EvilAI Malware Disguising Itself as AI Tools Enters International Organizations


Threat actors have been quietly delivering malware to companies around the world by packaging it inside artificial intelligence (AI) tools and productivity software that appear legitimate, staging the compromised systems for follow-on attacks.

According to Trend Micro, the campaign is delivering malware to multiple regions, including Europe, the Americas, and the Asia, Middle East, and Africa (AMEA) region, using lures that pose as productivity or AI-enhanced software.

India, the U.S., France, Italy, Brazil, Germany, the U.K., Norway, Spain, and Canada recorded the highest numbers of infections, indicating a global spread. The industries most affected include manufacturing, government, healthcare, technology, and retail.


Jeffrey Francis Bonaobra, Joshua Aquino, Emmanuel Panopio, Emmanuel Roll, Joshua Lijandro Tsang, Armando Nathaniel Pedragoza, Melvin Singwa, Mohammed Malubay, and Marco Dela Vega, security researchers, stated that “this rapid, extensive distribution across multiple regions strongly indicates that EvilAI is not an isolated incident but rather an active and evolving campaign currently circulating in the wild.”

Trend Micro has given the campaign the codename EvilAI and described the attackers as “highly capable” because of their ability to blend legitimate software with malicious functionality, hiding the malicious components inside otherwise useful applications in order to spread the malware.

AppSuite, Epi Browser, JustAskJacky, Manual Finder, OneStart, PDF Editor, Recipe Lister, and TamperedChef are a few of the programs distributed in this manner. Last month, Expel, G DATA, and TRUESEC published detailed documentation on several elements of the campaign.

The campaign is noteworthy because of the lengths to which the attackers have gone to make these programs look genuine and then, after installation, carry out a number of malicious tasks in the background without raising suspicion. The use of code-signing certificates issued to disposable companies, swapped out as earlier certificates are revoked, further strengthens the deception.


“EvilAI disguises itself as productivity or AI-enhanced tools, with professional-looking interfaces and valid digital signatures that make it difficult for users and security tools to distinguish it from legitimate software,” Trend Micro stated.

The campaign’s ultimate objective is to carry out in-depth reconnaissance, steal confidential browser data, and maintain a real-time connection to its command-and-control (C2) servers over AES-encrypted channels in order to receive commands from the attackers and deliver additional payloads.

The malware is distributed through several channels: malicious advertisements, newly registered websites that imitate vendor portals, SEO manipulation, and promoted download links on social media and forums.

According to Trend Micro, EvilAI is a stager whose main purpose is to gain initial access, establish persistence, and prepare the compromised system for further payloads. It also enumerates installed security software and takes steps to hinder analysis.

“Rather than relying on obviously malicious files, these trojans mimic the appearance of real software to go unnoticed into both corporate and personal environments, often gaining persistent access before raising any suspicion,” the business stated. “This dual-purpose approach ensures the user’s expectations are met, further lowering the chance of suspicion or investigation.”


The threat actors behind OneStart, ManualFinder, and AppSuite are the same, according to additional research by G DATA, which also found that the server infrastructure used to distribute and configure these apps is shared.

According to security researcher Banu Ramakrishnan, “They have been selling malware that is disguised as games, print recipes, recipe finders, manual finders, and lately, adding the buzzword ‘AI’ to lure users.”

According to Expel, over the past seven years the creators of the AppSuite and PDF Editor campaigns have used at least 26 code-signing certificates issued to businesses in Malaysia and Panama, among other places, to make their software look authentic.

Citing differences in behavior and certificate patterns, the cybersecurity firm tracks malware signed with these certificates under the name BaoLoader and states that it is distinct from TamperedChef.

According to Expel, “BaoLoader is primarily a backdoor which allows the operator to execute whatever they want on a system,” News4Hackers reported. “We think that advertising fraud has been their main application thus far. Although they use the backdoor to install the apps, the actors behind the malware function as affiliate distributors for genuine products.”

“We have observed the use of residential proxies and browser extensions. The companies whose software is being deployed have been contacted.”


The malicious software grouped under the EvilAI moniker can be viewed as separate campaigns, according to Expel, which also noted that EvilAI is a much broader category containing BaoLoader alongside other malware, suggesting that it may be one component of a much larger infrastructure.

“Each malware campaign has its own developer, delivery infrastructure, and objectives,” the business stated. “Distinguishing between them helps us better understand different risks and the people behind them.”

Notably, the term TamperedChef was initially linked to a malicious recipe application that was set up to establish a covert channel of communication with a distant server and receive commands that allowed for the theft of data.

It is also worth noting that the malware TRUESEC detects as TamperedChef is actually BaoLoader. As G DATA has pointed out, the malware’s primary functionality, including its support for advertising fraud, is provided by a core backdoor component.

“TamperedChef used code-signing certificates issued to companies in Ukraine and Great Britain while BaoLoader consistently used certificates from Panama and Malaysia,” the business stated.


And that’s not all. Since then, Field Effect and GuidePoint Security have discovered additional digitally signed binaries that pose as calendar and image viewer applications. These binaries use the NeutralinoJS desktop framework to run arbitrary JavaScript code and steal private information. According to Expel, these programs spread the original TamperedChef malware.

“The use of NeutralinoJS to execute JavaScript payloads and interact with native system APIs enabled covert file system access, process spawning, and network communication,” claimed Field Effect. “The malware’s use of Unicode homoglyphs to encode payloads within seemingly benign API responses allowed it to bypass string-based detection and signature matching.”
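As an added example (not from the article or from Field Effect's analysis), here is a Python check a defender could run over API response bodies that are expected to be plain Latin text: it flags words that mix Unicode scripts and counts look-alike letters from other scripts or compatibility forms, which is the kind of content string-based signatures miss. The sample responses are constructed, and the ratio threshold is an assumption.

```python
import re
import unicodedata
from typing import Dict, List

WORD_RE = re.compile(r"\w+", re.UNICODE)


def script_of(ch: str) -> str:
    """Return the script Unicode assigns to a letter ('LATIN', 'CYRILLIC', ...)."""
    if not ch.isalpha():
        return "NONE"
    if ch.isascii():
        return "LATIN"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def mixed_script_words(text: str) -> List[str]:
    """Words whose letters come from more than one script, e.g. 'Upd\u0430te'."""
    found = []
    for word in WORD_RE.findall(text):
        scripts = {script_of(c) for c in word if c.isalpha()}
        if len(scripts) > 1:
            found.append(word)
    return found


def confusable_count(text: str) -> int:
    """Count letters that look Latin but are not plain ASCII: letters from other
    scripts, or compatibility forms (fullwidth, ligatures) that NFKC folds to ASCII.
    Accented Latin letters such as 'é' are left alone."""
    n = 0
    for c in text:
        if not c.isalpha() or c.isascii():
            continue
        folded = unicodedata.normalize("NFKC", c)
        if folded.isascii() or script_of(c) != "LATIN":
            n += 1
    return n


def analyze(text: str, ratio_threshold: float = 0.02) -> Dict[str, object]:
    """Score one response body; assumes the field is meant to be Latin text."""
    letters = sum(1 for c in text if c.isalpha())
    confusables = confusable_count(text)
    mixed = mixed_script_words(text)
    ratio = confusables / letters if letters else 0.0
    return {"letters": letters, "confusables": confusables,
            "confusable_ratio": round(ratio, 4), "mixed_script_words": mixed,
            "suspicious": bool(mixed) or ratio >= ratio_threshold}


# Constructed samples (not real C2 traffic): the second hides Cyrillic and Greek
# look-alikes inside what reads as an ordinary status message.
BENIGN_RESPONSE = '{"status": "ok", "message": "Update available, version 2.1"}'
SUSPICIOUS_RESPONSE = ('{"status": "\u03bfk", '
                       '"message": "Upd\u0430te \u0430v\u0430il\u0430ble, versi\u03bfn 2.1"}')
```

Whole-text non-Latin responses (a Russian or Greek locale) would trip the ratio check, so scope it to fields that are expected to be ASCII.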

The existence of several code-signing publishers across several samples, according to the Canadian cybersecurity firm, points to either a common malware-as-a-service provider or a code-signing marketplace that enables widespread distribution.

“The TamperedChef campaign illustrates how threat actors are evolving their delivery mechanisms by weaponizing potentially unwanted applications, abusing digital code signing, and deploying covert encoding techniques,” added the statement. “These tactics allow malware to masquerade as legitimate software, bypass endpoint defenses, and exploit user trust.”

About The Author:

Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.
