Threat Actots Leveraging ChatGPT To Craft Sophisticated Attacks

Adversaries are employing Large Language Models to generate malicious code, delivered via phishing emails, for downloading diverse payloads, including Rhadamanthys, NetSupport, CleanUpLoader, ModiLoader, LokiBot, and Dunihi. 

It indicates a concerning trend of threat actors leveraging AI to automate malware creation and distribution, posing significant challenges for cybersecurity defenses. 

A broad-spectrum cyberattack campaign leverages phishing emails containing password-protected ZIP archives, which host malicious LNK files that, when executed, download LLM-generated PowerShell scripts. 

Phishing email with an attached password-protected ZIP file

These scripts facilitate malware deployment across various sectors, exploiting urgency-based social engineering tactics and concealing malware within seemingly legitimate documents.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

A ZIP file containing an LNK file was found to execute a PowerShell script likely generated by an LLM, as evidenced by its well-formatted code and descriptive comments.

Research using ChatGPT replicated this, demonstrating the ease of automatic script generation. 

The campaign’s final payloads included the information-stealing Rhadamanthys malware and the CleanUpLoader backdoor, indicating a sophisticated threat actor leveraging AI to automate malicious activity. 

LLM-generated PowerShell script

An attacker initiates a cyberattack by sending a deceptive phishing email disguised as an HR notification.

The email contains a malicious attachment designed to lure the recipient into opening it, which marks the initial access phase of the attack, providing a potential foothold for further malicious activities. 

The attacker may use various social engineering tactics, such as creating a sense of urgency or impersonating the recipient, to increase the likelihood of the recipient engaging with the email.

Phishing email mimicking HR notification

Opening a malicious attachment triggers the execution of an LLM-generated HTML file containing embedded JavaScript, which acts as an initial infection vector, designed to fetch and execute additional malicious payloads. 

Despite displaying a deceptively simple webpage, the underlying HTML code exhibits distinct LLM-generated characteristics, indicating automated creation with minimal human intervention, highlighting the potential for LLMs to significantly facilitate the rapid and large-scale production of malicious content. 

LLM-generated HTML file

They leverage LLMs to generate HTML code for phishing campaigns that silently download the Dunihi (H-Worm) malware loader.

Users unknowingly expose their systems to this threat without explicit browser download permissions. 

The campaign’s versatility is evident in its ability to deliver multiple payloads, including ModiLoader, LokiBot, and NetSupport RAT, underscoring cybercriminals’ evolving tactics. 

AI is rapidly democratizing cybercrime, empowering adversaries with tools to craft sophisticated phishing attacks and generate malicious code previously requiring advanced expertise. 

According to Symantec, the threat landscape will evolve as AI capabilities mature, featuring more potent, scalable, and evasive attacks, necessitating robust countermeasures to mitigate risks. 

Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo

Aman Mishra

Recent Posts

Meta Removed 2 Million Account Linked to Malicious Activities

 Meta has announced the removal of over 2 million accounts connected to malicious activities, including…

2 hours ago

Veritas Enterprise Vault Vulnerabilities Lets Attackers Execute Arbitrary Code Remotely

Critical security vulnerability has been identified in Veritas Enterprise Vault, a widely-used archiving and content…

3 hours ago

7-Zip RCE Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been disclosed in the popular file archiving tool 7-Zip, allowing…

3 hours ago

Massive Credit Card Leak, Database of 1,221,551 Cards Circulating on Dark Web

A massive data breach has sent shockwaves across the globe, as a database containing sensitive…

5 hours ago

Nearest Neighbor Attacks: Russian APT Hack The Target By Exploiting Nearby Wi-Fi Networks

Recent research has revealed that a Russian advanced persistent threat (APT) group, tracked as "GruesomeLarch"…

2 days ago

240+ Domains Used By PhaaS Platform ONNX Seized by Microsoft

Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by Egypt-based…

3 days ago