Full Report
During a recent Advanced Continual Threat Hunt (ACTH) investigation, the Trustwave SpiderLabs Threat Hunt team identified a deceptive campaign that abused fake AI-themed content to lure users into executing a malicious, pre-configured ScreenConnect installer.
Analysis Summary
# Threat Actor: Unattributed Actor Utilizing AI Lures
## Attribution & Identity
The campaign is attributed to an **unnamed threat actor or group** identified through the Trustwave SpiderLabs Threat Hunt team's Advanced Continual Threat Hunt (ACTH). No specific affiliation or moniker has been assigned in the provided context.
## Activity Summary
The observed activity involves a **deceptive campaign** that leverages **fake AI-themed content** as a lure to trick victims into executing a malicious installer. This campaign results in the deployment of the **ScreenConnect** remote access tool, which is used here to deliver the **Xworm** malware.
## Tactics, Techniques & Procedures
- **Social Engineering/Luring**: Abuse of current trends (AI) to create deceptive lures.
- **Initial Access**: Luring users into executing a malicious, pre-configured ScreenConnect installer.
- **Payload Delivery**: Deployment of the **Xworm** malware following successful execution of the installer.
- **Remote Access/Control**: Use of legitimate remote access software (**ScreenConnect**) post-compromise.
## Targeting
- **Sectors**: Not explicitly detailed, but the nature of the lure suggests targeting of users interested in new technology/AI, potentially across general corporate environments.
- **Geography**: Not explicitly detailed, though the IOCs suggest connections to command-and-control infrastructure that could be global in reach.
- **Victims**: Not specifically named in the summary context provided.
## Tools & Infrastructure
- **Malware families used**:
  - **ScreenConnect**: Abused as the initial delivery mechanism/installer.
  - **Xworm**: The final payload delivered.
- **Infrastructure (C2, domains, IPs) - Defanged**:
  - Domains: `gptgrok[.]ai`, `anhemvn6[.]com`
  - URLs hosting payloads/scripts:
    - `hxxps://github[.]com/trieule99911/vianhthuongbtc`
    - `hxxps://raw.githubusercontent[.]com/trieule99911/vianhthuongbtc/refs/heads/main/basse64[.]txt`
    - Numerous other personalized `.txt` files hosted on the same GitHub repository (e.g., `backpuppure.txt`, `Nhwneafyp.txt`, `purecoookielog.txt`).
  - C2 IP: `5[.]181[.]165[.]102:7705`
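The indicators above are defanged, so they cannot be pasted straight into a proxy or DNS log search. The following script is an added example (not part of the Trustwave report) that refangs the listed IOCs, classifies each as a domain, URL or IP:port, and scans log lines for hits. The log lines are constructed for the example; the log format and the `scan` helper are assumptions, not a Trustwave tool. Domains match on the host (including subdomains), URLs match on the full path, and the IP matches only with its port, so the general-purpose hosts `github.com` and `raw.githubusercontent.com` are not flagged on their own, only the specific repository paths from the report.

```python
import re

# IOCs copied verbatim from the report, still defanged.
DEFANGED_IOCS = [
    "gptgrok[.]ai",
    "anhemvn6[.]com",
    "hxxps://github[.]com/trieule99911/vianhthuongbtc",
    "hxxps://raw.githubusercontent[.]com/trieule99911/vianhthuongbtc/refs/heads/main/basse64[.]txt",
    "5[.]181[.]165[.]102:7705",
]

# Constructed proxy log lines (timestamp, client, method, target, status); not real traffic.
LOG_LINES = [
    "2024-01-01T10:00:00Z 10.0.0.5 GET https://gptgrok.ai/download 200",
    "2024-01-01T10:00:03Z 10.0.0.5 GET https://raw.githubusercontent.com/trieule99911/vianhthuongbtc/refs/heads/main/basse64.txt 200",
    "2024-01-01T10:00:10Z 10.0.0.5 CONNECT 5.181.165.102:7705 -",
    "2024-01-01T10:01:00Z 10.0.0.7 GET https://github.com/python/cpython 200",
    "2024-01-01T10:02:00Z 10.0.0.7 GET https://example.com/ai-news 200",
]


def refang(ioc: str) -> str:
    """Reverse the common defanging conventions: [.] -> . and hxxp(s):// -> http(s)://."""
    ioc = ioc.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", ioc, flags=re.IGNORECASE)


def classify(ioc: str) -> str:
    """Return 'url', 'ip' (IPv4 with optional port) or 'domain' for a refanged IOC."""
    if re.match(r"^https?://", ioc, flags=re.IGNORECASE):
        return "url"
    if re.match(r"^\d{1,3}(\.\d{1,3}){3}(:\d+)?$", ioc):
        return "ip"
    return "domain"


# (kind, refanged value) pairs used by the scanner.
IOCS = [(classify(refang(i)), refang(i)) for i in DEFANGED_IOCS]


def hosts_in_line(line: str) -> set:
    """Extract URL hosts and IPv4:port sockets from a log line."""
    hosts = {m.group(1).lower() for m in re.finditer(r"https?://([^/\s:]+)", line)}
    hosts |= {m.group(1) for m in re.finditer(r"\b(\d{1,3}(?:\.\d{1,3}){3}:\d+)\b", line)}
    return hosts


def scan_line(line: str, iocs=IOCS) -> list:
    """Return the IOC values that match this line."""
    hits = []
    hosts = hosts_in_line(line)
    for kind, ioc in iocs:
        if kind == "url":
            # Full URL must appear; a bare github.com visit is not a hit.
            if ioc.lower() in line.lower():
                hits.append(ioc)
        elif kind == "ip":
            # Match the exact socket, since the report gives an IP with a port.
            if ioc in hosts:
                hits.append(ioc)
        else:
            # Match the domain itself or any subdomain of it.
            if any(h == ioc or h.endswith("." + ioc) for h in hosts):
                hits.append(ioc)
    return hits


def scan(lines) -> dict:
    """Map line index -> matched IOCs, for lines with at least one hit."""
    return {i: hits for i, line in enumerate(lines) if (hits := scan_line(line))}


if __name__ == "__main__":
    for idx, hits in scan(LOG_LINES).items():
        print(f"line {idx}: {LOG_LINES[idx]}")
        for h in hits:
            print(f"    matched IOC: {h}")
```

Run as-is to see the three constructed hits (the lure domain, the raw payload URL and the C2 socket); the two benign lines produce nothing. Swap `LOG_LINES` for a real proxy or DNS export to check your own environment.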
## Implications
This operation highlights the continued reliance of threat actors on social engineering themed around high-interest topics (AI) to achieve initial access. The use of a legitimate remote administration tool (**ScreenConnect**) alongside a known backdoor (**Xworm**) suggests an intent for persistent remote control and data exfiltration or further malicious actions post-compromise.
## Mitigations
- Enforce strict **application control policies** to restrict execution of unauthorized installers, especially those disguised as legitimate software (like ScreenConnect).
- **Endpoint Detection and Response (EDR)** solutions should be tuned to detect anomalous execution chains following the use of legitimate remote tools.
- Implement robust **email and web filtering** policies to block access to suspicious GitHub repositories and newly registered domains used for hosting malicious payloads.
- **Security awareness training** must be updated to specifically warn employees about lures related to AI tools and software updates/installers.