PromptLock: Erste KI-gestützte Ransomware entdeckt


Comments on the following post: PromptLock: First AI-powered ransomware discovered

A new ransomware called PromptLock was recently discovered. The malware generates scripts with AI in real time and executes them directly.

The advertised offering:

Core encryption capabilities

  • File encryption system: ChaCha20 stream cipher targeting first 256KB (header portion) of files
  • Key management: Windows CNG API for RSA public key operations
  • File marking: Appends “.enc” extension to encrypted files
  • Target selection: Enumerates all fixed drives and network shares with prioritization of user directories
  • Direct syscall invocation: Bypasses user-mode API hooks commonly used by EDR solutions
  • Process manipulation: Reflection techniques for stealthy DLL loading

Performance & reliability features

  • Multi-threading: Custom threadpool implementation for parallel file encryption
  • Dynamic resource management: Thread count determined based on system capability
  • Error handling: Sophisticated recovery mechanisms to prevent crashes during encryption
  • Self-protection: Avoids re-infection through custom marking techniques

Delivery & persistence mechanisms

  • Reflective DLL injection: Loads malware into legitimate processes without disk artifacts
  • Code cave infection: Inserts payload into unused space in PE executables
  • Modular architecture: Components can function independently or as integrated package

Anti-analysis & evasion techniques

  • API hooking bypass:
    • FreshyCalls: Extracts syscall numbers from ntdll.dll by parsing export table
    • RecycledGate: Locates existing “syscall; ret” sequences within ntdll.dll
  • String obfuscation: Hides suspicious API names and strings from static analysis
  • Anti-debugging: Techniques to detect and evade analysis environments

Anti-recovery & impact maximization

  • Shadow copy deletion: Removes Windows Volume Shadow Copies preventing file recovery
  • Targeted enumeration: Specific file extensions across all accessible drives
  • Network share targeting: Extends beyond local drives to mapped network resources

Infrastructure components

  • Decryption utility: Separate tool for ransom payment verification and file recovery
  • RSA key generation: Robust keypair generation for each infection
  • C&C integration: PHP-based victim management console
  • Tor communications: Command and control over anonymized channels
  • Evolution timeline: Our analysis identified clear development phases showing increasing sophistication as the actor provided continued directional prompting:
    • Early development: Basic encryption and evasion
    • Mid-development: Anti-analysis and recovery prevention
    • Latest development: Advanced delivery mechanisms and command and control infrastructure

Scale and impact

  • Rapid development of new variants
  • Broader distribution to less technical criminal operators
  • Potential for significant financial and operational impacts across sectors

Tactics and techniques

  • Developing custom Python scanning tools for reconnaissance of „X.X.X.X“ IP ranges
  • Creating sophisticated file upload fuzzing tools and WordPress exploitation frameworks
  • Optimizing credential harvesting operations using tools like Hydra and hashcat
  • Implementing privilege escalation exploits including Linux kernel vulnerabilities
  • Building proxy chain configurations for operational security
  • Analyzing reconnaissance data and planning lateral movement strategies

The actor integrated Claude as an assistant across 12 of
14 MITRE ATT&CK tactics, using it as technical advisor,
code developer, security analyst, and operational
consultant throughout their campaign.

1 Like
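Two details in the quoted feature list are directly useful to a responder: the ransomware encrypts only the first 256KB of each file and appends a “.enc” extension. A file that was partially encrypted with a stream cipher has a near-random header, so a defender triaging a share after an incident can combine the extension marker with the Shannon entropy of the first 256KB to separate files that are likely encrypted from files that merely carry the extension or are naturally high-entropy (archives, images). The script below is an added example written for this thread; it is not code from the post, from the report it quotes, or from the malware. The 7.5 bits/byte threshold and the sample directory it builds are assumptions for illustration.

```python
"""Post-incident triage: flag files whose header looks stream-cipher encrypted.

Added example (not from the original post). Uses only the standard library.
"""
import math
import os
import tempfile
from collections import Counter

HEADER_BYTES = 256 * 1024          # the post states only the first 256KB is encrypted
SUSPECT_EXT = ".enc"               # marker extension named in the post
ENTROPY_THRESHOLD = 7.5            # assumed cut-off in bits/byte; random data is ~8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def header_entropy(path: str, n_bytes: int = HEADER_BYTES) -> float:
    """Entropy of the first `n_bytes` of the file only, mirroring the 256KB scope."""
    with open(path, "rb") as fh:
        return shannon_entropy(fh.read(n_bytes))


def classify_file(path: str) -> dict:
    """Combine the extension marker with header entropy into a triage verdict.

    likely_encrypted  : ".enc" suffix AND random-looking header
    marker_only       : ".enc" suffix but low-entropy header (renamed, not encrypted)
    high_entropy_only : random-looking header without the marker (archive/image/etc.)
    clean             : neither signal
    """
    entropy = header_entropy(path)
    marked = path.lower().endswith(SUSPECT_EXT)
    high = entropy >= ENTROPY_THRESHOLD
    if marked and high:
        verdict = "likely_encrypted"
    elif marked:
        verdict = "marker_only"
    elif high:
        verdict = "high_entropy_only"
    else:
        verdict = "clean"
    return {"path": path, "entropy": round(entropy, 3), "verdict": verdict}


def scan_tree(root: str) -> list:
    """Walk `root` and classify every regular file; results are sorted by path."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            if os.path.isfile(full):
                results.append(classify_file(full))
    return sorted(results, key=lambda r: r["path"])


def build_sample_tree() -> str:
    """Create a constructed sample directory (assumption, not real incident data)."""
    root = tempfile.mkdtemp(prefix="triage_sample_")
    # Random bytes stand in for a ChaCha20-encrypted header; the marker is present.
    with open(os.path.join(root, "report.docx.enc"), "wb") as fh:
        fh.write(os.urandom(300_000))
    # Plain text: low entropy, no marker.
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"Quarterly budget notes for the finance team.\n" * 2000)
    # Random bytes without the marker: looks like a legitimate compressed file.
    with open(os.path.join(root, "archive.zip"), "wb") as fh:
        fh.write(os.urandom(300_000))
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for row in scan_tree(sample_root):
        print(f"{row['verdict']:18} {row['entropy']:5.3f}  {row['path']}")
```

Entropy alone is a weak signal, because compressed and already-encrypted formats legitimately score near 8.0; that is why the script reports `high_entropy_only` separately and reserves `likely_encrypted` for files that also carry the marker extension. Conversely, a file renamed to “.enc” but left intact shows up as `marker_only`, which is worth a second look but is not evidence of data loss.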