Fake AI video creators drop new Noodlophile information stealer malware

Fake AI video generation tools, posing as advanced AI tools that generate videos from uploaded user files, are being used to spread a new information-stealing malware family called ‘Noodlophile’ under the guise of generated media content. The websites are advertised in high-visibility Facebook groups under names like “Dream Machine”.

The use of AI tools as a lure for malware delivery is not a new concept and has already been adopted by skilled cybercriminals. Even so, the discovery of this latest campaign was shocking: Morphisec’s findings add a new infostealer to the mix.

Morphisec says that Noodlophile, sold as malware-as-a-service on dark web forums, is often bundled with “Get Cookie + Pass” services, and that the operation is tied to Vietnamese-speaking operators.

Source: Morphisec.
Multi-stage infection chains

After the victim uploads files to the malicious website, they receive a ZIP file that supposedly contains the AI-generated video.

The ZIP file actually contains a misleadingly named executable (Video Dream MachineAI.mp4.exe) and a hidden directory holding the files required for the next stages. If Windows is set to hide file extensions (never disable file extension display), the executable appears to be an MP4 video.

“The file Video Dream MachineAI.mp4.exe is a 32-bit C++ application signed using a certificate created via Winauth,” explains Morphisec.

“Despite its misleading name (suggesting an .mp4 video), this binary is actually a repurposed version of CapCut, a legitimate video editing tool (version 445.0). This deceptive naming and certificate help it evade user suspicion and some security solutions.”

A DreamMachine site dropping the payload
Source: Morphisec

Double-clicking the fake MP4 executes a series of executables that eventually launch a batch script (Document.docx/install.bat).

This script uses the legitimate Windows tool ‘certutil.exe’ to decode a base64-encoded, password-protected PDF document. It also adds a Registry key to ensure persistence.

The script then executes srchost.exe, which runs obfuscated Python code (randomuser2025.txt) fetched from a hardcoded remote address. This code eventually executes the Noodlophile Stealer.

If Avast is detected, PE hollowing is used to inject the payload into RegAsm.exe; otherwise, shellcode injection is used for in-memory execution.
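The chain above leaves behaviour a defender can look for in process-creation telemetry: a media-looking name with a hidden executable extension, certutil.exe used to decode a staged file, and script code run from a .txt file. The following added example (not from the article or Morphisec) runs those three checks over constructed Sysmon-style records; the field names, paths and the command lines are assumptions modelled on the article, not captured telemetry.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry),
# modelled on the infection chain described in the article.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\u\Downloads\Video Dream MachineAI.mp4.exe",
     "CommandLine": r'"C:\Users\u\Downloads\Video Dream MachineAI.mp4.exe"'},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r'certutil -decode "Document.docx\stage2.pdf" out.bin'},  # constructed
    {"Image": r"C:\Users\u\AppData\Local\Temp\srchost.exe",
     "CommandLine": 'srchost.exe -c "exec(open(\'randomuser2025.txt\').read())"'},
    {"Image": r"C:\Windows\System32\notepad.exe",     # benign control record
     "CommandLine": r"notepad.exe report.pdf"},
]

MEDIA_OR_DOC = {"mp4", "mov", "avi", "mkv", "pdf", "docx", "jpg", "png"}
EXECUTABLE = {"exe", "scr", "com", "bat", "cmd", "pif"}


def is_double_extension(path: str) -> bool:
    """True when a media/document extension is directly followed by an executable
    one (e.g. 'clip.mp4.exe'), which Explorer shows as 'clip.mp4' when extensions
    are hidden. 'archive.tar.gz' is not flagged."""
    parts = path.rsplit("\\", 1)[-1].lower().split(".")
    return len(parts) >= 3 and parts[-2] in MEDIA_OR_DOC and parts[-1] in EXECUTABLE


def flag_event(event: dict) -> list:
    """Return the names of the detection rules one process-creation event matches."""
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    hits = []
    if is_double_extension(image):
        hits.append("double_extension_image")
    # certutil is a signed Windows binary; '-decode' on a staged file is the
    # living-off-the-land pattern used by the batch script.
    if image.endswith("\\certutil.exe") and re.search(r"(^|\s)-decode\b", cmd):
        hits.append("certutil_decode")
    # Script code executed from a .txt file, as with randomuser2025.txt.
    if "exec(" in cmd and ".txt" in cmd:
        hits.append("script_from_txt")
    return hits


def scan(events: list) -> dict:
    """Map the index of every suspicious event to the rules it triggered."""
    return {i: hits for i, e in enumerate(events) if (hits := flag_event(e))}


if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

Each rule alone is noisy on a real fleet (certutil has legitimate uses), so in practice the three would be correlated on one host within a short window rather than alerted on individually.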

Complete Execution Chain
Source: Morphisec

Noodlophile, the new information-stealing malware, targets data stored in web browsers such as account credentials, session cookies, tokens and cryptocurrency wallet files. Researchers at Morphisec explain:

“Noodlophile Stealer represents a new addition to the malware ecosystem. Previously undocumented in public malware trackers or reports, this stealer combines browser credential theft, wallet exfiltration, and optional remote access deployment.”

Stolen information is sent via a Telegram bot that acts as a covert C2 server. This gives attackers access to stolen data in real time.

Noodlophile can be bundled with XWorm – a remote access trojan – giving attackers enhanced data theft capabilities beyond the passive stealing performed by the infostealer itself.

The best way to protect yourself from this malware is to avoid downloading and executing files from unknown websites.

Verify file extensions and scan all downloaded files with an updated AV tool.
