Social Media Malvertising Campaign Promotes Fake AI Editor Website for Credential Theft

Aug. 1, 2024, 11:02 a.m.

Description

An examination of how threat actors hijack social media pages, rename them to resemble legitimate AI photo editors, and post malicious links to fake websites promoted through paid ads. The links trick users into installing endpoint management software, which is then used to run credential stealers such as Lumma Stealer and exfiltrate sensitive data.

Date

  • Created: Aug. 1, 2024, 10:46 a.m.
  • Published: Aug. 1, 2024, 10:46 a.m.
  • Modified: Aug. 1, 2024, 11:02 a.m.

Indicators

  • ec9da3c0ec75f89f76514155ad4b8900f7a9a726c0c7d17b797f9b1facdc8363
  • f2782ed28005af0cbc2d242faef16d352b04ba6f654d8d16477c6b5360fff981
  • e9ab13c12e16a1f6d1aeac21b000336979ac33f08ef4fe0c0de79a74bd903024
  • dbe0e8928f89e29c01245ba51638eb3c86a64ec85a5fbc846e4980630edb30de
  • daa03bec4eab760916059e796627357c480e5c7476c21e549ff2b7ff52597999
  • d66586c15ba491a1f30273a0598da458bcc5b4a71407ba146206316dced0a969
  • d43c8152d85c01429e01ad4d6cb4b3af9b0bfc03da2026d293c5a9d055fa3424
  • ce416d42fca8e86a84b4257c1d51f79c371d90457d016c397439e09983a3d40a
  • d3649001232536a97e473f5e26ea8ac59672132666c099baec41f438f2e7298d
  • cb1ac980514a5460e2f62c4006c39ea7b8d8cecf20037f367ae4176ddd739f5f
  • c7ff2ba573d7ed7430e4d17afbe373581c88a6b5f46a431938e4791702d2a03a
  • b55c3359e007e38513cbe7f9739c99525c9724cb02b805e54260abd91219cd3e
  • b187584e5d168a6e64fc2e84fc6416e199231ccdc985374c72013b64a2e7591c
  • a48d15cc79993f280af4121ed6b301a6dee3882e39936b5f2d90a0d4b41e119d
  • a1900395acfbdc9913d9368d05a9976ff2547dd560f53786d3c2fbcae3478ef9
  • 9ca5fd6ca3630902ab0e20c8a0341d72e810af919e1267a5074d08cc2b0c935c
  • 860013af5b467273458f9207a21fb9228a0aa572cd20fa53bd1a527c6822c9d5
  • 83b1dbc812f27b5d1e6f3d410f4e1f1aebc249862f730610158366821887f4fa
  • 82b6c9d6b8ac992c765c27517592173214fb2cdbefbc17234b938c397740720d
  • 818cfee8c60eb62553d1522567259385603559137088fbefc1fd13d53e36568f
  • 81070e1704f7bf29ab2b79255cbe4cc29fe06c5b82d35c6521e1f8198d47ea4a
  • 7bfeb7076c8aaaf05ebb05a13835f34038b11964c999c15951026334e60b772f
  • 772b52bf105a4fbabea5bc6bdb6599dc29f4560ff512288e12dbb539e8d4234b
  • 77d09bac89e1cccd15534649c8968005e093efadeb790725daea0c946affca42
  • 65157cf38ddf42b9ae78b7c1284cd67652c13d4a3038fcb10f3f0e1b9aed07f2
  • 5d4a3078622db5997016f0d6c699ab524622cc674cddf0721ecc3b4678d31bb6
  • 50e5f670700243535f8ff558831dbbc314b215092f523355aa7a1c26205ece37
  • 48d0b40658c98c0e3c05b9509afc822dddaeeb416967dc30df16feb53c79015d
  • 39911cb88baf9f5b462ec5081ba58576b1a65c2aa4b3fa1b0c90e6caee0bf81e
  • 36283a18c88b98e485a2fbe6a37d297d5d90294f5945497034c951d09c4a7f89
  • 34e7793b53098cf704956b46b5e5e251aa106086ab70aa9eda19fab38f62a13b
  • 310c711c095554f75406a26c1c2193d4daa7f05e1dc496ed2fb3e4546c3e74a8
  • 2f9646f18d3c0d5990e732f1f4288a8a05c1dac01c1a2a0d504f74692b787e71
  • 24049e34227ef86da65c5a6621cc2333a3e6dc0e12a282ec3635f12f9b570d52
  • 26e8003f9e7046c4d776ed59cbaa6e61a8abecf519f731c2d3e8b7ea31ed0d3f
  • 21ab7330d8df5a5bb80d9b5f8c360db4a5168c1fc5386a4f05b4bdbb29e64461
  • 0f053000273e48280e6293dbc665e5d73b2197d4d9d8556be687e5aae32b70f5
  • 0cc0663e4c4510649ac20acad9fb057bf75c9ac3845dec699a143c48a19e477e
  • 0e70afbd7b2518b7abf718d09597fa8dc26d2e40f4247e3dc6903117a20cd11c
  • 00268a313003939f7ac6aaaf2f8c9628814c74b5804042e514f9b35781797d62
  • 058d890b17c9b28e30255e079fd228f846e669e3d167e61174d7483d7b1755a0
  • 0b348cd7d3e4ac0137be8617f3d78c88406a95c389de0e20317cd4b7b21d1241
  • https://tinyurl.com/36ahx3es
  • https://dtg-help-277.pages.dev/
  • https://zoro-api.vlhentaiz.com/LoginProcess/
  • https://usop-api.vlhentaiz.com/LoginProcess/
  • https://tokyo-api.vlhentaiz.com/LoginProcess/
  • https://techsupportcenter1902.click
  • https://support-team-account.fbb2024-20.click/
  • https://metaverifybusiness.sp247.click/
  • https://linkup.top/metateamsupport.com
  • https://linkup.top/helpcenteraccount.us
  • https://linkup.top/businesshelpaccount.us
  • https://businesscenter.fbb16.click/
  • zoro-api.vlhentaiz.com
  • tokyo-api.vlhentaiz.com
  • usop-api.vlhentaiz.com
  • support-team-account.fbb2024-20.click
  • metaverifybusiness.sp247.click
  • businesscenter.fbb16.click
  • techsupportcenter1902.click
  • supportproteam.com
  • metateamsupport.com
  • linkup.top
  • importancedopz.shop
  • helpcenteraccount.us
  • evotophoto.com
  • evotoforpc.net
  • businesshelpaccount.us
  • applyzxcksdia.shop
  • aggiledpozm.shop
  • warrantelespsz.shop
  • outpointsozp.shop

Attack Patterns