Hackers deploy AI-written malware in targeted attacks

Summary: Researchers have identified a malicious email campaign targeting French users that utilizes generative AI to create and deliver AsyncRAT malware. This trend highlights the increasing reliance of less technical cybercriminals on AI tools to develop sophisticated malware and phishing schemes.

Threat Actor: Cybercriminals
Victim: French users

Key Points:

  • Malicious code believed to be generated by AI was used to deliver AsyncRAT malware through phishing emails.
  • Indicators of AI-generated code include well-commented scripts, structured code, and localized function names.
  • The campaign employed HTML smuggling to deliver a password-protected ZIP archive containing malicious scripts.
  • Generative AI allows lower-skilled threat actors to create and customize malware quickly for various platforms.
  • AsyncRAT enables remote monitoring, keystroke logging, and delivery of additional payloads to infected machines.

Robot Programmer

In an email campaign targeting French users, researchers discovered malicious code believed to have been created with the help of generative artificial intelligence services to deliver the AsyncRAT malware.

While cybercriminals have used generative AI technology to create convincing emails, government agencies have warned about the potential abuse of AI tools to create malicious software, despite the safeguards and restrictions that vendors have implemented.

Suspected cases of AI-created malware have been spotted in real attacks. Earlier this year, cybersecurity company Proofpoint discovered a malicious PowerShell script that was likely created using an AI system.

As less technical malicious actors increasingly rely on AI to develop malware, HP security researchers found a malicious campaign in early June that used code commented in the same way a generative AI system would produce it.

The campaign employed HTML smuggling to deliver a password-protected ZIP archive, whose password the researchers brute-forced to unlock it.

HP Wolf Security reports that cybercriminals with lower technical skills are increasingly using generative AI to develop malware, with one example provided in the ‘Threat Insights’ report for Q2 2024.

In early June, HP discovered a phishing campaign targeting French users, employing HTML smuggling to deliver a password-protected ZIP archive that contained a VBScript and JavaScript code.

[Figure: AES encryption implementation in JavaScript. Source: HP]

After brute-forcing the password, the researchers analyzed the code and found “that the attacker had neatly commented the entire code,” something that rarely happens with human-developed code, because threat actors want to hide how the malware works.

“These comments describe exactly what the code does, much in the same way that generative AI services can create exemplar code with explanations” – HP Wolf Security report

The VBScript established persistence on the infected machine, creating scheduled tasks and writing new keys in the Windows Registry.

The researchers note that some of the indicators pointing to AI-generated malicious code include the structure of the scripts, the comments that explain each line, and the use of the attackers' native language for function and variable names.

[Figure: Comments in the VBScript code. Source: HP]

In later stages, the attack downloads and executes AsyncRAT, an open-source and freely available malware that can log keystrokes on the victim machine and provide an encrypted connection to it for remote monitoring and control. The malware can also deliver additional payloads.

[Figure: Complete infection chain. Source: HP]

The HP Wolf Security report also highlights that, based on its visibility, archives represent the most popular delivery method in the first half of the year.

Generative AI can help lower-level threat actors write malware in minutes and customize it for attacks targeting various regions and platforms (Linux, macOS).

Even if they are not using AI to build fully functional malware, hackers are relying on this technology to speed up their work when creating more advanced threats.

Source: https://www.bleepingcomputer.com/news/security/hackers-deploy-ai-written-malware-in-targeted-attacks