
Hive0163 Uses AI-Assisted Slopoly Malware for Persistent Access in Ransomware Attacks

The Hacker News, 12/03/2026, 17:02

Summary

AI-Generated

Key Points:

  • Hive0163, a financially motivated threat actor, is utilizing AI-assisted malware named Slopoly for persistent access during ransomware attacks.
  • The malware allows Hive0163 to maintain access to compromised servers for over a week, leveraging a PowerShell script that establishes persistence via a scheduled task and communicates with a command-and-control server.
  • Organizations should monitor for unusual PowerShell activity and newly created scheduled tasks, hunt for fixed-interval outbound HTTP traffic, deploy endpoint detection and response (EDR) tooling, and train users to recognise social engineering lures such as ClickFix-style "paste this command" prompts.

Technical Details: Slopoly operates as a backdoor that sends heartbeat messages to its C2 server every 30 seconds and polls for commands every 50 seconds. The attack utilized the ClickFix social engineering tactic to execute the initial PowerShell command.
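A backdoor that heartbeats every 30 seconds and polls every 50 seconds leaves a statistical fingerprint in proxy or firewall logs: the gaps between requests to the same destination are nearly constant, whereas human browsing is bursty. The script below is an added example, not code from the article or from the Slopoly sample. It builds a constructed proxy log (host names, IP addresses and the /hb and /cmd paths are assumed, not reported by the page) and flags any (source, destination, path) series whose inter-request jitter is low. It generalises the page's two intervals to any fixed-period loop.

```python
"""Detect fixed-interval beaconing in web proxy logs (added example).

Each log line is constructed as "timestamp,src_ip,dst_host,path"; the C2
host, the client IP and the /hb and /cmd paths are assumptions for this
example, not indicators from the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

MIN_EVENTS = 8     # fewer samples than this cannot establish a period
MAX_JITTER = 0.15  # pstdev/mean of the gaps; scripted loops sit near 0


def parse_line(line):
    """Split one constructed proxy log line into its four fields."""
    ts, src, dst, path = line.split(",")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), src, dst, path


def find_beacons(lines, min_events=MIN_EVENTS, max_jitter=MAX_JITTER):
    """Return series of requests whose timing looks machine-generated.

    Grouping on (src, dst, path) rather than (src, dst) matters: a
    30-second heartbeat and a 50-second poll to the same host would blend
    into an irregular mix if the path were ignored.
    """
    series = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, src, dst, path = parse_line(line)
        series[(src, dst, path)].append(ts)

    findings = []
    for (src, dst, path), stamps in series.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing periodic to measure
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append({
                "src": src, "dst": dst, "path": path,
                "period_s": round(avg, 1), "jitter": round(jitter, 3),
                "count": len(stamps),
            })
    return sorted(findings, key=lambda f: f["period_s"])


def build_sample_log():
    """Constructed sample: one infected client, one C2 host, one intranet site."""
    start = datetime(2026, 3, 12, 9, 0, 0)
    lines = []
    # 30 s heartbeat with up to 2 s of network jitter (i % 3 shifts 0, 1, 2 s).
    for i in range(20):
        t = start + timedelta(seconds=30 * i + (i % 3))
        lines.append(f"{t.isoformat()},10.0.0.5,c2.example.test,/hb")
    # 50 s command poll, perfectly regular.
    for i in range(12):
        t = start + timedelta(seconds=50 * i)
        lines.append(f"{t.isoformat()},10.0.0.5,c2.example.test,/cmd")
    # Human browsing: irregular gaps, must not be flagged.
    t = start
    for gap in (3, 41, 7, 120, 2, 65, 19, 8, 240, 4, 33):
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()},10.0.0.5,intranet.example.test,/news")
    return lines


if __name__ == "__main__":
    for f in find_beacons(build_sample_log()):
        print(f"{f['src']} -> {f['dst']}{f['path']}: "
              f"period {f['period_s']}s, jitter {f['jitter']}, n={f['count']}")
```

Tune MIN_EVENTS and MAX_JITTER to the environment: legitimate software updaters and monitoring agents also beacon, so the output is a hunt list to triage against an allow-list of known periodic destinations, not an alert on its own. Implants that randomise sleep time will raise the jitter figure, which is why the threshold is a ratio rather than a fixed number of seconds.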

MITRE ATT&CK Techniques:

  • T1204.004 - User Execution: Malicious Copy and Paste (Initial Access / Execution; the ClickFix lure described above)
  • T1059.001 - Command and Scripting Interpreter: PowerShell (Execution)
  • T1053.005 - Scheduled Task/Job: Scheduled Task (Persistence)
  • T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
  • T1566.001 - Phishing: Spearphishing Attachment (Initial Access)

IOCs Mentioned: None mentioned
