DeepLoad Malware Combines ClickFix With AI-Generated Code to Avoid Detection


A newly uncovered malware campaign is combining ClickFix delivery with AI-generated evasion code to steal enterprise user accounts and passwords.

The attacks are designed to provide intruders with persistent, credential-stealing access to networks, complete with a hidden mechanism which enables the malware to reactivate itself following an attempted removal.

The DeepLoad malware campaign has been detailed by cybersecurity researchers at ReliaQuest, who, on March 30, warned that it represents an “immediate” threat to businesses.

DeepLoad appears to have first emerged on dark web marketplaces in February, originally focused on stealing cryptocurrency wallets. The additional focus on enterprise credentials suggests the malware’s targeting has become more wide-ranging.

As part of the campaign, the attackers harness ClickFix, a social engineering technique that tricks users into running malicious commands on their own machines.

Researchers believe that it is likely that the attacks begin with links or files delivered by malicious websites.

“We have moderate to high confidence that this activity was more likely initiated via a compromised website or SEO-poisoned search result, potentially while the user was researching or downloading something work-related,” a ReliaQuest researcher told Infosecurity.

AI-Assisted Code Generation

To enhance evasion techniques, DeepLoad’s functional, malicious payload is buried deep within meaningless variable assignments within the code, making it difficult for file-based scanning tools to identify and flag.

The sheer volume of code in this obfuscation layer suggests it was generated with AI assistance.

“The sheer volume of padding likely rules out a human author. Template-based tools are possible, but the quality and consistency we observed likely point to AI. If so, what once may have taken days to build could probably be produced in an afternoon,” said ReliaQuest.

This use of AI also suggests that the attackers could regenerate the padding at will, changing the variable assignments between waves and making DeepLoad's delivery even harder to detect in future.

“Organizations should expect frequent updates to the malware and less time to adapt detection coverage between waves,” researchers wrote.
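The padding described above defeats signature matching but leaves a structural trace: most of the script's assignments write variables that nothing ever reads. The following is an added example, not DeepLoad's code and not ReliaQuest's tooling, that parses a script with PowerShell's built-in AST parser and reports the share of assignments whose target is never referenced. The two sample scripts and the thresholds in `Suspicious` are constructed for illustration.

```powershell
# Added example: score a PowerShell script by the fraction of variable
# assignments that are never read (a "dead assignment" ratio).
function Get-DeadAssignmentRatio {
    param([Parameter(Mandatory)][string]$ScriptText)

    $tokens = $null; $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $ScriptText, [ref]$tokens, [ref]$errors)

    # Count assignment statements whose target is a plain variable ($x = ...).
    $assignments = @{}
    $assignStmts = $ast.FindAll({ param($n)
        $n -is [System.Management.Automation.Language.AssignmentStatementAst] }, $true)
    foreach ($stmt in $assignStmts) {
        if ($stmt.Left -is [System.Management.Automation.Language.VariableExpressionAst]) {
            $name = $stmt.Left.VariablePath.UserPath
            $assignments[$name] = 1 + [int]$assignments[$name]
        }
    }

    # Collect variables that are read, i.e. appear anywhere other than as the
    # left-hand side of an assignment.
    $reads = @{}
    $varExprs = $ast.FindAll({ param($n)
        $n -is [System.Management.Automation.Language.VariableExpressionAst] }, $true)
    foreach ($v in $varExprs) {
        $isTarget = ($v.Parent -is [System.Management.Automation.Language.AssignmentStatementAst]) -and
                    ($v.Parent.Left -eq $v)
        if (-not $isTarget) { $reads[$v.VariablePath.UserPath] = $true }
    }

    $total = 0; $dead = 0
    foreach ($name in $assignments.Keys) {
        $total += $assignments[$name]
        if (-not $reads.ContainsKey($name)) { $dead += $assignments[$name] }
    }
    $ratio = if ($total -gt 0) { [math]::Round($dead / $total, 2) } else { 0 }

    [pscustomobject]@{
        Assignments     = $total
        DeadAssignments = $dead
        DeadRatio       = $ratio
        # Illustrative thresholds; baseline them against your own scripts.
        Suspicious      = ($total -ge 10 -and $ratio -ge 0.8)
    }
}

# Constructed samples (not real DeepLoad code): a padded script whose only
# live statement is the final command, and a small benign script.
$padded = @'
$a1 = 4093; $b7 = "Hg7x"; $c2 = 0x1F; $d9 = $null; $e4 = 77
$f3 = "qwe"; $g8 = 12; $h5 = "zz"; $i6 = 1; $j0 = 2
$k1 = 'xx'; $l2 = 0
$cmd = "whoami"
& $cmd
'@

$benign = @'
$path = "C:\logs"
$files = Get-ChildItem -Path $path -Filter *.log
foreach ($f in $files) { Write-Output $f.Name }
'@

Get-DeadAssignmentRatio -ScriptText $padded
Get-DeadAssignmentRatio -ScriptText $benign
```

The heuristic works on the parsed structure rather than on byte patterns, so regenerating variable names or literal values between waves does not change the score; it is the ratio, not the content, that gives the padding away. It will also count assignments in legitimate configuration-style scripts, which is why the thresholds need a baseline from your own environment before the flag is used for alerting.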

DeepLoad is also designed to blend into normal Windows activity by hiding inside a Windows lock screen process, an area that security tools do not regularly scan, which makes the endpoint compromise harder to spot.

It also installs a hidden persistence mechanism that abuses Windows Management Instrumentation (WMI): if the initial payload is detected and removed, the WMI subscription re-infects the machine three days later, re-establishing the malware's ability to steal passwords and session tokens.

Researchers noted that there’s also evidence of DeepLoad propagating itself to USB drives, which in turn could transfer the malware to new victims.

To defend against DeepLoad, the researchers recommend that administrators enable PowerShell Script Block Logging, audit WMI subscriptions on exposed hosts and, in the event of infection, reset the affected user's passwords. Since the malware also steals session tokens, that user's existing sessions should be treated as compromised as well.
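The two host-side recommendations above, auditing WMI subscriptions and turning on Script Block Logging, can be carried out from an elevated PowerShell session. The following is an added example, not the researchers' tooling: it joins the three classes that make up a WMI permanent event subscription so that each filter is listed next to the consumer it triggers, writes the same registry value the Script Block Logging policy sets, and pulls recent script blocks from the operational log. The `Get-RefName` helper, the `ReviewMe` flag and the regex used at the end are assumptions made for this example.

```powershell
# Added example: audit WMI persistence and enable Script Block Logging.
# Run in an elevated PowerShell session on the host being checked.

function Get-RefName {
    # Binding properties are object-path references; pull the Name key out of
    # either a CimInstance or a string path (helper written for this example).
    param($Ref)
    if ($Ref -is [Microsoft.Management.Infrastructure.CimInstance]) { return $Ref.Name }
    if ([string]$Ref -match 'Name\s*=\s*"([^"]+)"') { return $Matches[1] }
    return [string]$Ref
}

function Get-WmiPersistence {
    $ns = 'root/subscription'
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)
    $bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

    foreach ($b in $bindings) {
        $fName = Get-RefName $b.Filter
        $cName = Get-RefName $b.Consumer
        $f = $filters   | Where-Object Name -eq $fName | Select-Object -First 1
        $c = $consumers | Where-Object Name -eq $cName | Select-Object -First 1

        # CommandLineEventConsumer runs a command line; ActiveScriptEventConsumer
        # runs VBScript/JScript. Either one is enough to re-launch a payload.
        $payload = ''
        if ($c.CommandLineTemplate) { $payload = $c.CommandLineTemplate }
        elseif ($c.ScriptText)      { $payload = $c.ScriptText }

        [pscustomobject]@{
            Filter       = $fName
            Query        = $f.Query                 # WQL trigger, e.g. a timer or time-of-day event
            Consumer     = $cName
            ConsumerType = $c.CimClass.CimClassName
            Payload      = $payload
            # Illustrative flag: anything that executes a command or script
            # deserves a look. The default 'SCM Event Log Consumer' binding that
            # Windows ships is an NTEventLogEventConsumer and is not flagged.
            ReviewMe     = ($payload -ne '')
        }
    }
}

function Enable-ScriptBlockLogging {
    # Same value the "Turn on PowerShell Script Block Logging" policy writes.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord
}

function Get-RecentScriptBlocks {
    param([int]$Count = 50)
    # Event 4104 carries the script text (after PowerShell's own de-obfuscation
    # of the block it executed) in its third property.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $Count -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time = $_.TimeCreated
                Text = $_.Properties[2].Value
            }
        }
}

Get-WmiPersistence | Format-List
Enable-ScriptBlockLogging
# Crude pattern for runs of semicolon-separated assignments on one line, the
# shape the padding described above takes; refine against real samples.
Get-RecentScriptBlocks | Where-Object { $_.Text -match '\$\w+\s*=\s*[^;]+;\s*\$\w+\s*=' } | Format-List
```

Audit the subscriptions before removing the payload, not after: the binding is what survives a clean-up of the dropped files, and deleting the filter, consumer and binding together (for example with `Remove-CimInstance`) is what stops the re-infection the article describes. Script Block Logging only captures blocks executed after the registry value is set, so enabling it is a measure for the next wave rather than for reconstructing the current one.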

“DeepLoad will adapt as defenders close gaps, so coverage needs to be behavior-based, durable, and built for fast iteration,” said ReliaQuest.
