Hackers deploy AI-written malware in targeted attacks

In an email campaign targeting French users, researchers discovered malicious code believed to have been created with the help of generative artificial intelligence services to deliver the AsyncRAT malware.

While cybercriminals have used generative AI technology to create convincing emails, government agencies have warned about the potential abuse of AI tools to creating malicious software, despite the safeguards and restrictions that vendors implemented.

Suspected cases AI-created malware have been spotted in real attacks. Earlier this year, cybersecurity company Proofpoint discovered a malicious PowerShell script that was likely created using an AI system.

As less technical malicious actors are increasingly relying on AI to develop malware, HP security researchers found a malicious campaign in early June that used code commented in the same way a generative AI system would create.

The campaign employed HTML smuggling to deliver a password-protected ZIP archive that the researchers brute-forcing to unlock.

 HP Wolf Security reports that cybercriminals with lower technical skills are increasingly using generative AI to develop malware, with one example provided in the ‘Threat Insights’ report for Q2 2024.

In early June, HP discovered a phishing campaign targeting French users, employing HTML smuggling to deliver a password-protected ZIP archive that contained a VBScript and JavaScript code.

After brute-forcing the password, the researchers analyzed the code and found "that the attacker had neatly commented the entire code," something that rarely happens with human-developed code, because threat actors want to hide how the malware works.

“These comments describe exactly what the code does, much in the same way that generative AI services can create exemplar code with explanations” - HP Wolf Security report

The VBScript established persistence on the infected machine, creating scheduled tasks and writing new keys in the Windows Registry.

The researchers note that some of the indicators pointing to AI-generated malicious code include the structure of the scripts, the comments that explain each line, choosing the native language for function names and variables.

In later stages, the attack downlaods and executes AsyncRAT, an open-source and freely available malware that can log keystrokes on the victim machine and provide an encrypted connection to it for remote monitoring and control. The malware can also deliver additional payloads.

The HP Wolf Security report also highlights that, based on its visibility, archives represent the most popular delivery method in the first half of the year.

Generative AI can help lower-level threat actors write malware in minutes and customize it for attacks targeting various regions and platforms (Linux, macOS).

Even if they are not using AI to build fully functional malware, hackers are relying on this technology to speed up their work when creating more advanced threats.