- Cybercriminals posing as legitimate German companies are launching attacks on organizations in the country.
- These attacks incorporate AI-generated code, including a dropper alongside other malware.
- The malware payload, Rhadamanthys, is executed through a PowerShell script distributed via email.
- Proofpoint suggests that the AI-generated code originates from large language models like ChatGPT or Gemini.
- Despite AI involvement, the functionality of the malware remains unchanged, aiding in its detection by network defenders.
- The threat actor, identified as TA547, is financially motivated and targets various geographic regions.
- TA547 has previously distributed payloads like NetSupport RAT and occasionally StealC and Lumma Stealer.
- Recent tactics involve shifting from zipped JavaScript attachments to compressed LNK files for initial delivery.
- Geographic targeting extends to organizations in Spain, Switzerland, Austria, and the US.
Main AI News:
In a recent discovery by cybersecurity firm Proofpoint, it has been revealed that cybercriminals posing as legitimate German entities are launching sophisticated attacks on organizations within the country. The attackers have taken their methods a step further this time by integrating an AI-generated dropper alongside other malware.
Proofpoint’s research indicates that numerous organizations spanning diverse sectors in Germany have been targeted with emails containing fraudulent invoices concealed within password-protected ZIP files. These emails, purportedly from known German companies, instruct recipients to utilize a provided password (in this instance, “MAR26”) to access the malicious content within the ZIP file.
Upon extraction, the archive reveals an LNK file, which, upon execution, initiates a PowerShell script. This script functions as a dropper, decoding and executing Rhadamanthys, an information-stealing malware utilized by various cybercriminal factions.
This incident marks a significant development as it represents one of the initial instances of AI-generated code being employed in cyberattacks. According to the report, the PowerShell script utilized by the threat actor bears indications of being generated by large language models (LLMs) like ChatGPT, Gemini, or CoPilot.
Evidently, the PowerShell script, when deciphered into human-readable form, showcases meticulously detailed and grammatically accurate comments accompanying each segment of the code—an uncommon trait in malicious scripts crafted by human hands. This level of commentary aligns closely with patterns observed in content generated by LLMs.
Despite the utilization of AI-generated content, the functionality and effectiveness of the deployed malware remained unchanged, thereby exerting no discernible impact on the ability of network defenders to identify and counter malicious activities.
Proofpoint characterizes the threat actor, identified as TA547, as a financially driven cybercriminal group operating as an initial access broker (IAB), specializing in targeting entities across various geographic regions.
Since 2023, TA547 has predominantly distributed the NetSupport RAT; however, occasional dissemination of alternate payloads such as StealC and Lumma Stealer has been observed. The group’s tactics have evolved over time, transitioning from zipped JavaScript attachments to compressed LNK files as the preferred initial delivery mechanism by early March 2024. Geographic targeting extends beyond Germany, encompassing entities in Spain, Switzerland, Austria, and the United States, signaling a broader operational scope for the threat actor.
Conclusion:
The integration of AI-generated code in cyber attacks represents a concerning trend, indicating the evolving sophistication of cybercriminal tactics. While this poses challenges for cybersecurity professionals, it also underscores the need for continuous innovation and adaptation in defensive measures to mitigate emerging threats effectively. Additionally, the broad geographic targeting by threat actors like TA547 emphasizes the global nature of cyber threats and the imperative for organizations worldwide to fortify their cybersecurity posture.
