This new PowerShell malware looks like it was written by AI
Attackers seem to offer proof hackers are using generative AI
Proofpoint claims to have uncovered evidence of how hackers might use generative AI to create malicious code quickly and efficiently.
The company's researchers published a new report on TA547, a financially motivated threat actor that usually operates as an initial access broker (IAB), grabbing login credentials from victims, and then selling them on the dark web to the highest bidder.
This group recently started targeting German organizations with an email phishing campaign delivering the Rhadamanthys malware. In the campaign, they impersonated the German retail company Metro, and sent messages related to invoices. The emails would carry a password-protected ZIP file which, if executed, triggered PowerShell to run a remote PowerShell script.
"Typical output"
This script decoded the Rhadamanthys malware stored in a variable, and loaded it directly into memory. It was also this script that the researchers believe could have been written by generative AI.
Apparently, the PowerShell script included a pound sign followed by grammatically correct and hyper specific comments above each component of the script, which is a “typical output of LLM-generated coding content”.
This doesn’t change anything when it comes to defenses, the researchers further explained. The mechanisms against these threats remain the same.
TA547 has been active for a few years now, usually delivering the NetSupport RAT. However, the group was also observed dropping StealC and Lumma Stealer. They mostly target firms in Germany, Austria, and Switzerland, with Spain, and the U.S., being notable mentions.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Ever since their inception, security researchers warned about generative AI tools and their place in every hacker’s tech stack. To tackle the idea, the tools’ developers placed roadblocks, preventing the creation of malicious content. However crooks have so far been successful in working around these solutions.
More from TechRadar Pro
- The evolution of cybersecurity in the age of generative AI
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.