Date: 06/02/2025
Severity: High
Summary
Cisco Talos researchers (see the reference below) uncovered new threats distributed as fake installers for popular AI tools: the CyberLock and Lucky_Gh0$t ransomware families and a destructive malware dubbed "Numero." CyberLock is implemented in PowerShell; it encrypts the victim's files and its ransom note falsely claims that payments fund humanitarian causes. Lucky_Gh0$t is a minor variant of Yashma ransomware, which itself descends from the Chaos ransomware line. Numero is not ransomware: it renders victim systems unusable by corrupting components of the Windows graphical user interface (GUI).
Indicators of Compromise (IOC) List
SHA-256 hashes:
507103bf93e50a8b7b2944c402f1403402e2f607930fa7822bb64236c1fba23a
07d73f4822549af4ec61d16ed366133dae1733ce1d6ad0a27fc80c94956abc51
e1c4603d8354bb53e9ba93b860db6ae853d64bce0fe25a37033bfe260ea63f23
e019c6f094965c3bccc0a7ba09bfb09c4ff7059795da5b66b6e7a7c0ac8ef7ef
25f863c6190b727c45b762b70091a8d8f6cb98ff44db05044ba76a46d3c17a3d
6ccaef03dcab293d23494070aacfd4b94d7defd14af39dc543f2f551846e9d50
7de095a011a3dcd48f806dcb6a48d5262e06bec2d63d828b85436f79c83bcd70
2381929126d3eb17402d77103f6e07a272a6fad54ec64225a6d5e1f31ff057ac
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
SHA-256 hash match:
sha256hash IN ("25f863c6190b727c45b762b70091a8d8f6cb98ff44db05044ba76a46d3c17a3d","e019c6f094965c3bccc0a7ba09bfb09c4ff7059795da5b66b6e7a7c0ac8ef7ef","507103bf93e50a8b7b2944c402f1403402e2f607930fa7822bb64236c1fba23a","6ccaef03dcab293d23494070aacfd4b94d7defd14af39dc543f2f551846e9d50","e1c4603d8354bb53e9ba93b860db6ae853d64bce0fe25a37033bfe260ea63f23","07d73f4822549af4ec61d16ed366133dae1733ce1d6ad0a27fc80c94956abc51","7de095a011a3dcd48f806dcb6a48d5262e06bec2d63d828b85436f79c83bcd70","2381929126d3eb17402d77103f6e07a272a6fad54ec64225a6d5e1f31ff057ac")
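The TDIR query above is a straight set-membership test on the SHA-256 field. The following Python script, added here as an illustration and not part of the advisory or of Gurucul's product, performs the same check outside the platform: it matches the advisory's eight hashes against JSON process-creation events (the `sha256`/`image`/`host` field names are assumed, and the sample events are constructed, not real telemetry) and can also hash files on disk to sweep a download folder or quarantine share. Matching is case-insensitive because different sensors emit hex digests in different cases.

```python
import hashlib
import json
import os
import tempfile

# SHA-256 IOCs from the advisory above, normalised to lowercase.
IOC_SHA256 = {
    "507103bf93e50a8b7b2944c402f1403402e2f607930fa7822bb64236c1fba23a",
    "07d73f4822549af4ec61d16ed366133dae1733ce1d6ad0a27fc80c94956abc51",
    "e1c4603d8354bb53e9ba93b860db6ae853d64bce0fe25a37033bfe260ea63f23",
    "e019c6f094965c3bccc0a7ba09bfb09c4ff7059795da5b66b6e7a7c0ac8ef7ef",
    "25f863c6190b727c45b762b70091a8d8f6cb98ff44db05044ba76a46d3c17a3d",
    "6ccaef03dcab293d23494070aacfd4b94d7defd14af39dc543f2f551846e9d50",
    "7de095a011a3dcd48f806dcb6a48d5262e06bec2d63d828b85436f79c83bcd70",
    "2381929126d3eb17402d77103f6e07a272a6fad54ec64225a6d5e1f31ff057ac",
}


def is_ioc(sha256_hex):
    """True if the digest (any case, surrounding whitespace tolerated) is a listed IOC."""
    return sha256_hex.strip().lower() in IOC_SHA256


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_events(lines):
    """Return the JSON events (one per line) whose 'sha256' field is an IOC.

    Field names are an assumption for this example; map them to your sensor's
    schema (e.g. Sysmon Event ID 1 'Hashes' split on '=' and ',').
    Malformed lines are skipped rather than aborting the scan.
    """
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        digest = ev.get("sha256")
        if isinstance(digest, str) and is_ioc(digest):
            hits.append(ev)
    return hits


def scan_directory(root):
    """Hash every regular file under root; return paths whose SHA-256 is an IOC."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if is_ioc(sha256_file(path)):
                    hits.append(path)
            except OSError:
                continue  # unreadable/locked file: log it in production, skip here
    return hits


# Constructed sample telemetry (not real logs). Two events carry IOC hashes,
# one in upper case to exercise case-insensitive matching; one is benign.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"ts": "2025-06-02T10:14:07Z", "host": "ws-042",
     "image": r"C:\Users\user\Downloads\installer.exe",
     "sha256": "507103BF93E50A8B7B2944C402F1403402E2F607930FA7822BB64236C1FBA23A"},
    {"ts": "2025-06-02T10:14:09Z", "host": "ws-042",
     "image": r"C:\Windows\System32\notepad.exe",
     "sha256": "0" * 64},
    {"ts": "2025-06-02T10:21:33Z", "host": "ws-017",
     "image": r"C:\Users\user\AppData\Local\Temp\setup.exe",
     "sha256": "e019c6f094965c3bccc0a7ba09bfb09c4ff7059795da5b66b6e7a7c0ac8ef7ef"},
]]


def self_check():
    """Hash a known byte string via a temp file and sweep the temp dir (no IOC expected)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "abc.bin")
        with open(path, "wb") as f:
            f.write(b"abc")
        return sha256_file(path), scan_directory(tmp)


if __name__ == "__main__":
    for ev in scan_events(SAMPLE_EVENTS):
        print("IOC match:", ev["host"], ev["image"], ev["sha256"].lower())
    print("self-check:", self_check())
```

Hash IOCs are exact-match by nature: a rebuilt or repacked sample produces a different digest, so treat a miss as "not this build", not as "clean", and pair the hash rule with behavioural detections (PowerShell-based encryption activity, unexpected changes to GUI-related system components).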
Reference:
https://blog.talosintelligence.com/fake-ai-tool-installers/