4 min read
Evil Vibes: EvilAI and Vibe Coded Malware
PacketWatch's Team Sixty43 profiles a threat involving EvilAI and Vibe-coded malware, complete with tactics, techniques, and procedures.
Users are still falling victim to fake software downloads, whether through ad redirects or SEO poisoning. EvilAI is part of a massive credential-harvesting campaign that disguises itself as an application that has AI capabilities. These are often “vibe-coded” apps ranging from manual finders to fake PDF editors to AI apps. EvilAI targets browser credentials via the creation of a WebBrowser Profile, and extracts all session cookies/tokens, autofill data, and other data from whatever the victim interacts with while using it. PacketWatch’s Team Sixty43 recently responded to an incident involving an EvilAI-infected host.
Infection started with a Google ad for a fake AI-powered user manual finder application. Victims searching for manuals were presented with an advertisement, which is shown in the screenshot below. This ad redirects to a domain that hosts a file, “usermanvault.msi”. Once executed, the msi file starts its malicious activity.
Figure 01: Fake user manual finder site with a prominent download button

Figure 02: A forensic collection showing the browser history of the malicious download event
Once executed, the attacker's C2 is initiated through a PowerShell script that is dropped with the malicious MSI file.
Figure 03: Malicious check-in script
After this occurs, “Webview.exe” is dropped on the host, renamed “UsermanualVault.exe” (a masquerading technique used to blend in with legitimate software), and executed. While the program launches a Microsoft Edge browser, it contacts log.premiumlicensecheck[.]com via an HTTP GET request whose User-Agent string is the lowercase word “web”. Specifically, it reaches out to the “/up” endpoint. This anomaly is only detectable by network telemetry and is one of the highest-fidelity detection opportunities for the EvilAI campaign.
Figure 04: VirusTotal detecting the infostealer
Figure 05: PacketWatch PCAP viewer analysis of the infostealer check-in GET request
Figure 06: Infostealer GET request to grab the second-stage loader
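The check-in described above (a GET to “/up” on log.premiumlicensecheck[.]com with a User-Agent of exactly “web”) is simple to match on proxy or packet-capture output. The following is an added detection example, not PacketWatch’s or Team Sixty43’s code; the HTTP requests in it are constructed samples, not captured traffic.

```python
"""Flag the EvilAI check-in pattern: a GET to the /up endpoint on
log.premiumlicensecheck[.]com whose User-Agent is exactly "web".
The sample requests at the bottom are constructed, not captured traffic."""
import re
from typing import Optional

EVILAI_HOSTS = {"log.premiumlicensecheck.com", "validate.premiumlicensecheck.com"}

def parse_request(raw: str) -> Optional[dict]:
    """Parse an HTTP/1.x request head into method, path and a lowercase header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = re.match(r"^([A-Z]+) (\S+) HTTP/1\.[01]$", lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue            # tolerate junk lines rather than fail the whole record
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return {"method": m.group(1), "path": m.group(2), "headers": headers}

def classify(raw: str) -> str:
    """Verdict for one request. 'evilai-checkin' is the high-fidelity hit;
    a bare 'web' User-Agent to any other host is still worth triage."""
    req = parse_request(raw)
    if req is None:
        return "unparsed"
    ua = req["headers"].get("user-agent", "")
    host = req["headers"].get("host", "").lower().split(":")[0]
    path = req["path"].split("?", 1)[0]
    if ua == "web" and host in EVILAI_HOSTS and path == "/up":
        return "evilai-checkin"
    if ua == "web":
        return "suspicious-ua"
    return "benign"

# Constructed samples: one check-in, one benign browser request that merely
# contains the word "web", and one bare-"web" UA to an unlisted host.
SAMPLES = [
    "GET /up HTTP/1.1\r\nHost: log.premiumlicensecheck.com\r\nUser-Agent: web\r\n\r\n",
    "GET /docs HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0) web\r\n\r\n",
    "GET /up?id=1 HTTP/1.1\r\nhost: 203.0.113.5\r\nuser-agent: web\r\n\r\n",
]

def scan(samples=SAMPLES) -> list:
    """Classify every sample; returns the verdict list in input order."""
    return [classify(s) for s in samples]
```

The exact-match on the User-Agent is what keeps the rule quiet: a browser UA that happens to contain “web” is not flagged.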
Intel sources state that “UsermanualVault.exe” makes a connection to validate.premiumlicensecheck[.]com for instructions to pull down a zip file. “UserManualVault.exe” then extracts “out.exe”, a file built using Inno Setup. Inno Setup is used by developers to create Windows installers. EvilAI uses Inno Setup to help it bypass endpoint defenses and load malware, as “out.exe” is the infostealer loader. When “out.exe” is executed by the “UserManualVault.exe”, it will drop “node.exe” and “list.js” (JavaScript malware payload), and then register a scheduled task named "Application Maintenance”.
Team Sixty43 observed a simpler process flow, wherein the malware checked in and grabbed the loader without checking into “validate.premiumlicensecheck[.]com”. It was unclear why this deviation in process flow was observed. It could potentially be the Threat Actor changing the malware in real time or changing their infrastructure in real time.
Figure 07: VirusTotal detecting the malicious “out.exe” binary
Figure 08: A forensic collection of amcache showing the loader “out.exe” as an installed application
Figure 09: VirusTotal detecting the JavaScript payload as EvilAI
Figure 10: A forensics collection showing the malicious scheduled task
Analysis of the malicious JavaScript file reveals it is designed to collect host fingerprint information, read the Windows registry, beacon to C2, receive and execute commands, write registry keys for persistence and configuration storage, and detect sandbox analysis.
Through the combined visibility of EDR and PacketWatch, Team Sixty43 was able to see and validate that the malicious scheduled task “application maintenance” had “node.exe” reach out to the attacker’s C2 infrastructure app.sessioninterval[.]com over encrypted TLS.
Figure 11: Correlating EDR hunt showing the process-to-traffic of the C2
Figure 12: PacketWatch’s Full Packet Capture analysis detecting the infostealer C2 in real time (Part 1)
Figure 13: PacketWatch’s Full Packet Capture analysis detecting the infostealer C2 in real time (Part 2)
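The process-to-traffic correlation described above (the “Application Maintenance” task launching “node.exe”, which then opens TLS to app.sessioninterval[.]com) can be reproduced over exported telemetry. This is an added example, not Team Sixty43’s tooling; the event field names are an assumed schema and every event, path and timestamp is constructed for illustration.

```python
"""Correlate EDR process telemetry with network telemetry the way the hunt above
does: node.exe launched by the "Application Maintenance" scheduled task that then
opens TLS to app.sessioninterval[.]com. All events below are constructed samples,
and the event field names are an assumed schema, not any vendor's format."""
from datetime import datetime

C2_DOMAINS = {"app.sessioninterval.com"}
TASK_NAME = "application maintenance"          # compared case-insensitively

def find_c2_chains(process_events, network_events):
    """Return sorted (host, pid, sni) triples linking a task-spawned node.exe
    to a TLS session whose SNI is a known EvilAI C2 domain."""
    # 1. index node.exe launches that came from the malicious task, by (host, pid)
    suspects = {}
    for ev in process_events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image == "node.exe" and ev.get("task", "").lower() == TASK_NAME:
            suspects[(ev["host"], ev["pid"])] = datetime.fromisoformat(ev["time"])
    # 2. match network sessions to those processes; the SNI must be a C2 domain and
    #    the session must start after the launch (a pid can be reused over the day)
    hits = set()
    for ev in network_events:
        key = (ev["host"], ev["pid"])
        sni = ev.get("sni", "").lower()
        if key in suspects and sni in C2_DOMAINS:
            if datetime.fromisoformat(ev["time"]) >= suspects[key]:
                hits.add((ev["host"], ev["pid"], sni))
    return sorted(hits)

# Constructed sample telemetry (hosts, pids, paths and times are made up).
PROCESS_EVENTS = [
    {"host": "ws01", "pid": 4120, "time": "2025-01-15T08:00:05",
     "image": r"C:\Users\staff\AppData\Roaming\app\node.exe", "task": "Application Maintenance"},
    {"host": "ws01", "pid": 5200, "time": "2025-01-15T08:10:00",
     "image": r"C:\Program Files\nodejs\node.exe", "task": ""},          # legitimate dev use
    {"host": "ws02", "pid": 4120, "time": "2025-01-15T08:30:00",
     "image": r"C:\Windows\System32\svchost.exe", "task": "Application Maintenance"},
]
NETWORK_EVENTS = [
    {"host": "ws01", "pid": 4120, "time": "2025-01-15T08:00:20", "sni": "app.sessioninterval.com"},
    {"host": "ws01", "pid": 4120, "time": "2025-01-15T09:00:20", "sni": "APP.sessioninterval.com"},
    {"host": "ws01", "pid": 5200, "time": "2025-01-15T08:10:30", "sni": "registry.npmjs.org"},
    {"host": "ws01", "pid": 4120, "time": "2025-01-15T07:59:00", "sni": "app.sessioninterval.com"},
    {"host": "ws02", "pid": 4120, "time": "2025-01-15T08:31:00", "sni": "app.sessioninterval.com"},
]
```

Keying on (host, pid) and requiring the session to start after the launch is what separates the ws01 beacons from the earlier pid-reuse record and from the ws02 event, whose task action was not node.exe.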
A simplified process flow is shown below:
Figure 14: Diagram of EvilAI’s process flow
EvilAI is one of many infostealers that will continue to plague endpoints and steal data if proper defenses and monitoring are not in place. Furthermore, these attacks have high potential to escalate into bigger problems like ransomware incidents via persistence already being established, or stolen credentials/info being used to maintain initial access.
A concerning trend that Team Sixty43 has noted in incidents involving infostealers, such as EvilAI, is that many of these incidents were in public school networks.
This is most likely due to the general lack of funding for schools, with teachers and administrators often searching for freeware tools to work around budget constraints. As Team Sixty43 has noted, public schools are a prized target for Threat Actors, as their sensitive data is highly valued on the Dark Web.
Many of these networks lack advanced endpoint defenses, making network monitoring all the more critical.
While EDR is a necessary tool for protecting endpoints, it cannot monitor and validate the full story on its own.
PacketWatch’s Full-Packet Capture technology and automated threat intelligence can detect and respond to threats at the network layer in real time.
With our EDR integrations, Team Sixty43 can quickly detect, analyze, and remediate incidents with greater efficiency and effectiveness.
This profile is provided FREE to the cybersecurity community.
Visit our Cyber Threat Profile Blog for additional profiles.
Visit our Cyber Threat Intelligence Blog for intelligence reports.