A newly identified macOS malware, termed Gaslight, has emerged with the capability to hinder AI-assisted malware analysis. Developed using Rust, this implant and information stealer employs a prompt injection payload to deceive AI tools used by malware analysts, leading them to prematurely halt or refuse investigation.
The Gaslight malware is believed to originate from North Korea-aligned cyber actors, as reported by SentinelOne researcher Phil Stokes. A defining feature of this malware is its deployment of fabricated system-failure messages designed to confuse large language model (LLM)-based triage agents, impacting their judgment rather than the sandbox environment in which they operate.
Advanced Command-and-Control Features
Integral to Gaslight’s architecture is a command-and-control (C2) channel utilizing a Telegram bot API. This allows the malware operator to execute commands through an interactive shell and receive execution results. In cases where two instances of the same bot token attempt simultaneous polling, an automatic “Conflict” response ends the session for the second instance.
The shell offers six core commands, facilitating a persistent presence within the infected system. These commands include:
- help: Displays available commands
- id: Identifies the implant
- shell: Executes shell commands
- kill: Ends a process by its PID
- upload: Extracts files using Telegram’s “attach://”
- stop: Halts implant execution
Moreover, evidence suggests a seventh command, “focus,” though its specific function remains unclear. Gaslight gains persistence by employing a LaunchAgent with the label “com.apple.system.services.activity” in its configuration file.
Comprehensive Data Collection
The malware embeds a 6.6 KB Base64-encoded Python script to systematically gather information, including Terminal command history, installed applications, active processes, system profiles, and browser data from Chrome, Brave, Firefox, and Safari. This data is then compressed and transmitted via Telegram.
Deployment of the Python script occurs through a separate 2 KB Base64-encoded bash installer that incorporates a cpython-3.10.18 interpreter. The script’s use of emojis and detailed comment headers suggests generation by a large language model (LLM).
Evading Detection with AI Deception
Gaslight’s unique approach to evading AI-based detection involves runtime-provided bot token and configuration details, avoiding hard-coded information within the malware sample. This self-redaction feature prevents log or crash artifact capture from revealing the Telegram bot token.
Furthermore, Gaslight includes a Markdown-fenced block with 38 fabricated “system” messages aimed at misleading security agents. These messages falsely report issues like token expiry, memory overflows, disk space depletion, injection vulnerabilities, and static-analysis concerns, effectively weaponizing AI-driven triage processes in reverse-engineering loops.
This sophisticated strategy underscores the evolving nature of malware tactics and the need for robust cybersecurity measures.
