Cybercriminals are increasingly exploiting the growing popularity of artificial intelligence tools by distributing sophisticated malware disguised as legitimate AI solution installers.<\/p>\n
This emerging threat landscape has seen malicious actors create convincing replicas of popular AI platforms, using these deceptive packages to deploy devastating ransomware and destructive malware onto unsuspecting victims\u2019 systems.<\/p>\n
The proliferation of AI across various business sectors has created an attractive attack vector for threat actors who employ sophisticated techniques including search engine optimization poisoning to manipulate search rankings.<\/p>\n
These malicious campaigns<\/a> cause fraudulent websites and download links to appear prominently in search results, effectively deceiving businesses and individuals seeking genuine AI solutions.<\/p>\n The attackers distribute their weaponized installers through multiple channels including Telegram, social media platforms<\/a>, and professionally designed fake websites that closely mirror legitimate AI service providers.<\/p>\n Cisco Talos researchers identified<\/a> multiple distinct threats masquerading as AI solutions currently circulating in the wild, including the CyberLock and Lucky_Gh0$t ransomware families, along with a newly discovered destructive malware dubbed \u201cNumero.\u201d<\/p>\n These threats specifically target industries where AI tools<\/a> are particularly popular, including business-to-business sales domains and technology and marketing sectors, indicating that organizations in these verticals face heightened risk exposure.<\/p>\n The scope of this threat extends beyond simple file encryption, with some variants exhibiting purely destructive behavior designed to render infected systems completely unusable.<\/p>\n The legitimate AI tools being impersonated are widely recognized platforms with substantial user bases, making the deception particularly effective against potential victims who may lower their guard when downloading what appears to be software from trusted sources.<\/p>\n The CyberLock ransomware exemplifies the sophisticated technical approach employed by these AI-impersonating threats.<\/p>\n The malware operates through a multi-stage deployment process that begins with a .NET executable loader containing embedded PowerShell<\/a> scripts as resource files.<\/p>\n When victims execute the seemingly legitimate \u201cNovaLeadsAI.exe\u201d installer, the loader extracts and deploys the ransomware payload using the following code structure:-<\/p>\n The PowerShell-based ransomware immediately conceals its presence by hiding the console window through Windows API<\/a> calls to GetConsoleWindow and ShowWindow functions.<\/p>\n CyberLock demonstrates advanced capabilities including privilege escalation, where it automatically re-executes itself with administrative rights if not already running in an elevated context.<\/p>\n The malware targets an extensive range of file types across logical partitions C:, D:, and E:, encrypting files using AES encryption while appending the \u201c.Cyberlock\u201d extension.<\/p>\n After completing the encryption process, CyberLock employs the built-in Windows cipher.exe utility with the \u201c\/w\u201d option to securely wipe free disk space, effectively hindering forensic recovery efforts and eliminating traces of the original unencrypted files.<\/p>\n Celebrate 9 years of ANY.RUN!\u00a0Unlock the full power of<\/strong>\u00a0TI Lookup plan (100\/300\/600\/1,000+ search requests),\u00a0and\u00a0your request quota will double<\/a>.<\/strong><\/p>\n The post Beware of Weaponized AI Tool Installers That Infect Your Devices With Ransomware<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEinDlf9Ec9L0UShSTx1f3EzWiYNzq6a3ozN3MfJloKla9vi49s5KkBtUsXUpNAK53Jrm79YBoCzGGX63pFeMb9L1U26SqQp7oL8hbfqO8W1a5VV4_uVj43TQgjdqAonZo4ReP580PtSdHLezN9EgETOh2laFsWgjojbDhnTUwCKWP801k2m-VAgOh1Q24E\/s16000\/Fake%2520website%2520advertising%2520the%2520AI%2520tool%2520%28Source%2520-%2520Cisco%2520Talos%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhhK4_GKnfXLnKQs8CPxPLzyLJDqp7x91cB437dy4686j51MsRCSQIM6mNLNgbOuQsLfNOVLBsn6t1K9fEKU_0cerQt7bDvLboVe5nA3I5nRcyGBSsgaZvKHXHMoAbUWLnU-esJp2BlbmadATm1D6hwhyaRczVT42aV3kdpYn44Y_KbpxfnteSEBkPu2oQ\/s16000\/A%2520fake%2520installer%2520execution%2520flow%2520running%2520the%2520payload%2520Numero%2520%28Source%2520-%2520CIsco%2520Talos%29.webp?ssl=1\")
CyberLock Ransomware Deployment Mechanism<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhq_ZCVL66ks5UebnZzC9a7RHKMKc_0-1AFErZAQjvV-T_8EItJ9I7pcaFZ4fvQTUZS_Zz4vFm1bLEbU-Hk9nQwEto7V35Ch3KPqh7enerXZ2ROYbUO_zcxGnLHO6aggQK2iIddw0psIgxYfSxBqHjtHiVAei3mT3K4HFsJBSPZ-cszgY6Bty16GpcEgxs\/s16000\/CyberLock%2520ransom%2520note%2520%28Source%2520-%2520Cisco%2520Talos%29.webp?ssl=1\")
Assembly executingAssembly = Assembly.GetExecutingAssembly();\nusing (Stream manifestResourceStream = executingAssembly.GetManifestResourceStream(\"NovaLeadsAI.ps1\"))\n using (StreamReader streamReader = new StreamReader(manifestResourceStream, Encoding.UTF8))\n string text4 = streamReader.ReadToEnd();<\/code><\/pre>\n