Beware of Fake Sora AI: Cybercriminals Exploit Hype with Malware Attacks

Phishing site impersonating Sora | Image: CRIL

The buzz surrounding OpenAI’s yet-to-be-released AI model, Sora, has attracted unwanted attention from cybercriminals. Reports from Cyble Research and Intelligence Labs (CRIL) reveal that threat actors are capitalizing on the excitement around Sora by creating phishing websites and distributing malware disguised as legitimate Sora software.

Multiple campaigns have been identified, utilizing cleverly designed phishing sites that impersonate official Sora platforms. These sites lure unsuspecting users into downloading malicious files under the guise of free Sora applications. CRIL has highlighted a phishing site, “hxxps[://]sora-openai-generation[.]com/,” which tricks visitors with promises of converting text into video, ultimately delivering a malicious payload.

Compromised social media page with high follower count promoting Sora via a phishing site | Image: CRIL

The malware distributed in these campaigns is diverse, ranging from information stealers like Braodo Stealer, which targets browser data, to cryptocurrency miners like XMRig and lolMiner. Cybercriminals employ obfuscation such as layered compression and hexadecimal encoding to evade detection, and use compromised social media accounts to spread the phishing links.

These campaigns demonstrate the sophisticated methods employed by threat actors. For example, another phishing site prompts users to download a zip file containing a PyInstaller executable. When executed, this file runs a Python script protected by PyArmor, an obfuscation tool designed to hide the script’s true functionality. The script downloads and executes additional malicious scripts, collecting sensitive data and installing cryptocurrency miners like XMRig and lolMiner on the victim’s machine.
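The PyInstaller-plus-PyArmor chain described above can be recognised without running the sample. The following Python triage helper is an added example, not CRIL's tooling or code from the report: it locates the CArchive cookie that PyInstaller 2.1 and later append to a bundled executable, walks the table of contents, and flags entry names belonging to the PyArmor runtime (pytransform for PyArmor 7, pyarmor_runtime for PyArmor 8). The cookie and TOC layouts follow PyInstaller's documented archive format (the same one pyinstxtractor parses); the test blob is constructed inline and is not a real sample.

```python
import struct
# PyInstaller CArchive cookie (2.1+): magic, pkg length, TOC offset/length, pyver, pylib name
MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_FMT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)   # 88 bytes
# TOC entry header: entry len, data offset, compressed len, uncompressed len, flag, type code
ENTRY_FMT = "!iIIIBc"
ENTRY_HDR = struct.calcsize(ENTRY_FMT)      # 18 bytes; a NUL-padded name follows
PYARMOR_HINTS = (b"pytransform", b"pyarmor")   # runtime module names shipped by PyArmor 7 / 8

def find_cookie(data: bytes):
    """Return (pkg_start, toc_off, toc_len, pyver) or None; rfind because a signed PE may trail data."""
    pos = data.rfind(MAGIC)
    if pos < 0 or pos + COOKIE_SIZE > len(data):
        return None
    _, pkg_len, toc_off, toc_len, pyver, _ = struct.unpack(COOKIE_FMT, data[pos:pos + COOKIE_SIZE])
    # pkg_len is measured from the package start up to the end of the cookie
    return pos + COOKIE_SIZE - pkg_len, toc_off, toc_len, pyver

def list_entries(data: bytes):
    """Return [(type_code, name), ...] from the TOC, or None if this is not a bundle."""
    info = find_cookie(data)
    if info is None:
        return None
    pkg_start, toc_off, toc_len, _ = info
    cur, end, entries = pkg_start + toc_off, pkg_start + toc_off + toc_len, []
    while cur + ENTRY_HDR <= end:
        entry_len, _, _, _, _, typecd = struct.unpack(ENTRY_FMT, data[cur:cur + ENTRY_HDR])
        if entry_len < ENTRY_HDR or cur + entry_len > end:
            break  # corrupt TOC: stop rather than loop forever or over-read
        name = data[cur + ENTRY_HDR:cur + entry_len].rstrip(b"\0")
        entries.append((typecd.decode(), name.decode("utf-8", "replace")))
        cur += entry_len
    return entries

def triage(data: bytes) -> dict:
    """Flag PyInstaller packing and a PyArmor runtime bundled alongside the script."""
    entries = list_entries(data)
    if entries is None:
        return {"pyinstaller": False, "pyarmor_hint": False, "entries": []}
    hint = any(h in n.lower().encode() for _, n in entries for h in PYARMOR_HINTS)
    return {"pyinstaller": True, "pyarmor_hint": hint, "entries": entries}

def build_sample(names) -> bytes:
    """Constructed bundle tail for offline testing (not a real malware sample)."""
    toc = b"".join(struct.pack(ENTRY_FMT, ENTRY_HDR + len(n) + 1, 0, 0, 0, 0, t.encode())
                   + n.encode() + b"\0" for t, n in names)
    body = b"\0" * 16  # stand-in for the packed PYZ and binary payloads
    cookie = struct.pack(COOKIE_FMT, MAGIC, len(body) + len(toc) + COOKIE_SIZE, len(body), len(toc), 311, b"python311.dll")
    return b"MZ-stand-in" + body + toc + cookie
```

Run `triage(open(path, "rb").read())` on a suspicious download; a PYZ entry plus a pytransform or pyarmor_runtime entry matches the chain this article describes and is a reason to detonate the file in a sandbox rather than on a workstation.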

Numerous users have reported falling victim to these campaigns, downloading malware and compromising their data. The malware’s ability to capture sensitive information, such as login credentials and browser cookies, raises serious privacy and security concerns. Additionally, the installation of cryptocurrency miners can severely impact system performance and consume significant energy resources.

CRIL has identified several phishing sites masquerading as legitimate Sora platforms; the indicators are listed in the full report.

For more detailed information and to access the full report, visit Cyble Research and Intelligence Labs’ website.
