honeypots higher in search results by
using footer links to "Best Porn Sites" on its sites. Those links direct victims
to other malicious sites dangling the same lure.



Moreover, the group invested effort in creating two website versions for
promoting the deepfake tool. The first involves a DeepNude Generator "free
download," and the second offers site visitors a DeepNude Generator "free
trial," each with a different attack flow.

The first is "a simple user flow" in which a "free download" link leads users
to a new domain featuring a Dropbox link or another source hosting a malicious
payload, according to Silent Push.

The second attack flow prompts users via a "free trial" button to upload an
image to test the generator. If they do, the user is next shown a "trial is
ready for download" message, and a corresponding pop-up requires the user to
answer the question: "The link is for personal use only, do you agree?"

"If the user agrees and clicks 'download,' they are served a .zip file with a
malicious payload" that leads to the Lumma Stealer, and which uses a DLL
side-loading technique for execution, according to Silent Push.


MITIGATION & DEFENSE AGAINST FIN7

The two campaigns demonstrate that FIN7 — a cybercrime collective also known as
Carbanak, Carbon Spider, Cobalt Group, and Navigator Group that's been active
since 2012 — remains an imminent threat despite many attempts by law enforcement
to shut it down, or at least significantly disrupt it. It also shows a tenacity
on the group's part to evolve with modern technology and psychological tactics
to create more sophisticated ways to spread malware, the researchers said.



Indeed, FIN7 has long been known for its savvy combination of malware and social
engineering, having mounted a slew of successful, financially motivated attacks
against global organizations that have hauled in well over $1.2 billion — and
counting — for the criminal enterprise.

To help organizations combat threats from FIN7 and other organized cybercriminal
groups, one method is to develop indicators of attack based on the group's
tactics, techniques, and procedures (TTPs). Training employees to recognize the
increasingly elaborate social engineering tactics that threat groups use, and
blocking the download of any unknown files from the Internet onto a machine
connected to a corporate network, also can help enterprises avoid compromise by
sophisticated threat campaigns.
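The two defensive measures above, indicators derived from the campaign and a block on unknown archive downloads, can be turned into a simple log check. The following is an added example, not code from Dark Reading or Silent Push: it refangs the three lure domains named in the article, runs them against a constructed web-proxy log, and separately flags archive downloads from hosts outside a hypothetical corporate allow-list. The log format, the allow-list host, and the sample lines are all assumptions made for the example.

```python
"""Match web-proxy log lines against the lure domains named in the article and
flag archive downloads from untrusted hosts.

Added example; not code from Dark Reading or Silent Push. The log format, the
allow-list and the sample log lines below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators quoted in the article, kept in defanged form as published.
DEFANGED_DOMAINS = ["aiNude[.]ai", "easynude[.]website", "ai-nude[.]cloud"]

# Hypothetical corporate allow-list for archive downloads (assumption).
TRUSTED_DOWNLOAD_HOSTS = {"updates.example-corp.internal"}

# Archive/package extensions the article associates with the payloads (.zip, .MSIX).
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z", ".msix")

# Constructed proxy log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def refang(domain: str) -> str:
    """Turn an 'example[.]tld' style indicator back into a lowercase hostname."""
    return domain.replace("[.]", ".").replace("(.)", ".").lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


@dataclass
class Finding:
    line_no: int
    src: str
    host: str
    reason: str


def host_matches_ioc(host: str) -> bool:
    """True for an exact indicator or any subdomain of one (e.g. www.ainude.ai)."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def scan_log(lines):
    """Return a Finding for every line that hits an indicator or an untrusted archive download."""
    findings = []
    for n, line in enumerate(lines, start=1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the whole scan
        parts = urlsplit(m["url"])
        host = parts.hostname or ""
        if host_matches_ioc(host):
            findings.append(Finding(n, m["src"], host, "known DeepNude lure domain"))
        elif parts.path.lower().endswith(ARCHIVE_EXTENSIONS) and host not in TRUSTED_DOWNLOAD_HOSTS:
            findings.append(Finding(n, m["src"], host, "archive download from untrusted host"))
    return findings


# Constructed sample log: one benign request, one visit to a lure domain,
# one archive pulled from an unknown host, one archive from the allow-listed
# host, and one malformed line.
SAMPLE_LOG = [
    "2024-10-03T09:12:01Z 10.0.4.17 GET https://www.example.org/ 200",
    "2024-10-03T09:14:22Z 10.0.4.17 GET https://ainude.ai/free-trial 200",
    "2024-10-03T09:15:40Z 10.0.4.17 GET https://cdn.files-host.example/trial-ready.zip 200",
    "2024-10-03T09:16:03Z 10.0.4.22 GET https://updates.example-corp.internal/agent.zip 200",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.src} -> {f.host}: {f.reason}")
```

Run against the constructed log, the scan reports the visit to the lure domain and the `.zip` pulled from the unknown host, and stays silent on the allow-listed download. The subdomain match in `host_matches_ioc` matters in practice: a bare string comparison would miss `www.` variants, while a naive `endswith` without the leading dot would wrongly flag unrelated hosts whose names merely end in the indicator.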




ABOUT THE AUTHOR

Elizabeth Montalbano, Contributing Writer



Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing
mentor with more than 25 years of professional experience. Her areas of
expertise include technology, business, and culture. Elizabeth previously lived
and worked as a full-time journalist in Phoenix, San Francisco, and New York
City; she currently resides in a village on the southwest coast of Portugal. In
her free time, she enjoys surfing, hiking with her dogs, traveling, playing
music, yoga, and cooking.

