Full Report
Fake installers for popular artificial intelligence (AI) tools like OpenAI ChatGPT and InVideo AI are being used as lures to propagate various threats, such as the CyberLock and Lucky_Gh0$t ransomware families, and a new malware dubbed Numero. "CyberLock ransomware, developed using PowerShell, primarily focuses on encrypting specific files on the victim's system," Cisco Talos researcher Chetan
Analysis Summary
# Tool/Technique: CyberLock Ransomware
## Overview
CyberLock is a ransomware developed using PowerShell that focuses on encrypting specific files on a victim's system after being deployed via a fake AI tool installer (e.g., NovaLeadsAI.exe).
## Technical Details
- Type: Malware family (Ransomware)
- Platform: Windows
- Capabilities: File encryption, privilege escalation, deployment via loader executable.
- First Seen: Implied to be recent, associated with current AI tool lure campaigns.
## MITRE ATT&CK Mapping
- TA0009 - Collection
- T1005 - Data from Local System
- TA0040 - Impact
- T1486 - Data Encrypted for Impact
- TA0005 - Defense Evasion
- T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
## Functionality
### Core Capabilities
- Deploys as a secondary payload after an initial loader executable is run.
- Escalates privileges to execute itself with administrative permissions.
- Encrypts files on the `C:\`, `D:\`, and `E:\` drives that match a defined set of extensions.
- Drops a ransom note demanding $50,000 in Monero (XMR) within three days.
### Advanced Features
- Utilizes the built-in Windows utility `cipher.exe` with the `/w` option to overwrite unused disk space, actively hindering forensic recovery of deleted files.
- The ransom note includes unusual philanthropic claims regarding the allocation of payment funds.
## Indicators of Compromise
- File Hashes: [Not explicitly provided in the context]
- File Names: `NovaLeadsAI.exe` (loader)
- Registry Keys: [Not explicitly provided in the context]
- Network Indicators: Monero wallets (payment destinations)
- Behavioral Indicators: Attempting privilege escalation; using `cipher.exe /w`.
## Associated Threat Actors
- Threat actors behind the fake AI installer campaigns (their nexus is not stated in this report; they are associated with the broader AI lure campaigns).
## Detection Methods
- Signature-based detection: Signatures for the deployed PowerShell scripts/executables.
- Behavioral detection: Detection of privilege escalation attempts followed by widespread file modification/encryption and subsequent execution of `cipher.exe /w`.
- YARA rules: [Not explicitly provided in the context]
## Mitigation Strategies
- Prevention measures: Exercise extreme caution when downloading software, especially from non-official sources, even if impersonating popular tools.
- Hardening recommendations: Restrict user permissions and scrutinize PowerShell execution originating from user-level applications.
## Related Tools/Techniques
- Lucky_Gh0$t Ransomware (also distributed in the same campaign)
- Yashma Ransomware (predecessor to Lucky_Gh0$t)
- Chaos Ransomware (ancestor in the chain)
***
# Tool/Technique: Lucky_Gh0$t Ransomware
## Overview
Lucky_Gh0$t is a variant of the Yashma ransomware, which itself is the sixth iteration of the Chaos ransomware series. It is distributed using fake installers, specifically one masquerading as a premium version of ChatGPT.
## Technical Details
- Type: Malware family (Ransomware)
- Platform: Windows
- Capabilities: File encryption, system cleanup (deleting backups), dropping unique ransom notes.
- First Seen: Recent, associated with current AI tool lure campaigns.
## MITRE ATT&CK Mapping
- TA0040 - Impact
- T1486 - Data Encrypted for Impact
- TA0005 - Defense Evasion
- T1070.004 - Indicator Removal: File Deletion (Deleting Shadow Copies/Backups)
## Functionality
### Core Capabilities
- Targets files smaller than approximately 1.2GB for encryption.
- Deletes Volume Shadow Copies and backups prior to encryption.
- Implements minor modifications compared to its predecessor, Yashma.
### Advanced Features
- Drops a specific ransom note containing a unique personal decryption ID.
- Instructs victims to communicate via the Session messaging application to arrange payment and receive the decryptor.
## Indicators of Compromise
- File Hashes: [Not explicitly provided in the context]
- File Names: `dwn.exe` (payload, imitating `dwm.exe`)
- Registry Keys: [Not explicitly provided in the context]
- Network Indicators: Session messaging app contact mechanism.
- Behavioral Indicators: Deleting shadow copies; targeting files based on size threshold.
## Associated Threat Actors
- Threat actors behind the fake AI installer campaigns.
## Detection Methods
- Signature-based detection: Signatures for the known executable structure and its size-threshold file targeting logic.
- Behavioral detection: Monitoring deletion of VSS/backups followed by mass file modification.
- YARA rules: [Not explicitly provided in the context]
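The behavioural detections listed for CyberLock (privilege escalation, mass file modification, then `cipher.exe /w`) and for Lucky_Gh0$t (VSS/backup deletion followed by mass file modification) can be expressed as one correlation over process-creation and file-write telemetry. The following Python detector is added here as an example; it is not code from Cisco Talos or from this report. Process names, command lines, PIDs and timestamps are constructed, and the precursor command-line patterns are generic ones chosen for the example rather than patterns quoted from the report.

```python
"""Correlation detector (added example) for two ransomware precursors: cipher.exe /w
free-space wiping (CyberLock) and shadow-copy/backup deletion (Lucky_Gh0$t), each
correlated with a burst of file modifications from the same process tree.
All telemetry below is constructed for the example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Generic, widely documented command-line patterns for anti-recovery actions.
# They are the example's own choice, not command lines quoted in the report.
PRECURSOR_PATTERNS = {
    "cipher_wipe": re.compile(r"\bcipher(\.exe)?\b.*\s/w(:|\b)", re.I),
    "shadow_or_backup_delete": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)",
        re.I,
    ),
}
MASS_MOD_THRESHOLD = 50                 # file writes by one process tree ...
MASS_MOD_WINDOW = timedelta(minutes=5)  # ... within this distance of the precursor


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def detect(process_events, file_events):
    """Return alerts as (severity, pid, reason) tuples.

    process_events: dicts with ts, pid, ppid, image, cmdline (process creation)
    file_events:    dicts with ts, pid, path (file write or rename)
    Every precursor command line yields a 'medium' alert. If the precursor's own
    process or its parent also modified MASS_MOD_THRESHOLD files within
    MASS_MOD_WINDOW of the precursor, a 'high' alert is added for that pid.
    """
    parent = {e["pid"]: e["ppid"] for e in process_events}
    writes = defaultdict(list)
    for f in file_events:
        writes[f["pid"]].append(_ts(f["ts"]))

    alerts = []
    for e in process_events:
        for name, pat in PRECURSOR_PATTERNS.items():
            if not pat.search(e["cmdline"]):
                continue
            t = _ts(e["ts"])
            alerts.append(("medium", e["pid"], f"{name}: {e['cmdline']}"))
            tree = {p for p in (e["pid"], parent.get(e["pid"])) if p is not None}
            for pid in tree:
                n = sum(1 for w in writes.get(pid, []) if abs(w - t) <= MASS_MOD_WINDOW)
                if n >= MASS_MOD_THRESHOLD:
                    alerts.append(("high", pid,
                                   f"{n} file modifications within {MASS_MOD_WINDOW} of {name}"))
    return alerts


def _write_burst(pid, start, count, step_seconds=2):
    """Constructed file-write events: `count` writes by `pid`, one every step_seconds."""
    t0 = _ts(start)
    return [{"ts": (t0 + timedelta(seconds=i * step_seconds)).strftime("%Y-%m-%d %H:%M:%S"),
             "pid": pid, "path": f"D:\\docs\\file{i}.docx"} for i in range(count)]


# Constructed telemetry. Process names, PIDs and command lines are illustrative only.
SAMPLE_PROCESS_EVENTS = [
    {"ts": "2025-05-29 10:00:00", "pid": 4100, "ppid": 3000, "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File loader.ps1"},
    {"ts": "2025-05-29 10:03:30", "pid": 4200, "ppid": 4100, "image": "cipher.exe",
     "cmdline": "cipher.exe /w:C:\\"},
    {"ts": "2025-05-29 11:00:00", "pid": 6000, "ppid": 3000, "image": "dwn.exe",
     "cmdline": "dwn.exe"},
    {"ts": "2025-05-29 11:00:05", "pid": 6100, "ppid": 6000, "image": "vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2025-05-29 12:00:00", "pid": 7000, "ppid": 3000, "image": "cipher.exe",
     "cmdline": "cipher.exe /e D:\\private"},  # legitimate EFS use: no /w switch
]
SAMPLE_FILE_EVENTS = (
    _write_burst(4100, "2025-05-29 10:00:05", 60)    # write burst before cipher /w
    + _write_burst(6000, "2025-05-29 11:00:10", 80)  # write burst after VSS deletion
    + _write_burst(5000, "2025-05-29 10:00:00", 10)  # ordinary process, under threshold
)


def run_sample():
    return detect(SAMPLE_PROCESS_EVENTS, SAMPLE_FILE_EVENTS)


if __name__ == "__main__":
    for severity, pid, reason in run_sample():
        print(f"[{severity}] pid={pid}: {reason}")
```

The window is symmetric on purpose: CyberLock runs `cipher.exe /w` after encrypting, while Lucky_Gh0$t deletes shadow copies before encrypting, so the write burst may sit on either side of the precursor. Tune `MASS_MOD_THRESHOLD` to the baseline of the hosts being monitored; backup agents and build systems will exceed 50 writes in five minutes and need an allow-list keyed on image path and signer.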
## Mitigation Strategies
- Prevention measures: Verify software authenticity, especially for popular tools like ChatGPT.
- Hardening recommendations: Implement robust backup solutions that keep copies offline or in immutable storage so that malware cannot easily delete them.
## Related Tools/Techniques
- Yashma Ransomware
- Chaos Ransomware
***
# Tool/Technique: Numero Malware
## Overview
Numero is a destructive malware deployed via a counterfeit InVideo AI installer. Its primary function is to render Windows operating systems unusable by maliciously manipulating the Graphical User Interface (GUI) components.
## Technical Details
- Type: Malware (Destructive Payload)
- Platform: Windows (32-bit executable)
- Capabilities: Checking for analysis environments, persistent execution via batch loop, window/GUI component overwriting.
- First Seen: Recent, associated with current AI tool lure campaigns.
## MITRE ATT&CK Mapping
- TA0005 - Defense Evasion
- T1562.001 - Impair Defenses: Disable or Modify Antivirus
- TA0003 - Persistence
- T1547.001 - Registry Run Keys / Startup Folder
- TA0040 - Impact
- T1490 - Inhibit System Recovery
## Functionality
### Core Capabilities
- Written in C++ (32-bit executable).
- Checks running processes for malware analysis tools and debuggers.
- Runs under a batch file that the Windows shell executes in an infinite loop.
- Execution is paused for 60 seconds by a Visual Basic Script run through `cscript`.
### Advanced Features
- Overwrites the desktop window's title, buttons, and content with the generic numeric string `1234567890`, effectively making the UI unusable.
- Achieves persistence through the continuous restarting mechanism implemented in the associated batch file.
## Indicators of Compromise
- File Hashes: [Not explicitly provided in the context]
- File Names: Dropped components include a Windows batch file, a Visual Basic Script, and the Numero executable.
- Registry Keys: [Not explicitly provided in the context]
- Network Indicators: [Not explicitly provided in the context]
- Behavioral Indicators: Excessive checks for debuggers; continuous launching/relaunching of a process via a batch loop; GUI component manipulation.
## Associated Threat Actors
- Threat actors behind the fake AI installer campaigns.
## Detection Methods
- Signature-based detection: Signatures for the specific C++ executable.
- Behavioral detection: Monitoring for batch scripts that create infinite looping execution paths involving pausing (VB Script via cscript) and restarting specific executables; checking for GUI element manipulation.
- YARA rules: [Not explicitly provided in the context]
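The batch-loop behaviour described for Numero (the shell re-runs the executable indefinitely, with a 60-second VBScript pause via `cscript` each time) leaves a recognisable pattern in process-creation telemetry: the same image relaunched by the same parent at a near-constant period, with a script-host start between launches. The Python detector below is added here as an example and is not from the report; it only scores periodic relaunches, so crash loops and user retries, which are irregular, are left alone. The file names (`loop.bat`, `delay.vbs`, `payload.exe`), PIDs and timestamps are constructed placeholders.

```python
"""Relaunch-loop detector (added example) for the batch-driven restart behaviour
described for Numero: one parent process starts the same executable repeatedly at a
near-constant interval, with a cscript/wscript run between starts acting as the delay.
Events and names below are constructed, not taken from the report."""
from collections import defaultdict
from datetime import datetime

MIN_RELAUNCHES = 3       # same image started by the same parent at least this often
MAX_JITTER_RATIO = 1.5   # longest gap / shortest gap; a scripted loop is nearly periodic
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def find_relaunch_loops(events):
    """events: process-creation dicts with ts, pid, ppid, image.
    Returns one alert per (parent pid, image) whose launches are periodic; the alert
    is 'high' when the parent also ran a script host between the launches."""
    launches = defaultdict(list)     # (ppid, image) -> launch timestamps
    script_runs = defaultdict(int)   # ppid -> number of cscript/wscript launches
    for e in events:
        img = e["image"].lower()
        if img in SCRIPT_HOSTS:
            script_runs[e["ppid"]] += 1
        else:
            launches[(e["ppid"], img)].append(_ts(e["ts"]))

    alerts = []
    for (ppid, img), times in launches.items():
        if len(times) < MIN_RELAUNCHES:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if min(gaps) <= 0 or max(gaps) / min(gaps) > MAX_JITTER_RATIO:
            continue   # irregular restarts (crash loops, user retries) are not scored here
        delays = script_runs.get(ppid, 0)
        alerts.append({
            "parent_pid": ppid,
            "image": img,
            "relaunches": len(times),
            "period_s": round(sum(gaps) / len(gaps)),
            "script_delays": delays,
            "severity": "high" if delays >= len(times) - 1 else "medium",
        })
    return alerts


def _ev(clock, pid, ppid, image):
    """Constructed process-creation event on a single day."""
    return {"ts": f"2025-05-29 {clock}", "pid": pid, "ppid": ppid, "image": image}


# Constructed telemetry: pid 500 is cmd.exe running loop.bat, which alternates a
# 60-second VBScript delay (delay.vbs via cscript) with relaunching payload.exe.
SAMPLE_EVENTS = [
    _ev("09:59:59", 500, 400, "cmd.exe"),
    _ev("10:00:00", 502, 500, "payload.exe"),
    _ev("10:00:01", 503, 500, "cscript.exe"),
    _ev("10:01:01", 504, 500, "payload.exe"),
    _ev("10:01:02", 505, 500, "cscript.exe"),
    _ev("10:02:02", 506, 500, "payload.exe"),
    _ev("10:02:03", 507, 500, "cscript.exe"),
    _ev("10:03:03", 508, 500, "payload.exe"),
    # Benign controls: irregular restarts by a service host, and a single scheduled run.
    _ev("09:00:00", 801, 800, "updater.exe"),
    _ev("09:00:20", 802, 800, "updater.exe"),
    _ev("09:45:00", 803, 800, "updater.exe"),
    _ev("08:00:00", 901, 900, "backup.exe"),
]


def run_sample():
    return find_relaunch_loops(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

Because the score is keyed on the parent, the alert points at the shell running the batch file rather than at the relaunched binary; killing only the child would let the loop start it again, which is exactly the persistence mechanism the report describes.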
## Mitigation Strategies
- Prevention measures: Only download software from official, verified sources.
- Hardening recommendations: Implement application allow-listing or restrict execution privileges for downloaded executables in user profiles.
## Related Tools/Techniques
- Various loaders employing batch scripting for persistence and anti-analysis control.
***
# Tool/Technique: STARKVEIL (Dropper Payload)
## Overview
STARKVEIL is a Rust-based dropper payload distributed through fake AI website lures (e.g., impersonating Luma AI, Canva Dream Lab). Its primary role is to deploy three different modular malware families designed for information theft and persistence.
## Technical Details
- Type: Tool (Dropper/Loader)
- Platform: Windows (Rust-based)
- Capabilities: Downloading and deploying multiple modular malware components, facilitating DLL side-loading.
- First Seen: Mid-2024 (campaign active since then)
## MITRE ATT&CK Mapping
- TA0009 - Collection
- T1560.001 - Archive Collected Data: Archive via Utility
- TA0005 - Defense Evasion
- T1218.011 - System Binary Proxy Execution: DLL Side-Loading
## Functionality
### Core Capabilities
- Serves as the initial payload downloaded from the malicious website.
- Drops and launches three distinct, interconnected malware families (GRIMPULL, FROSTRIFT, XWorm).
- Functions as a conduit to launch COILHATCH, which then executes the three payloads via DLL side-loading.
- Implements failure redundancy by deploying multiple, similar payloads.
### Advanced Features
- Modularity allows for the downloading of plugins to extend functionality post-infection.
- Utilizes TOR tunneling via GRIMPULL for fetching secondary payloads that are decrypted/decompressed directly into memory.
## Indicators of Compromise
- File Hashes: [Not explicitly provided in the context]
- File Names: Rust-based dropper payload.
- Registry Keys: [Not explicitly provided in the context]
- Network Indicators: Potential outbound connections related to downloading secondary payloads.
- Behavioral Indicators: DLL side-loading activity; launching COILHATCH.
## Associated Threat Actors
- UNC6032 (Threat cluster assessed to have a Vietnam nexus).
## Detection Methods
- Signature-based detection: Signatures specific to the Rust binary structure.
- Behavioral detection: Monitoring for DLL side-loading involving Microsoft open-source components OR execution chains involving STARKVEIL -> COILHATCH -> modular payloads.
- YARA rules: [Not explicitly provided in the context]
## Mitigation Strategies
- Prevention measures: Utilize web filters to block access to known malicious domains used in the campaign.
- Hardening recommendations: Restrict the ability of non-standard processes to perform DLL side-loading or memory injection techniques.
## Related Tools/Techniques
- COILHATCH (Python-based dropper launched by STARKVEIL)
- GRIMPULL, FROSTRIFT, XWorm (Modular payloads delivered by STARKVEIL)
***
# Tool/Technique: GRIMPULL (Modular Payload)
## Overview
GRIMPULL is one of the three modular malware families deployed by the STARKVEIL dropper. It functions primarily as a downloader that fetches additional .NET payloads using a TOR tunnel infrastructure.
## Technical Details
- Type: Malware family (Downloader)
- Platform: Windows (Expected .NET based)
- Capabilities: Using TOR for anonymous C2 communication, retrieving secondary .NET payloads, decrypting and loading payloads in memory.
- First Seen: Associated with UNC6032 activity since mid-2024.
## MITRE ATT&CK Mapping
- TA0011 - Command and Control
- T1071.004 - Application Layer Protocol: Tor
- TA0010 - Exfiltration
- T1041 - Exfiltration Over C2 Channel (Implied by C2 use)
## Functionality
### Core Capabilities
- Establishes communications through a TOR tunnel for anonymity.
- Downloads subsequent .NET payloads.
- Decrypts and decompresses these retrieved payloads into memory as .NET assemblies (fileless execution).
### Advanced Features
- Reliance on TOR suggests a high degree of operational security from the threat actor.
## Indicators of Compromise
- File Hashes: [Not explicitly provided in the context]
- File Names: Executable loaded into memory as a .NET assembly.
- Registry Keys: [Not explicitly provided in the context]
- Network Indicators: Outbound traffic characteristic of TOR connections.
- Behavioral Indicators: Process memory allocation followed by decryption and execution of newly loaded assemblies.
## Associated Threat Actors
- UNC6032.
## Detection Methods
- Signature-based detection: Signatures for the specific in-memory .NET assembly structures.
- Behavioral detection: Monitoring for processes utilizing TOR libraries or establishing encrypted tunnels for payload retrieval followed by in-memory loading.
- YARA rules: [Not explicitly provided in the context]
## Mitigation Strategies
- Prevention measures: Network filtering to block known TOR exit nodes or C2 infrastructure.
- Hardening recommendations: Implement memory scanning tools to detect fileless malware execution.
## Related Tools/Techniques
- FROSTRIFT, XWorm
- STARKVEIL, COILHATCH
***
# Tool/Technique: FROSTRIFT (Modular Payload)
## Overview
FROSTRIFT is a .NET backdoor deployed by STARKVEIL. It focuses on system reconnaissance, information gathering about installed applications, and scanning for sensitive data related to cryptocurrency, passwords, and authenticators in Chromium-based browsers.
## Technical Details
- Type: Malware family (Backdoor)
- Platform: Windows (.NET based)
- Capabilities: System enumeration, application inventory, targeting specific sensitive files in browsers.
- First Seen: Associated with UNC6032 activity since mid-2024.
## MITRE ATT&CK Mapping
- TA0006 - Credential Access
- T1552.001 - Unsecured Credentials: Credentials in Files
- TA0007 - Discovery
- T1082 - System Information Discovery
## Functionality
### Core Capabilities
- Collects general system information.
- Gathers details about installed applications.
- Scans Chromium-based web browsers for data belonging to 48 specific browser extensions linked to password managers, authenticators, and cryptocurrency wallets.
### Advanced Features
- Targeted data collection focused on high-value credentials and digital assets.
## Indicators of Compromise
- File Hashes: [Not explicitly provided in the context]
- File Names: Executable loaded into memory as a .NET assembly.
- Registry Keys: [Not explicitly provided in the context]
- Network Indicators: Likely communicates exfiltrated data over C2 channels established by other modules.
- Behavioral Indicators: Intensive file system scanning focused on browser profile directories for credential-related files.
## Associated Threat Actors
- UNC6032.
## Detection Methods
- Signature-based detection: Signatures for the .NET assembly structure of FROSTRIFT.
- Behavioral detection: Detection of access attempts to sensitive browser profile directories (e.g., within AppData/Local/Google/Chrome/User Data).
- YARA rules: [Not explicitly provided in the context]
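The behavioural detection above (access to sensitive browser profile directories) can be made concrete by classifying file-read events against the Chromium profile layout: the credential and autofill stores (`Login Data`, `Web Data`) and the per-extension data directories, which is where the password-manager, authenticator and wallet extensions the report says FROSTRIFT targets keep their data. The Python classifier below is added here as an example and is not from the report or the researchers it summarizes; the browser list, process names, paths and extension IDs are constructed, and the alert thresholds are the example's own.

```python
"""File-access classifier (added example): flags a process other than the browser
itself reading Chromium profile data, either the credential/autofill stores or the
data directories of several browser extensions.
Paths, process names and extension IDs below are constructed."""
import re
from collections import defaultdict

BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "brave.exe"}  # legitimate owners of the data
# Chromium user-data roots for Chrome, Edge and Brave (assumed, non-exhaustive list).
USER_DATA_RE = re.compile(
    r"\\AppData\\Local\\(?:Google\\Chrome|Microsoft\\Edge|BraveSoftware\\Brave-Browser)"
    r"\\User Data\\(?P<rel>.+)$", re.I)
# Extension storage lives under <profile>\Local Extension Settings\<id>\ ;
# Chromium extension IDs are 32 letters from a to p.
EXT_DIR_RE = re.compile(
    r"^[^\\]+\\(?:Local|Sync) Extension Settings\\(?P<id>[a-p]{32})\\", re.I)
CRED_STORES = {"login data", "web data"}   # saved-password and autofill databases
EXT_THRESHOLD = 3                          # distinct extension directories before alerting


def classify_access(events):
    """events: dicts with process (image name) and path (file opened for read).
    Returns one alert per non-browser process that touched a credential store or
    at least EXT_THRESHOLD distinct extension data directories."""
    ext_ids = defaultdict(set)
    stores = defaultdict(set)
    for e in events:
        proc = e["process"].lower()
        if proc in BROWSER_PROCESSES:
            continue
        m = USER_DATA_RE.search(e["path"])
        if not m:
            continue
        rel = m.group("rel")
        em = EXT_DIR_RE.match(rel)
        leaf = rel.rsplit("\\", 1)[-1]
        if em:
            ext_ids[proc].add(em.group("id").lower())
        elif leaf.lower() in CRED_STORES:
            stores[proc].add(leaf)

    alerts = []
    for proc in sorted(set(ext_ids) | set(stores)):
        reasons = []
        if stores[proc]:
            reasons.append(f"credential stores: {sorted(stores[proc])}")
        if len(ext_ids[proc]) >= EXT_THRESHOLD:
            reasons.append(f"{len(ext_ids[proc])} extension data directories")
        if reasons:
            alerts.append({"process": proc, "reasons": reasons})
    return alerts


# Constructed sample: a default Chrome profile and four made-up extension IDs.
PROFILE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default"
EXT_IDS = ["abcdefghijklmnopabcdefghijklmnop", "bcdefghijklmnopabcdefghijklmnopa",
           "cdefghijklmnopabcdefghijklmnopab", "defghijklmnopabcdefghijklmnopabc"]


def _reads(proc, paths):
    return [{"process": proc, "path": p} for p in paths]


SAMPLE_EVENTS = (
    # hostapp.exe is a constructed name for the process hosting the in-memory payload.
    _reads("hostapp.exe", [rf"{PROFILE}\Local Extension Settings\{i}\000003.log" for i in EXT_IDS]
           + [rf"{PROFILE}\Login Data", rf"{PROFILE}\Web Data"])
    + _reads("chrome.exe", [rf"{PROFILE}\Login Data"])                                   # the browser itself
    + _reads("explorer.exe", [rf"{PROFILE}\Local Extension Settings\{EXT_IDS[0]}\LOG"])  # a single directory
    + _reads("notepad.exe", [r"C:\Users\alice\Documents\notes.txt"])                     # unrelated file
)


def run_sample():
    return classify_access(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

Backup agents and sync clients also read these directories, so in production the allow-list should be keyed on the reader's image path and signature rather than only its name, and the extension-directory threshold should be set from the host's normal baseline.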
## Mitigation Strategies
- Prevention measures: Ensure browser data is protected and discourage users from storing passwords in the browser if highly sensitive.
- Hardening recommendations: Use strong encryption for stored data where applicable and enforce least privilege.
## Related Tools/Techniques
- GRIMPULL, XWorm
- STARKVEIL, COILHATCH
***
# Tool/Technique: XWorm (Modular Payload)
## Overview
XWorm is a known .NET-based Remote Access Trojan (RAT) that is deployed as part of the STARKVEIL payload suite. It provides robust remote control and information gathering capabilities to the operators.
## Technical Details
- Type: Malware family (RAT)
- Platform: Windows (.NET based)
- Capabilities: Keylogging, command execution, screen capture, information gathering, alerting operator via Telegram.
- First Seen: Known RAT, deployed recently by UNC6032 in this campaign.
## MITRE ATT&CK Mapping
- TA0003 - Persistence
- T1547.001 - Registry Run Keys / Startup Folder (Likely, though not specified for this module)
- TA0011 - Command and Control
- T1071 - Application Layer Protocol
- TA0010 - Exfiltration
- T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- Remote execution of commands on the victim machine.
- Keylogging to capture user input.
- Screen capture functionality.
- General information gathering about the compromised host.
### Advanced Features
- Notifies the threat actor via the Telegram application of a new victim or a completed operation.
## Indicators of Compromise
- File Hashes: [Not explicitly provided in the context]
- File Names: Executable loaded into memory as a .NET assembly/DLL.
- Registry Keys: [Not explicitly provided in the context]
- Network Indicators: C2 communication channels established by the RAT.
- Behavioral Indicators: Processes initiating keylogging hooks, taking screenshots, or using Telegram APIs for external communication.
## Associated Threat Actors
- UNC6032.
## Detection Methods
- Signature-based detection: Signatures associated with the known XWorm binary structure.
- Behavioral detection: Monitoring for simultaneous keylogging activity, screen capture, and remote command sessions.
- YARA rules: [Not explicitly provided in the context]
## Mitigation Strategies
- Prevention measures: Employ robust EDR solutions that detect and terminate RAT behaviors promptly.
- Hardening recommendations: Restrict outbound connections to known C2 infrastructure if available.
## Related Tools/Techniques
- GRIMPULL, FROSTRIFT
- STARKVEIL, COILHATCH
***
# Tool/Technique: COILHATCH
## Overview
COILHATCH is a Python-based dropper whose sole purpose within this chain is to facilitate the execution of the three primary malware payloads (GRIMPULL, FROSTRIFT, XWorm) by utilizing DLL side-loading techniques.
## Technical Details
- Type: Tool (Dropper)
- Platform: Windows (Python-based)
- Capabilities: Orchestrating the execution of three modular payloads via DLL side-loading.
- First Seen: Associated with UNC6032 activity since mid-2024.
## MITRE ATT&CK Mapping
- TA0005 - Defense Evasion
- T1218.011 - System Binary Proxy Execution: DLL Side-Loading
## Functionality
### Core Capabilities
- Launched by the STARKVEIL dropper.
- Executes the GRIMPULL, FROSTRIFT, and XWorm components.
- Leverages DLL side-loading to execute these components, potentially bypassing certain application controls that only scrutinize initial binary execution paths.
### Advanced Features
- Acts as an orchestrator, suggesting a structured, multi-stage deployment process designed for resilience (fail-safe mechanism).
## Indicators of Compromise
- File Hashes: [Not explicitly provided in the context]
- File Names: Python script or executable running the Python interpreter.
- Registry Keys: [Not explicitly provided in the context]
- Network Indicators: [Not directly, but facilitates network activity via GRIMPULL]
- Behavioral Indicators: Launching other executables via DLL side-loading.
## Associated Threat Actors
- UNC6032.
## Detection Methods
- Signature-based detection: Signatures for the Python component.
- Behavioral detection: Detecting the execution chain where an initial binary (STARKVEIL) launches a Python script that forces DLL side-loading mechanisms.
- YARA rules: [Not explicitly provided in the context]
## Mitigation Strategies
- Prevention measures: Ensure Python environments are tightly controlled and only necessary libraries are available in execution contexts.
- Hardening recommendations: Employ tools that strictly monitor for unsafe DLL loading practices.
## Related Tools/Techniques
- STARKVEIL
- GRIMPULL, FROSTRIFT, XWorm