A new ongoing malware campaign that exploits the growing popularity of AI tools by disguising itself as an AI voice generator has been discovered by Kaspersky. The malware uses GitHub to store password-protected archives as the final payload. This payload contains password and data stealers, enabling cybercriminals to steal various types of data, mine cryptocurrency, and download additional malicious software.
The Gipy malware has been active since mid-2023 and distinguishes itself by choosing AI tools as bait to spread malware. In a recent campaign observed by Kaspersky, the initial infection occurs when a user downloads a malicious file from a phishing website that imitates an AI application used to change voices. These websites are well-crafted and appear identical to legitimate ones. Links to the malicious files are frequently placed on compromised third-party websites running WordPress.
Gipy splash screens
After the user clicks the "Install" button, the installer for a legitimate application starts, but in the background, a script executes malicious activities. During its execution, Gipy downloads and launches third-party malware from GitHub packaged in password-protected ZIP archives. Kaspersky experts have analyzed over 200 of these archives. Most of the ones on GitHub contain the infamous Lumma password stealer. However, the experts also found Apocalypse ClipBanker, a modified Corona cryptominer, and several RATs, including DCRat and RADXRat. Additionally, they discovered password stealers like RedLine and RisePro, a Golang-based stealer called Loli, and a Golang-based backdoor named TrueClient.
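The archives Gipy fetches from GitHub are password-protected, which keeps gateway and endpoint scanners from inspecting their contents. The Python below is an added example, not code from Kaspersky's report: it shows how a download filter can detect that property from the ZIP central directory alone, with no password, using a constructed two-entry archive in which one entry's encryption flag is set by hand.

```python
import io
import struct
import zipfile

# Bit 0 of the ZIP general-purpose flag field marks an entry as encrypted
# (PKWARE or AES); a scanner without the password cannot inspect that entry.
ENCRYPTED_FLAG = 0x0001


def encrypted_entries(zip_bytes: bytes) -> list[str]:
    """Names of entries whose central-directory flags say 'encrypted'.

    zipfile only parses the central directory here, so no password and no
    extraction are needed; this is what a download filter can check cheaply.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED_FLAG]


def should_quarantine(zip_bytes: bytes) -> bool:
    """Policy hook: an archive with any uninspectable entry is held for review."""
    return bool(encrypted_entries(zip_bytes))


def build_sample_archive(mark_encrypted: bool = True) -> bytes:
    """Constructed sample: a two-entry ZIP; optionally set the encryption flag
    on 'payload.exe' by patching its central-directory header (the data itself
    is not encrypted; the flag alone is what a gateway sees)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", b"hello")
        zf.writestr("payload.exe", b"MZ" + b"\x00" * 14)
    data = bytearray(buf.getvalue())
    if not mark_encrypted:
        return bytes(data)
    # Central directory header: signature PK\x01\x02, flags at +8,
    # filename length at +28, filename at +46.
    sig = b"PK\x01\x02"
    pos = data.find(sig)
    while pos != -1:
        name_len = struct.unpack_from("<H", data, pos + 28)[0]
        if bytes(data[pos + 46:pos + 46 + name_len]) == b"payload.exe":
            flags = struct.unpack_from("<H", data, pos + 8)[0]
            struct.pack_into("<H", data, pos + 8, flags | ENCRYPTED_FLAG)
        pos = data.find(sig, pos + 1)
    return bytes(data)
```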
The cybercriminals behind Gipy do not show a particular geographical preference, targeting users worldwide. The top five affected countries are Russia, Taiwan, the US, Spain, and Germany.
"AI tools bring remarkable benefits and revolutionize our daily lives, but users must stay vigilant. Cybercriminals are leveraging the surge in AI interest to spread malware and conduct phishing attacks. AI has been used as bait for over a year now, and we do not expect this trend to abate," comments Oleg Kupreev, security expert at Kaspersky.
To stay protected and explore new technologies in a safe way, Kaspersky experts also recommend:
- Be cautious when downloading software from the internet, especially if it's from a third-party website. Always try to download software from the official website of the company or service that you are using.
- Verify that the website you are downloading software from is legitimate. Look for the padlock icon in the address bar and make sure that the website's URL starts with https:// to ensure that the connection is encrypted. Note that phishing sites use HTTPS as well, so the padlock alone does not prove the site is genuine; check that the domain name matches the vendor's official one.
- Use strong, unique passwords for each of your accounts and enable two-factor authentication whenever possible. This can help protect your accounts from being compromised by attackers.
- Be wary of suspicious links or emails from unknown sources. Scammers often use social engineering techniques to trick users into clicking on links or downloading malicious software.
- Use a reliable security solution and keep it up-to-date. Kaspersky Premium is updated with the latest intelligence and can help detect and remove any malware that may be on your computer.