{"id":25475,"date":"2024-11-19T07:10:07","date_gmt":"2024-11-19T15:10:07","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2024\/11\/19\/news-19205\/"},"modified":"2024-11-19T07:10:07","modified_gmt":"2024-11-19T15:10:07","slug":"news-19205","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2024\/11\/19\/news-19205\/","title":{"rendered":"Free AI editor lures in victims, installs information stealer instead on Windows and Mac"},"content":{"rendered":"\n

A large social media campaign was launched to promote a free Artificial Intelligence (AI) video editor. If the “free” part of that campaign sounds too good to be true, then that’s because it was.<\/p>\n

Instead of the video editor, users got information stealing malware. Lumma Stealer was installed on Windows machines and Atomic Stealer (AMOS) on Macs.<\/p>\n

The campaign to promote the AI video editor was active on several social media platforms, like X, Facebook, and YouTube…<\/p>\n

\"Facebook<\/figure>\n

…and had been active for quite a while. as you can see from this tweet.<\/p>\n

\"Tweet<\/figure>\n

The criminals seem to have used a lot of accounts to promote their \u201cproduct\u201d as you can see from this search on X.<\/p>\n

\"List<\/figure>\n

Some accounts were expressly created for this purpose, while others look like they may have been compromised accounts.<\/p>\n

\"YouTube<\/figure>\n

The campaign looks well organized, and looks so legitimate that it took quite a while before a researcher found out and tweeted about the threat.<\/p>\n

\"Warning<\/a><\/figure>\n

When interested individuals follow the links, they\u2019ll end up on a professional looking website\u2014exactly what you would expect.<\/p>\n

\"EditProAI<\/figure>\n

But if they click the \u201cGET NOW\u201d button, they’ll download the information stealer and infect their device. The file is called “Edit-ProAI-Setup-newest_release.exe” for Windows, and “EditProAi_v.4.36.dmg” for macOS.<\/p>\n

Lumma is available through a Malware-as-a-Service (MaaS) model, where cybercriminals pay other cybercriminals for access to malicious software and its related infrastructure. Lumma steals information from cryptocurrency wallets and browser extensions, as well as two-factor authentication details. Lumma is often distributed via email campaigns, but nothing stops the cybercriminals from spreading it as a download for an AI editor, as they did here.<\/p>\n

AMOS makes money for its operators by finding and stealing valuable information on the computers it infects, such as credit card details, authentication cookies, passwords and cryptocurrency. Besides stealing data from the web browsers themselves, AMOS can also steal data from browser extensions (plugins).<\/p>\n

What if you installed one of these?<\/h2>\n

Both stealers are after login credentials and financial information, so there are a few things you\u2019ll need to do.<\/p>\n