
Mandiant, Google Cloud's cybersecurity organization, identified and reported on the 28th on the hacking group 'UNC6032', which spread malware through malicious advertisements impersonating AI tools. The group is presumed to be associated with organizations in Vietnam.

UNC6032 posted numerous advertisements impersonating popular artificial intelligence (AI) video creation tools such as Luma AI and Canva DreamLab on social media platforms including Facebook and LinkedIn. When users clicked on the ads, they were directed to malicious sites disguised as AI services, and downloading files from these sites led to the installation of information-stealing malware and backdoors.

According to Mandiant, the malware collects sensitive data such as user login credentials, credit card information, and browser cookies, and exfiltrates the collected information to attacker-controlled infrastructure. Some malicious files were disguised as video files by using a double extension, such as 'Video Dream MachineAI.mp4.exe': Windows hides the final '.exe' by default, so the file appears to be an MP4 clip.
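The double-extension lure above is easy to check for mechanically. The following is an added example, not code from Mandiant or from the original article: it flags a download when its name ends in an executable extension preceded by a media extension, and separately when the name claims a media type but the bytes start with the "MZ" header of a Windows PE file. The extension lists, the sample filenames other than the one quoted in the article, and the sample file contents are all constructed for the example.

```python
# Heuristics for spotting files that pretend to be media but are executables.
# The extension sets below are assumptions chosen for this example.
MEDIA_EXTS = {"mp4", "mov", "avi", "mkv", "mp3", "jpg", "png", "pdf"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "msi", "js", "vbs", "lnk"}

# Windows PE executables begin with the two-byte DOS header "MZ".
PE_MAGIC = b"MZ"
# ISO base media files (MP4, MOV) carry the "ftyp" box type at offset 4.
MP4_MAGIC_OFFSET = 4
MP4_MAGIC = b"ftyp"


def extension_chain(filename):
    """Return all lower-cased extensions of a filename, outermost last.
    'Video Dream MachineAI.mp4.exe' -> ['mp4', 'exe']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def is_double_extension_lure(filename):
    """True when the real (last) extension is executable and the one
    just before it is a media extension, e.g. 'clip.mp4.exe'."""
    exts = extension_chain(filename)
    return len(exts) >= 2 and exts[-1] in EXEC_EXTS and exts[-2] in MEDIA_EXTS


def content_mismatch(filename, data):
    """True when any extension in the name claims a media type but the
    file content starts with a PE header. Catches 'clip.mp4' that is
    really an executable even without a second extension."""
    exts = extension_chain(filename)
    claims_media = any(e in MEDIA_EXTS for e in exts)
    looks_pe = data[: len(PE_MAGIC)] == PE_MAGIC
    return claims_media and looks_pe


def looks_like_mp4(data):
    """Light positive check: 'ftyp' at offset 4 is what a genuine MP4 has."""
    end = MP4_MAGIC_OFFSET + len(MP4_MAGIC)
    return data[MP4_MAGIC_OFFSET:end] == MP4_MAGIC


def assess_download(filename, data):
    """Return a list of findings for one downloaded file (empty = nothing odd)."""
    findings = []
    if is_double_extension_lure(filename):
        findings.append("double-extension name")
    if content_mismatch(filename, data):
        findings.append("PE header in file claiming a media extension")
    return findings


# Constructed samples. Only the first filename comes from the article;
# the byte contents are fabricated stand-ins for a PE header and an MP4 header.
SAMPLES = {
    "Video Dream MachineAI.mp4.exe": b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56,
    "intro.mp4": b"\x00\x00\x00\x18ftypisom\x00\x00\x02\x00isomiso2mp41",
    "installer.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "trailer.mp4": b"MZ\x90\x00" + b"\x00" * 60,
}

if __name__ == "__main__":
    for name, content in SAMPLES.items():
        verdict = assess_download(name, content)
        print(f"{name!r}: {verdict or 'no findings'}")
```

Both checks are needed: the name check catches the lure even before the file is opened, while the content check catches a dropper that was renamed to a plain '.mp4' and relies on a later rename or a shortcut to execute. Neither replaces antivirus or an allow-list on where users may install software from.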

The advertisements were exposed to over 2.3 million people, including in the European Union (EU) region, and there were reports of more than 250,000 exposures on LinkedIn. While Mandiant worked with Meta to remove some of the malicious ads and accounts, new advertisements continue to be created, indicating that an industry-wide response is needed.

Yash Gupta, senior manager of threat defense at Mandiant, noted, "Threat actors continuously evolve their tactics, techniques, and procedures," adding that "this attack is a case of combining the popularity of AI tools with malicious advertising to weaponize it." He further added, "Sophisticated websites masquerading as AI tools can pose threats to both individuals and organizations, and even when they appear harmless, great caution is required when accessing websites reached through advertisements."