Threat Actots Leveraging ChatGPT To Craft Sophisticated Attacks

Adversaries are employing Large Language Models to generate malicious code, delivered via phishing emails, for downloading diverse payloads, including Rhadamanthys, NetSupport, CleanUpLoader, ModiLoader, LokiBot, and Dunihi. 

It indicates a concerning trend of threat actors leveraging AI to automate malware creation and distribution, posing significant challenges for cybersecurity defenses. 

A broad-spectrum cyberattack campaign leverages phishing emails containing password-protected ZIP archives, which host malicious LNK files that, when executed, download LLM-generated PowerShell scripts. 

- Advertisement -

These scripts facilitate malware deployment across various sectors, exploiting urgency-based social engineering tactics and concealing malware within seemingly legitimate documents.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

A ZIP file containing an LNK file was found to execute a PowerShell script likely generated by an LLM, as evidenced by its well-formatted code and descriptive comments.

Research using ChatGPT replicated this, demonstrating the ease of automatic script generation. 

The campaign’s final payloads included the information-stealing Rhadamanthys malware and the CleanUpLoader backdoor, indicating a sophisticated threat actor leveraging AI to automate malicious activity. 

An attacker initiates a cyberattack by sending a deceptive phishing email disguised as an HR notification.

The email contains a malicious attachment designed to lure the recipient into opening it, which marks the initial access phase of the attack, providing a potential foothold for further malicious activities. 

The attacker may use various social engineering tactics, such as creating a sense of urgency or impersonating the recipient, to increase the likelihood of the recipient engaging with the email.

Opening a malicious attachment triggers the execution of an LLM-generated HTML file containing embedded JavaScript, which acts as an initial infection vector, designed to fetch and execute additional malicious payloads. 

Despite displaying a deceptively simple webpage, the underlying HTML code exhibits distinct LLM-generated characteristics, indicating automated creation with minimal human intervention, highlighting the potential for LLMs to significantly facilitate the rapid and large-scale production of malicious content. 

They leverage LLMs to generate HTML code for phishing campaigns that silently download the Dunihi (H-Worm) malware loader.

Users unknowingly expose their systems to this threat without explicit browser download permissions. 

The campaign’s versatility is evident in its ability to deliver multiple payloads, including ModiLoader, LokiBot, and NetSupport RAT, underscoring cybercriminals’ evolving tactics. 

AI is rapidly democratizing cybercrime, empowering adversaries with tools to craft sophisticated phishing attacks and generate malicious code previously requiring advanced expertise. 

According to Symantec, the threat landscape will evolve as AI capabilities mature, featuring more potent, scalable, and evasive attacks, necessitating robust countermeasures to mitigate risks. 

Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo