Cybercriminals promised a free, AI-based video editor in a social media campaign. Those who fell for the offer, however, ended up installing info-stealer malware. On social media, the campaign organizers advertised the supposed AI video editor with posts such as these.
IT security researchers from Malwarebytes found that, instead of the expected video editor with AI features, Windows PCs received the Lumma Stealer and Macs received the Atomic Stealer. The campaign promoting the malware ran on several social media platforms, including Facebook, YouTube, and X.
The malware campaign has been ongoing since at least early September and is still active. The perpetrators created numerous accounts to promote their “product.” Malwarebytes lists many handles like @ProAIEdit, @EditProAI, @EdittProAI, @EditPr0AI, and others under the name “EditProAI.” Some accounts appear to have been compromised and misused for advertising.
This appears to be a well-organized campaign. It looks legitimate, which is why it was discovered so late, Malwarebytes explains. The website distributing the malware is still online and looks professional. The site is available in multiple languages, including German and English. A displayed changelog is meant to reinforce the impression of a real product. Anyone attempting the download at the moment only ends up solving captchas – these are shown before the supposed download – and no malware is delivered. However, this could also be due to a geo-IP restriction.
Malwarebytes’ virus analysts found the files “Edit-ProAI-Setup-newest_release.exe” for Windows and “EditProAi_v.4.36.dmg” for macOS. The Windows file contains the Lumma Stealer, a malware-as-a-service offering that steals data from crypto wallets, browser extensions, and two-factor authentication tools. The Atomic Stealer for macOS makes money for its operators by searching the infected computer for credit card data, authentication cookies, passwords, and cryptocurrency and sending what it finds to the operators. In addition to data from the web browsers themselves, it can also extract information from browser extensions.
Malwarebytes does not provide indicators of compromise (IOCs). Anyone who has executed the malware should keep an eye on their accounts, as account credentials and cryptocurrency are the primary targets of the info stealers, Malwarebytes employees explain. Affected users should change their passwords – starting with the most important ones. Those who do not yet use a password manager should switch to one. Where possible, they should also enable multi-factor authentication. On the infected machine, they should log out of all important accounts, because the info stealers can steal session cookies, and a stolen session cookie lets an attacker bypass the MFA login.
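The advice to log out of every account deserves a short illustration of why a password change alone is not enough. The following is an added example, not code from the article or from Malwarebytes: a minimal in-memory session store in which a copied session token keeps working, with no MFA prompt, until the server explicitly revokes the user's sessions. The `SessionStore` class, the user name `alice`, and the behaviour that changing the password leaves existing sessions untouched are all assumptions of this demo, chosen to show the failure mode; real services differ in whether a password change also revokes sessions.

```python
import hashlib
import secrets
import time

# Constructed demo store: tokens are hashed at rest so a leaked store
# cannot be replayed, but a token copied from the browser still works.
class SessionStore:
    def __init__(self):
        self._sessions = {}   # sha256(token) -> {"user": ..., "created": ...}
        self._passwords = {}  # user -> password hash (demo only)

    @staticmethod
    def _h(value):
        return hashlib.sha256(value.encode()).hexdigest()

    def login(self, user, password):
        # Assume MFA has just been completed; the server issues a bearer token.
        if self._passwords.get(user) != self._h(password):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[self._h(token)] = {"user": user, "created": time.time()}
        return token

    def validate(self, token):
        # The cookie alone proves identity; no password, no MFA check here.
        entry = self._sessions.get(self._h(token))
        return entry["user"] if entry else None

    def set_password(self, user, password):
        # Deliberately does NOT touch sessions, to show that a password
        # change by itself leaves a stolen cookie valid.
        self._passwords[user] = self._h(password)

    def logout_all(self, user):
        # Server-side revocation: this is what "log out of all accounts"
        # must achieve to make an exfiltrated cookie useless.
        doomed = [k for k, v in self._sessions.items() if v["user"] == user]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)


def demo():
    store = SessionStore()
    store.set_password("alice", "old-password")
    victim_cookie = store.login("alice", "old-password")

    # Constructed scenario: an info stealer copies the cookie value.
    stolen_copy = victim_cookie

    valid_before = store.validate(stolen_copy)          # "alice"
    store.set_password("alice", "new-password")
    valid_after_pw_change = store.validate(stolen_copy)  # still "alice"
    revoked = store.logout_all("alice")                  # 1 session removed
    valid_after_logout = store.validate(stolen_copy)     # None

    return valid_before, valid_after_pw_change, revoked, valid_after_logout


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `("alice", "alice", 1, None)`: the copied cookie authenticates before and after the password change and only stops working once the sessions are revoked server side. That is the gap the article's "log out of all important accounts" step is meant to close.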