EvilAI Malware Masquerades as AI Tools to Infiltrate Global Organizations

The campaign has been codenamed EvilAI by Trend Micro, which describes the attackers behind the operation as “highly capable” owing to their ability to blur the line between authentic and deceptive software for malware distribution and to conceal malicious features inside otherwise functional applications. EvilAI, per Trend Micro, is used as a stager, chiefly acting as a conduit to gain initial access, establish persistence, and prepare the infected system for additional payloads, while also enumerating installed security software and hindering analysis.

What’s significant about the campaign is the lengths to which the attackers have gone to make these apps appear authentic and, once installed, to carry out a slew of nefarious activities in the background without raising any red flags. The deception is further enhanced by the use of code-signing certificates issued to disposable companies, which are swapped out as older signatures are revoked.

The end goal of the campaign is to conduct extensive reconnaissance, exfiltrate sensitive browser data, and maintain encrypted, real-time communication with its command-and-control (C2) servers over AES-encrypted channels to receive attacker commands and deploy additional payloads. The campaign relies on several propagation methods, including newly registered websites that mimic vendor portals, malicious ads, SEO manipulation, and promoted download links on forums and social media.

And that’s not all. Field Effect and GuidePoint Security have since uncovered more digitally signed binaries that masquerade as calendar and image viewer tools, and make use of the NeutralinoJS desktop framework to execute arbitrary JavaScript code and siphon sensitive data. “The use of NeutralinoJS to execute JavaScript payloads and interact with native system APIs enabled covert file system access, process spawning, and network communication,” Field Effect said. “The malware’s use of Unicode homoglyphs to encode payloads within seemingly benign API responses allowed it to bypass string-based detection and signature matching.”
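A defender-side check for the homoglyph-encoding technique Field Effect describes, as an added example that is not code from either report: it walks a JSON API response and flags string fields that mix ASCII letters with non-ASCII look-alikes, which is the trace a homoglyph-encoded payload leaves in an otherwise benign-looking reply. The confusables table is a hand-picked subset and the sample response is constructed; both are assumptions, not data from the campaign.

```python
import json
import unicodedata

# Constructed subset of the Unicode confusables data (UTS #39): non-ASCII
# letters that render like ASCII letters. A production detector should load
# the full confusables.txt instead of this hand-picked list.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u03bf": "o", "\u03b1": "a", "\u0391": "A", "\u0392": "B", "\u0395": "E",
    "\u041e": "O", "\u0421": "C", "\u0420": "P", "\u0422": "T", "\u0410": "A",
}

def fold_char(ch: str) -> str:
    """Map one character to its ASCII look-alike, if a mapping is known."""
    if ch in CONFUSABLES:
        return CONFUSABLES[ch]
    # NFKC collapses fullwidth and similar variants (e.g. U+FF53 -> 's').
    folded = unicodedata.normalize("NFKC", ch)
    return folded if len(folded) == 1 and folded.isascii() else ch

def homoglyph_stats(text: str):
    """Return (ascii_letter_count, homoglyph_count, folded_text) for a string."""
    ascii_letters = homoglyphs = 0
    out = []
    for ch in text:
        if ch.isascii():
            ascii_letters += ch.isalpha()
            out.append(ch)
            continue
        folded = fold_char(ch)
        homoglyphs += folded != ch
        out.append(folded)
    return ascii_letters, homoglyphs, "".join(out)

def scan_response(body: str, min_homoglyphs: int = 3):
    """Report JSON string fields that mix ASCII letters with look-alike
    non-ASCII letters. A field written entirely in one non-Latin script
    (a Cyrillic city name, say) has no ASCII letters and is not flagged."""
    findings = []
    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}")
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, f"{path}[{i}]")
        elif isinstance(node, str):
            ascii_letters, homoglyphs, folded = homoglyph_stats(node)
            if ascii_letters and homoglyphs >= min_homoglyphs:
                findings.append((path, homoglyphs, folded))
    walk(json.loads(body), "$")
    return findings

# Constructed sample reply: one clean field, one all-Cyrillic field, and one
# field whose Latin text has five letters swapped for Cyrillic look-alikes.
SAMPLE_RESPONSE = json.dumps({
    "status": "ok",
    "city": "\u041c\u043e\u0441\u043a\u0432\u0430",
    "banner": "Th\u0435 qu\u0456ck br\u043ewn f\u043ex jumps ov\u0435r",
})
```

Running `scan_response(SAMPLE_RESPONSE)` flags only `$.banner`, returning the folded text so an analyst can read what the field spells once the look-alikes are normalized.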

To read the complete article see: The Hacker News

This post is licensed under CC BY 4.0 by the author.