Summary
A highly capable threat campaign, codenamed EvilAI by Trend Micro, is using seemingly legitimate, digitally signed AI-enhanced productivity software, such as PDF editors, to covertly deliver multiple malware strains worldwide. The applications are genuinely functional, which is what makes them effective initial-access conduits: once installed they perform reconnaissance, exfiltrate browser data, and stage the host for secondary payloads. The campaign has a wide geographic spread, affecting sectors including manufacturing and retail across regions including the Americas and EMEA.
Analysis
The EvilAI campaign represents a significant evolution in malware delivery: it pairs valid code-signing certificates issued to disposable companies with professional-looking interfaces to pass signature-based defenses and exploit user trust. A valid signature proves only that the binary has not been altered since it was signed, not that the publisher is trustworthy, so the signer identity itself has to be vetted. The malware acts as a stager: it gains initial access, establishes persistence, and enumerates installed security software before deploying additional payloads. Further analysis has identified distinct but related malware clusters within EvilAI, such as BaoLoader and TamperedChef, which share infrastructure and core components but are run by different developers with differing objectives, including advertising fraud. New variants use the NeutralinoJS desktop framework to execute JavaScript payloads and call native system APIs, giving them covert file system access and data-siphoning capability via techniques such as Unicode homoglyph encoding.
The end goal of the campaign is to conduct extensive reconnaissance, exfiltrate sensitive browser data, and maintain real-time, AES-encrypted communication with its command-and-control (C2) servers in order to receive attacker commands and deploy additional payloads.
Indicators of Compromise
Trend Micro has published Indicators of Compromise associated with EvilAI; they are reproduced below.
File Name | SHA256 | Detection
--- | --- | ---
justaskjacky.exe | 8ecd3c8c126be7128bf654456d171284f03e4f212c27e1b33f875b8907a7bc65 | Trojan.Win32.EVILAI.A
manualshq.exe | 49a4442e73521ecca8e56eb6dbc33f31eb7cfa5e62a499e552bcd29a29d79d8a | Trojan.Win32.EVILAI.A
PDF Editor.exe | b0c321d6e2fc5d4e819cb871319c70d253c3bf6f9a9966a5d0f95600a19c0983 | Trojan.Win64.DROPPER.CRCBA
PDF Editor.exe | cb15e1ec1a472631c53378d54f2043ba57586e3a28329c9dbf40cb69d7c10d2c | Trojan.Win64.DROPPER.BB
index.js | ad0655b17bbdbd8a7430485a10681452be94f5e6c9c26b8f92e4fcba291c225a | Backdoor.JS.EVILAI.A
{GUID}or.js | 95001359fb671d0e6d97f37bd92642cc993e517d2307f373bfa9893639f1a2bc | Backdoor.JS.EVILAI.A
main.js | 9f369e63b773c06588331846dd247e48c4030183df191bc53d341fcc3be68851 | Trojan.JS.EVILAI.YXFH1
main.js | cf45ab681822d0a4f3916da00abd63774da58eb7e7be756fb6ec99c2c8cca815 | Trojan.JS.EVILAI.YXFH1
{GUID}or.js | ce834dca38aeac100f853d79e77e3f61c12b9d4da48bb0a949d0a961bf9c0a27 | Backdoor.JS.EVILAI.A
C&C Servers (defanged)
hxxps://9mdp5f[.]com |
hxxps://5b7crp[.]com |
hxxps://mka3e8[.]com |
hxxps://y2iax5[.]com |
hxxps://abf26u[.]com |
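The following script is an added example of how a responder can put the IOCs above to work; it is written for this page and is not Trend Micro's tooling. It refangs the defanged C2 domains, hashes every file under a directory and compares against the published SHA256 list, and scans DNS or proxy log lines for the C2 domains (including subdomains). The log lines and the temporary file used in the demo are constructed here so the script runs offline; a hash match alone does not prove the signer is malicious, but any hit on these hashes or domains warrants isolation and a closer look at the host's signed-binary inventory.

```python
"""Added example for this page: sweep files and log lines against the EvilAI IOCs.

Not Trend Micro's code. The hashes and domains are the ones listed above; the
sample log lines and the demo file are constructed so that everything runs offline.
"""
from __future__ import annotations

import hashlib
import os
import re
import tempfile

# SHA256 IOCs from the table above (lowercase hex, as hashlib emits them).
EVILAI_SHA256 = {
    "8ecd3c8c126be7128bf654456d171284f03e4f212c27e1b33f875b8907a7bc65",
    "49a4442e73521ecca8e56eb6dbc33f31eb7cfa5e62a499e552bcd29a29d79d8a",
    "b0c321d6e2fc5d4e819cb871319c70d253c3bf6f9a9966a5d0f95600a19c0983",
    "cb15e1ec1a472631c53378d54f2043ba57586e3a28329c9dbf40cb69d7c10d2c",
    "ad0655b17bbdbd8a7430485a10681452be94f5e6c9c26b8f92e4fcba291c225a",
    "95001359fb671d0e6d97f37bd92642cc993e517d2307f373bfa9893639f1a2bc",
    "9f369e63b773c06588331846dd247e48c4030183df191bc53d341fcc3be68851",
    "cf45ab681822d0a4f3916da00abd63774da58eb7e7be756fb6ec99c2c8cca815",
    "ce834dca38aeac100f853d79e77e3f61c12b9d4da48bb0a949d0a961bf9c0a27",
}

# C2 servers exactly as published (defanged); refanged only in memory for matching.
EVILAI_C2_DEFANGED = [
    "hxxps://9mdp5f[.]com",
    "hxxps://5b7crp[.]com",
    "hxxps://mka3e8[.]com",
    "hxxps://y2iax5[.]com",
    "hxxps://abf26u[.]com",
]


def refang(ioc: str) -> str:
    """Reverse the common defanging conventions (hxxp -> http, [.] -> .)."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


def c2_domains(defanged=EVILAI_C2_DEFANGED) -> set[str]:
    """Bare, lowercased hostnames to match against logs (scheme and slashes dropped)."""
    return {re.sub(r"^https?://", "", refang(d)).rstrip("/").lower() for d in defanged}


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA256 so large installers do not land in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_files(root: str, hashes=EVILAI_SHA256) -> list[tuple[str, str]]:
    """Return (path, sha256) for every file under root whose hash is in the IOC set.
    Matching is by hash only; the file name is irrelevant (droppers get renamed)."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            try:
                digest = sha256_of(p)
            except OSError:  # locked, unreadable or vanished file: skip, keep sweeping
                continue
            if digest in hashes:
                hits.append((p, digest))
    return hits


# Loose hostname tokenizer: good enough for DNS/proxy logs, tightened by the domain set.
_HOST_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}", re.I)


def scan_log_lines(lines, domains=None) -> list[tuple[int, str]]:
    """Return (line_number, hostname) for lines naming a C2 domain or any subdomain of one."""
    domains = c2_domains() if domains is None else domains
    hits = []
    for n, line in enumerate(lines, 1):
        for token in _HOST_RE.findall(line):
            host = token.lower().strip(".")
            if any(host == d or host.endswith("." + d) for d in domains):
                hits.append((n, host))
                break
    return hits


# Constructed DNS log lines (not real telemetry): two benign, two touching C2 domains.
SAMPLE_DNS_LOG = [
    "10:01:02Z host=WS-0147 query=update.microsoft.com type=A",
    "10:01:09Z host=WS-0147 query=9mdp5f.com type=A",
    "10:02:31Z host=WS-0212 query=example.org type=AAAA",
    "10:02:44Z host=WS-0212 query=cdn.y2iax5.com type=A",
]


def demo_sweep() -> tuple[list, list]:
    """Sweep a throwaway directory holding one constructed file: first against the
    real IOC set (no hit expected), then against a set seeded with that file's own
    hash to show the matching path works. Returns (real_hits, seeded_hit_hashes)."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "PDF Editor.exe")  # name mimics the lure; content does not
        with open(p, "wb") as f:
            f.write(b"constructed benign content, not the real dropper")
        return sweep_files(d), [h for _, h in sweep_files(d, {sha256_of(p)})]


if __name__ == "__main__":
    print("C2 domains:", sorted(c2_domains()))
    print("log hits:", scan_log_lines(SAMPLE_DNS_LOG))
    print("demo sweep:", demo_sweep())
```

Point `sweep_files` at user-writable install locations such as `%LOCALAPPDATA%` and `%APPDATA%`, where these lures typically land, and feed `scan_log_lines` your DNS resolver or proxy export; the subdomain check matters because C2 hosts are frequently fronted by `cdn.`- or `api.`-style names that an exact-match blocklist would miss.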