The first attack analyzed by the experts concerned a law firm that fell victim to a phishing campaign and was infected with Trickbot. Trickbot is a Trojan that exploits the Windows EternalBlue vulnerability and targets banks and other financial institutions. The malware continues to be improved and is being equipped with modules for “injecting” malicious components, data processing, blocking mechanisms and code obfuscation. One Trickbot modification managed to infect 20 network devices, and complex cleaning procedures were required to deactivate it and remove the traces of its activity. The experts also found Empire PowerShell modules in the program, which are used to penetrate the victim’s computer further after the initial infection.
Darktrace believes that, over time, AI-enriched malware will learn to self-propagate by seeking out any possible vulnerability that could be used to compromise a network. “Imagine a WannaCry-type attack that, instead of choosing one form of lateral movement (such as the EternalBlue exploit), independently identifies the target environment and chooses its penetration methods accordingly,” the company writes. For example, an AI program could “understand” that it is targeting vulnerabilities that have already been patched and fall back to a brute-force attack, keylogging and other methods that have proven effective in targeted attacks. What makes AI malware especially dangerous is that it can lie in wait, learn and select attack techniques, and do all of this without involving command and control (C2) servers.
Twin programs
As another example, Darktrace describes a doppelgänger infection mechanism discovered on a device belonging to a utility company. According to the company, the malware covered its tracks using a variety of tactics, including obfuscation, and was loaded into the company’s network from Amazon S3. It was installed using a fake SSL certificate, and its traffic was routed through ports 443 and 80, so it was not detected by standard security controls. Further open-source intelligence (OSINT) showed that the targeted backdoor used alternative camouflage techniques to reduce the likelihood of detection in an unfamiliar environment.