Sophos X-Ops analysts published research this week concerning an unidentified threat actor using AI technology to develop endpoint detection and response (EDR) evasion tactics through the lens of what the company described as a “red team” post-exploitation framework. 

“The activity was detected when an anomalous endpoint registered within a customer tenant triggered alerts for payloads originating from C:\Users\User\Documents\test,” Sophos said in its blog post. “Multiple files in this directory were malicious and indicative of a broader attack framework focused on evading detection.”

Sophos analysts discovered the presence of multiple Python scripts, written in Russian and at least partially AI-generated. This is not surprising in its own right, as threat actors have been using large language model (LLM) technology to build malware and run attacks for some time now.

What is more novel is that these scripts were aligned with an automated Active Directory (AD) panel and a lab that iteratively develops and tests malware against Sophos, CrowdStrike, and Windows Defender EDR agents. Attackers would test malware against the EDR tools and collect observations; the automated AD panel would then choose the next task from a predefined list, dispatch work to remote agents, and reevaluate once the work concluded.

Threat Actors Create EDR Evasion Lab

While the AI malware development was “more limited” and used to support experimentation and coordinate workflows, the EDR lab “was a structured engineering test cycle that included human review and iteration.” In other words, Sophos saw the attackers do iterative sandboxing to create more effective malware — build, test, analyze, refine.

In a further sign of professionalized workflows, artifacts within the attacker’s Git repository revealed evidence that the attacker was studying vendor research to identify potential malware bypass techniques. Attackers assigned agents to study this research, extract relevant information, map identified techniques to MITRE ATT&CK techniques, prepare the lab testing environment, and test.

The attacker testing environment used multiple virtual machines running Windows Server 2022 to emulate a red-teaming process, down to having its own dedicated control environment. “One VM tested tools to bypass the Sophos agent, one was for the CrowdStrike agent, and a third was a control environment without an EDR agent installed. A fourth VM, which ran a version of Ubuntu, was a Sliver post-exploitation framework C2 server,” Sophos said.

Sophos identified multiple LLM tools the threat actor used, including AI-powered coding editor Cursor for malware development and Claude Opus as a primary model used by the attacker’s AI agents. The agents in particular were used to orchestrate and automate malware testing and also provide other functions related to operational security.

Focus On the Basics

While the blog focuses on the novel malware testing environment, Sophos said this framework was built to facilitate stealthy post-exploitation activity in target environments, and that the activity was connected to “known ransomware deployment and data theft operations.” 

Sophos notes that while there are sophisticated elements to this activity, organizations can still protect themselves via tried-and-true methods such as practicing defense-in-depth. “The fundamentals remain critical, including timely patching, multifactor authentication (MFA), modern authentication mechanisms such as passkeys, and the broad deployment of an effective EDR solution,” Sophos said.

Dark Reading contacted Sophos for additional information.




