Source: www.darkreading.com – Author: Jai Vijayan, Contributing Writer

A threat actor is using legitimate-looking AI tools and software to plant malware on systems in preparation for future attacks on organizations worldwide.
The campaign, which Trend Micro researchers are tracking as “EvilAI,” has already racked up hundreds of victims across manufacturing, government, healthcare, and other sectors, and has infected organizations in the US, India, the UK, Germany, France, Brazil, and beyond.
Fast Moving Threat
Trend Micro described the operation as fast-moving, leveraging AI, digital signatures, and realistic-looking features and functionality to avoid easy detection. “Just one week of monitoring has revealed the aggressive and rapid spread of the EvilAI malware,” Trend Micro said in a report this week. The “swift, widespread distribution across multiple regions strongly indicates that EvilAI is not an isolated incident but rather an active and evolving campaign currently circulating in the wild.”
The threat actor is using seemingly legitimate productivity and AI-enhanced apps with names like App Suite, Epi Browser, JustAskJacky, Manual Finder, and Tampered Chef to conceal malware. While that by itself is a tired and worn tactic, what’s noteworthy about the EvilAI campaign is the lengths to which the adversary has gone to make the apps appear genuine.
Trend Micro’s analysis showed the apps to feature “professionally crafted user interfaces and real, working features” that a user or organization would expect from the software. The Recipe Maker app, for instance, actually provides recipe-management capabilities, while Manual Finder helps users search for documents on their systems. In most of the apps, the malware code itself appears to have been AI-generated and contains little that would attract the attention of antivirus and threat detection tools. Rather than attempting to mimic well-known apps, a common tactic among threat actors, the operators of EvilAI have chosen to conceal their malware in new apps with innocuous, generic-sounding titles in order to appear authentic.
AI Enhanced Malware
“By combining believable functionality with stealthy payload delivery, AI is reviving classic threats like Trojans and giving them new evasion capabilities against modern antivirus (AV) defenses,” Trend Micro said.
Adding to the deception are the apps’ digital signatures. Trend Micro found the threat actor using code-signing certificates from several newly registered entities to digitally sign the malicious apps and thereby lend them the authenticity that detection tools look for when scanning for malware. Most of the entities, with names like App Interplace LLC, Byte Media Sdn Bhd, Global Tech Allies ltd, and Pixel Catalyst Media LLC, appear to have been registered over the past year. They typify the “disposable companies” that malware authors often set up to obtain digital certificates for signing malware, Trend Micro said.
For all the sophistication, though, the campaign still depends at least partly on users making choices they should know by now to avoid. One way the attackers distribute the apps is via malicious advertisements in search engine results that direct users to download sites, or via promoted links on social media and forums. Trend Micro said it has also spotted the threat actor hosting the malware on newly registered websites that mimic vendor app portals or tech support pages.
Setting the Stage for Future Attacks
Once installed, the malicious apps function exactly as advertised while carrying out a slew of nefarious activities in the background. That includes extensive reconnaissance to map the victim environment and to identify installed security products. Once the reconnaissance is complete, EvilAI apps forcibly terminate Microsoft Edge and Chrome browser processes and attempt to disable specific security products, including those from Bitdefender, Kaspersky, and Fortinet. The malware deploys a variety of obfuscation methods, including control flow flattening and anti-analysis loops, that make it hard for signature-based tools to detect. Like many malware tools, EvilAI apps use scheduled task triggers and registry manipulation to remain persistent on compromised systems, and they encrypt communication with the command-and-control (C2) server.
Eric Skinner, Trend Micro’s VP of market strategy, says the malicious apps are likely being used to set the stage for future exploit activity. “Trend’s researchers have so far classified this malware as a ‘stager’: gaining initial access, establishing persistence, and preparing for future payloads,” Skinner adds. “At this point it isn’t known what subsequent stages might do. The malware could indeed be used primarily by an initial access broker [IAB].”
Traditional signature-based antivirus products, including those that rely on static analysis, are at high risk of missing EvilAI apps because of the aggressive obfuscation techniques the malware author has used, Skinner says. Real-time detection capabilities, such as those offered by modern endpoint detection and response (EDR) tools, are crucial at a time when AI-enabled threats are proliferating, he says. “For a number of years now it’s been increasingly important to leverage endpoint security solutions that can look for unusual behavior in real time.”
Trend Micro’s recommendations include monitoring for unusual process behavior, network traffic, and system anomalies, as well as implementing strict application controls to block unapproved tools.
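The behaviors described in the “Setting the Stage” section above (security-product reconnaissance, browser termination, AV tampering, scheduled-task and Run-key persistence) and the recommendation to monitor for unusual process behavior can be turned into a simple correlation rule. The following is an added example, not code from Trend Micro or the article: it scores constructed endpoint telemetry by parent process and flags a parent only when several of the described behaviors co-occur, so a lone taskkill from explorer.exe is not reported. The log format, `PlaceholderApp` path, service name and thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the report), one event per line:
#   event_type | parent_image | image_or_registry_key | command_line_or_value
# PlaceholderApp stands in for whichever signed "productivity" app was installed.
SAMPLE_EVENTS = r"""
proc | C:\Program Files\PlaceholderApp\PlaceholderApp.exe | C:\Windows\System32\wbem\wmic.exe | wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName
proc | C:\Program Files\PlaceholderApp\PlaceholderApp.exe | C:\Windows\System32\taskkill.exe | taskkill /F /IM msedge.exe
proc | C:\Program Files\PlaceholderApp\PlaceholderApp.exe | C:\Windows\System32\taskkill.exe | taskkill /F /IM chrome.exe
proc | C:\Program Files\PlaceholderApp\PlaceholderApp.exe | C:\Windows\System32\net.exe | net stop PlaceholderKasperskyService
proc | C:\Program Files\PlaceholderApp\PlaceholderApp.exe | C:\Windows\System32\schtasks.exe | schtasks /Create /SC ONLOGON /TN PlaceholderUpdate /TR C:\Users\u\AppData\Roaming\upd.exe
reg  | C:\Program Files\PlaceholderApp\PlaceholderApp.exe | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PlaceholderUpdate | C:\Users\u\AppData\Roaming\upd.exe
proc | C:\Windows\explorer.exe | C:\Windows\System32\taskkill.exe | taskkill /IM chrome.exe
proc | C:\Windows\explorer.exe | C:\Windows\System32\notepad.exe | notepad.exe notes.txt
"""

# One pattern per behavior the article attributes to the EvilAI stager.
BEHAVIOURS = {
    "av_recon":     re.compile(r"SecurityCenter2|AntiVirusProduct", re.I),
    "browser_kill": re.compile(r"taskkill\b.*\b(msedge|chrome)\.exe", re.I),
    "av_tamper":    re.compile(r"\b(sc\s+(stop|delete)|net\s+stop|taskkill)\b.*(bitdefender|kaspersky|forti)", re.I),
    "sched_task":   re.compile(r"schtasks(\.exe)?\s+/create\b", re.I),
    "run_key":      re.compile(r"\\CurrentVersion\\Run\\", re.I),
}

def parse_events(text):
    """Split the pipe-delimited sample format into dicts; malformed lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        parts = [p.strip() for p in line.split("|", 3)]
        if len(parts) == 4:
            events.append(dict(zip(("type", "parent", "target", "cmd"), parts)))
    return events

def behaviours_by_parent(events):
    """Map each parent image to the set of described behaviors its children exhibited."""
    seen = defaultdict(set)
    for ev in events:
        haystack = f"{ev['target']} {ev['cmd']}"   # registry key or image plus command line
        for name, pattern in BEHAVIOURS.items():
            if pattern.search(haystack):
                seen[ev["parent"]].add(name)
    return seen

def flag_stagers(events, min_behaviours=3):
    """Report parents that combine several behaviors; a single match is too noisy to act on."""
    return {parent: sorted(names) for parent, names in behaviours_by_parent(events).items()
            if len(names) >= min_behaviours}
```

In a real deployment the parent image would be joined with the signer name and certificate issue date, so that a newly signed, never-before-seen publisher combined with these behaviors raises the alert priority.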
About the Author
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master’s degree in Statistics and lives in Naperville, Ill.
Original Post URL: https://www.darkreading.com/cyberattacks-data-breaches/ai-backed-malware-hits-companies-worldwide