Threat actors behind lesser-known malware and ransomware projects are now using fake AI tools as lures to infect unsuspecting victims with malicious payloads. This continues a trend that began last year, when advanced threat actors used deepfake generators to deliver malware, and the lures have since grown more sophisticated. Info-stealer operators and ransomware crews trying to breach corporate networks have adopted the technique, and Cisco Talos researchers have now found it in use by the smaller ransomware groups CyberLock and Lucky_Gh0$t, as well as by a new malware family called Numero.
The malicious payloads are promoted through SEO poisoning and malvertising so that the fake tools rank highly in search engine results.
AI Tool Impersonation
CyberLock, a PowerShell-based ransomware, is delivered via a fake AI tool site (novaleadsai[.]com) impersonating the legitimate novaleads.app.
Source: Cisco Talos
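The novaleadsai[.]com versus novaleads.app pair is the typical shape of these lures: the legitimate brand name with extra characters or a different TLD. The following is an added example, not code from Cisco Talos or from the article, that flags such lookalikes in a list of hosts pulled from proxy or DNS logs. The allowlist of legitimate domains (only novaleads.app comes from the article), the sample hosts, and the last-two-labels approximation of the registrable domain are all assumptions made for the example.

```python
# Added example (not Cisco Talos code or the article's own): flag lookalike
# domains for AI tools, such as novaleadsai[.]com posing as novaleads.app,
# in a list of hosts taken from proxy or DNS logs.
import re
from urllib.parse import urlsplit

# Constructed allowlist of legitimate domains for this example. Only
# novaleads.app comes from the article; the rest are assumed for illustration.
LEGIT_DOMAINS = {"novaleads.app", "openai.com", "chatgpt.com", "invideo.io"}


def refang(indicator):
    """Undo common defanging (hxxp, [.], (.), [:]) so the text parses as a URL."""
    s = indicator.strip()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def hostname(indicator):
    """Extract the lowercase host from a URL, a defanged URL or a bare host."""
    s = refang(indicator)
    if "://" not in s:
        s = "http://" + s
    return (urlsplit(s).hostname or "").lower().rstrip(".")


def registrable(host):
    """Approximate the registrable domain as the last two labels.
    Assumption: no public-suffix list, so co.uk-style names are mishandled."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a, b):
    """Edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(indicator, legit=LEGIT_DOMAINS):
    """Return (impersonated_domain, reason) for a suspicious host, else None."""
    host = hostname(indicator)
    reg = registrable(host)
    if reg in legit or host in legit:
        return None
    sld = reg.split(".")[0]  # second-level label, e.g. "novaleadsai"
    for legit_domain in sorted(legit):
        brand = registrable(legit_domain).split(".")[0]
        if brand in sld:  # brand plus extra characters, or the brand on a new TLD
            return (legit_domain, "contains brand token")
        if len(brand) >= 5 and levenshtein(sld, brand) == 1:
            return (legit_domain, "typosquat")
    return None


def scan(indicators, legit=LEGIT_DOMAINS):
    """Map each flagged indicator to the domain it impersonates and why."""
    hits = {}
    for ind in indicators:
        verdict = lookalike(ind, legit)
        if verdict:
            hits[ind] = verdict
    return hits


if __name__ == "__main__":
    # Constructed sample of observed hosts; novaleadsai[.]com is the article's IOC.
    sample = [
        "novaleadsai[.]com",
        "hxxps://www.novaleads.app/download",
        "chatgpt-4-premium.com",
        "openal.com",
        "cdn.invideo.io",
        "example.org",
    ]
    for host, (target, why) in scan(sample).items():
        print(f"{host}: impersonates {target} ({why})")
```

Subdomains of an allowlisted domain (cdn.invideo.io) pass because the check runs on the registrable domain, while a brand name embedded in a longer label or moved to another TLD is flagged. For production use, swap the two-label approximation for a public-suffix list and tune the edit-distance rule to the brand list, since short brand names produce false positives.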
Victims are lured into downloading a .NET loader that installs the ransomware.
Once installed on the victim's computer, CyberLock encrypts files across multiple disk partitions and appends the .cyberlock extension to locked files.
The ransom note demands $50,000 in Monero and claims the money will be used to support humanitarian causes in Palestine and Ukraine, as well as in Africa and Asia.
The Lucky_Gh0$t package bundles legitimate Microsoft open-source AI software alongside the ransomware, likely to help it evade antivirus detection.
It encrypts smaller files, appending a random 4-character extension to each, while larger files are deleted and replaced with a junk file of the same size.
Lucky_Gh0$t victims receive a personal ID and are instructed to contact the attacker via the Session secure messaging platform to negotiate a ransom and decrypt their files.
Source: Cisco Talos
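Both families leave a file-naming footprint a responder can hunt for: CyberLock's fixed .cyberlock extension and Lucky_Gh0$t's burst of random 4-character extensions. The following is an added example, not code from Cisco Talos or from the article, that runs that hunt over a constructed file listing. It assumes the random extension is appended after the original file name (so report.docx becomes something like report.docx.k7Qz), and the allowlist of ordinary 4-character extensions and the burst threshold are assumptions for the example; the junk-file replacement of large files leaves no name-based trace and is not detected here.

```python
# Added example (not Cisco Talos code or the article's own): hunt a file
# listing for the two renaming patterns described above, CyberLock's
# .cyberlock extension and Lucky_Gh0$t's random 4-character extensions.
import os
import re
from collections import Counter

KNOWN_RANSOM_EXTS = {".cyberlock"}  # from the article
# Ordinary 4-character extensions to ignore; constructed allowlist, not from the page.
COMMON_4CHAR_EXTS = {".docx", ".xlsx", ".pptx", ".jpeg", ".json", ".html", ".yaml",
                     ".toml", ".webp", ".tiff", ".orig", ".part", ".lock"}
RANDOM_EXT_RE = re.compile(r"^\.[A-Za-z0-9]{4}$")

# Constructed sample listing: three CyberLock victims, six Lucky_Gh0$t-style
# renames, and benign files that must not be flagged.
SAMPLE_LISTING = [
    "C:/Users/alice/Documents/budget.xlsx",
    "C:/Users/alice/Documents/notes.txt",
    "C:/Users/alice/Pictures/photo.jpeg",
    "C:/Users/alice/Documents/thesis.pdf.cyberlock",
    "D:/share/contracts/msa.docx.cyberlock",
    "D:/share/contracts/nda.docx.cyberlock",
    "C:/Users/bob/Desktop/report.docx.k7Qz",
    "C:/Users/bob/Desktop/slides.pptx.Ab9x",
    "C:/Users/bob/Desktop/ledger.xlsx.Q2mP",
    "C:/Users/bob/Videos/demo.mp4.zz4R",
    "C:/Users/bob/Videos/intro.mov.j8Lk",
    "C:/Users/bob/Desktop/readme.md.T0pq",
    "C:/Users/bob/Downloads/setup.tar.gz",
    "C:/Users/bob/Downloads/config.bak.orig",
]


def classify(path):
    """Tag one path: known ransomware extension, appended random extension, or None.
    Assumption: the random extension is appended after the original name, so the
    original extension is still visible (report.docx.k7Qz)."""
    stem, ext = os.path.splitext(path)
    ext_lower = ext.lower()
    if ext_lower in KNOWN_RANSOM_EXTS:
        return "known_ransomware_extension"
    inner_ext = os.path.splitext(stem)[1]  # the original extension, if any
    if RANDOM_EXT_RE.match(ext) and ext_lower not in COMMON_4CHAR_EXTS and inner_ext:
        return "appended_random_extension"
    return None


def hunt(paths, burst_threshold=5):
    """Summarise a listing. A single odd 4-character extension is noise; many
    distinct ones across a tree is the Lucky_Gh0$t signal (threshold assumed)."""
    tags = {}
    for path in paths:
        tag = classify(path)
        if tag:
            tags[path] = tag
    counts = Counter(tags.values())
    random_exts = {os.path.splitext(p)[1] for p, t in tags.items()
                   if t == "appended_random_extension"}
    return {
        "flagged": tags,
        "known_ransomware_extension": counts["known_ransomware_extension"],
        "appended_random_extension": counts["appended_random_extension"],
        "distinct_random_extensions": len(random_exts),
        "random_extension_burst": counts["appended_random_extension"] >= burst_threshold,
    }


if __name__ == "__main__":
    summary = hunt(SAMPLE_LISTING)
    for path, tag in summary["flagged"].items():
        print(f"{tag}: {path}")
    print("random-extension burst:", summary["random_extension_burst"])
```

The .cyberlock check is a plain indicator match; the random-extension check is a heuristic, so it is gated on a double extension and on a burst count to keep legitimate oddities such as config.bak.orig out of the alert. On a real host, feed the function paths from a recursive directory walk or from file-creation telemetry rather than the embedded sample.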
A new malware named Numero poses as an installer for InVideo AI and targets Windows systems.
It is delivered as a dropper containing a batch file, a VB script and the malicious executable, named wintitle.exe.
The malware runs in an endless loop, continuously corrupting the victim's graphical user interface by overwriting window titles, buttons and contents with the numeric string "1234567890".
Source: Cisco Talos
Although Numero neither encrypts nor destroys any data, it renders infected Windows systems completely unusable: the infinite loop keeps the system locked in this visually corrupted state.
As cybercriminals exploit the growing interest in AI-based tools, be cautious when downloading files from dubious sites.
Stick with major AI projects rather than experimenting with unknown new software, and download installers directly from the official website instead of following links in social media posts or promoted search results.