Brief IA

IBM X-Force Reveals AI Malware in Ransomware Attack

🤖 Models & LLM·Tom Levy·

IBM X-Force Reveals AI Malware in Ransomware Attack

IBM X-Force Reveals AI Malware in Ransomware Attack
Key Takeaways
1IBM X-Force has discovered a malware named Slopoly, likely generated by AI, used in a ransomware attack.
2The PowerShell script allowed cybercriminals to maintain prolonged access to a compromised server.
3Slopoly, although technically simple, illustrates the growing use of AI to quickly create malware.
💡Why it mattersThe use of AI to generate malware could make cyberattacks more frequent and harder to attribute.
Le brief IA que lisent les pros

Le brief IA que les pros lisent chaque soir

Les 7 actus IA du jour, décryptées en 5 min. Gratuit.

Inclus dès l'inscription : notre sélection des meilleurs guides & comparatifs IA.

Choisis ton rythme

Gratuit · Pas de spam · Désabonnement en 1 clic

📄
Full Analysis

IBM X-Force Discovers AI Malware in Ransomware Attack

A group of cybercriminals has used malware, likely generated by a language model, during a ransomware attack. This malware, identified by IBM X-Force, is a PowerShell script named Slopoly, which allowed the attackers to maintain access to a compromised server for over a week.

IBM X-Force researchers, while analyzing a ransomware attack, discovered this novel malware. Slopoly bears similarities to code generated by artificial intelligence. Used by the Hive0163 group, this script enabled persistent access before the deployment of the Interlock ransomware. Although simple, it illustrates a growing trend of using AI to accelerate the creation of new malware.

A PowerShell Script for Extended Access

The Slopoly malware is a PowerShell script installed on the compromised server in the C:\ProgramData\Microsoft\Windows\Runtime folder. It acts as a backdoor, allowing attackers to maintain remote access and execute commands on the machine.

Upon execution, the script collects information about the infected system, such as the public IP address, the username, and the computer name. This data is then transmitted to a server controlled by the attackers.

Slopoly regularly contacts its command server to report its activity and receive instructions. Commands are executed via the Windows command interpreter, and the results are sent back to the attackers. The script uses a scheduled task to automatically relaunch itself and keeps an activity log on the compromised machine.

In the analyzed attack, Slopoly was not the initial infection vector. The intrusion began with a ClickFix campaign, prompting the victim to execute a malicious script via the Windows Run dialog. After this initial access, the attackers deployed several payloads, including NodeSnake and InterlockRAT, before installing Slopoly and launching the Interlock ransomware. The late appearance of Slopoly suggests it may have been used as a real-world test.

Indicators of AI Generation

Technically, Slopoly is not impressive. IBM describes it as mediocre, despite comments and titles in the code that present it as more sophisticated. However, certain elements suggest it was created with a language model.

The file contains numerous comments explaining its operation, variables and functions with explicit names, detailed error handling, and a structured logging system. Additionally, the script describes itself as a "Polymorphic C2 Persistence Client," although the analysis reveals no capability to modify its operation.

In summary, Slopoly, while simple, reflects the evolution of cybercriminal methods. If AI enables the rapid production of tools with less effort, it could also foster the rise of ephemeral malware, developed for a specific attack and then abandoned. This could complicate the attribution of malicious campaigns.

Brief IA — L'actualité IA en français

L'essentiel de l'actualité de l'intelligence artificielle, décrypté et expliqué chaque jour.