New Malware AppSuite Exploits AI Buzz to Target Global Organizations

By Tina Reynolds

Cybersecurity experts at Check Point have discovered a new malware program called AppSuite, which threat actors are using to compromise organizations around the globe. AppSuite masquerades as popular, everyday artificial intelligence and productivity tools so that it can slip onto systems unnoticed. The German cybersecurity firm G DATA identified AppSuite as part of a large-scale distribution campaign, one that is also linked to the well-known OneStart and ManualFinder malware families.

The campaign relies on shared server infrastructure to distribute and configure these malicious programs. Analysts have concluded that the same threat actors are behind all three malware families, and they classify AppSuite as a member of the BaoLoader malware family.

Deceptive Tactics Employed by Threat Actors

AppSuite’s developers have used at least 26 different code-signing certificates over the past seven years, an approach that lends their malicious software an appearance of legitimacy. The certificates were issued to companies registered in countries as far apart as Panama and Malaysia. Because the binaries carry valid signatures, they sidestep the security controls that typically flag unsigned or suspicious-looking software.

Researchers stress that AppSuite is not a one-off. The swift, widespread distribution of this malware across multiple regions suggests it is part of an evolving campaign, which Trend Micro tracks under the name EvilAI, targeting both corporate and personal environments.

“This swift, widespread distribution across multiple regions strongly indicates that EvilAI is not an isolated incident but rather an active and evolving campaign currently circulating in the wild,” – security researchers Jeffrey Francis Bonaobra, Joshua Aquino, Emmanuel Panopio, Emmanuel Roll, Joshua Lijandro Tsang, Armando Nathaniel Pedragoza, Melvin Singwa, Mohammed Malubay, and Marco Dela Vega.

Trend Micro has likewise warned about the deceptive nature of AppSuite. The malware hides behind the guise of productivity and AI-powered tools, and its professional-looking interfaces and valid digital signatures fool both users and security tools, making it hard to tell apart from legitimate software.

“EvilAI disguises itself as productivity or AI-enhanced tools, with professional-looking interfaces and valid digital signatures that make it difficult for users and security tools to distinguish it from legitimate software,” – Trend Micro.

The Broader Malware Landscape

G DATA has determined that AppSuite, together with OneStart and ManualFinder, belongs to a single larger campaign aimed at distributing malware. Researchers have also noted similarities between these programs and TamperedChef, but the two clusters can be told apart by their behavior and by the code-signing certificates they adopt.

Dozens of different code-signing publishers appear across the dozens of AppSuite samples analyzed. This points to a shared malware-as-a-service provider or, more likely, a code-signing marketplace that supplies certificates at the scale such distribution requires. It also highlights the lengths to which cybercriminals go to keep their operations running.

“TamperedChef used code-signing certificates issued to companies in Ukraine and Great Britain while BaoLoader consistently used certificates from Panama and Malaysia,” – Trend Micro.

The AppSuite campaigns have also been linked to developers known to have abused code-signing certificates in earlier PDF Editor campaigns. This troubling trend marks the latest in a continued effort to exploit consumers’ trust in seemingly benign apps.
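The signer-rotation pattern described above (one malware family shipped under many freshly issued publisher certificates, often from the same few countries) is something a defender can surface from sample metadata. The following Python script is an added illustration, not code from G DATA, Trend Micro, Field Effect or the AppSuite authors. The signer records, company names, hashes and dates in it are constructed for the example and are not real indicators; the threshold of three distinct signers is an assumed tuning value.

```python
"""Flag malware families whose samples are signed by many different publishers.

Added example: the signer records below are constructed for illustration and
are not indicators from the AppSuite, BaoLoader or TamperedChef reports.
"""
from collections import defaultdict
from datetime import date

# Constructed sample metadata: (family, sha256 prefix, signer subject DN, cert valid-from).
# Company names, hashes and dates are invented for this example.
SAMPLES = [
    ("AppSuite", "1a2b3c", "CN=Alpha Soft SA, O=Alpha Soft SA, C=PA", date(2019, 2, 11)),
    ("AppSuite", "4d5e6f", "CN=Beta Apps Sdn Bhd, O=Beta Apps Sdn Bhd, C=MY", date(2021, 6, 30)),
    ("AppSuite", "7a8b9c", "CN=Gamma Tools SA, O=Gamma Tools SA, C=PA", date(2023, 9, 5)),
    ("AppSuite", "0d1e2f", "CN=Delta Labs Sdn Bhd, O=Delta Labs Sdn Bhd, C=MY", date(2025, 1, 17)),
    ("AppSuite", "3a4b5c", "CN=Delta Labs Sdn Bhd, O=Delta Labs Sdn Bhd, C=MY", date(2025, 1, 17)),
    ("LegitTool", "6d7e8f", "CN=Contoso Ltd, O=Contoso Ltd, C=US", date(2022, 4, 1)),
    ("LegitTool", "9a0b1c", "CN=Contoso Ltd, O=Contoso Ltd, C=US", date(2022, 4, 1)),
    ("LegitTool", "2d3e4f", "CN=Contoso Ltd, O=Contoso Ltd, C=US", date(2024, 4, 1)),
]


def signer_country(subject_dn):
    """Return the C= attribute of an X.500 subject DN, or None if absent."""
    for rdn in subject_dn.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.strip().upper() == "C":
            return value.strip().upper()
    return None


def profile_signers(samples):
    """Summarise, per family, the distinct signers, their countries and the
    span of certificate validity-start dates seen across its samples."""
    profile = defaultdict(lambda: {"signers": set(), "countries": set(),
                                   "first": None, "last": None, "samples": 0})
    for family, _sha, subject, valid_from in samples:
        entry = profile[family]
        entry["signers"].add(subject)
        entry["countries"].add(signer_country(subject))
        entry["samples"] += 1
        entry["first"] = valid_from if entry["first"] is None else min(entry["first"], valid_from)
        entry["last"] = valid_from if entry["last"] is None else max(entry["last"], valid_from)
    return dict(profile)


def flag_rotation(samples, max_signers=3):
    """Return (family, signer count, countries, years spanned) for families
    signed by more than max_signers distinct publishers.

    A legitimate vendor usually renews one certificate under the same company
    name; a family that keeps reappearing under fresh publisher names is the
    pattern the reports above describe. The threshold is an assumed tuning value."""
    flagged = []
    for family, entry in profile_signers(samples).items():
        if len(entry["signers"]) > max_signers:
            years = entry["last"].year - entry["first"].year
            flagged.append((family, len(entry["signers"]),
                            sorted(c for c in entry["countries"] if c), years))
    return sorted(flagged)


if __name__ == "__main__":
    for family, n_signers, countries, years in flag_rotation(SAMPLES):
        print(f"{family}: {n_signers} distinct signers from {countries} over ~{years} years")
```

In practice the records would come from a sandbox or malware repository export of Authenticode signer fields rather than a hard-coded list; a valid signature only tells you the file was not modified after signing, not that the signer is trustworthy, which is exactly the gap this campaign exploits.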

Impacts on Security and Data Protection

AppSuite and its related apps establish covert command-and-control channels to remote servers, through which an attacker can issue commands and steal valuable data from infected machines. The data-protection implications are serious, particularly for organizations whose users could inadvertently install these malicious applications.

Field Effect underscored this point by noting that threat actors are constantly changing their delivery methods, now weaponizing potentially unwanted programs (PUPs) and abusing digital code signing. The apps run on NeutralinoJS, a framework that lets the JavaScript they ship call native system APIs, which gives the malware hidden file-system access and a covert ability to communicate over the network.

“The TamperedChef campaign illustrates how threat actors are evolving their delivery mechanisms by weaponizing potentially unwanted applications, abusing digital code signing, and deploying covert encoding techniques,” – Field Effect.

Security researchers will keep a close eye on the behavior and impact of AppSuite and similar malware as they evolve. Their reporting shines a light on an ever-changing threat environment and gives organizations the intelligence they need to proactively defend against these attacks.