Malicious PowerShell script used to deliver malware appears to have been written with AI


A threat actor is using a PowerShell script that was likely created with the help of an artificial intelligence system such as OpenAI’s ChatGPT, Google’s Gemini, or Microsoft’s CoPilot.

The adversary used the script in an email campaign in March that targeted tens of organizations in Germany to deliver the Rhadamanthys information stealer.

Suspected AI-written PowerShell script deploys an infostealer

Researchers at cybersecurity company Proofpoint attributed the attack to a threat actor tracked as TA547, believed to be an Initial Access Broker (IAB).

TA547, also known as Scully Spider, has been active since at least 2017, delivering a variety of malware for Windows (ZLoader/Terdot, Gootkit, Ursnif, Corebot, Panda Banker, Atmos) and Android (Mazar Bot, Red Alert) systems.

Recently, the threat actor started using the Rhadamanthys modular stealer that continuously expands its data collection capabilities (clipboard, browser, cookies, etc.).

The information stealer has been distributed to several cybercrime groups since September 2022 under a malware-as-a-service (MaaS) model.

According to Proofpoint researchers, TA547 impersonated the German brand Metro Cash & Carry in a recent email campaign, using invoice-themed lures against “dozens of organizations in various German industries.”

TA547 phishing email impersonates Metro Cash & Carry.
Source: Proofpoint

The messages contained a zip archive protected with the password ‘MAR26’, which held a malicious shortcut file (.LNK). Opening the shortcut triggered PowerShell to run a remote script.

“This PowerShell script decodes a base64-encoded Rhadamanthys executable file by storing it in a variable and loading it into memory as an assembly and then executing the assembly’s entry point” – Proofpoint

The researchers explained that this way malicious code can be executed in memory without ever touching the disk.

Analyzing the PowerShell script that loaded Rhadamanthys, the researchers noticed that it included a pound/hash sign (#) followed by specific comments for each component, which is unusual in human-written code.
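As an added example that is not part of the original article or of Proofpoint's research, the following Python heuristic scans PowerShell script text (for example, the contents of a script block log) for the in-memory loading chain described above (base64 decode into a variable, loading the bytes as an assembly, invoking its entry point) and measures the per-line comment density the researchers found unusual. The sample script, the indicator names and the density threshold are constructed for illustration; the comment-density figure is only a weak secondary signal, while the loader chain itself is what warrants review.

```python
import re

# Constructed sample modelled on the loader pattern described above; it is NOT the
# real TA547 script, and the base64 string is a harmless placeholder, not an executable.
SAMPLE_SCRIPT = """\
# Store the base64-encoded payload in a variable
$encoded = "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"
# Decode the base64 string into a byte array
$bytes = [System.Convert]::FromBase64String($encoded)
# Load the byte array into memory as an assembly
$assembly = [System.Reflection.Assembly]::Load($bytes)
# Execute the entry point of the loaded assembly
$assembly.EntryPoint.Invoke($null, $null)
"""

# Each step of the fileless load chain, matched case-insensitively (PowerShell is case-insensitive).
INDICATORS = {
    "base64_decode": re.compile(r"FromBase64String", re.I),
    "reflective_load": re.compile(r"\[(System\.)?Reflection\.Assembly\]::Load\b", re.I),
    "entrypoint_invoke": re.compile(r"\.EntryPoint\.Invoke\s*\(", re.I),
}


def find_indicators(script: str) -> dict:
    """Return which chain steps appear anywhere in the script text."""
    return {name: bool(rx.search(script)) for name, rx in INDICATORS.items()}


def comment_ratio(script: str) -> float:
    """Fraction of non-blank lines that are '#' comments."""
    lines = [line for line in script.splitlines() if line.strip()]
    if not lines:
        return 0.0
    comments = sum(1 for line in lines if line.lstrip().startswith("#"))
    return comments / len(lines)


def assess(script: str, min_ratio: float = 0.4) -> dict:
    """Combine the chain indicators with the comment-density note into one verdict."""
    hits = find_indicators(script)
    ratio = comment_ratio(script)
    chain_present = all(hits.values())  # all three steps present -> in-memory loader
    return {
        "indicators": hits,
        "comment_ratio": round(ratio, 2),
        "fileless_loader": chain_present,
        "verbose_comments": ratio >= min_ratio,  # secondary signal only
        "needs_review": chain_present,
    }
```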

Suspected AI-Generated PowerShell Script Used in TA547 Attack
Source: Proofpoint

Researchers say these features are typical of code originating from generative AI solutions like ChatGPT, Gemini, or CoPilot.

While they cannot be absolutely certain that the PowerShell code came from a large language model (LLM), the researchers say the script’s content suggests the possibility that TA547 used generative AI to write or rewrite the PowerShell script.

Bleeping Computer used ChatGPT-4 to create a similar PowerShell script, and the output code resembled the one Proofpoint found, including the variable names and comments, further supporting the theory that AI was used to create the script.

Sample PowerShell script created with ChatGPT
Source: Bleeping Computer

Another theory is that the threat actor copied the script from a source that relied on generative AI for coding.

AI for malicious activities

Since OpenAI released ChatGPT in late 2022, financially motivated threat actors have leveraged generative AI to create custom or localized phishing emails, to run network scans that identify vulnerabilities on hosts or networks, and to build highly convincing phishing pages.

Some nation-state actors, including those from China, Iran, and Russia, have also turned to generative AI to improve productivity, using it to research targets and cybersecurity tools, to find methods for establishing persistence and evading detection, and for scripting support.

In mid-February, OpenAI announced that it had blocked accounts linked to the state-sponsored hacking groups Charcoal Typhoon and Salmon Typhoon (China), Crimson Storm (Iran), Emerald Sleet (North Korea), and Forest Blizzard (Russia), which had been using ChatGPT for malicious purposes.

As most large language models try to restrict output that could be used for malware or other malicious activity, threat actors have launched their own AI chat platforms aimed at cybercriminals.
