A deceptive website mimicking an official Anthropic Claude domain has been identified as distributing a remote access trojan (RAT) to unsuspecting users, according to a report from Malwarebytes. The campaign leverages the growing popularity of Claude to trick users into downloading malicious software.
Trojan Deployment via Fake Downloads
The malicious site entices visitors with the promise of a pro version of the large language model (LLM), offering a download link that leads to a ZIP file. This archive contains an MSI installer designed to resemble the authentic Anthropic installation process, even installing the legitimate Claude application as part of its execution.
However, when the application is launched from the desktop shortcut, a hidden VBScript executes. This script runs the genuine app visibly while covertly installing malware in the background. The VBScript deposits three files into the system's startup folder, one of which is NOVUpdate.exe. This executable, a legitimately signed G DATA antivirus updater, is abused for DLL sideloading: when it starts, it loads a malicious DLL placed beside it, which in turn deploys a PlugX malware variant.
Malware Persistence and Execution
PlugX, a well-known RAT employed in espionage campaigns for almost a decade, is activated shortly after installation. NOVUpdate.exe establishes a TCP connection to its command-and-control infrastructure, hosted on Alibaba Cloud. To conceal its presence, the VBScript also generates a batch file that deletes both itself and the VBScript after execution, removing traces of the initial infection.
The malware's persistence relies solely on the sideloading files placed in the startup folder and on the running NOVUpdate.exe process; these are the only indicators left on the compromised system. Malwarebytes notes that the script uses an 'On Error Resume Next' statement to suppress errors, preventing any warning dialogs that might alert the user.
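Because the only persistence described above is a signed executable and its companion DLL sitting in a Startup folder, a quick hunting check can enumerate those folders and flag that pattern. The following PowerShell script is an added example written for this page, not code from the Malwarebytes report; it assumes nothing about the host beyond the standard Windows Startup folder locations and uses only built-in cmdlets (`Get-ChildItem`, `Get-AuthenticodeSignature`).

```powershell
# Added example (not from the Malwarebytes report): list every executable in the
# per-user and all-users Startup folders, report its Authenticode signer, and flag
# the sideloading pattern described in the article: an .exe (possibly validly
# signed) with a DLL placed beside it. Shortcuts (.lnk) are the norm in Startup;
# a raw .exe or .dll there is already worth a look.
function Find-StartupSideload {
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),        # current user's Startup folder
        [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
    ) | Where-Object { $_ -and (Test-Path -Path $_) }

    foreach ($dir in $startupDirs) {
        $files = Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue
        $dlls  = @($files | Where-Object { $_.Extension -ieq '.dll' })
        $exes  = @($files | Where-Object { $_.Extension -ieq '.exe' })

        foreach ($exe in $exes) {
            $sig = Get-AuthenticodeSignature -FilePath $exe.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

            [PSCustomObject]@{
                Folder      = $dir
                Executable  = $exe.Name
                Signer      = $signer
                SigStatus   = $sig.Status            # 'Valid' does not mean benign: the abused updater is validly signed
                AdjacentDll = ($dlls | Select-Object -ExpandProperty Name) -join ', '
                # Signed-or-not, an .exe with a DLL next to it in Startup matches the
                # NOVUpdate.exe pattern the article describes and should be reviewed.
                Suspicious  = ($dlls.Count -gt 0)
            }
        }

        # A DLL with no executable beside it may be a leftover of a cleaned-up loader.
        if ($exes.Count -eq 0 -and $dlls.Count -gt 0) {
            Write-Warning "DLL(s) in $dir with no adjacent executable: $($dlls.Name -join ', ')"
        }
    }
}

# Run and show results; an empty result means no .exe files were found in either folder.
Find-StartupSideload | Format-Table -AutoSize
```

Any row with `Suspicious` set to `True` should be paired with a look at which DLLs the running process actually loaded (for example via Process Explorer or Sysmon Event ID 7) before deciding whether the executable is a legitimate updater or a sideloading host.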
Exploiting AI Popularity for Cyber Attacks
This infection strategy was previously observed in a February phishing campaign that utilized fake meeting invitations to distribute PlugX malware. Despite PlugX’s historical ties to Chinese espionage groups, the dissemination of its source code has muddled attribution efforts, as noted by Malwarebytes.
The attackers in this campaign combine a proven sideloading method with a timely social engineering lure, capitalizing on the rising interest in AI tools to deceive users into executing a compromised installer. This underscores an ongoing challenge in cybersecurity: rapidly evolving technologies are frequently exploited for malicious purposes.
The cybersecurity community remains vigilant, emphasizing the need for robust defenses and user awareness to mitigate such threats. As the landscape evolves, continuous monitoring and education are critical in safeguarding digital environments.
