Cybercriminals camouflaging threats as AI tool installers

Cisco Talos uncovered three new malware threats disguised as AI tool installers: CyberLock ransomware, LuckyGh0$t ransomware, and the destructive Numero malware. These threats exploit AI’s popularity to target industries such as B2B sales, technology, and marketing, using deceptive websites and fake installers distributed via SEO poisoning and social media. #CyberLock #LuckyGh0$t #Numero

Keypoints

  • CyberLock ransomware is delivered through a fake AI tool website, ‘novaleadsai[.]com’, a lookalike of the legitimate novaleads.app. It is written in PowerShell, encrypts victims’ files with AES, and demands a Monero ransom that the note claims will fund humanitarian aid.
  • Lucky_Gh0$t is a minor variant of Yashma ransomware distributed as a fake ChatGPT installer. It encrypts files smaller than 1.2 GB and destructively replaces the contents of larger files instead of encrypting them.
  • Numero is a newly identified destructive malware (not ransomware) that manipulates Windows GUI elements, overwriting window contents until the infected system is unusable.
  • The threat actors use SEO poisoning and social media platforms to distribute counterfeit AI solution installers, targeting the B2B sales, technology, and marketing sectors.
  • CyberLock hides its PowerShell window, elevates privileges, and wipes free disk space with the legitimate Windows tool cipher.exe (its /w option) so that deleted originals cannot be recovered forensically.
  • Lucky_Gh0$t deletes volume shadow copies and backups to block recovery and encrypts files using a combination of AES-256 and RSA-2048.
  • Numero detects and evades multiple debugging and malware-analysis tools, and a malicious batch script re-launches it in an infinite loop so that it keeps running.
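The defense-evasion and recovery-inhibition behaviours in the keypoints above (a hidden PowerShell window, cipher.exe /w, shadow-copy deletion, dwn.exe imitating dwm.exe) all show up in process-creation telemetry. The following rule set is an added example written for this summary, not code from Talos or from the malware authors. It runs over constructed Sysmon Event ID 1 style records; the paths, the stage.ps1 name and the command lines are assumptions made here, and only cipher.exe /w, dwn.exe, NovaLeadsAI.exe and the fake ChatGPT installer name come from the report.

```python
# Added example (not code from the Talos report): process-creation detection
# rules for the CyberLock / Lucky_Gh0$t behaviours described above, run over
# constructed Sysmon Event ID 1 style records. Paths, file names and command
# lines in SAMPLE_EVENTS are assumptions made for this example.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str          # full path of the created process
    command_line: str   # full command line as logged
    parent_image: str   # full path of the parent process


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _match(pattern: str, text: str) -> bool:
    return re.search(pattern, text, re.IGNORECASE) is not None


# (rule name, ATT&CK technique, predicate over a ProcEvent)
RULES = [
    # CyberLock: cipher.exe /w:<drive> wipes free space to hinder recovery
    ("cipher_free_space_wipe", "T1070",
     lambda ev: _basename(ev.image) == "cipher.exe"
     and _match(r"(^|\s)/w:", ev.command_line)),
    # CyberLock: PowerShell started with its window hidden
    ("hidden_powershell", "T1059.001",
     lambda ev: _basename(ev.image) in ("powershell.exe", "pwsh.exe")
     and _match(r"-w(indowstyle)?\s+hidden", ev.command_line)),
    # Lucky_Gh0$t: shadow copy / backup catalog deletion
    ("shadow_copy_deletion", "T1490",
     lambda ev: (_basename(ev.image) == "vssadmin.exe"
                 and _match(r"delete\s+shadows", ev.command_line))
     or (_basename(ev.image) == "wmic.exe"
         and _match(r"shadowcopy\s+delete", ev.command_line))
     or (_basename(ev.image) == "wbadmin.exe"
         and _match(r"delete\s+catalog", ev.command_line))),
    # Lucky_Gh0$t: dwn.exe imitating the legitimate dwm.exe
    ("dwm_lookalike", "T1036",
     lambda ev: _basename(ev.image) == "dwn.exe"),
]


def evaluate(events):
    """Return one (rule, technique, parent name, command line) tuple per hit."""
    hits = []
    for ev in events:
        for name, technique, predicate in RULES:
            if predicate(ev):
                hits.append((name, technique, _basename(ev.parent_image), ev.command_line))
    return hits


# Constructed sample events: four malicious, three benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\victim\AppData\Local\Temp\stage.ps1",
              r"C:\Users\victim\Downloads\NovaLeadsAI.exe"),
    ProcEvent(r"C:\Windows\System32\cipher.exe", "cipher.exe /w:C:\\",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(r"C:\Users\victim\AppData\Local\Temp\dwn.exe", "dwn.exe",
              r"C:\Users\victim\Downloads\ChatGPT 4.0 full version - Premium.exe"),
    ProcEvent(r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet",
              r"C:\Users\victim\AppData\Local\Temp\dwn.exe"),
    # benign: cipher.exe used to encrypt a folder, not to wipe free space
    ProcEvent(r"C:\Windows\System32\cipher.exe", r"cipher.exe /e C:\Users\victim\Documents",
              r"C:\Windows\System32\cmd.exe"),
    # benign: interactive PowerShell without a hidden window
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -Command Get-Process", r"C:\Windows\explorer.exe"),
    # benign: the real Desktop Window Manager
    ProcEvent(r"C:\Windows\System32\dwm.exe", "dwm.exe", r"C:\Windows\System32\winlogon.exe"),
]


def run_sample():
    return evaluate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for hit in run_sample():
        print(hit)
```

Each hit carries the parent process name because that is where the tuning lives: cipher.exe /w and vssadmin are also run by administrators, so a production rule would raise severity when the parent is a script host or an executable in a user-writable directory, as in the sample events, rather than alerting on the binary alone.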

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – CyberLock ransomware is written in PowerShell and executes embedded scripts to encrypt files (“…CyberLock ransomware is written in PowerShell…”).
  • [T1548] Abuse Elevation Control Mechanism – CyberLock elevates privileges and re-executes itself with administrative rights; this is a privilege-escalation behaviour, not the creation of a system service (“…CyberLock has the capability to elevate privileges and re-execute itself…”).
  • [T1070] Indicator Removal – CyberLock uses cipher.exe with the /w option to wipe free disk space so that deleted originals cannot be recovered forensically (“…CyberLock uses the living-off-the-land binary ‘cipher.exe’ with the ‘/w’ option to erase free space…”).
  • [T1486] Data Encrypted for Impact – Both CyberLock and Lucky_Gh0$t encrypt victim files to prevent access (“…encrypts the targeted files using AES…”; “…LuckyGh0$t uses AES-256 and RSA-2048 encryption…”).
  • [T1497] Virtualization/Sandbox Evasion and [T1622] Debugger Evasion – Numero checks for the processes of malware-analysis tools and debuggers and evades them (“…Numero evades analysis by checking process handles of various malware analysis tools and debuggers…”).
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Numero is launched by a malicious batch script that re-runs it in an infinite loop; the loop keeps the malware running but is not a boot or logon autostart mechanism (“…batch file executes the Numero malware…in an infinite loop…”).
  • [T1608.006] Stage Capabilities: SEO Poisoning and [T1204.002] User Execution: Malicious File – The CyberLock actor registered a lookalike domain for a legitimate AI tool site, used SEO manipulation to surface it, and relied on victims running the fake installer; no public-facing application is exploited (“…threat actor creating a lookalike fake AI solution website…”; “…SEO manipulation technique…”).

Indicators of Compromise

  • [Domain] CyberLock fake website domain – novaleadsai[.]com, mimicking novaleads.app
  • [File Name] CyberLock loader executable – NovaLeadsAI.exe
  • [Email] Ransom contact for CyberLock – cyberspectreislocked@onionmail[.]org
  • [File Name] Lucky_Gh0$t ransomware executable – dwn.exe (masquerades as dwm.exe)
  • [File Name] Lucky_Gh0$t SFX installer – “ChatGPT 4.0 full version – Premium.exe”
  • [File Name] Numero malware executable – wintitle.exe
  • [Ransom Note] CyberLock ransom note file – ReadMeNow.txt
  • [URL] Lucky_Gh0$t ransom note contact channel – the Session messenger (getsession[.]org); note that this domain is the legitimate messenger’s site, not actor-controlled infrastructure, so it is a pivot for the note’s content rather than a blocklist entry
  • [ClamAV Detection] Examples – Ps1.Ransomware.CyberLock-10045054-0, Win.Dropper.LuckyGhost-10045078-0, Win.Malware.Numero-10045090-0


Read more: https://blog.talosintelligence.com/fake-ai-tool-installers/