
AI-Powered Slopoly Malware Drives Interlock Ransomware Attack

Summary

– A new malware called Slopoly, likely created using generative AI, was used in an Interlock ransomware attack to steal data and maintain access for over a week.
– Researchers found strong evidence of AI-assisted development in Slopoly’s code, such as extensive comments and structured logging, which is uncommon in human-written malware.
– The malware is unsophisticated and not truly polymorphic, but its use shows AI tools are actively helping threat actors accelerate custom malware development.
– Slopoly functions as a backdoor, collecting system information, beaconing to a command server, executing commands, and establishing persistence on the compromised system.
– The attack was attributed to the financially motivated group Hive0163, which uses social engineering techniques like ClickFix and has claimed attacks against high-profile organizations.

A recent cybersecurity incident reveals a concerning trend: threat actors are now leveraging generative artificial intelligence to craft custom malware. In a detailed analysis, security experts uncovered a new backdoor, named Slopoly, which was deployed during an Interlock ransomware attack. The malware’s code exhibits clear hallmarks of AI-assisted development, suggesting cybercriminals are using these tools to accelerate their operations and potentially evade traditional detection methods.

The attack began with a ClickFix social engineering ruse, a technique where victims are tricked into downloading malicious software disguised as a fix for a common computer problem. After establishing initial access, the attackers deployed the Slopoly backdoor as a PowerShell script. This script functioned as a client for a command-and-control framework, allowing the hackers to maintain a persistent presence on the compromised server for over a week while they exfiltrated sensitive data.

IBM X-Force researchers, who analyzed the breach, found strong evidence that the Slopoly script was generated by a large language model. While they couldn’t pinpoint the exact AI tool used, the code’s characteristics were telling. It contained extensive commentary, structured logging, and clearly named variables, features that are highly unusual in human-written malware, which typically favors obfuscation and brevity. The researchers attributed the attack to a financially motivated group they track as Hive0163, a team focused on large-scale data theft and extortion through ransomware.

Despite its AI origins, the Slopoly malware is considered relatively unsophisticated. Its code includes a description labeling it as a “Polymorphic C2 Persistence Client,” but investigators found it lacked any true polymorphic capabilities, meaning it cannot modify its own code during execution. Instead, it appears to be generated by a builder that can create new client versions with randomized configuration details, a common practice among malware development kits. The script’s main functions are straightforward: it collects system information, sends regular heartbeat beacons to a command server, polls for instructions, executes received commands, and maintains persistence on the infected machine through a scheduled task.
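As a defender-side illustration of the persistence mechanism described above (a PowerShell client kept alive by a scheduled task), here is an added example that is not code from the article, from Bleeping Computer or from IBM X-Force. It triages Windows Security Event ID 4698 ("a scheduled task was created") records and flags tasks that launch PowerShell with the options commonly seen in script-based persistence: hidden window, execution-policy bypass, encoded commands, scripts in user-writable folders, tight repetition intervals, logon triggers and elevated run levels. The sample events, task names, file paths and severity thresholds are constructed for the example; the TaskContent XML namespace is the one Task Scheduler actually uses.

```python
"""Triage Windows Security Event ID 4698 (scheduled task created) records for
tasks that launch PowerShell in a way typical of script-based persistence.
Added example with constructed sample events; not Slopoly's task definition."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Namespace of the TaskContent XML that Task Scheduler writes into 4698 events.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
POWERSHELL = {"powershell.exe", "pwsh.exe", "powershell", "pwsh"}

# Command-line options that hunting guides commonly treat as red flags when a
# scheduled task starts PowerShell (longest alias first inside each regex).
ARG_PATTERNS = [
    (re.compile(r"-(encodedcommand|enc|ec|e)\b", re.I), "encoded command"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-ex(ecutionpolicy)?\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"-nop(rofile)?\b", re.I), "profile disabled"),
    (re.compile(r"\\(appdata|programdata|temp|public)\\", re.I), "script in user-writable path"),
]


@dataclass
class Finding:
    task_name: str
    command: str
    arguments: str
    reasons: List[str]


def _text(node: ET.Element, path: str) -> str:
    el = node.find(path, TASK_NS)
    return (el.text or "").strip() if el is not None else ""


def triage_task(task_name: str, task_content: str) -> Optional[Finding]:
    """Return a Finding for a PowerShell-launching task, or None if out of scope."""
    # The event carries an XML declaration (UTF-16); drop it before parsing the str.
    xml = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_content)
    root = ET.fromstring(xml)
    command = _text(root, "t:Actions/t:Exec/t:Command")
    arguments = _text(root, "t:Actions/t:Exec/t:Arguments")
    exe = command.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe not in POWERSHELL:
        return None
    reasons = ["launches PowerShell"]
    reasons += [label for pattern, label in ARG_PATTERNS if pattern.search(arguments)]
    # A short repetition interval is typical of a beaconing client that the
    # scheduler restarts rather than one that stays resident.
    interval = _text(root, ".//t:Repetition/t:Interval")
    m = re.fullmatch(r"PT(\d+)M", interval)
    if m and int(m.group(1)) <= 15:
        reasons.append(f"repeats every {interval}")
    if _text(root, "t:Principals/t:Principal/t:RunLevel") == "HighestAvailable":
        reasons.append("runs with highest privileges")
    if root.find("t:Triggers/t:LogonTrigger", TASK_NS) is not None:
        reasons.append("logon trigger")
    return Finding(task_name, command, arguments, reasons)


def severity(finding: Finding) -> str:
    """Constructed thresholds: tune against your own baseline of admin tasks."""
    n = len(finding.reasons)
    return "high" if n >= 4 else "medium" if n >= 2 else "low"


def triage_events(events: List[Tuple[str, str]]) -> List[Finding]:
    """Run triage over (TaskName, TaskContent) pairs, keeping only in-scope tasks."""
    findings = []
    for name, content in events:
        f = triage_task(name, content)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample records shaped like the TaskName / TaskContent fields of
# Event ID 4698: a stock Windows task, a suspicious task, and a benign admin task.
NS = TASK_NS["t"]
SAMPLE_EVENTS = [
    ("\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", f"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.4" xmlns="{NS}">
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T01:00:00</StartBoundary>
    <ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek></CalendarTrigger></Triggers>
  <Principals><Principal id="LocalSystem"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="LocalSystem"><Exec><Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h -o -$</Arguments></Exec></Actions>
</Task>"""),
    ("\\OneDriveUpdateCheck", f"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="{NS}">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <TimeTrigger><StartBoundary>2024-01-01T00:00:00</StartBoundary>
      <Repetition><Interval>PT5M</Interval></Repetition></TimeTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>powershell.exe</Command>
    <Arguments>-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\\Users\\Public\\update.ps1</Arguments></Exec></Actions>
</Task>"""),
    ("\\NightlyBackup", f"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="{NS}">
  <Triggers><CalendarTrigger><StartBoundary>2024-01-01T02:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Command>
    <Arguments>-NoProfile -File "C:\\Program Files\\Scripts\\backup.ps1"</Arguments></Exec></Actions>
</Task>"""),
]

if __name__ == "__main__":
    for f in triage_events(SAMPLE_EVENTS):
        print(f"{severity(f):6} {f.task_name}: {', '.join(f.reasons)}")
```

On a real host the same pairs come from the EventData of 4698 events (for example an export of `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4698}` or a SIEM field mapping); the TaskContent value is HTML-escaped inside the event XML, so unescape it before handing it to `triage_task`. The benign backup task scores "medium" on purpose: the point of the reason list is to give an analyst the specific properties to review rather than a single opaque score.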

The broader attack chain involved multiple malicious components. Alongside Slopoly, the threat actors deployed other backdoors like NodeSnake and InterlockRAT. The final payload was the Interlock ransomware, a 64-bit executable delivered via a loader called JunkFiction. This ransomware uses the Windows Restart Manager API to handle locked files before encrypting them and appending distinctive extensions like ‘. !NT3RLOCK’ to the victims’ data.

The emergence of Interlock in 2024 marked it as an early adopter of the ClickFix technique, and the group behind it, Hive0163, has claimed responsibility for attacks against several high-profile organizations. These include the Texas Tech University System, healthcare providers like DaVita and Kettering Health, and the city of Saint Paul, Minnesota. Security analysts also note potential links between this group and developers associated with other known malware families, including Broomstick, SocksShell, and the operators of the Rhysida ransomware.

This incident underscores a significant shift in the cyber threat landscape. While the Slopoly malware itself may not be advanced, its AI-assisted creation signals that ransomware operators are actively integrating these tools into their workflows. This adoption lowers the barrier to entry for developing custom malware, enabling faster iteration and potentially more effective evasion of security software, posing new challenges for defenders.

(Source: Bleeping Computer)
