In an era where users rely on vigilance against shady websites and on checking file hashes against platforms like VirusTotal, a new wave of trojan horses is challenging those traditional defenses.
These threats masquerade as legitimate desktop applications, such as recipe savers, AI-powered image enhancers, and virtual assistants, all while embedding malicious capabilities.
For instance, the JustAskJacky app, featuring a cartoon character that provides household tips, covertly schedules tasks to execute arbitrary code from a command-and-control (C2) server using eval functions on deobfuscated payloads.
Similarly, the TamperedChef recipe app interprets whitespace characters in downloaded recipes as executable commands, turning innocuous content into a backdoor mechanism.
An AI image search tool, promising high-quality photo enhancements, grants threat actors unauthorized system access in exchange for its “free” service.
These examples, undetected by VirusTotal scanners for weeks, highlight a shift where trojans integrate malicious logic directly into functional applications, rather than bundling separate malware via joiners or binders.
Resurgence of Classic Trojans
What distinguishes these “true” trojans, as defined by malware researchers, is their inseparability from the useful core application.
Unlike polymorphic malware or deceptive infection vectors that are often mislabeled as trojans, these embed the threat within the app's primary functionality, such as steganographically hidden commands in recipe data or C2-driven code execution in advisory responses.
Such trojans have been rare for the past 10-15 years; their revival stems from the accessibility of Large Language Models (LLMs).
LLMs enable threat actors to generate convincing websites with professional layouts, error-free content, and AI-curated databases, eroding users’ gut instincts based on perceived effort or grammatical flaws.
Moreover, LLMs make it cheap to produce entirely new, unpacked codebases for these apps, so the static scanners on multi-scanner platforms like VirusTotal, which lack deep behavioral analysis, have no known signature to match.
LLM-Driven Evasion
According to G Data, the connection between LLMs and antivirus evasion lies in the limitations of static detection.
Threat actors test malware against VirusTotal’s constrained scanners, which prioritize known signatures over dynamic, context-aware, or in-memory analysis.
Before LLMs, evasion usually relied on packers to obfuscate existing code, a lower-effort alternative to a full rewrite.
Now LLMs automate the generation of structured, commented code (evident in TamperedChef's readable functions documenting its steganography), which makes packing unnecessary and prolongs zero-detection periods, as seen in its six-week undetected run.
Several indicators point to LLM involvement, including overly helpful comments that aid reverse engineers, a rarity in hand-written malware.
This trend underscores the inadequacy of static signatures alone; effective defenses demand behavioral monitoring, dynamic analysis, and contextual signatures.
Behavior-based antivirus components can flag anomalies such as JustAskJacky's randomized task scheduling or TamperedChef's whitespace command execution at runtime, where static scanning sees nothing unusual.
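The whitespace-steganography backdoor described above for TamperedChef is a case where a content-level check can catch what a file-hash lookup cannot. The following is an added example, not G Data's analysis code or the malware's own: it builds a constructed sample recipe with a hypothetical hidden command, decodes trailing-whitespace bits back into bytes, and applies a detection heuristic. The encoding (space = 0, tab = 1, eight bits of trailing whitespace per line) is an assumption for illustration; the page does not describe TamperedChef's actual scheme.

```python
import re
from typing import List

# Assumed encoding for this example: the trailing whitespace of each line
# carries one payload byte, space = 0, tab = 1, most-significant bit first.
# The real TamperedChef encoding is not described on the page.


def hide_payload(cover_lines: List[str], payload: bytes) -> str:
    """Build a carrier text with one payload byte per line as trailing
    spaces/tabs. Used here only to construct the sample input."""
    if len(payload) > len(cover_lines):
        raise ValueError("not enough cover lines for payload")
    out = []
    for i, line in enumerate(cover_lines):
        line = line.rstrip(" \t")
        if i < len(payload):
            bits = f"{payload[i]:08b}"
            line += "".join("\t" if b == "1" else " " for b in bits)
        out.append(line)
    return "\n".join(out)


def trailing_runs(text: str) -> List[str]:
    """Return the trailing space/tab run of each line ('' if none)."""
    return [line[len(line.rstrip(" \t")):] for line in text.splitlines()]


def extract_hidden_bytes(text: str) -> bytes:
    """Concatenate the trailing whitespace of all lines and decode it as
    8-bit values; a trailing partial byte is discarded."""
    bitstr = "".join("1" if c == "\t" else "0"
                     for run in trailing_runs(text) for c in run)
    usable = len(bitstr) - len(bitstr) % 8
    return bytes(int(bitstr[i:i + 8], 2) for i in range(0, usable, 8))


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes in the printable ASCII range; 0.0 for empty input."""
    if not data:
        return 0.0
    return sum(32 <= b < 127 for b in data) / len(data)


def is_suspicious(text: str, min_carrier_lines: int = 4,
                  min_printable: float = 0.9) -> bool:
    """Heuristic detector: several lines end in whitespace that mixes spaces
    and tabs (editors rarely produce that), and the decoded bytes are almost
    all printable ASCII, i.e. they look like a command rather than noise."""
    runs = [r for r in trailing_runs(text) if r]
    mixed = [r for r in runs if " " in r and "\t" in r]
    if len(mixed) < min_carrier_lines:
        return False
    return printable_ratio(extract_hidden_bytes(text)) >= min_printable


# Constructed sample recipe (cover text); not taken from the original page.
COVER = [
    "Tomato soup",
    "Ingredients:",
    "- 6 ripe tomatoes",
    "- 1 onion, chopped",
    "- 2 cups vegetable stock",
    "Method:",
    "1. Soften the onion in oil.",
    "2. Add tomatoes and stock, simmer 20 min.",
    "3. Blend and season.",
]
CLEAN = "\n".join(COVER)
# Hypothetical hidden command for the demo; a real sample carries whatever
# the C2 server chose to embed.
STEGO = hide_payload(COVER, b"echo hi")

if __name__ == "__main__":
    print("clean recipe suspicious:", is_suspicious(CLEAN))
    print("stego recipe suspicious:", is_suspicious(STEGO))
    print("decoded payload:", extract_hidden_bytes(STEGO))
```

The carrier-line threshold and printable-ratio cutoff are tunable; a recipe whose lines merely end in a few stray spaces (common in copied text) never mixes tabs and spaces and so is not flagged, while a genuine carrier decodes to readable ASCII. In a sandbox, the same check can be applied to whatever the app fetches from its recipe server before the content reaches the interpreter.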
For users, longstanding habits like avoiding piracy and hashing files remain essential, but they must evolve. Common sense, while advisable, falters against LLM-polished threats indistinguishable from legitimate sites.
As trojans integrate deeper into everyday tools, adapting detection to these evolutions, by applying decades-old behavioral techniques in modern contexts, becomes critical for cybersecurity resilience.
Indicators of Compromise (IOC)
| Name | Type | Value |
|---|---|---|
| JustAskJacky | SHA-256 Hash | 8ecd3c8c126be7128bf654456d171284f03e4f212c27e1b33f875b8907a7bc65 |
| TamperedChef | SHA-256 Hash | 1619bcad3785be31ac2fdee0ab91392d08d9392032246e42673c3cb8964d4cb7 |
| Images Searcher | URL | images-searcher.com |
| Recipe Lister | URL | recipelister.com |
| JustAskJacky | URL | justaskjacky.com |
| Pix Seek | URL | pix-seek.com |