Maria Varmazis
You're listening to the CyberWire Network, powered by N2K. Do you know how the space and cybersecurity domains connect? T-Minus Space Cyber Briefing is your guide through the space-based systems that expand the attack surface. I'm Maria Varmazis, host here at N2K CyberWire, and I'm excited to share that T-Minus is back now as a weekly podcast, the T-Minus Space Cyber Briefing. We have a new dedicated focus on two great things that are even better together: space and cybersecurity. Because whether we realize it or not, we all depend on space-based systems that are, by the way, increasingly Internet-enabled. We're talking cybersecurity technologies, policies and organizations that are securing the critical space-based infrastructure that powers, protects and connects our lives here on Earth. So join me for T-Minus Space Cyber Briefing. New episodes every Sunday.
Marco Giuliani
Study and play come together on a Windows 11 PC, and for a limited time, college students get the best of both worlds. Get the unreal college deal: everything you need to study and play with select Windows 11 PCs. Eligible students get a year of Microsoft 365 Premium and a year of Xbox Game Pass Ultimate with a custom color Xbox wireless controller. Learn more at windows.com studentoffer while supplies last. Ends June 30th. Terms at aka mscollegepc.
Dave Bittner
Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Marco Giuliani
It's a Trojan which is dropping additional malware into the system. So it's a kind of, you know, entrance point to the infected system and allows malware authors to drop additional malware. In this specific case that we detected, it's the Rhadamanthys infostealer, to collect, you know, sensitive data, by hiding it inside what looks like an AI agent skill coming from a legitimate developer tool, OpenClaw.
Dave Bittner
That's Marco Giuliani, Vice President and Head of Research at ThreatDown. The research we're discussing today is titled "GachiLoader Adopts AI Skill Lure." Well, the research describes AI agent skills as a new lure. What makes that such an effective delivery mechanism?
Marco Giuliani
Oh, that's actually the key point. It's a very clever multi-step social engineering campaign. So the key point here is the word trust. I keep saying this multiple times. The traditional endpoint security has gotten very, very good lately, in the last 10, 15 years. So the attackers also needed to look for blind spots. Right now the biggest blind spot that we have is the AI agent ecosystem. So what we are doing right now, my team, the research team, is monitoring all the EDR detection triggers which come from AI, from the AI world. What does that mean? If we find something which is connected somehow to AI tools, it can be agentic systems, it can be OpenClaw, it can be Gemini CLI, Claude Desktop or whatever. If we detect some suspicious activity happening through or coming from those specific tools, then this is definitely ringing a bell to the research team, and it automatically gets upgraded to the highest security level investigation from the research team. In this specific case, that's how it happened. We were monitoring the suspicious activity. We are constantly monitoring suspicious activities strictly connected to those tools. And in this specific case, we detected this specific attack.
Dave Bittner
Well, let's go through the user experience here. What does the victim see, and what convinces them to go down this path?
Marco Giuliani
Cool. You know, once it was the email, the fake email, the phishing email. Now let's try and imagine a developer today looking to, let's say, add a new capability to their AI agent. They come across what looks like a legitimate skill package, and inside there is a file called "readme before install", an .htm file. This isn't just a simple text file the developer opens. It looks like a Telegraph blog post, a convincing, legitimate-looking piece of documentation. And this document instructs the user, the developer, to download the dependencies from a GitHub release page. Legitimate GitHub; everything that comes from GitHub should be safe. That's what developers assume today. But that GitHub page is entirely fake. It's completely dressed up using the OpenClaw brand. But it's not just a fake OpenClaw page. The funny thing here is that it's the victim who is starting every single step: reading the manual, going to GitHub, clicking download. They are letting their guard down. That's not something that the attacker is doing. That's funny, but that's the usual social engineering trick, just changing the tools, just changing the ways. But it's always the same problem, the same security problem that we have been trying to fix for a long time, since, you know, IT security started, you know, kicking in. The user is, you know, willingly inviting the malware in. They are thinking that they are just installing a standard, you know, skill dependency.
Dave Bittner
Well, the lure talks about real services, things like weather forecasts and prediction markets. I guess that realism helps make the attack believable.
Marco Giuliani
Exactly. That's the whole plan. The whole plan is making a story. It's, you know, building a real, trustable story. Sometimes they also, you know, invite you to do that, and they promise you that you're going to make a lot of money just, you know, sitting in front of your PC. I mean, everybody sometimes, you know, everybody once in a while, once, you know, hoped to do that. I did sometimes as well, you know; you sit in front of your PC and you hope that what you're doing is making you, you know, it's going to make you money, a lot of money, without doing anything. Who has not hoped that at least once in their life?
Dave Bittner
Right, right. Well, let's break down the two tracks here. The research talks about two different ways for this to be delivered. Can you take us through that element?
Marco Giuliani
Yes, absolutely. So what happens is, once the execution begins, what the actors do is they immediately deploy, or actually I would say the victim itself deploys, the GachiLoader. And the very interesting thing here is that actually it's not new, but that's the most used way to drop malware as of today. GachiLoader is being dropped using fileless injection techniques. What does that mean? It means that they are not dropping a traditional, easily scannable executable onto the disk. They are actually injecting the payload directly into the memory of legitimate processes using, you know, the kind of attack that is called living off the land. What does that mean? Attackers are not using anymore standalone malicious executables. Why are they not doing that anymore? Because it's easy now to detect a malicious executable. That's what AV has been doing for the last two decades, if not three decades. How do they skip this kind of detection from a traditional anti-malware solution? By using legitimate tools. Using legitimate tools, let's say Python scripts, let's say every interpreter, PowerShell or whatever. What they do is they trick the user into running a script, into running whatever looks legitimate, because it's coming from a legitimate tool. So even an anti-malware, a classic, traditional security product, cannot easily detect what's happening, because it's happening from a legitimate tool. And this makes an incredibly stealthy attack, hard for the classic AV to catch. And that's the first part, how it gets installed into the system. What's the really fascinating part, I would say, is the command and control infrastructure that GachiLoader has set up. Usually, what's the command and control? It's basically the server, the centralized server that the malware is connecting to to receive commands, the next steps that it needs to execute.
How does that usually get blocked by anti-malware or security companies, security products, or also law enforcement? They go to the server, they go to the ISP, they block the connection to that specific IP, blacklist the IP, they get the server down, and that's how usually a command and control infrastructure is disabled, is switched off, turned off. That's not so for GachiLoader, because they are now utilizing a blockchain-based command and control mechanism. That's really fascinating from my point of view, because right now they are hosting their communication pathways on a decentralized blockchain network, and by doing so the infrastructure becomes highly resilient. For defenders, for AV companies, security companies, it's incredibly difficult to simply take down a server as it was easy before. And the combination of fileless execution locally on the system, on the infected system, and the decentralized command and control, which is basically distributed globally across the whole world, is a tremendous and dangerous mix that, you know, ultimately in this specific case drops the Rhadamanthys infostealer to steal credentials and sensitive data, but in the end makes this combination extremely resilient against security products, and also for law enforcement to take them down.
Dave Bittner
We'll be right back. When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of respondents reported threat levels have increased in the past two years. GuardSquare delivers the highest level of security for your mobile apps without compromising performance, time to market or user experience. Discover how GuardSquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com.
Maria Varmazis
When you need to build up your team to handle the growing chaos at work, use Indeed Sponsored Jobs. It gives your job post the boost it needs to be seen and helps reach people with the right skills and certifications and more. Spend less time searching and more time actually interviewing candidates who check all your boxes. Listeners of this show will get a $75 sponsored job credit at Indeed.com podcast. That's Indeed.com podcast. Terms and conditions apply. Need a hiring hero? This is a job for Indeed Sponsored Jobs.
Dave Bittner
Well, you mentioned the Rhadamanthys infostealer. From a defender's perspective, what makes this combination of GachiLoader and Rhadamanthys particularly dangerous?
Marco Giuliani
As I said, the classic security products, AV, are not able to see this attack. They cannot find anything running on the system, because everything is running in memory. They cannot detect the eventual command and control connection, because they are not connecting through classic IPs. So the security product is completely blind to this attack. And this allows attackers to do whatever they want. This is incredibly powerful for the attackers. And if you look from a defender perspective, that's a very strong hint and sign that we as defenders, we as security companies, but also every company, need to switch their attention to not just detecting malicious activities, but more to detecting what is not normal for your system. So it's a different approach. That's what an EDR product is: basically not detecting what is malicious, but detecting what is anomalous enough for that system to be reported and carefully taken into consideration. It's a completely different shift. It's a different paradigm that makes security way more complicated. Does that make sense, what I'm saying? It's not anymore saying, hey, this is bad. It's more like, hey, this is anomalous for my system; technically it shouldn't do that. Doing that means that we need to know for a fact what is normal on the system. That's what an EDR product is: basically understanding what's normal on the system and reporting what is suspicious enough to not be included in the normal activities of that system.
Dave Bittner
As I was reading through the research, there was a statement here that caught my eye. You describe skills as the new phishing attachment. What does that shift mean for how organizations should be thinking about user risk?
Marco Giuliani
That's actually a great question. Thanks for asking that. The attack surface right now is shifting, and it's quickly shifting as the whole world is shifting to AI, as usually happens, you know, as happened also in the past. I've actually been in the security industry for almost 20 years now, so I was lucky enough to have seen multiple things, you know, worms, phishing and, you know, rootkits, et cetera. And I've always seen that every time we have a shift to a new technology, everybody runs to catch this new technology. But the risks, the threats, the risks of the new technology are not immediately taken into consideration. And that's the blind spot for every new technology. What that means is that with the new technology, the new AI, everybody is shifting into agentic AI, so that you can instruct your computer, your endpoint, to do stuff for you. How do you make it even easier with agentic AI? You already have something that makes your work easier and faster. How can you make it even faster? You go to a repository and download your skills. What are AI skills? Basically they are just instructions, pre-built instructions for your agentic AI, very basic text files that contain instructions for your agentic AI, for your AI, that it can execute for you. So you go to a repository and you find a new skill that monitors the weather forecast for you for the next three hours, up to 24 hours, every hour, and then alerts you in case there is some sign of bad weather coming in, kicking in or whatever. I'm just giving you an example, a very basic example. You could do that yourself, but you can also easily instruct agentic AI to do the stuff for you. And why not download an AI skill that already contains all the instructions to do that for you? So companies are looking into this new world more and more, and the problem is that there is no way right now to vet the skills that you are downloading. That's probably the biggest risk that companies are missing. The people using AI, companies, are risking more.
So they think that you can monitor downloads from specific websites, you have a firewall, you have whatever, you're monitoring phishing websites, but you're still not considering that AI skill repositories can be a vector to introduce malware. So AI skills are just text files that can be used on the AI, your AI desktop software. You are not considering, you're still, companies are still not considering that as a vector. So we urgently need companies to pay attention to this and start vouching also for the AI skills that are being downloaded from repositories, because that's not anymore a free and safe, secure world. Just to give you a basic example, one of the malicious AI skills that we detected, and that's outside of the research that we are discussing right now, I'm just telling you this story. One of the malicious AI skills that we detected was very funny, because you downloaded it and you also started looking at the text file inside the skill, and it was a perfectly legitimate skill. So we started looking into this because our automated systems reported this skill as potentially malicious. So we started to manually look at the AI skill, my team, and looked at that and said, in the beginning the text was completely safe, just, you know, very, very, very safe instructions. They were doing what the AI skill was supposed to do. And so, you know, even for the basic people, the basic user that wants to check what the AI skill is doing, it would have bypassed every kind of simple check. At some point, at the very, very, very end of the text of the skill, there was one command saying: forget what was said since the beginning of the text file and execute what was written after that. And everything was written in a non-English language. I don't remember if it was Chinese or Russian, or anyway it was some, or Japanese. I don't remember exactly what language that was.
And that was going to bypass every simple check from every customer, every user, the average user looking at that. So sorry, that was a very long description to tell you that this is an incredibly risky world right now, and we need to immediately take action.
Dave Bittner
Our thanks to Marco Giuliani from ThreatDown for joining us. The research is titled "GachiLoader Adopts AI Skill Lure." We'll have a link in the show notes. And that's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
Host: Dave Bittner (N2K Networks)
Guest: Marco Giuliani (Vice President and Head of Research, ThreatDown)
Date: May 30, 2026
This Research Saturday episode dives deep into ThreatDown's latest findings on a sophisticated cyberattack campaign leveraging "AI agent skills" as a new social engineering lure. Dave Bittner interviews Marco Giuliani, who explains how attackers exploit trust in developer tools and AI ecosystems, why this new vector so effectively bypasses current security, and which defense strategies are now essential as AI adoption accelerates.
| Timestamp | Segment |
|-----------|---------|
| 02:10 | Explaining the GachiLoader and Rhadamanthys combo and the new “AI agent skill” lure |
| 03:08 | Why attacking via AI skills is so effective—blind spots in security |
| 05:18 | The user experience and psychological lures in play |
| 07:25 | The realism of skill-based attacks (weather, prediction markets, money-making) |
| 08:32 | Technical kill chain: execution methods (fileless injection, “living off the land”) |
| 11:47 | Blockchain-based C2 infrastructure and its defensive implications |
| 14:21 | Analysis of Rhadamanthys and the defender’s perspective |
| 16:51 | Skills as the "new phishing attachment"—organizational risk considerations |
| 17:08 | How AI skills expand the attack surface; risks lagging behind innovation |
| 21:35 | Example of a malicious AI skill evading detection |
For more on ThreatDown’s research, see their report: “Gachi Loader Adopts AI Skill Lure.”