Sunday, September 8, 2024
HomeArtificial IntelligenceThreat Actots Leveraging ChatGPT To Craft Sophisticated Attacks

Threat Actots Leveraging ChatGPT To Craft Sophisticated Attacks

Published on

Adversaries are employing Large Language Models to generate malicious code, delivered via phishing emails, for downloading diverse payloads, including Rhadamanthys, NetSupport, CleanUpLoader, ModiLoader, LokiBot, and Dunihi. 

It indicates a concerning trend of threat actors leveraging AI to automate malware creation and distribution, posing significant challenges for cybersecurity defenses. 

A broad-spectrum cyberattack campaign leverages phishing emails containing password-protected ZIP archives, which host malicious LNK files that, when executed, download LLM-generated PowerShell scripts. 

- Advertisement - EHA
Phishing email with an attached password-protected ZIP file

These scripts facilitate malware deployment across various sectors, exploiting urgency-based social engineering tactics and concealing malware within seemingly legitimate documents.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

A ZIP file containing an LNK file was found to execute a PowerShell script likely generated by an LLM, as evidenced by its well-formatted code and descriptive comments.

Research using ChatGPT replicated this, demonstrating the ease of automatic script generation. 

The campaign’s final payloads included the information-stealing Rhadamanthys malware and the CleanUpLoader backdoor, indicating a sophisticated threat actor leveraging AI to automate malicious activity. 

LLM-generated PowerShell script

An attacker initiates a cyberattack by sending a deceptive phishing email disguised as an HR notification.

The email contains a malicious attachment designed to lure the recipient into opening it, which marks the initial access phase of the attack, providing a potential foothold for further malicious activities. 

The attacker may use various social engineering tactics, such as creating a sense of urgency or impersonating the recipient, to increase the likelihood of the recipient engaging with the email.

Phishing email mimicking HR notification

Opening a malicious attachment triggers the execution of an LLM-generated HTML file containing embedded JavaScript, which acts as an initial infection vector, designed to fetch and execute additional malicious payloads. 

Despite displaying a deceptively simple webpage, the underlying HTML code exhibits distinct LLM-generated characteristics, indicating automated creation with minimal human intervention, highlighting the potential for LLMs to significantly facilitate the rapid and large-scale production of malicious content. 

LLM-generated HTML file

They leverage LLMs to generate HTML code for phishing campaigns that silently download the Dunihi (H-Worm) malware loader.

Users unknowingly expose their systems to this threat without explicit browser download permissions. 

The campaign’s versatility is evident in its ability to deliver multiple payloads, including ModiLoader, LokiBot, and NetSupport RAT, underscoring cybercriminals’ evolving tactics. 

AI is rapidly democratizing cybercrime, empowering adversaries with tools to craft sophisticated phishing attacks and generate malicious code previously requiring advanced expertise. 

According to Symantec, the threat landscape will evolve as AI capabilities mature, featuring more potent, scalable, and evasive attacks, necessitating robust countermeasures to mitigate risks. 

Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo

Latest articles

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...

NoiseAttack is a Novel Backdoor That Uses Power Spectral Density For Evasion

NoiseAttack is a new method of secretly attacking deep learning models. It uses triggers...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Warning: New Emansrepo Malware Uses HTML Files to Target Windows Users

Emansrepo, a Python infostealer, is distributed via phishing emails containing fake purchase orders and...

ToddyCat APT Abuses SMB, Exploits IKEEXT A Exchange RCE To Deploy ICMP Backdoor

ToddyCat is an APT group that has been active since December 2020, and primarily...

Halliburton Confirms that Hackers Stolen Data in Cyber Attack

Halliburton Company has confirmed that a cyber attack led to unauthorized access and data...