The Rise of Malicious AI Tool Installers: A Threat Landscape
In an era where artificial intelligence (AI) is revolutionizing industries, from marketing to healthcare, the darker side of innovation is rearing its head. Cisco Talos has uncovered a disturbing trend: an emerging class of threats including ransomware like CyberLock, Lucky_Gh0$t, and a destructive malware dubbed “Numero.” These malicious programs are cleverly camouflaging themselves as legitimate AI tool installers, preying on unsuspecting users in various business sectors.
The Threats
CyberLock Ransomware
CyberLock is a ransomware variant developed using PowerShell, focusing primarily on encrypting crucial files on the victim’s system. What makes CyberLock particularly insidious is its ransom note, which falsely claims that payments will be allocated for humanitarian aid in regions like Palestine, Ukraine, Africa, and Asia. This manipulation is a psychological tactic aimed at coercing victims into complying with demands.
When CyberLock is executed, it employs a technique where it hides its PowerShell window to avoid detection. Following this, it encrypts specific file types using the AES algorithm and appends the “.cyberlock” extension to them. The ransom note, titled “ReadMeNow.txt,” threatens to expose sensitive business information unless a ransom of $50,000 is paid in Monero (XMR) cryptocurrency.
Lucky_Gh0$t Ransomware
Another noteworthy adversary, Lucky_Gh0$t, is a variant of the Yashma ransomware. Though only minor modifications have been made compared to earlier versions, this ransomware shares many of the same evasion techniques, including deleting volume shadow copies and employing AES-256 and RSA-2048 encryption methodologies.
Alarmingly, Lucky_Gh0$t often masquerades as a ChatGPT installer in an attempt to hoodwink victims. It uses a self-extracting ZIP installer labeled “ChatGPT 4.0 full version – Premium.exe.” Once executed, it can encrypt files while retaining their original names but appending a four-digit random alphanumeric code to the extensions. It’s designed to target various file types, including Microsoft Office documents and even database files.
Numero Malware
The newly identified malware, Numero, represents a different type of threat altogether. Unlike ransomware, Numero focuses on manipulating the graphical user interface (GUI) components of the Windows operating system, rendering affected systems practically unusable. This malware is designed to impersonate the installer for the AI video creation tool, InVideo AI. Once executed, it runs an infinite loop that disrupts the system by altering window titles and contents to an unintelligible numeric string.
Exploiting AI’s Popularity
As AI’s popularity rises, so too does the risk of malicious actors leveraging this trend for their own gain. These actors are employing sophisticated techniques to distribute counterfeit AI tool installers. SEO-poisoning tactics manipulate search engine rankings, causing fake websites to appear at the top of search results. Additionally, distribution platforms like Telegram and social media messengers are often utilized to reach potential victims.
This practice not only puts sensitive business data and financial resources at risk but also undermines trust in legitimate AI solutions. Organizations must exercise extreme caution, thoroughly verifying sources and opting exclusively for reputable vendors.
The CyberLock Case Study
Talos observed the creation of a lookalike domain, “novaleadsai[.]com,” aimed at deceiving users into downloading a fake AI solution originally intended to help businesses maximize lead value. The fake website promises free access for the first year, after which a steep subscription fee applies.
Upon download, the authentic-looking ZIP archive contains a malicious .NET executable, “NovaLeadsAI.exe,” which serves as a loader for the embedded CyberLock ransomware script. Once this executable is run, the ransomware begins its destruction.
Ransom Notes and Psychological Manipulation
The ransom note provided by CyberLock is structured to instill fear, threatening to expose stolen data unless payment is made within three days. Although the note claims sensitive information has been compromised, Talos found no evidence of actual data exfiltration. This tactic serves to manipulate and intimidate victims into compliance.
The Operating Mechanisms of CyberLock
Written in PowerShell, CyberLock uses advanced coding techniques to ensure it operates stealthily. Functions like GetConsoleWindow and ShowWindow are employed to hide the execution window. Moreover, CyberLock can elevate its privileges to execute with administrative rights, making it more challenging to remove.
Upon execution, it encrypts targeted files across logical partitions, capturing essential documents and rendering them beyond recovery. The malicious actors further complicate tracking efforts by splitting ransom payments into multiple wallets.
Evasion Techniques of Lucky_Gh0$t
Similar to CyberLock, Lucky_Gh0$t uses various evasion techniques. The ransomware deletes volume shadow copies to hinder recovery efforts and encrypts targeted files with a unique four-digit code appended to their extensions. It uses a personal ID for ransom negotiations, instructing victims to contact the perpetrator via a secure messaging platform.
The Destructive Nature of Numero
Unlike the ransomware variants, Numero solely focuses on disrupting users’ experiences with their systems. This continues a worrying trend of malware designed not just to extort but to dramatically hinder business operations. The infinite loop employed by Numero creates a continuous disruption on the desktop, making it a highly effective but malicious tool.
Final Thoughts on Preventive Measures
Given the alarming rise of these threats, businesses must prioritize cybersecurity. Employing robust systems such as Cisco Secure Endpoint and Cisco Secure Email can help prevent malware execution and the dissemination of malicious emails. Continuous education and awareness about these threats are not just recommended but necessary in today’s digital landscape.
By understanding these threats, companies can better prepare and defend against the growing tide of cybercrime that seeks to exploit legitimate advancements in technology for nefarious purposes.