Campaigns
Fake AI Platforms Are the New Front for Stealing Your Data

Fake AI Platforms Are the New Front for Stealing Your Data

FakeAIToolsNoodlophileStealerAIUnderAttackPhishingViaAI
Cybercriminals are increasingly disguising malware as generative AI platforms to exploit user trust and steal sensitive data. This campaign exposes the rise of fake AI tools used as entry points for cyberattacks,highlighting threats like the Noodlophile stealer and emphasizing the need for heightened vigilance when engaging with emerging AI technologies.

Indicators of Compromise

luma-aidreammachine.com
luma-dreammachine.com
lumalabs-dream.com

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION


T1036 - Masquerading


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. [62]

Note: For Windows, Event ID 4104 (from the Microsoft-Windows-Powershell/Operational log) captures Powershell script blocks, which can be analyzed and used to detect on potential Masquerading.

DS0022

File

File Metadata

Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Look for indications of common characters that may indicate an attempt to trick users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override characters"\u202E", "[U+202E]", and "%E2%80%AE".

Check and ensure that file headers/signature and extensions match using magic bytes detection and/or file signature validation.[63] In Linux, the file command may be used to check the file signature.[64]



File Modification

Monitor for changes made to files outside of an update or patch that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Windows Event ID 4663 (An Attempt Was Made to Access An Object) can be used to alert on attempted file accesses that may be associate with Masquerading.

DS0007

Image

Image Metadata

Collecting disk and resource filenames for binaries, comparing that the InternalName, OriginalFilename, and/or ProductName match what is expected, could provide useful leads but may not always be indicative of malicious activity. [65]

DS0009

Process

OS API Execution

Monitor for API calls such as fork() which can be abused to masquerade or manipulate process metadata.



Process Creation

Monitor for newly executed processes that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. The RECYCLER and SystemVolumeInformation directories will be present on every drive. Replace %systemroot% and %windir% with the actual paths as configured by the endpoints.

Analytic 1 - Suspicious Run Locations

(sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688") AND ( Image=":\RECYCLER*" OR Image=":\SystemVolumeInformation*" OR Image="%windir%\Tasks*" OR Image="%systemroot%\debug*")



Process Metadata

Monitor for file names that are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled.

DS0003

Scheduled Job

Scheduled Job Metadata

Monitor for contextual data about a scheduled job, which may include information such as name, timing, command(s), etc.

On Windows, Event ID 4698 (Security Log - A scheduled task was created) can be used to alert on the creation of scheduled tasks and provides metadata including the task name and task content (as XML).

On Linux, auditing frameworks such as the Linux Auditing System (auditd) can be used to alert on invocations of cron, and provides the metadata included when executing the command.



Scheduled Job Modification

Monitor for changes made to scheduled jobs that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.

DS0019

Service

Service Creation

Monitor for newly constructed services/daemons that may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools.



Service Metadata

Monitor for contextual data about a service/daemon, which may include information such as name, service executable, start type, etc.

DS0002

User Account

User Account Creation

Monitor for newly constructed accounts with names that are unusually generic or identical to recently-deleted accounts.


T1204 - User Execution


ID

Data Source

Data Component

Detects

DS0015

Application Log

Application Log Content

Monitor logs from applications to detect user-initiated actions such as opening malicious documents, clicking on phishing links, or executing downloaded malware.

Analytic 1 - Logs showing unexpected user actions triggering unusual processes.

sourcetype=application_log EventCode=1000 OR EventCode=1001| search application IN ("winword.exe", "excel.exe", "chrome.exe", "firefox.exe", "adobe.exe", "zip.exe")| stats count by application event_description| where event_description IN ("opened document", "clicked link", "executed file")

DS0017

Command

Command Execution

Detect commands triggered by users, especially related to decompression tools (e.g., zip files) that may unpack malicious payloads. This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads.

Analytic 1 - Command lines showing decompression or decoding actions.

sourcetype=WinEventLog:Powershell EventCode=4104| search process_name IN ("powershell.exe", "cmd.exe", "zip.exe", "winrar.exe")| stats count by process_name command_line user| where command_line LIKE "%unzip%" OR command_line LIKE "%decode%"

DS0032

Container

Container Creation

Monitor for newly constructed containers that may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.

Analytic 1 - Containers communicating with unexpected external services.

sourcetype=container_creation OR sourcetype=container_start| stats count by container_name event_description user| where container_name NOT IN ("") AND event_description IN ("created", "started")



Container Start

Monitor for the activation or invocation of a container (ex: docker start or docker restart)

DS0022

File

File Creation

Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe).

DS0007

Image

Image Creation

Monitor for newly constructed image that may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.

DS0030

Instance

Instance Creation

Monitor for newly constructed instances that may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.



Instance Start

Monitor for the activation or invocation of an instance (ex: instance.start within GCP Audit Logs)

DS0029

Network Traffic

Network Connection Creation

Monitor network traffic patterns associated with web-based user actions, such as clicking on phishing links or executing malware that tries to establish C2 communication.

Analytic 1 - Web-based network connections to suspicious destinations.

sourcetype=sysmon EventCode=3| search process_name IN ("winword.exe", "chrome.exe", "firefox.exe") | stats count by src_ip dest_ip dest_port process_name| where dest_ip NOT IN ("")



Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated with web-based network connections that are sent to malicious or suspicious destinations (e.g. destinations attributed to phishing campaigns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments (e.g. monitor anomalies in use of files that do not normally initiate network connections or unusual connections initiated by regsvr32.exe, rundll.exe, .SCF, HTA, MSI, DLLs, or msiexec.exe).

DS0009

Process

Process Creation

Identify processes spawned by user actions, especially from Office documents, PDFs, or web browsers that could lead to malicious execution.

Analytic 1 - Processes created from user interaction with files.

((sourcetype=WinEventLog:Security EventCode=4688) OR (sourcetype=Sysmon EventCode=1))| search parent_process IN ("winword.exe", "excel.exe", "chrome.exe", "firefox.exe")| stats count by parent_process process_name command_line user| where process_name NOT IN ("chrome.exe", "firefox.exe", "winword.exe", "excel.exe")


T1041 - Exfiltration Over C2 Channel


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments that may steal data by exfiltrating it over an existing command and control channel.

Analytic 1 - Detecting C2 Tool Execution Related to Exfiltration

(EventCode=1 OR source="/var/log/audit/audit.log" type="execve")| where (command IN ("powershell -enc", "python -c", "curl -d", "wget --post-file", "certutil -encode", "base64 -w 0"))| eval risk_score=case( command IN ("powershell -enc", "certutil -encode"), 9, command IN ("python -c", "curl -d"), 8)| where risk_score >= 8| stats count by _time, host, user, command, risk_score

DS0022

File

File Access

Monitor for suspicious files (i.e. .pdf, .docx, .jpg, etc.) viewed in isolation that may steal data by exfiltrating it over an existing command and control channel.

Analytic 1 - Detecting File Access Before C2 Exfiltration

(EventCode=11 OR EventCode=4663 OR source="/var/log/audit/audit.log" type="open")| where (file_path IN ("/tmp/", "/var/tmp/", "/home//Downloads/", "C:\Users\\Documents\exfil"))| eval risk_score=case( file_path IN ("/tmp/", "/var/tmp/"), 9, file_path IN ("/home//Downloads/*"), 8)| where risk_score >= 8| stats count by _time, host, user, file_path, risk_score

DS0029

Network Traffic

Network Connection Creation

Monitor for newly constructed network connections that are sent or received by untrusted hosts.

Note: Network Analysis frameworks such as Zeek can be used to capture, decode, and alert on TCP network connection creation.

Analytic 1 - Detecting Outbound Network Connections for C2 Exfiltration

(EventCode=3 OR source="zeek_conn.log" OR source="firewall_logs")| where (bytes_out > 1000000 AND bytes_out > bytes_in * 5) // High outbound traffic| bucket span=1h _time| stats count by _time, host, process, dest_ip, bytes_out| where count > 5| stats count by host, dest_ip, count, earliest(_time), latest(_time)| where count >= 5| eval risk_score=case( count >= 10, 9, count >= 5, 8)| where risk_score >= 8| table host, dest_ip, count, earliest, latest, risk_score



Network Traffic Content

Hidden or encoded data inside normal C2 traffic (e.g., Base64, XOR, custom encoding).HTTP/S payloads with unusual long strings in GET/POST requests.DNS tunneling techniques used to bypass security controls.

Analytic 1 - Detecting Encoded or Hidden Data in C2 Channels

(EventCode=3 OR source="zeek_http.log" OR source="dns.log")| where (uri_length > 200 OR request_body_length > 5000)| eval encoded_data=if(match(uri, "([A-Za-z0-9+/=]{100,})") OR match(request_body, "([A-Za-z0-9+/=]{100,})"), 1, 0)| where encoded_data=1| stats count by _time, host, user, uri, request_body_length, risk_score| eval risk_score=case( request_body_length > 10000, 9, request_body_length > 5000, 8)| where risk_score >= 8| table host, uri, request_body_length, risk_score



Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.


T1555 - Credentials from Web Browsers


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments that may acquire credentials from web browsers by reading files specific to the target browser.[1]

Analytic 1 - Commands indicating credential searches in web browsers.

index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure") event_type="process"(CommandLine IN ("sqlite3 logins", "CryptUnprotectData", "security find-internet-password", "sqlcipher logins", "strings Login Data", "cat Login Data", "cat logins.json", "sqlite3 signons.sqlite"))

DS0022

File

File Access

Identify web browser files that contain credentials such as Google Chrome’s Login Data database file: AppData\Local\Google\Chrome\User Data\Default\Login Data. Monitor file read events of web browser files that contain credentials, especially when the reading process is unrelated to the subject web browser.

Analytic 1 - Unauthorized access to web browser credential files.

index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure") event_type="file_open"((file_path IN ("\AppData\Local\Google\Chrome\User Data\Default\Login Data", "\AppData\Local\Microsoft\Edge\User Data\Default\Login Data", "\AppData\Roaming\Mozilla\Firefox\Profiles\\logins.json") AND Platform="Windows") OR (file_path IN ("/home//.mozilla/firefox//logins.json", "/home//.config/google-chrome/Default/Login Data") AND Platform="Linux") OR (file_path IN ("/Users//Library/Application Support/Google/Chrome/Default/Login Data", "/Users//Library/Application Support/Firefox/Profiles//logins.json") AND Platform="macOS"))

DS0009

Process

OS API Execution

Monitor for API calls that may acquire credentials from web browsers by reading files specific to the target browser.[1]

Analytic 1 - Suspicious API calls related to web browser credential access.

index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure") event_type="api_call"(api IN ("CryptUnprotectData", "NSS_Init", "PK11SDR_Decrypt", "SecItemCopyMatching", "SecItemAdd", "SecItemUpdate", "SecItemDelete"))



Process Access

Monitor process execution logs to include PowerShell Transcription focusing on those that perform a combination of behaviors including reading web browser process memory, utilizing regular expressions, and those that contain numerous keywords for common web applications (Gmail, Twitter, Office365, etc.).

Analytic 1 - Unauthorized process access indicating credential searches in web browsers.

index=security sourcetype IN ("WinEventLog:Microsoft-Windows-Sysmon/Operational", "linux_secure", "macos_secure") event_type="process"(CommandLine IN ("sqlite3 logins", "sqlcipher logins", "db-browser Login Data", "db-browser logins.json", "CryptUnprotectData", "security find-internet-password", "security dump-keychain", "strings Login Data", "cat Login Data", "cat logins.json", "sqlite3 signons.sqlite"))


T1539 - Steal Web Session Cookie


ID

Data Source

Data Component

Detects

DS0022

File

File Access

Monitor for an attempt by a user to gain access to a network or computing resource, often by providing credentials to cloud service management consoles. Some cloud providers, such as AWS, provide distinct log events for login attempts to the management console.

Analytic 1 - Unexpected access to web session cookies files.

(index=security sourcetype="WinEventLog:Security" EventCode=4663 ObjectName="\AppData\Roaming\\Cookies\" OR ObjectName="\AppData\Local\\Cookies\") OR(index=sysmon sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11 TargetObject="\AppData\Roaming\\Cookies\" OR TargetObject="\AppData\Local\\Cookies\") OR(index=os sourcetype="linux_audit" (filepath="/home//.mozilla/firefox/.default-release/cookies.sqlite" OR filepath="/home//.config/google-chrome/Default/Cookies")) OR(index=os sourcetype="macos_secure" file_path="/Users//Library/Application Support/Google/Chrome/Default/Cookies") OR(index=gsuite sourcetype="gsuite:admin" event_name="LOGIN" event_type="cookie_auth") OR(index=o365 sourcetype="o365:management:activity" Operation="UserLoginViaCookie")

DS0009

Process

Process Access

Monitor for attempts by programs to inject into or dump browser process memory.

Analytic 1 - Unauthorized access or injection into browser processes.

(index=security sourcetype="WinEventLog:Security" EventCode=4688 OR EventCode=4663) OR(index=sysmon sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 OR EventCode=10) OR(index=os sourcetype="linux_secure" action="execve" OR action="ptrace") OR(index=os sourcetype="macos_secure" event_type="execve" OR event_type="ptrace") OR(index=gsuite sourcetype="gsuite:admin" event_name="LOGIN" event_type="cookie_auth") OR(index=o365 sourcetype="o365:management:activity" Operation="UserLoginViaCookie")


T1055 - Process Injection


ID

Data Source

Data Component

Detects

DS0022

File

File Metadata

Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc.



File Modification

Monitor for changes made to files that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges.

DS0011

Module

Module Load

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process.

DS0009

Process

OS API Execution

Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC/NtQueueApcThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.[95] Monitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.[96] [97] [98] [99]



Process Access

Monitor for processes being viewed that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges.



Process Metadata

Monitor for process memory inconsistencies, such as checking memory ranges against a known copy of the legitimate module.[100]



Process Modification

Monitor for changes made to processes that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges.

Observed Countries250

AD (246)
AE (562)
AF (449)
AG (505)
AI (16)
AL (399)
AM (87)
AO (75)
AQ (676)
AR (121)
AS (699)
AT (718)
AU (431)
AW (651)
AX (112)
AZ (935)
BA (817)
BB (419)
BD (600)
BE (940)
BF (425)
BG (247)
BH (678)
BI (998)
BJ (778)
BL (896)
BM (888)
BN (697)
BO (409)
BQ (501)
BR (954)
BS (648)
BT (117)
BV (13)
BW (605)
BY (23)
BZ (904)
CA (662)
CC (393)
CD (706)
CF (62)
CG (421)
CH (803)
CI (231)
CK (756)
CL (682)
CM (426)
CN (942)
CO (367)
CR (561)
CU (244)
CV (360)
CW (54)
CX (982)
CY (382)
CZ (410)
DE (662)
DJ (949)
DK (192)
DM (700)
DO (844)
DZ (435)
EC (906)
EE (13)
EG (764)
EH (61)
ER (562)
ES (744)
ET (150)
FI (940)
FJ (727)
FK (217)
FM (131)
FO (159)
FR (468)
GA (418)
GB (612)
GD (868)
GE (291)
GF (397)
GG (730)
GH (364)
GI (168)
GL (788)
GM (228)
GN (323)
GP (876)
GQ (783)
GR (880)
GS (543)
GT (790)
GU (817)
GW (582)
GY (437)
HK (214)
HM (360)
HN (188)
HR (84)
HT (22)
HU (249)
ID (552)
IE (178)
IL (859)
IM (612)
IN (811)
IO (660)
IQ (500)
IR (122)
IS (18)
IT (992)
JE (29)
JM (563)
JO (353)
JP (889)
KE (73)
KG (163)
KH (971)
KI (280)
KM (809)
KN (227)
KP (55)
KR (283)
KW (567)
KY (146)
KZ (767)
LA (284)
LB (706)
LC (612)
LI (687)
LK (380)
LR (196)
LS (452)
LT (375)
LU (857)
LV (285)
LY (713)
MA (837)
MC (442)
MD (865)
ME (895)
MF (40)
MG (220)
MH (264)
MK (880)
ML (428)
MM (665)
MN (740)
MO (735)
MP (184)
MQ (796)
MR (743)
MS (329)
MT (442)
MU (687)
MV (988)
MW (228)
MX (581)
MY (885)
MZ (673)
NA (937)
NC (35)
NE (382)
NF (147)
NG (459)
NI (905)
NL (154)
NO (279)
NP (645)
NR (280)
NU (133)
NZ (816)
OM (55)
PA (820)
PE (452)
PF (776)
PG (820)
PH (845)
PK (916)
PL (904)
PM (303)
PN (230)
PR (466)
PS (987)
PT (992)
PW (622)
PY (572)
QA (245)
RE (853)
RO (607)
RS (347)
RU (503)
RW (329)
SA (687)
SB (542)
SC (15)
SD (259)
SE (806)
SG (353)
SH (774)
SI (204)
SJ (226)
SK (834)
SL (317)
SM (511)
SN (809)
SO (827)
SR (98)
SS (259)
ST (21)
SV (40)
SX (321)
SY (873)
SZ (985)
TC (929)
TD (905)
TF (317)
TG (203)
TH (875)
TJ (660)
TK (547)
TL (457)
TM (589)
TN (751)
TO (725)
TR (547)
TT (752)
TV (286)
TW (867)
TZ (52)
UA (195)
UG (578)
UM (226)
US (828)
UY (131)
UZ (417)
VA (135)
VC (639)
VE (322)
VG (813)
VI (652)
VN (622)
VU (889)
WF (712)
WS (733)
XK (954)
YE (257)
YT (546)
ZA (164)
ZM (427)
ZW (256)