EvilAI malware hidden in AI tools to infiltrate global organizations

September 29, 2025

Threat actors have been observed using seemingly legitimate artificial intelligence (AI) tools and software to smuggle stealthy malware onto systems, laying the groundwork for future attacks on organizations around the world.

According to Trend Micro, the campaign uses productivity or AI-enhancing tools to deliver malware to targets across several regions, including Europe, the Americas, and the Asia, Middle East and Africa (AMEA) region.

Manufacturing, government, healthcare, technology and retail are among the sectors most affected by the attack, with India, the US, France, Italy, Brazil, Germany, the UK, Norway, Spain and Canada recording the most infections, which shows how widely it has spread.

“This rapid, widespread distribution across multiple regions strongly indicates that EvilAI is not an isolated incident, but an active and evolving campaign currently circulating in the wild,” said security researchers Jeffrey Francis Bonaobra, Joshua Aquino, Emmanuel Panopio, Emmanuel Roll, Joshua Rijandro Singazan, Melvan Nataniel Ramaniel […].

Trend Micro, which tracks the campaign as EvilAI, describes the attackers behind the operation as “very capable” because of their ability to blur the line between genuine and deceptive software for malware distribution, and to hide malicious features inside applications that actually work.

Programs distributed using this method include AppSuite, EPI Browser, JustAskJacky, ManualFinder, OneStart, PDF Editor, Recipe Lister, and TamperedChef. Several aspects of the campaign were documented in detail last month by Expel, G DATA, and Truesec.

Central to the campaign are the lengths to which the attackers went to make these apps look authentic: once installed, the apps carry out a range of malicious activity in the background without raising any red flags. The deception is reinforced by signing the binaries with certificates issued to disposable companies, with a fresh certificate obtained whenever an older signature is revoked.

“EvilAI disguises itself as a productivity or AI-enhancing tool with a professional interface and a valid digital signature, which makes it difficult for users and security tools to distinguish it from legitimate software,” Trend Micro said.

The ultimate goal of the campaign is to conduct extensive reconnaissance, steal sensitive browser data, maintain encrypted real-time communication with its command-and-control (C2) servers over AES-encrypted channels, receive attacker commands, and deploy additional payloads.

The malware is distributed through several channels, including newly registered websites that mimic vendor portals, malicious ads, SEO manipulation, and download links promoted on forums and social media.

According to Trend Micro, EvilAI mainly serves as a conduit for gaining initial access, establishing persistence, and staging infected systems for additional payloads, while also enumerating installed security software and hindering analysis.

“Instead of relying on obviously malicious files, these Trojans mimic the appearance of real software, often providing lasting access before they are noticed or suspected, in both corporate and personal environments,” the company said. “This dual-purpose approach satisfies users’ expectations and further reduces the likelihood of doubt or investigation.”

Further analysis by G DATA determined that the threat actors behind OneStart, ManualFinder, and AppSuite were the same, and that the server infrastructure used to distribute and configure all of these programs was shared.

“They are adding the buzzword ‘AI’ to seduce users, under the guise of games, print recipes, recipe finders, manual viewfinders and recent malware,” says security researcher Banu Ramakrishnan.

Expel said the developers behind the AppSuite and PDF Editor campaigns have signed the software to make it look legitimate, using at least 26 code-signing certificates issued to companies in Panama and Malaysia over the past seven years.

The cybersecurity company tracks malware signed with these certificates under the name BaoLoader and considers it distinct from TamperedChef, citing differences in behavior and certificate patterns.

The name TamperedChef was originally given to a malicious recipe application configured to use a remote server to set up covert communication channels and receive commands that facilitate data theft.

“TamperedChef used code signing certificates issued to Ukrainian and British companies, while BaoLoader consistently used Panamanian and Malaysian certificates,” the company noted.

And that’s not all. Since then, Field Effect and GuidePoint Security have discovered more digitally signed binaries posing as calendar and image-viewer tools that use the Neutralinojs desktop framework to run arbitrary JavaScript code and siphon sensitive data.

“Neutralinojs was used to run JavaScript payloads and interact with native system APIs, allowing covert file system access, process spawning, and network communication,” Field Effect said. “The malware was able to bypass string-based detection and signature matching by using Unicode homoglyphs to encode the payload within a seemingly benign API response.”
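The homoglyph trick Field Effect describes defeats detections that compare raw strings byte for byte: a Cyrillic “о” or a fullwidth “ｍ” looks like the ASCII letter but has a different code point. The following is an added example (not code from the article, Field Effect or Trend Micro) of the defensive counterpart: fold every string leaf of a JSON response to a canonical form before matching, and separately flag tokens that mix Latin letters with another script. The indicator list, the lookalike table (a small subset of what Unicode’s confusables data covers) and the sample response are all constructed for the illustration.

```python
import json
import unicodedata

# Constructed, partial lookalike table (a small subset of what Unicode's
# confusables data covers): Cyrillic and Greek letters that render like ASCII.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X", "\u03b1": "a", "\u03bf": "o", "\u0391": "A", "\u039f": "O",
}

# Constructed indicator list; a real ruleset would be far larger.
INDICATORS = ("powershell", "-encodedcommand", "rundll32", "cmd.exe /c")


def normalize_text(s):
    """Fold a string to a canonical ASCII-leaning form before matching."""
    # NFKC maps compatibility forms such as fullwidth 'm' (U+FF4D) to 'm';
    # it leaves true cross-script lookalikes (Cyrillic 'o', U+043E) alone,
    # so the confusables table handles those afterwards.
    s = unicodedata.normalize("NFKC", s)
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)


def script_of(ch):
    """Coarse script bucket derived from the Unicode character name."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return "OTHER"


def mixed_script_tokens(s):
    """Whitespace-separated tokens that mix Latin letters with another script."""
    flagged = []
    for token in s.split():
        scripts = {sc for sc in map(script_of, token) if sc}
        if "LATIN" in scripts and len(scripts) > 1:
            flagged.append(token)
    return flagged


def scan_value(value):
    """Compare naive substring matching with matching after normalization."""
    naive = [i for i in INDICATORS if i in value.lower()]
    folded = normalize_text(value).lower()
    normalized = [i for i in INDICATORS if i in folded]
    return {
        "naive": naive,
        "normalized": normalized,
        "mixed_script": mixed_script_tokens(value),
    }


def scan_api_response(body):
    """Walk a JSON document and report every string leaf that looks suspicious."""
    findings = {}

    def walk(node, path):
        if isinstance(node, dict):
            for key, child in node.items():
                walk(child, f"{path}.{key}" if path else key)
        elif isinstance(node, list):
            for idx, child in enumerate(node):
                walk(child, f"{path}[{idx}]")
        elif isinstance(node, str):
            result = scan_value(node)
            if result["normalized"] or result["mixed_script"]:
                findings[path] = result

    walk(json.loads(body), "")
    return findings


# Constructed sample: a benign-looking "update check" response whose
# message field hides a command string behind Cyrillic lookalikes
# (U+043E, U+0435, U+0441) and a fullwidth letter (U+FF4D).
SAMPLE_RESPONSE = json.dumps({
    "status": "ok",
    "version": "1.4.2",
    "message": "Update ready: run p\u043ewersh\u0435ll -En\u0441odedCommand ...",
    "tips": ["Press Ctrl+S to save", "Fallback: c\uff4dd.exe /c update.bat"],
})

if __name__ == "__main__":
    for path, result in scan_api_response(SAMPLE_RESPONSE).items():
        print(path, result)
```

Run stand-alone, the script reports the `message` and `tips[1]` fields: naive matching finds nothing in either, matching after normalization hits `powershell`, `-encodedcommand` and `cmd.exe /c`, and the mixed-script check flags the disguised tokens on its own, which is useful when the lookalike table is incomplete. The same two checks apply equally to decoded script bodies and to strings pulled from process command lines.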

The Canadian cybersecurity company said the presence of several code-signing publishers across multiple samples suggests either a shared malware provider or a code-signing marketplace that drives wide distribution.

“The TamperedChef campaign shows how threat actors are evolving their delivery mechanisms by weaponizing potentially unwanted applications, abusing digital code signatures, and deploying secret encoding technologies,” the company added. “These tactics allow malware to pose as legitimate software, bypass endpoint defenses and leverage user trust.”
