
Microsoft, its friends, and international law enforcement, with an AI assist, disrupted two widely used pieces of malware and their infrastructure, in what Redmond describes as a novel approach to cybercrime disruption that targets the cyberattack supply chain instead of a single tool or service.

"What's new is how we're combining AI analysis with an expanded use of that law," Steven Masada, assistant general counsel for Microsoft's Digital Crimes Unit, said in a Wednesday blog, referring to the Racketeer Influenced and Corrupt Organizations Act (RICO). Typically, Microsoft uses RICO and other US laws to take legal action against a single cybercrime service or infrastructure.

The disruption involved the takedown, suspension, and blocking of more than 200 domains and command-and-control (C2) servers that formed the backbone of the StealC and Amadey infrastructure. Multiple security companies, including ESET, BitSight, Mitsui Bussan Secure Directions (MBSD), IBM X-Force, and Proofpoint, also played a role in dismantling the alleged operations. Combined with the earlier SocGholish disruption announced last week, a Europol-led law enforcement coalition flagged and restricted cryptocurrency assets valued at more than $47 million and recovered about 27 million stolen credentials.

StealC and Amadey are two separate malware families developed by different criminal crews, but they used the same infrastructure and were operating in concert. StealC collects browser credentials and cookies, cryptocurrency wallets, chats from messaging apps, and other sensitive data, and exfiltrates the stolen goods to a C2 server. It also works as a secondary loader, allowing criminals who rent the stealer to download additional malware onto compromised devices. Amadey is a malware-as-a-service offering used to deliver StealC and other stealers, plus other types of malware including remote access trojans, cryptominers, and ransomware.
In just the first two weeks of May, Amadey and StealC were linked to more than 140,000 infected computers globally, according to Microsoft.

"It's no longer enough to go after threats one by one," said Masada. "We need to interrupt how the attacks are put together."

In this case, Redmond's investigators used Copilot and other AI tools to analyze both malware families and their infrastructure, "asking questions in plain English instead of manually combing through complex code," Masada wrote. "That helped surface key details, uncover hidden data, and test findings in a fraction of the time, turning what would have taken hours or days into minutes and enabling the team to spot connections faster."

One of these key details: both Amadey and StealC used the same infrastructure. This allowed Redmond's legal team to treat both malware families as part of a single conspiracy under RICO and bring civil claims against five defendants allegedly involved across both operations.

"Defendants comprise a group of cybercriminals operating a Malware as a Service enterprise that leverages malicious software commonly known as the Amadey Malware Suite and StealC Malware Suite (the 'MaaS Enterprise')," the court documents say. "Through the MaaS Enterprise, Defendants and their accomplices have victimized hundreds of thousands of innocent computer users, including many users of Microsoft's software and services."