Cybercriminals are currently using Facebook to promote fake pages and ads that mimic Kling AI, a popular AI platform. This campaign, detected earlier this year, aims to trick users into visiting fraudulent websites that distribute malware.
AI to lure victims
Kling AI is a platform developed by Beijing-based Kuaishou Technology that allows users to create images and videos from text or pictures. Launched in June 2024, it has more than 22 million users. Attackers are exploiting this growing popularity to trap their victims.
According to the Check Point researchers who analyzed the campaign, the criminals create fake Facebook pages and run sponsored ads that send users to look-alike sites. These closely mimic the interface of the real Kling AI platform.
Once on a fraudulent site, visitors are invited to generate images or videos directly in the browser. Contrary to what the page promises, nothing is generated. Instead, the site offers a download of the supposed media file, which is in fact a malicious Windows executable. Its name is disguised with a double extension (a media extension placed before the real executable extension) and with special Unicode characters, so that the name appears to end in an image or video extension.
The executable, delivered inside a ZIP archive, is a loader that installs a Remote Access Trojan (RAT) and a data-stealing component. Once run, it connects to a command-and-control server, giving the attackers remote access to the infected system and letting them exfiltrate sensitive information.
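The filename tricks described above are cheap to catch before anything is opened. The following Python check, added here as an example and not code from Check Point's report or from the original article, inspects the entry names of a downloaded archive without extracting it and flags double extensions, invisible Unicode padding and bidi overrides. The extension lists, the choice of filler characters and the in-memory sample archive are constructed for this example and are assumptions, not artefacts from the campaign.

```python
"""Flag download filenames that use decoy extensions or hidden Unicode.

The sample names and the in-memory ZIP at the bottom are constructed for this
example; they are not files from the real campaign.
"""
import io
import unicodedata
import zipfile

# Extensions Windows runs directly. Illustrative list (an assumption); extend it
# to match your environment.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                   ".jse", ".vbs", ".wsf", ".msi", ".hta", ".lnk"}

# Extensions a victim expects from an "AI-generated image or video" download.
MEDIA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".mp4", ".mov",
              ".webm", ".avi", ".mp3"}

# Code points that render blank but are NOT in the Unicode "format" (Cf) or
# "control" (Cc) categories, so a category check alone would miss them.
INVISIBLE_CHARS = {
    "\u3164",  # Hangul Filler
    "\u115f",  # Hangul Choseong Filler
    "\u1160",  # Hangul Jungseong Filler
    "\u00a0",  # no-break space
    "\u3000",  # ideographic space
    "\u2800",  # braille pattern blank
}

# Explicit bidi controls that can reverse how the tail of a name is displayed.
BIDI_OVERRIDES = {"\u202a", "\u202b", "\u202d", "\u202e",
                  "\u2066", "\u2067", "\u2068"}


def _is_hidden(ch):
    """True for characters that are invisible or that change text direction."""
    return unicodedata.category(ch) in ("Cf", "Cc") or ch in INVISIBLE_CHARS


def hidden_chars(name):
    """Sorted, de-duplicated hidden code points in *name*, formatted as U+XXXX."""
    return sorted({f"U+{ord(ch):04X}" for ch in name if _is_hidden(ch)})


def analyze_filename(name):
    """Return a list of findings for one filename; [] means nothing suspicious."""
    findings = []
    hidden = hidden_chars(name)
    if hidden:
        findings.append("hidden characters: " + ", ".join(hidden))
    if any(ch in BIDI_OVERRIDES for ch in name):
        findings.append("bidi override: displayed extension may not be the real one")
    # Judge the extension on the name with hidden characters stripped, i.e. the
    # part the shell actually uses to pick a handler.
    cleaned = "".join(ch for ch in name if not _is_hidden(ch)).lower()
    segments = cleaned.rsplit("/", 1)[-1].split(".")
    real_ext = "." + segments[-1] if len(segments) > 1 else ""
    inner_exts = ["." + s for s in segments[1:-1]]
    if real_ext in EXECUTABLE_EXTS:
        findings.append(f"real extension {real_ext} is executable")
    if any(e in MEDIA_EXTS for e in inner_exts):
        findings.append("decoy media extension before the real one: "
                        + ", ".join(inner_exts))
    return findings


def is_suspicious(name):
    return bool(analyze_filename(name))


def scan_zip_bytes(data):
    """Inspect every entry name of a ZIP held in memory, extracting nothing.

    Returns {entry_name: findings} for the entries that were flagged.
    """
    flagged = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for entry in zf.namelist():
            findings = analyze_filename(entry)
            if findings:
                flagged[entry] = findings
    return flagged


def build_sample_zip():
    """Constructed stand-in for the archive a fake site serves (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Generated_Video_2025.mp4", b"\x00\x00\x00\x18ftypmp42")       # plain media name
        zf.writestr("Generated_Video_2025.mp4.exe", b"MZ")                        # double extension
        zf.writestr("Generated_Image_2025.jpg" + "\u3164" * 40 + ".exe", b"MZ")  # filler padding
        zf.writestr("Generated_Image_2025\u202egpj.scr", b"MZ")                   # RTLO trick
    return buf.getvalue()


if __name__ == "__main__":
    for entry, findings in scan_zip_bytes(build_sample_zip()).items():
        print(repr(entry))
        for finding in findings:
            print("   -", finding)
```

Two points worth keeping in mind when reading the output: Windows Explorer hides known extensions by default, so `Generated_Video_2025.mp4.exe` is shown to the user as `Generated_Video_2025.mp4`, and the check deliberately decides the real extension only after stripping hidden characters, because that stripped tail is what the shell actually uses to pick a handler.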
The malware, identified as PureHVNC RAT, has advanced monitoring and data-stealing capabilities. It can capture passwords stored in browsers, session tokens, and other confidential information. The software also monitors the opening of windows corresponding to banks or cryptocurrency wallets to take screenshots.
To avoid detection, the malware checks for analysis tools such as Wireshark or OllyDbg, modifies the Windows registry to persist across reboots, and injects itself into legitimate system processes.
Check Point has identified at least 70 posts from fake Facebook pages imitating Kling AI. The exact identity of the perpetrators remains unknown, but several clues suggest a Vietnamese origin, including certain elements present on the fraudulent sites and in the advertisements.
This technique of using malicious advertising on Facebook to distribute data-stealing software is a proven tactic of Vietnamese cybercriminal groups. These groups are increasingly exploiting the popularity of generative AI tools to spread their malware.