An individual or group of threat actors has deployed a sophisticated ransomware attack toolkit powered by artificial intelligence (AI). This toolkit automates Active Directory (AD) discovery and effectively evades endpoint detection and response (EDR) solutions.
The development of this malicious tool and its payloads was supported by Cursor and Claude Opus agents throughout various stages, from initial coding to analysis and revision. Some agents were specifically assigned to monitor security research posts for potential bypass techniques.
Several malware samples created using this AI-driven approach were rigorously tested in virtual environments against EDR tools from industry leaders such as Sophos, CrowdStrike, and Microsoft.
Despite the AI technology involved in the research and development of this malware, it is important to note that the entire workflow is driven by human intervention.
Swift Development of EDR Evasion Techniques
Researchers at leading cybersecurity firm Sophos recently identified activity related to this toolkit on a system within a client’s network. The alerts triggered by malicious payloads stored in a specific directory indicated a focus on avoiding detection.
The malicious files included:
Cobalt Strike profiles designed to camouflage beacon traffic as legitimate web requests
An external command and control (C2) mechanism based on the Telegram bot API, leveraging Telegram’s infrastructure for communication
Python-based scripts for injecting shellcode into legitimate Windows executables without disrupting their original functionality
A Cloudflare Worker serving as a front-end redirector to obfuscate the true backend C2 server
Although the toolkit may initially resemble a “red team” post-exploitation framework, it is clear that it is being utilized in cybercriminal activities associated with ransomware.
“Our initial assessment led us to consider the involvement of a legitimate Red Team, but further investigation uncovered artifacts indicative of malicious and criminal intent,” stated Sophos to BleepingComputer.
Upon examining Cobalt Strike operator logs, researchers discovered references to a ransom note and information about multiple organizations listed on a ransomware data leak site, confirming the malicious nature of the framework and its association with cybercrime operations.
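For defenders, the Telegram bot API channel listed above can be hunted in egress logs. The following is an added example, not code from Sophos or the toolkit: it assumes a TLS-inspecting proxy that logs full URLs, and the log layout, host names, tokens and allow-list are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (time, source host, process, URL); tokens are fake.
SAMPLE_LOG = """\
2025-01-10T09:00:01Z ws-114 python.exe https://api.telegram.org/bot1111111111:AAExampleTokenExampleTokenExample00/getUpdates?offset=41
2025-01-10T09:00:31Z ws-114 python.exe https://api.telegram.org/bot1111111111:AAExampleTokenExampleTokenExample00/getUpdates?offset=42
2025-01-10T09:00:33Z ws-114 python.exe https://api.telegram.org/bot1111111111:AAExampleTokenExampleTokenExample00/sendDocument
2025-01-10T09:05:00Z mon-01 alertbot https://api.telegram.org/bot2222222222:AAExampleTokenExampleTokenExample01/sendMessage
2025-01-10T09:06:00Z ws-200 chrome.exe https://telegram.org/faq
"""
# Hypothetical allow-list: hosts approved to send notifications through a bot.
ALLOWED_HOSTS = {"mon-01"}
# Bot API URL shape: /bot<numeric bot id>:<secret>/<method>
BOT_API = re.compile(r"https://api\.telegram\.org/bot(\d+):[\w-]+/(\w+)")
# getUpdates pulls messages addressed to the bot down to the caller.
# Bot API method names are case-insensitive, so compare in lower case.
POLL_METHODS = {"getupdates"}


def find_bot_api_egress(log_text, allowed_hosts=ALLOWED_HOSTS):
    """Group Bot API calls per (host, process, bot id) and flag suspicious ones."""
    seen = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue
        _ts, host, proc, url = parts
        m = BOT_API.match(url)
        if m:
            # Keep only the numeric bot id; the secret half of the token is dropped.
            seen[(host, proc, m.group(1))][m.group(2).lower()] += 1
    findings = []
    for (host, proc, bot_id), methods in sorted(seen.items()):
        polls = bool(POLL_METHODS & methods.keys())
        if host in allowed_hosts and not polls:
            continue  # approved send-only integration
        findings.append({
            "host": host, "process": proc, "bot_id": bot_id,
            "methods": dict(methods),
            "reason": "polls for inbound messages" if polls
                      else "host not on allow-list",
        })
    return findings


if __name__ == "__main__":
    for finding in find_bot_api_egress(SAMPLE_LOG):
        print(finding)
```

Without TLS inspection only the destination host name is visible, so the same hunt reduces to listing which hosts and processes connect to api.telegram.org at all.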
AI-Powered Malware Development
In a recent report, Sophos revealed that various Python scripts found on the compromised host were written in Russian and generated with the assistance of AI tools.
During their investigation, the researchers came across a Git repository containing components related to an automated Active Directory (AD) discovery panel and a testing lab that employed an iterative approach to developing and evaluating malware against EDR agents from Sophos, CrowdStrike, and Windows Defender.
The AD discovery process involves collecting data from completed tasks to determine the next course of action. This task is then delegated to remote agents, and the results are analyzed and refined accordingly.
The malicious framework comprises multiple AI agents, each assigned specific roles such as R&D coordination, testing, OPSEC hardening, documentation, proxy stress testing, and VM deployment.
During the development phase, some agents were responsible for documenting bypass techniques sourced from reputable cybersecurity firms like Kaspersky, Palo Alto Networks, Bishop Fox, and SpecterOps, as well as information shared in social media posts.
These agents extracted the techniques, aligned them with the MITRE ATT&CK framework, conducted testing in a controlled environment, and reported the outcomes.
The core component of the malicious framework is a Python tool that generates payloads, predominantly in Rust and Go, based on evasion techniques. Over 70 techniques were tested using close to 80 modules.
“This modular Windows payload loader generator wraps a raw payload in layers of encryption, evasion, and alternative execution techniques, producing custom-built executables or DLLs intended to resist sandboxing, antivirus, and EDR detection” – Sophos
Although initial testing showed a high failure rate, later iterations of the modules were able to bypass the majority of EDR solutions. Sophos noted, however, that in certain instances the test results did not match the framework’s internal reporting; the reasons for the discrepancy are unclear.
Figure: The EDR bypass development workflow (Source: Sophos)
There is no evidence to suggest that AI elements were embedded within the deployed malware or operated independently within victim environments. Instead, AI technology was leveraged to expedite the iterative process of developing, testing, and enhancing payloads to evade security products.
AI tools are playing a crucial role in reducing the gap between offensive security research findings and their practical application by threat actors.