Threat actors have been observed using seemingly legitimate artificial intelligence (AI) tools and software to sneakily slip malware for future attacks on organizations worldwide.
According to Trend Micro, the campaign is using productivity or AI-enhanced tools to deliver malware targeting various regions, including Europe, the Americas, and the Asia, Middle East, and Africa (AMEA) region.
Manufacturing, government, healthcare, technology, and retail are some of the top sectors affected by the attacks, with India, the U.S., France, Italy, Brazil, Germany, the U.K., Norway, Spain, and Canada emerging as the regions with the most infections, indicating a global spread.
“This swift, widespread distribution across multiple regions strongly indicates that EvilAI is not an isolated incident but rather an active and evolving campaign currently circulating in the wild,” security researchers Jeffrey Francis Bonaobra, Joshua Aquino, Emmanuel Panopio, Emmanuel Roll, Joshua Lijandro Tsang, Armando Nathaniel Pedragoza, Melvin Singwa, Mohammed Malubay, and Marco Dela Vega said.
The campaign has been codenamed EvilAI by Trend Micro, describing the attackers behind the operation as “highly capable” owing to their ability to blur the line between authentic and deceptive software for malware distribution and their ability to conceal its malicious features in otherwise functional applications.
Some of the programs distributed using the method include AppSuite, Epi Browser, JustAskJacky, Manual Finder, OneStart, PDF Editor, Recipe Lister, and Tampered Chef. Some aspects of the campaign were documented in detail by Expel, G DATA, and TRUESEC last month.
What’s significant about the campaign is the lengths to which the attackers have gone to make these apps appear authentic and ultimately carry out a slew of nefarious activities in the background once installed, without raising any red flags. The deception is further enhanced by the use of signing certificates from disposable companies, as older signatures are revoked.
“EvilAI disguises itself as productivity or AI-enhanced tools, with professional-looking interfaces and valid digital signatures that make it difficult for users and security tools to distinguish it from legitimate software,” Trend Micro said.
The end goal of the campaign is to conduct extensive reconnaissance, exfiltrate sensitive browser data, and maintain encrypted, real-time communication with its command-and-control (C2) servers using AES-encrypted channels to receive attacker commands and deploy additional payloads.
It essentially makes use of several propagation methods, including using newly registered websites that mimic vendor portals, malicious ads, SEO manipulation, and promoted download links on forums and social media.
EvilAI, per Trend Micro, is used as a stager, chiefly acting as a conduit to gain initial access, establish persistence, and prepare the infected system for additional payloads, while taking steps to enumerate…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
