Thursday, October 3, 2024


DIGITAL LIFE


[Image: deepfake hoax and manipulation news titles on a screen held in hand, 3D illustration]

New Fin7 Hacker’s AI Naked Image Generator Serves Up More Than Nudes

Sex sells, so they say, and a notorious Russian ransomware group is taking that phrase into the AI age with a new campaign leveraging supposed deepfake nude image-generating applications.

Who Or What Is Fin7?

The MITRE ATT&CK(https://attack.mitre.org/groups/G0046/) threat adversary knowledge base describes Fin7 as a financially motivated threat group active since at least 2013. Since 2020, Fin7 has adopted a big-game-hunting approach to its operations, targeting organizations with ransomware and even offering a ransomware-as-a-service facility. So it might come as something of a surprise to learn that these organized-cybercrime veterans have moved into the AI-generated deepfake porn business. Or it would, if that were truly the case. In fact, Fin7 is simply continuing with operations designed to entrap victims, spread its malware, and gain financial rewards for its nefarious endeavors.

The Fin7 Gang Has Created A Deepfake Porn Honeypot

Newly published research from the security researchers at Silent Push has revealed how the Fin7 crime group is hosting malicious AI “DeepNude” generators as part of a honeypot of porn-related sites. The report, FIN7 hosting honeypot domains with malicious AI DeepNude Generators(https://www.silentpush.com/blog/fin7-malware-deepfake-ai-honeypot/), found that the ruse is being used across at least seven websites using at least two different deepfake image generators. The two differ only in that one is a download-based malware distribution technique, while the other, a free-trial process, is far more sophisticated, according to the researchers.

Fin7 is casting a wide net in these attacks, Silent Push threat analysis revealed, with individuals and industries in the cross-hairs. Organizations are at risk as they may become vulnerable if unsuspecting employees are tempted to download malicious files which, the report said, “may directly compromise credentials via infostealers or be used for follow-on campaigns that deploy ransomware.”

The use of honeypots in this campaign is interesting as it marks a departure from the more conventional and relatively straightforward phishing bait methodologies. In this context, a honeypot refers to “technical minefields that have carefully crafted lures used by bad actors to bait their unsuspecting victims,” the researchers said.

The more sophisticated attack methodology, compared to the click-a-link-and-download approach mentioned earlier, is the use of a free-trial process. This uses the adult-themed deepfake naked image generator to lure the victim into agreeing to a free trial. If they follow this link, it asks them to upload an image from which it can create the deepfake nude porn. If the user does upload such an image, they are then prompted to download the results with a pop-up dialog that says this is “for personal use only, do you agree?” If they do, a download is initiated which comes as a malicious Zip file containing the Lumma Stealer password-stealing malware. This then uses a DLL side-loading technique for execution.
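As an added example that is not part of the original article or the Silent Push research, the following Python triage helper flags the archive layout the delivery described above relies on: an executable sitting beside a DLL in the same folder (the side-loading arrangement) and a PE file hiding behind an image extension. All file names and contents are constructed samples, not real Fin7 artifacts.

```python
import io
import zipfile
from collections import defaultdict

PE_MAGIC = b"MZ"  # first two bytes of any Windows PE file (EXE or DLL)

def triage_zip(zip_bytes):
    """Flag an .exe sharing a directory with .dll files (side-loading layout) and any
    PE file hiding behind a non-executable extension; both lists are returned."""
    by_dir = defaultdict(lambda: {"exe": [], "dll": []})
    disguised = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            directory, _, base = name.rpartition("/")
            ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
            with zf.open(info) as fh:
                magic = fh.read(2)  # only the header is needed for the PE check
            if ext == "exe":
                by_dir[directory]["exe"].append(name)
            elif ext == "dll":
                by_dir[directory]["dll"].append(name)
            elif magic == PE_MAGIC:
                disguised.append(name)
    pairs = [(exe, sorted(g["dll"])) for g in by_dir.values() if g["dll"]
             for exe in sorted(g["exe"])]
    return {"sideload_pairs": sorted(pairs), "disguised_pe": sorted(disguised)}

def build_sample_zip(entries):
    """Build an in-memory ZIP from {path: bytes}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed samples with hypothetical names, not real Fin7 artifacts.
SUSPICIOUS_ZIP = build_sample_zip({
    "result/Preview.exe": PE_MAGIC + b"\x90" * 62,
    "result/helper.dll": PE_MAGIC + b"\x90" * 62,
    "result/output.jpg": b"\xff\xd8\xff\xe0",
    "result/thumb.png": PE_MAGIC + b"\x00" * 30,  # PE hiding behind an image extension
})
CLEAN_ZIP = build_sample_zip({
    "result/output.jpg": b"\xff\xd8\xff\xe0",
    "readme.txt": b"for personal use only",
})
```

Run it on a downloaded archive with `triage_zip(open(path, "rb").read())`; a hit on either list is a triage signal rather than proof of malice, since legitimate installers also ship EXE and DLL pairs.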

All of the sites uncovered by Silent Push are currently offline after the researchers supported escalations to the hosting companies to have them taken down. But don’t be fooled, “we believe it’s likely new sites will be launched that follow similar patterns,” the researchers warned.

Davey Winder
