
Hackers Use Fake AI Tools in Global Malware Campaign

A global cyber campaign is using malware disguised as legitimate AI and productivity tools to infiltrate organizations, steal data, and prepare systems for future attacks.

By Leo Martinez

Leo Martinez is a cybersecurity correspondent for Neurozzio, focusing on threat intelligence, malware analysis, and emerging digital security risks. He translates complex technical threats for a broad audience.


A widespread and sophisticated cyber campaign is using applications disguised as legitimate artificial intelligence (AI) and productivity tools to distribute malware across multiple continents. Security researchers have identified a global operation that targets organizations by tricking users into installing software that appears fully functional but secretly compromises their systems.

According to a report from Trend Micro, the campaign, codenamed "EvilAI," has impacted numerous sectors, including manufacturing, government, and healthcare. The malware's distribution spans Europe, the Americas, and the Asia, Middle East, and Africa (AMEA) region, confirming its extensive reach and active development.

Key Takeaways

  • A global malware campaign named "EvilAI" is distributing malicious software disguised as helpful AI and productivity applications.
  • The malware targets a wide range of industries, including government, healthcare, and technology, with infections reported worldwide.
  • Attackers use valid digital signatures and professional-looking interfaces to make the malicious software appear authentic and bypass security checks.
  • The primary goals of the malware are to steal sensitive browser data, conduct system reconnaissance, and prepare infected computers for further attacks.

Details of the EvilAI Campaign

The operators behind the EvilAI campaign have demonstrated a high level of capability by creating software that successfully mimics legitimate tools. Programs such as AppSuite, PDF Editor, and Manual Finder are presented with professional interfaces and are digitally signed to appear trustworthy.

This approach makes it difficult for both users and automated security systems to identify the software as malicious. Researchers noted that the attackers use code-signing certificates from disposable companies, frequently rotating them as older certificates are discovered and revoked. This tactic helps the malware maintain its appearance of legitimacy over time.

"EvilAI disguises itself as productivity or AI-enhanced tools, with professional-looking interfaces and valid digital signatures that make it difficult for users and security tools to distinguish it from legitimate software." - Trend Micro researchers.

The campaign's global footprint is significant. The highest numbers of infections have been recorded in India, the United States, France, Italy, and Brazil. Other heavily affected countries include Germany, the United Kingdom, Norway, Spain, and Canada, indicating a coordinated, worldwide distribution effort.

Malware Functionality and Objectives

Once installed, the malicious software serves as a "stager," a type of malware designed to gain initial access and establish a persistent foothold on the infected system. Its primary functions are to gather information about the device and prepare it for the deployment of additional malicious payloads.

Data Theft and Reconnaissance

The malware's main objectives include extensive system reconnaissance and the exfiltration of sensitive data. It is specifically designed to steal information from web browsers, which often contains valuable credentials, cookies, and personal information. The software also scans the infected system to identify installed security products, a common technique used to evade detection and hinder analysis.

Communication with its command-and-control (C2) servers is conducted through encrypted channels using AES encryption. This secure communication allows the malware to discreetly send stolen data and receive new commands or payloads from the attackers without being easily detected by network monitoring tools.

Distribution Methods

The attackers employ a multi-faceted distribution strategy to spread the malware. These methods are designed to reach a broad audience and exploit user trust in online content. Key distribution channels include:

  • Malicious Advertising: Using online ads to direct users to download the compromised software.
  • SEO Manipulation: Optimizing fake websites to appear in search engine results for common software queries.
  • Fake Vendor Portals: Creating newly registered websites that mimic the official download pages of legitimate software.
  • Social Media and Forums: Promoting download links on various online platforms to lure unsuspecting users.

Connections to Other Malware Families

Multiple cybersecurity firms have analyzed different components of this widespread campaign, connecting the activity to several malware families. While Trend Micro uses the name EvilAI, other researchers have tracked related threats under names like BaoLoader and TamperedChef.

Cybersecurity firm Expel reported that the developers behind some of the applications have used at least 26 different code-signing certificates over the past seven years to make their software appear legitimate.

Research from G DATA concluded that the threat actors responsible for the applications OneStart, ManualFinder, and AppSuite are the same, as they share server infrastructure for distribution and configuration. This suggests a centralized operation managing multiple deceptive applications.

Expel tracks a portion of this activity as "BaoLoader," noting that it primarily uses code-signing certificates issued to companies in Panama and Malaysia. This is distinct from another related threat, "TamperedChef," which historically used certificates from companies in Ukraine and Great Britain. These differences in certificate patterns suggest either different branches of the same operation or separate actors using similar tactics.

Advanced Evasion Techniques

Further investigation by firms like Field Effect and GuidePoint Security has uncovered even more sophisticated evasion tactics. They discovered digitally signed binaries that masquerade as common tools like calendar and image viewers.

These applications were built using the NeutralinoJS framework, which allows developers to create desktop applications using JavaScript. The attackers exploited this framework to execute malicious JavaScript code covertly. This code could access the file system, launch new processes, and communicate over the network without raising suspicion.

One of the most advanced techniques observed was the use of Unicode homoglyphs to encode malicious payloads. Homoglyphs are characters that look identical or very similar to others (e.g., the Latin 'A' and the Greek 'Alpha'). By hiding malicious code within seemingly harmless text using these lookalike characters, the malware was able to bypass many security tools that rely on signature-based or string-based detection.

"The malware's use of Unicode homoglyphs to encode payloads within seemingly benign API responses allowed it to bypass string-based detection and signature matching." - Field Effect report.
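To illustrate why homoglyph encoding defeats string matching, and one detection approach that does not depend on exact strings, here is an added example (not code from the report or from any of the firms cited). It flags words that mix letters from more than one Unicode script, something legitimate API responses almost never do; the sample responses are constructed for the example, with Cyrillic and Greek lookalikes substituted via escape sequences.

```python
import re
import unicodedata
from typing import Optional

# Constructed samples. The second is the same text with a few Latin letters
# replaced by visually identical Cyrillic (U+0435, U+043E, U+0430) and
# Greek (U+0391) characters, the trick described in the report.
SAMPLE_BENIGN = '{"status": "ok", "message": "Welcome back, Alice"}'
SAMPLE_MIXED = '{"status": "ok", "message": "W\u0435lc\u043eme b\u0430ck, \u0391lice"}'

WORD_RE = re.compile(r"\w+", re.UNICODE)


def script_of(ch: str) -> Optional[str]:
    """Script name of a letter (LATIN, CYRILLIC, GREEK, ...), None for non-letters."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else None


def mixed_script_words(text: str) -> list:
    """Return (word, scripts) for every word whose letters span >1 script."""
    hits = []
    for word in WORD_RE.findall(text):
        scripts = {s for s in (script_of(c) for c in word) if s}
        if len(scripts) > 1:
            hits.append((word, scripts))
    return hits


def naive_keyword_match(text: str, keyword: str = "Welcome") -> bool:
    """Plain substring check: this is what the homoglyph swap is meant to evade."""
    return keyword in text


def flag_response(text: str) -> dict:
    """Summarise one response body: suspicious if any word mixes scripts."""
    hits = mixed_script_words(text)
    return {
        "suspicious": bool(hits),
        "mixed_words": [w for w, _ in hits],
        "scripts_seen": sorted(set().union(*(s for _, s in hits)) if hits else set()),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_BENIGN, SAMPLE_MIXED):
        print(naive_keyword_match(sample), flag_response(sample))
```

The naive keyword check returns True for the benign sample and False for the disguised one, while the script-mixing check flags only the disguised one; in practice the same test can be applied to decoded API responses at a proxy or in sandbox output before any signature matching runs.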

The presence of numerous code-signing publishers across different malware samples has led researchers to speculate about the attackers' supply chain. This pattern could indicate the use of a shared malware-as-a-service (MaaS) platform or a marketplace where threat actors can purchase code-signing certificates to lend their malicious software an air of authenticity. This evolving strategy highlights the growing challenge of distinguishing between trusted and malicious applications.