AI-Crafted Slopoly Backdoor Deployed in Interlock Ransomware Campaign

A new malware strain called Slopoly, exhibiting strong signs of generative AI assistance in its development, was used in an Interlock ransomware attack that allowed threat actors to maintain server access for over a week while exfiltrating data. The intrusion began with a ClickFix social engineering lure, culminating in the deployment of a PowerShell-based backdoor acting as a command-and-control client. IBM X-Force researchers attributed the financially motivated operation to a group tracked as Hive0163, whose primary objective involves extortion through large-scale data theft and encryption.

The Slopoly script contained extensive commentary, structured logging, error handling, and clearly named variables—characteristics rarely found in human-developed malware but consistent with AI-generated code. Despite being described internally as a "Polymorphic C2 Persistence Client," the malware lacks true polymorphism, though its builder can generate variants with randomized configurations and function names. The backdoor establishes persistence through a scheduled task named "Runtime Broker" and maintains communication with command-and-control servers through heartbeat beacons and command polling.

Slopoly's capabilities include system information collection, executing received commands via cmd.exe, and downloading additional EXE, DLL, or JavaScript payloads. The observed attack chain also featured NodeSnake and InterlockRAT backdoors alongside Slopoly. Interlock ransomware, which emerged in 2024, has previously targeted high-profile organizations including Texas Tech University System, DaVita, Kettering Health, and Saint Paul, Minnesota. The ransomware payload uses Windows Restart Manager API to unlock files before encrypting them with '.!NT3RLOCK' or '.int3R1Ock' extensions. IBM notes potential associations between Hive0163 and developers behind Broomstick, SocksShell, PortStarter, SystemBC, and Rhysida ransomware operations.
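The two host-level artefacts the article names, the "Runtime Broker" scheduled task used for persistence and the two file extensions the Interlock payload appends, are concrete enough to hunt for. The script below is an added example, not code from the article or from IBM X-Force: it enumerates scheduled tasks and flags any whose name contains "Runtime Broker" and whose action launches PowerShell (a legitimate Windows process called RuntimeBroker.exe exists, so the name alone is not a reliable indicator), then searches for files carrying either ransomware extension. It assumes a Windows host with the built-in ScheduledTasks module; the search roots and result limit are arbitrary defaults.

```powershell
# Added hunting script (not from the article or IBM X-Force). Assumes Windows 8 /
# Server 2012 or later, where the ScheduledTasks module is available.

function Find-SuspiciousRuntimeBrokerTask {
    # The article reports Slopoly persisting through a scheduled task named
    # "Runtime Broker". Only tasks whose action runs PowerShell are reported,
    # because a script-based backdoor needs an interpreter to launch it.
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -like '*Runtime Broker*' } |
        ForEach-Object {
            $task = $_
            foreach ($action in $task.Actions) {
                $cmd = "$($action.Execute) $($action.Arguments)".Trim()
                if ($cmd -match '(?i)powershell|pwsh') {
                    [pscustomobject]@{
                        TaskName = $task.TaskName
                        TaskPath = $task.TaskPath
                        Author   = $task.Author
                        State    = $task.State
                        Command  = $cmd
                    }
                }
            }
        }
}

function Find-InterlockEncryptedFiles {
    param(
        [string[]]$Roots = @('C:\Users'),   # assumed default search roots
        [int]$Limit = 20                    # cap per root/pattern to keep output readable
    )
    # Extensions the article attributes to the Interlock encryption payload.
    $patterns = @('*.!NT3RLOCK', '*.int3R1Ock')
    foreach ($root in $Roots) {
        foreach ($pattern in $patterns) {
            Get-ChildItem -Path $root -Filter $pattern -Recurse -File -Force -ErrorAction SilentlyContinue |
                Select-Object -First $Limit FullName, Length, LastWriteTime
        }
    }
}

# Run both checks and summarise.
$tasks = @(Find-SuspiciousRuntimeBrokerTask)
$files = @(Find-InterlockEncryptedFiles)

Write-Host ("Suspicious 'Runtime Broker' tasks launching PowerShell: {0}" -f $tasks.Count)
$tasks | Format-Table -AutoSize
Write-Host ("Files with Interlock extensions found: {0}" -f $files.Count)
$files | Format-Table -AutoSize
```

Any hit from the first check deserves a look at the task's action arguments, since a PowerShell-based C2 client has to be launched from somewhere; the second check is a post-incident confirmation rather than an early warning, because by the time encrypted files exist the ransomware has already run.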
