DeepLocker - Concealing Targeted Attacks with AI Locksmithing

Conference: BlackHat USA 2018



The presentation discusses the use of AI in cyber attacks and the development of a proof-of-concept malware called DeepLocker that uses AI to evade detection.
  • AI is becoming more accessible and is being used by cybercriminals to create new forms of attacks
  • AI can be embedded in malware to make it more stealthy and evade detection
  • DeepLocker is a proof-of-concept malware that uses AI to create key makers that are hard to detect
  • The malware can tap into video conferencing applications to unlock and execute only for specific targets
  • There is some computational cost to running the neural network on the target, but it can be reduced by checking for faces at specific intervals
The DeepLocker malware can tap into a video conferencing application and use the camera stream to sample pictures and unlock the malware for specific targets without the user realizing it. This makes it very stealthy and hard to detect.


In this talk, we describe DeepLocker, a novel class of highly targeted and evasive attacks powered by artificial intelligence (AI). As cybercriminals increasingly weaponize AI, cyber defenders must understand the mechanisms and implications of the malicious use of AI in order to stay ahead of these threats and deploy appropriate defenses.

DeepLocker was developed as a proof of concept by IBM Research in order to understand how several AI and malware techniques already being seen in the wild could be combined to create a highly evasive new breed of malware, which conceals its malicious intent until it reaches a specific victim. It achieves this by using a Deep Neural Network (DNN) AI model to hide its attack payload in benign carrier applications, while the payload will be unlocked if, and only if, the intended target is reached. DeepLocker leverages several attributes for target identification, including visual, audio, geolocation, and system-level features. In contrast to existing evasive and targeted malware, this method would make it extremely challenging to reverse engineer the benign carrier software and recover the mission-critical secrets, including the attack payload and the specifics of the target.

We will perform a live demonstration of a proof-of-concept implementation of DeepLocker malware, in which we camouflage well-known ransomware in a benign application such that it remains undetected by malware analysis tools, including anti-virus engines and malware sandboxes. We will discuss technical details, implications, and use cases of DeepLocker. More importantly, we will share countermeasures that could help defend against this type of attack in the wild.