| Follow @EthHackingNews |
The Hive0163 group has been linked to multiple custom backdoors, data exfiltration, and ransomware deployments, and its toolkit now includes AI-assisted malware such as Slopoly. This new tool highlights the accelerating threat landscape, forcing defenders to rethink security paradigms and stay vigilant in the face of emerging threats.
As the world grapples with the ever-evolving landscape of cyber threats, a new player has emerged in the realm of malware development: AI-assisted tools. The latest example is Hive0163's use of Slopoly, an AI-assisted malware tool that supports the group's ransomware campaigns. This article will delve into the details of Slopoly and its implications for cybersecurity professionals and enthusiasts alike.
The Hive0163 group has been linked to multiple custom backdoors, data exfiltration, and ransomware deployments. They specialize in post-compromise activity, operating inside a network after initial access has already been obtained. X-Force researchers have identified Slopoly as a critical component of their toolkit, used to maintain persistent access to servers during ransomware attacks.
Researchers discovered Slopoly during an investigation into Hive0163's ransomware campaigns. The malware acts as a C2 client that collects system data, sends heartbeat beacons to a remote server, executes commands via cmd.exe, and maintains persistence through a scheduled task. Its structure and extensive comments suggest AI-assisted development, highlighting how attackers can rapidly build operational malware.
The Windows Interlock ransomware is deployed with the JunkFiction loader, typically in temporary folders. It supports various arguments to encrypt directories (-d) or files (-f), delete itself (-del), run as a scheduled task (-s), release locked files (-r), or store session keys externally (-u). Interlock skips system directories and critical file types, uses AES-GCM per-file encryption combined with RSA-protected session keys, and leaves a ransom note (FIRST_READ_ME.txt).
The malware can stop processes via the Restart Manager API to encrypt locked files and deletes itself using an embedded DLL executed through rundll32.exe. Researchers from IBM X-Force observed an intrusion starting with a ClickFix attack that tricked a victim into executing a malicious PowerShell command. The script deployed NodeSnake, part of a larger C2 framework used by Hive0163.
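A defender-side triage of the Interlock behaviours described above (the documented command-line switches, rundll32-based self-deletion and the FIRST_READ_ME.txt note) run over constructed process- and file-event lines. This is an added example, not code from the X-Force report; the log layout, file paths and DLL name are assumptions.

```python
import re
import shlex

# Switches the article attributes to the Windows Interlock payload.
INTERLOCK_FLAGS = {"-d", "-f", "-del", "-s", "-r", "-u"}
RANSOM_NOTE = "first_read_me.txt"
# Assumption: "temporary folders" means a path component named Temp or Tmp.
TEMP_PATH = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)

# Constructed events in a made-up key=value|key=value layout; paths, names
# and the rundll32 DLL/export are placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    r'type=proc_create|parent=C:\Windows\explorer.exe|cmdline="C:\Users\a\AppData\Local\Temp\svc.exe" -d D:\Shares -s -u',
    r'type=proc_create|parent=C:\Users\a\AppData\Local\Temp\svc.exe|cmdline=rundll32.exe C:\Users\a\AppData\Local\Temp\drop.dll,Run',
    r'type=file_create|image=C:\Users\a\AppData\Local\Temp\svc.exe|target=D:\Shares\Finance\FIRST_READ_ME.txt',
    r'type=proc_create|parent=C:\Windows\explorer.exe|cmdline=cmd.exe /c dir -s',  # benign: one switch, system path
]

def parse_event(line):
    """Split 'k=v|k=v' into a dict (constructed log format)."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|") if "=" in kv)

def score_event(ev):
    """Return the reasons an event looks like Interlock activity ([] if none)."""
    reasons = []
    cmd = ev.get("cmdline", "")
    argv = shlex.split(cmd, posix=False) if cmd else []  # non-POSIX mode keeps backslashes
    image = (argv[0] if argv else ev.get("image", "")).strip('"')
    hits = {a.lower() for a in argv[1:]} & INTERLOCK_FLAGS
    # Two or more documented switches on a binary run from a temp folder.
    if len(hits) >= 2 and TEMP_PATH.search(image):
        reasons.append(f"interlock-style switches {sorted(hits)} from temp path")
    # Self-deletion pattern: rundll32 launched by a temp-folder parent.
    if image.lower().endswith("rundll32.exe") and TEMP_PATH.search(ev.get("parent", "")):
        reasons.append("rundll32 spawned by temp-folder parent")
    # Ransom note drop.
    if ev.get("type") == "file_create" and ev.get("target", "").lower().endswith(RANSOM_NOTE):
        reasons.append("ransom note FIRST_READ_ME.txt written")
    return reasons

def triage(lines):
    """Map the index of each suspicious event to its reasons."""
    out = {}
    for i, line in enumerate(lines):
        r = score_event(parse_event(line))
        if r:
            out[i] = r
    return out
```

Running `triage(SAMPLE_EVENTS)` flags the first three constructed events and leaves the benign cmd.exe line alone.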
NodeSnake is the first stage of a larger malware command-and-control (C2) framework heavily used by Hive0163. According to observations, the framework spans multiple client implementations of varying capabilities in PowerShell, PHP, C/C++, Java, and JavaScript for both Windows and Linux. These components have been widely reported as "InterlockRAT", but despite the name, the final ransomware payloads are not necessarily limited to Interlock.
NodeSnake downloaded additional payloads, including the more advanced InterlockRAT, which enables reverse shells, SOCKS5 tunneling, and remote command execution. The attackers later deployed Slopoly and tools such as AzCopy and Advanced IP Scanner to expand access and move laterally within the network.
The emergence of AI-assisted malware like Slopoly highlights the accelerating threat landscape. Threat actors can rapidly build operational malware using AI, forcing defenders to fundamentally rethink today's security paradigms. The future potential of state-of-the-art AI technologies in the hands of an already highly disruptive threat actor poses an imminent risk to defenders.
As the use of AI-assisted malware continues to grow, it is essential for cybersecurity professionals to stay vigilant and adapt their strategies accordingly. This includes keeping up-to-date with the latest threats, implementing robust security measures, and staying informed about emerging trends in the world of cyber threats.