Thursday, December 5, 2024
HomeArtificial IntelligenceThreat Actots Leveraging ChatGPT To Craft Sophisticated Attacks

Threat Actots Leveraging ChatGPT To Craft Sophisticated Attacks

Published on

SIEM as a Service

Adversaries are employing Large Language Models to generate malicious code, delivered via phishing emails, for downloading diverse payloads, including Rhadamanthys, NetSupport, CleanUpLoader, ModiLoader, LokiBot, and Dunihi. 

It indicates a concerning trend of threat actors leveraging AI to automate malware creation and distribution, posing significant challenges for cybersecurity defenses. 

A broad-spectrum cyberattack campaign leverages phishing emails containing password-protected ZIP archives, which host malicious LNK files that, when executed, download LLM-generated PowerShell scripts. 

- Advertisement - SIEM as a Service
Phishing email with an attached password-protected ZIP file

These scripts facilitate malware deployment across various sectors, exploiting urgency-based social engineering tactics and concealing malware within seemingly legitimate documents.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

A ZIP file containing an LNK file was found to execute a PowerShell script likely generated by an LLM, as evidenced by its well-formatted code and descriptive comments.

Research using ChatGPT replicated this, demonstrating the ease of automatic script generation. 

The campaign’s final payloads included the information-stealing Rhadamanthys malware and the CleanUpLoader backdoor, indicating a sophisticated threat actor leveraging AI to automate malicious activity. 

LLM-generated PowerShell script

An attacker initiates a cyberattack by sending a deceptive phishing email disguised as an HR notification.

The email contains a malicious attachment designed to lure the recipient into opening it, which marks the initial access phase of the attack, providing a potential foothold for further malicious activities. 

The attacker may use various social engineering tactics, such as creating a sense of urgency or impersonating the recipient, to increase the likelihood of the recipient engaging with the email.

Phishing email mimicking HR notification

Opening a malicious attachment triggers the execution of an LLM-generated HTML file containing embedded JavaScript, which acts as an initial infection vector, designed to fetch and execute additional malicious payloads. 

Despite displaying a deceptively simple webpage, the underlying HTML code exhibits distinct LLM-generated characteristics, indicating automated creation with minimal human intervention, highlighting the potential for LLMs to significantly facilitate the rapid and large-scale production of malicious content. 

LLM-generated HTML file

They leverage LLMs to generate HTML code for phishing campaigns that silently download the Dunihi (H-Worm) malware loader.

Users unknowingly expose their systems to this threat without explicit browser download permissions. 

The campaign’s versatility is evident in its ability to deliver multiple payloads, including ModiLoader, LokiBot, and NetSupport RAT, underscoring cybercriminals’ evolving tactics. 

AI is rapidly democratizing cybercrime, empowering adversaries with tools to craft sophisticated phishing attacks and generate malicious code previously requiring advanced expertise. 

According to Symantec, the threat landscape will evolve as AI capabilities mature, featuring more potent, scalable, and evasive attacks, necessitating robust countermeasures to mitigate risks. 

Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo

Latest articles

One Identity Named Winner of the Coveted Top InfoSec Innovator Awards for 2024

One Identity named Hot Company: Privileged Access Management (PAM) in 12th Cyber Defense Magazine’s...

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...

HackSynth : Autonomous Pentesting Framework For Simulating Cyberattacks

HackSynth is an autonomous penetration testing agent that leverages Large Language Models (LLMs) to...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Deloitte Hacked – Brain Cipher Group Claim to Have Stolen 1 TB of Data

Brain Cipher has claimed to have breached Deloitte UK and exfiltrated over 1 terabyte...

Cloudflare Developer Domains Abused For Cyber Attacks

Cloudflare Pages, a popular web deployment platform, is exploited by threat actors to host...

New TLDs Such as .shop, .top and .xyz Leveraged by Phishers

Phishing attacks have surged nearly 40% in the year ending August 2024, with a...