Increasing Incidence of AI-Driven Threats

Threat actors utilizing Large Language Model (LLM) AIs to generate code used in malware campaigns.

Symantec has observed an increase in attacks that appear to leverage Large Language Models (LLMs) to generate malicious code used to download various payloads. 

LLMs are a form of generative AI designed to understand and generate human-like text. They have a wide range of applications, from assisting in writing to automating customer service. However, like many powerful technologies, LLMs can also be abused. 

Recent malware campaigns observed by Symantec involved phishing emails containing code used to download various payloads, including Rhadamanthys, NetSupport, CleanUpLoader (Broomstick, Oyster), ModiLoader (DBatLoader), LokiBot, and Dunihi (H-Worm). Analysis of the scripts used to deliver malware in these attacks suggests they were generated using LLMs.

LLM Attack Chain Examples

The following example details a campaign targeting a wide range of sectors. The attacks involve phishing emails with attached .zip archives containing malicious .lnk files, which, once executed, trigger LLM-generated PowerShell scripts that lead to the deployment of malware. 

The emails purport to relate to an urgent financing issue and contain a password-protected ZIP file, the password for which is also included in the email. 

The ZIP file contains an LNK file that, when executed, runs a PowerShell script (Figure 2) likely generated using an LLM. Functions and variables are nicely formatted with leading single-line comments that use highly accurate grammar to explain their usage. 

The script can easily be produced automatically using an LLM. We were able to produce similar results during our research using ChatGPT and a series of simple prompts (Figure 3).

Final payloads deployed in this campaign included the Rhadamanthys information-stealing malware and the CleanUpLoader backdoor (aka Broomstick, Oyster). 

LLM assist with phishing and payload delivery

The following example details the use of LLM-generated code to facilitate the phishing stage and the payload delivery stage of an attack. The following describes the attack chain events.

1. Initial access: User receives a human-crafted phishing email with an attachment, mimicking an HR notification.

2. Execution of LLM-generated script: Opening the malicious attachment executes an HTML file with embedded JavaScript that is highly likely generated by an LLM. This script is designed to download and execute additional payloads, although the webpage displayed in this case is fairly simple and the HTML behind it is small and quick to load.

Analysis of the HTML file, which facilitates a crucial link of the attack chain, reveals the characteristic features of an LLM-generated file (Figure 6).

The file itself can easily be produced automatically using an LLM, with little human effort required.

3. Final payload download: By the time the user sees the page shown in Figure 5, the next stage payload – a loader for the Dunihi (H-Worm) malware – would have already been downloaded if the user has not configured their browser to ask for download permission first.

Symantec also observed campaigns delivering the ModiLoader (DBatLoader) malware loader, the LokiBot information-stealing Trojan, and NetSupport remote access Trojan. The use of LLMs to generate HTML code used in these campaigns is also suspected. 

Conclusion

The potential for AI to revolutionize our world is undeniable; however, it is also revolutionizing cybercrime. AI tools such as LLMs lower the barrier to entry for many threat actors, while increasing the level of sophistication for others. 

As we have shown, AI-powered tools have given threat actors not only the ability to quickly craft convincing and targeted phishing emails, but also to generate malicious code that would normally require considerable expertise, time, and resources. 

It is worth highlighting that AI is only going to get better. While the benefits for society are sure to be great, malicious actors will also benefit, using it to launch more sophisticated and effective attacks faster and at a larger scale. 

Symantec is at the forefront of cybersecurity, offering robust protection against the never-ending wave of new threats, including those recently observed, highly likely generated by LLMs. Our security solutions are equipped with advanced detection capabilities that block AI-based LLM-generated threats, with our threat hunting experts continuously monitoring the threat landscape, harvesting emerging threats, conducting detailed analysis, updating our automation models, and ensuring our customers are always protected.

Indicators of Compromise

If an IOC is malicious and the file is available to us, Symantec Endpoint products will detect and block that file.

“`html

• MITRE ATT&CK TTPs – created by AI
• Technique Name: Phishing ID: T1566
  • Phishing emails are crafted to appear legitimate, often mimicking important notifications (e.g., HR notifications).
• Technique Name: PowerShell ID: T1059.001
  • Execution of LLM-generated PowerShell scripts triggered by user interaction with malicious attachments.
• Technique Name: User Execution ID: T1203
  • Users are tricked into executing malicious files (e.g., .lnk files) that lead to further payload downloads.
• Technique Name: Command and Scripting Interpreter ID: T1059
  • Malicious scripts generated by LLMs are executed to facilitate the download of additional payloads.
• Technique Name: Remote Access Tools ID: T1219
  • Deployment of remote access Trojans (e.g., NetSupport) as part of the final payloads.

“`

Source: Original Post