PacketWatch's Team Sixty43 profiles a threat involving EvilAI and Vibe-coded malware, complete with tactics, techniques, and procedures.
Users are still falling victim to fake software downloads, whether through ad redirects or SEO poisoning. EvilAI is part of a massive credential-harvesting campaign that disguises itself as an application that has AI capabilities. These are often “vibe-coded” apps ranging from manual finders to fake PDF editors to AI apps. EvilAI targets browser credentials via the creation of a WebBrowser Profile, and extracts all session cookies/tokens, autofill data, and other data from whatever the victim interacts with while using it. PacketWatch’s Team Sixty43 recently responded to an incident involving an EvilAI-infected host.
Infection started with a Google ad for a fake AI-powered user manual finder application. Victims searching for manuals were presented with an advertisement, which is shown in the screenshot below. This ad redirects to a domain that hosts a file, “usermanvault.msi”. Once executed, the MSI file starts its malicious activity.
Figure 02: A forensic collection showing the browser history of the malicious download event
Once executed, the attacker's C2 is initiated through a PowerShell script that is dropped with the malicious MSI file.
After this occurs, “Webview.exe” is dropped and executed on the host and renamed “UsermanualVault.exe” (a masquerading technique used to blend in with legitimate software). While the program launches a Microsoft Edge browser, log.premiumlicensecheck[.]com is contacted via an HTTP GET request with a User-Agent string that is the lowercase word “web”. Specifically, it reaches out to the “/up” endpoint. This anomaly is only detectable by network telemetry and is one of the highest-fidelity detection opportunities for the EvilAI campaign.
Intel sources state that “UsermanualVault.exe” makes a connection to validate.premiumlicensecheck[.]com for instructions to pull down a zip file. “UserManualVault.exe” then extracts “out.exe”, a file built using Inno Setup. Inno Setup is used by developers to create Windows installers. EvilAI uses Inno Setup to help it bypass endpoint defenses and load malware, as “out.exe” is the infostealer loader. When “out.exe” is executed by “UserManualVault.exe”, it drops “node.exe” and “list.js” (the JavaScript malware payload), and then registers a scheduled task named “Application Maintenance”.
Team Sixty43 observed a simpler process flow, wherein the malware checked in and grabbed the loader without checking into “validate.premiumlicensecheck[.]com”. It was unclear why this deviation in process flow was observed. It could potentially be the Threat Actor changing the malware in real time or changing their infrastructure in real time.
Analysis of the malicious JavaScript file reveals it is designed to collect host fingerprint information, read the Windows registry, beacon to C2, receive and execute commands, write registry keys for persistence and config storage, and detect sandbox analysis.
Through the combined visibility of EDR and PacketWatch, Team Sixty43 was able to see and validate that the malicious scheduled task “application maintenance” had “node.exe” reach out to the attacker’s C2 infrastructure app.sessioninterval[.]com over encrypted TLS.
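The two observables called out above, the bare lowercase “web” User-Agent hitting “/up” on the premiumlicensecheck[.]com infrastructure and the “Application Maintenance” scheduled task launching node.exe, can be turned into simple triage logic. The following is an added example written for this profile, not PacketWatch or Team Sixty43 tooling; the JSON field names and the user-writable-path heuristic for node.exe are assumptions, and the telemetry lines are constructed.

```python
import json
import re

# Indicators from the incident write-up (defanged domains restored only for
# string matching; nothing here makes a network connection).
EVILAI_HOSTS = {
    "log.premiumlicensecheck.com",
    "validate.premiumlicensecheck.com",
    "app.sessioninterval.com",
}
SUSPECT_TASK = "application maintenance"


def score_http_record(rec: dict):
    """Return the EvilAI indicators matched by one HTTP log record.
    Field names (host, uri, user_agent) are an assumption for this example."""
    hits = []
    ua = rec.get("user_agent", "")
    host = rec.get("host", "").lower()
    if ua == "web":                      # exact, lowercase, bare UA string
        hits.append("user-agent 'web'")
    if host in EVILAI_HOSTS:
        hits.append(f"known C2 host {host}")
    if ua == "web" and rec.get("uri") == "/up":
        hits.append("check-in to /up")
    return hits


def score_task_event(event: dict):
    """Flag a scheduled-task registration matching the campaign's task name,
    or whose action runs node.exe from a user-writable path (assumed heuristic)."""
    hits = []
    if event.get("task_name", "").strip().lower() == SUSPECT_TASK:
        hits.append("task name 'Application Maintenance'")
    action = event.get("action", "").lower()
    if action.endswith("node.exe") and re.search(r"\\(appdata|programdata|temp)\\", action):
        hits.append("node.exe launched from user-writable path")
    return hits


def triage(lines):
    """Yield (line_number, matched indicators) for every alerting JSON record."""
    for n, line in enumerate(lines, 1):
        rec = json.loads(line)
        scorer = score_task_event if "task_name" in rec else score_http_record
        hits = scorer(rec)
        if hits:
            yield n, hits


# Constructed sample telemetry, not real log data.
SAMPLE = [
    '{"host":"log.premiumlicensecheck.com","uri":"/up","user_agent":"web"}',
    '{"host":"www.example.com","uri":"/","user_agent":"Mozilla/5.0"}',
    '{"task_name":"Application Maintenance","action":"C:\\\\Users\\\\u\\\\AppData\\\\Local\\\\node.exe"}',
]
```

Running `list(triage(SAMPLE))` flags records 1 and 3; note the User-Agent match is case-sensitive on purpose, since the observed string was exactly the lowercase word.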
A simplified process flow is shown below:
EvilAI is one of many infostealers that will continue to plague endpoints and steal data if proper defenses and monitoring are not in place. Furthermore, these attacks have high potential to escalate into bigger problems like ransomware incidents via persistence already being established, or stolen credentials/info being used to maintain initial access.
A concerning trend that Team Sixty43 has noted in incidents involving infostealers, such as EvilAI, is that many of these incidents were in public school networks.
This is most likely due to the general lack of funding for schools, with teachers and administrators often searching for freeware tools to work around budget constraints. As Team Sixty43 has noted, public schools are a prized target for Threat Actors, as their sensitive data is highly valued on the Dark Web.
Many of these networks lack advanced endpoint defenses, making network monitoring all the more critical.
While EDR is a necessary tool for protecting endpoints, it cannot monitor and validate the full story on its own.
PacketWatch’s Full-Packet Capture technology and automated threat intelligence can detect and respond to threats at the network layer in real time.
With our EDR integrations, Team Sixty43 can quickly detect, analyze, and remediate incidents with greater efficiency and effectiveness.
Jon Ingram
This profile is provided FREE to the cybersecurity community.