IBM X-Force Reveals AI Malware in Ransomware Attack
Le brief IA que les pros lisent chaque soir
Les 7 actus IA du jour, décryptées en 5 min. Gratuit.
Inclus dès l'inscription : notre sélection des meilleurs guides & comparatifs IA.
Choisis ton rythme
Gratuit · Pas de spam · Désabonnement en 1 clic
IBM X-Force Discovers AI Malware in Ransomware Attack
A group of cybercriminals has used malware, likely generated by a language model, during a ransomware attack. This malware, identified by IBM X-Force, is a PowerShell script named Slopoly, which allowed the attackers to maintain access to a compromised server for over a week.
IBM X-Force researchers, while analyzing a ransomware attack, discovered this novel malware. Slopoly bears similarities to code generated by artificial intelligence. Used by the Hive0163 group, this script enabled persistent access before the deployment of the Interlock ransomware. Although simple, it illustrates a growing trend of using AI to accelerate the creation of new malware.
A PowerShell Script for Extended Access
The Slopoly malware is a PowerShell script installed on the compromised server in the C:\ProgramData\Microsoft\Windows\Runtime folder. It acts as a backdoor, allowing attackers to maintain remote access and execute commands on the machine.
Upon execution, the script collects information about the infected system, such as the public IP address, the username, and the computer name. This data is then transmitted to a server controlled by the attackers.
Slopoly regularly contacts its command server to report its activity and receive instructions. Commands are executed via the Windows command interpreter, and the results are sent back to the attackers. The script uses a scheduled task to automatically relaunch itself and keeps an activity log on the compromised machine.
In the analyzed attack, Slopoly was not the initial infection vector. The intrusion began with a ClickFix campaign, prompting the victim to execute a malicious script via the Windows Run dialog. After this initial access, the attackers deployed several payloads, including NodeSnake and InterlockRAT, before installing Slopoly and launching the Interlock ransomware. The late appearance of Slopoly suggests it may have been used as a real-world test.
Indicators of AI Generation
Technically, Slopoly is not impressive. IBM describes it as mediocre, despite comments and titles in the code that present it as more sophisticated. However, certain elements suggest it was created with a language model.
The file contains numerous comments explaining its operation, variables and functions with explicit names, detailed error handling, and a structured logging system. Additionally, the script describes itself as a "Polymorphic C2 Persistence Client," although the analysis reveals no capability to modify its operation.
In summary, Slopoly, while simple, reflects the evolution of cybercriminal methods. If AI enables the rapid production of tools with less effort, it could also foster the rise of ephemeral malware, developed for a specific attack and then abandoned. This could complicate the attribution of malicious campaigns.
Brief IA — L'actualité IA en français
L'essentiel de l'actualité de l'intelligence artificielle, décrypté et expliqué chaque jour.