IBM X-Force analyzed a new PowerShell backdoor called Slopoly, likely generated with a large language model, which was used in an Interlock ransomware campaign to maintain persistence and exfiltrate data. The attack began with a ClickFix social engineering flow, was attributed to the financially motivated group Hive0163, and highlights how AI-assisted builders can accelerate custom malware development and help evade detection.
Key points
- Slopoly is a PowerShell backdoor acting as a C2 client deployed to C:\ProgramData\Microsoft\Windows\Runtime and persisted via a scheduled task named "Runtime Broker."
- IBM X-Force found indicators of LLM-assisted development, including extensive code comments, structured logging, and clearly named variables.
- The attack chain began with a ClickFix social engineering ruse and included other components like NodeSnake, InterlockRAT, and the Interlock ransomware delivered via JunkFiction.
- Slopoly collects system information, sends heartbeat beacons, polls for commands, executes commands via cmd.exe, downloads payloads, and maintains a rotating persistence.log.
- Although Slopoly is unsophisticated and not truly polymorphic, builders can generate varied clients with randomized configuration to hinder detection.
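A defender-side hunt for the persistence artifacts the summary attributes to Slopoly (the staging directory, the spoofed "Runtime Broker" scheduled task, and the rotating persistence.log), written as an added example rather than code from the X-Force report. Only the directory path, task name and log name come from the summary; the check logic, the `Find-SlopolyArtifacts` function name and the `persistence*.log` rotation pattern are assumptions.

```powershell
# Added hunting example (not from the X-Force report). The path, task name
# and log name are from the summary; how to check them is an assumption.
# Note: the legitimate Windows Runtime Broker is a process (RuntimeBroker.exe),
# not a scheduled task, so a task with this name is worth a closer look.
$SuspectDir  = 'C:\ProgramData\Microsoft\Windows\Runtime'
$SuspectTask = 'Runtime Broker'

function Find-SlopolyArtifacts {
    $findings = @()

    # 1. Scheduled task carrying the spoofed name, or any task whose action
    #    references the staging directory.
    foreach ($task in (Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        $actions = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
        if ($task.TaskName -eq $SuspectTask -or $actions -like "*$SuspectDir*") {
            $findings += [pscustomobject]@{
                Type   = 'ScheduledTask'
                Detail = "$($task.TaskPath)$($task.TaskName) -> $actions"
            }
        }
    }

    # 2. Staging directory contents; the rotating log is flagged separately
    #    (assumed naming: persistence.log plus rotated copies persistence*.log).
    if (Test-Path -LiteralPath $SuspectDir) {
        foreach ($f in (Get-ChildItem -LiteralPath $SuspectDir -Recurse -Force -ErrorAction SilentlyContinue)) {
            $findings += [pscustomobject]@{
                Type   = if ($f.Name -like 'persistence*.log') { 'PersistenceLog' } else { 'StagedFile' }
                Detail = "$($f.FullName) ($($f.Length) bytes, modified $($f.LastWriteTime))"
            }
        }
    }

    # 3. Live PowerShell processes whose command line points into the staging directory.
    $procs = Get-CimInstance Win32_Process -Filter "Name = 'powershell.exe' OR Name = 'pwsh.exe'"
    foreach ($p in ($procs | Where-Object { $_.CommandLine -like "*$SuspectDir*" })) {
        $findings += [pscustomobject]@{
            Type   = 'Process'
            Detail = "PID $($p.ProcessId): $($p.CommandLine)"
        }
    }

    return $findings
}

$results = Find-SlopolyArtifacts
if ($results) { $results | Format-Table -AutoSize } else { 'No Slopoly persistence artifacts found.' }
```

Run from an elevated PowerShell session so that all users' scheduled tasks and the ProgramData subtree are readable; an empty result only means these specific artifacts are absent, since a builder that randomizes configuration may change the path or task name.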