New Gaslight macOS Malware Uses Prompt Injection to Disrupt AI-Assisted Analysis

The Hacker News, 25/06/2026, 09:23
Summary

AI-Generated

Key Points:

  • A new Rust-based macOS malware, codenamed Gaslight, has been identified, featuring a prompt injection payload designed to disrupt AI-assisted malware analysis.
  • The malware, attributed to North Korean threat actors, uses a Telegram bot for command-and-control and can gather extensive system information while employing deceptive messages to confuse detection tools.
  • Recommended actions include monitoring for unusual LaunchAgent entries, implementing strict network controls to block unauthorized C2 communications, and enhancing AI detection capabilities to recognize prompt injection tactics.

Technical Details: Gaslight uses the Telegram bot API for C2 communication and embeds a Base64-encoded Python script for data exfiltration. It achieves persistence through a LaunchAgent labeled "com.apple.system.services.activity".
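
The LaunchAgent monitoring recommended above, as an added example that is not from the original article: a Python audit that flags the reported label and, as an assumed heuristic, any `com.apple.` label found in a directory outside `/System/Library`. The sample plists, the `/tmp/placeholder` paths and the `com.apple.example.helper` label are constructed for the demo.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# Label the summary reports for Gaslight's persistence entry.
REPORTED_LABEL = "com.apple.system.services.activity"
# Assumption: Apple's own launchd jobs live under /System/Library.
APPLE_DIRS = ("/System/Library/LaunchAgents", "/System/Library/LaunchDaemons")


def audit_launch_agents(directory):
    """Return one finding dict per suspicious or unreadable plist in directory."""
    apple_owned = str(directory).startswith(APPLE_DIRS)
    findings = []
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            job = plistlib.loads(path.read_bytes())  # XML or binary plist
        except (plistlib.InvalidFileException, ExpatError, ValueError, OSError):
            findings.append({"file": path.name, "label": None, "reason": "unparseable"})
            continue
        label = str(job.get("Label", "")) if isinstance(job, dict) else ""
        if label == REPORTED_LABEL:
            reason = "label reported for Gaslight"
        elif label.startswith("com.apple.") and not apple_owned:
            reason = "com.apple.* label outside /System/Library"
        else:
            continue
        command = job.get("ProgramArguments") or [job.get("Program")]
        findings.append({"file": path.name, "label": label, "reason": reason, "command": command})
    return findings


def demo():
    """Run the audit over constructed sample plists (not real artifacts)."""
    samples = {
        "a_reported.plist": {"Label": REPORTED_LABEL, "ProgramArguments": ["/tmp/placeholder"], "RunAtLoad": True},
        "b_spoofed.plist": {"Label": "com.apple.example.helper", "Program": "/tmp/placeholder"},
        "c_benign.plist": {"Label": "com.example.updater", "Program": "/usr/local/bin/updater"},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, job in samples.items():
            (Path(tmp) / name).write_bytes(plistlib.dumps(job))
        (Path(tmp) / "d_broken.plist").write_bytes(b"not a plist")
        return audit_launch_agents(tmp)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

On a Mac, call `audit_launch_agents` on the expanded `~/Library/LaunchAgents` path and on `/Library/LaunchAgents`; each finding carries the launched command for triage.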

MITRE ATT&CK Techniques:

  • T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
  • T1053.001 - Scheduled Task/Job: LaunchAgent (Persistence)
  • T1041 - Exfiltration Over Command and Control Channel (Exfiltration)

IOCs Mentioned: None mentioned