EvilAI Malware Disguises as AI Tools to Infiltrate Global Organizations

Cybersecurity researchers have identified a sophisticated campaign, dubbed EvilAI, in which malicious actors distribute malware under the guise of legitimate artificial intelligence (AI) tools and productivity software. The operation has targeted organizations across sectors including manufacturing, government, healthcare, technology, and retail, in Europe, the Americas, and the Asia, Middle East and Africa (AMEA) region.

The campaign employs applications like AppSuite, Epi Browser, JustAskJacky, Manual Finder, OneStart, PDF Editor, Recipe Lister, and Tampered Chef to deliver malware. These programs are meticulously crafted to appear authentic, featuring professional interfaces and valid digital signatures, making it challenging for users and security systems to detect their malicious nature.

Once installed, these deceptive applications perform extensive reconnaissance, exfiltrate sensitive browser data, and maintain encrypted, real-time communication with command-and-control (C2) servers. This communication utilizes AES-encrypted channels to receive attacker commands and deploy additional payloads.

The distribution methods for EvilAI are diverse, including newly registered websites mimicking legitimate vendor portals, malicious advertisements, search engine optimization (SEO) manipulation, and promoted download links on forums and social media platforms.

EvilAI primarily functions as a stager, facilitating initial access, establishing persistence, and preparing the infected system for further payloads. It also enumerates installed security software and employs techniques to hinder analysis, thereby enhancing its stealth and effectiveness.

The attackers’ ability to blur the line between genuine and malicious software underscores the evolving nature of cyber threats. Organizations are advised to exercise caution when downloading and installing software, especially from unverified sources, and to implement robust security measures to detect and mitigate such sophisticated attacks.