This new PowerShell malware looks like it was written by AI


Proofpoint claims to have uncovered evidence of how hackers might use generative AI to create malicious code quickly and efficiently.

The company's researchers published a new report on TA547, a financially motivated threat actor that usually operates as an initial access broker (IAB), grabbing login credentials from victims, and then selling them on the dark web to the highest bidder.

This group recently started targeting German organizations with an email phishing campaign delivering the Rhadamanthys malware. In the campaign, they impersonated the German retail company Metro and sent messages related to invoices. The emails carried a password-protected ZIP file whose contents, once executed, launched PowerShell to run a remote PowerShell script.

"Typical output"

This script decoded the Rhadamanthys malware stored in a variable and loaded it directly into memory. It is also this script that the researchers believe could have been written by generative AI.

Apparently, the PowerShell script included a pound sign followed by grammatically correct, hyper-specific comments above each component of the script, which the researchers describe as a “typical output of LLM-generated coding content”.

This doesn’t change anything when it comes to defenses, the researchers further explained. The mechanisms against these threats remain the same.
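Because the defensive picture is unchanged, the script is still caught by looking at what it does rather than who wrote it. The following is an added example, not Proofpoint's code and not the TA547 script: a small static triage routine for PowerShell script text that flags the two behaviours described above (a payload decoded from a variable and loaded straight into memory) and, only as a weak corroborating signal, the "full sentence comment above every step" style. The indicator regexes and the two sample scripts are assumptions constructed for the example; the "encoded" value is a placeholder string, not a real payload.

```python
import re

# Behavioural indicators (constructed patterns, not Proofpoint's detection logic):
# a base64 decode whose input is a variable, and an in-memory load/eval call.
BASE64_DECODE = re.compile(r"FromBase64String\s*\(\s*\$\w+\s*\)", re.IGNORECASE)
IN_MEMORY_LOAD = re.compile(
    r"(\[System\.)?Reflection\.Assembly\]\s*::\s*Load\b|\bInvoke-Expression\b|\biex\b",
    re.IGNORECASE,
)
# Single-line '#' comments only; '<# ... #>' block comments are not handled here.
COMMENT = re.compile(r"^\s*#(?!#)(.*)$")


def looks_like_prose(comment: str) -> bool:
    """True for a comment that reads like a full English sentence: several
    words, capitalised start, terminal punctuation. Hand-written admin
    comments tend to be shorter and terser ('# rotate logs')."""
    text = comment.strip()
    words = text.split()
    return len(words) >= 5 and text[0].isupper() and text.endswith((".", "!", "?"))


def triage(script: str) -> dict:
    """Score a PowerShell script body. Behavioural hits decide the verdict;
    comment style is reported but never drives the verdict on its own."""
    code_lines = 0
    commented_code_lines = 0  # code lines directly preceded by a comment
    prose_commented_lines = 0  # ... where that comment reads like a sentence
    prev_was_comment = False
    prev_comment_prose = False
    for line in script.splitlines():
        m = COMMENT.match(line)
        if m:
            prev_was_comment = True
            prev_comment_prose = looks_like_prose(m.group(1))
            continue
        if not line.strip():
            continue  # blank lines keep the "previous comment" state
        code_lines += 1
        if prev_was_comment:
            commented_code_lines += 1
            if prev_comment_prose:
                prose_commented_lines += 1
        prev_was_comment = False
        prev_comment_prose = False

    density = commented_code_lines / code_lines if code_lines else 0.0
    prose_ratio = prose_commented_lines / code_lines if code_lines else 0.0
    decode = bool(BASE64_DECODE.search(script))
    load = bool(IN_MEMORY_LOAD.search(script))
    per_step_prose = code_lines >= 2 and density >= 0.8 and prose_ratio >= 0.8

    if decode and load:
        verdict = "behavioural match"
    elif per_step_prose:
        verdict = "style only"
    else:
        verdict = "no match"
    return {
        "decode_from_variable": decode,
        "in_memory_load": load,
        "per_step_prose_comments": per_step_prose,
        "comment_density": round(density, 2),
        "score": sum([decode, load, per_step_prose]),
        "verdict": verdict,
    }


# Constructed sample modelled on the behaviour the article describes: a blob in
# a variable, decoded and loaded in memory, a sentence-style comment per step.
# The payload is a placeholder string; this is not a working loader.
SAMPLE_SCRIPT = """\
# This variable holds the base64-encoded payload that will be decoded later.
$encoded = "PLACEHOLDER_BASE64_BLOB_NOT_REAL"
# Decode the base64 string into a raw byte array for in-memory use.
$bytes = [System.Convert]::FromBase64String($encoded)
# Load the decoded bytes directly into memory without writing to disk.
[System.Reflection.Assembly]::Load($bytes) | Out-Null
"""

# Constructed benign admin script for comparison: terse comment, no decode/load.
BENIGN_SCRIPT = """\
# rotate logs
Get-ChildItem -Path C:\\Logs -Filter *.log | Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-30) } | Remove-Item
Write-Host "done"
"""

if __name__ == "__main__":
    for name, body in (("sample", SAMPLE_SCRIPT), ("benign", BENIGN_SCRIPT)):
        print(name, triage(body))
```

The split between behavioural and stylistic indicators is deliberate: a well-commented script is not evidence of anything by itself, and an attacker can strip comments in seconds, so the verdict rests on the decode-and-load pattern, which is exactly the part the article says existing defenses already cover.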

TA547 has been active for a few years now, usually delivering the NetSupport RAT. However, the group has also been observed dropping StealC and Lumma Stealer. They mostly target firms in Germany, Austria, and Switzerland, with Spain and the U.S. as notable mentions.

Ever since generative AI tools first appeared, security researchers have warned about their place in every hacker’s tech stack. To tackle the problem, the tools’ developers placed roadblocks preventing the creation of malicious content. However, crooks have so far been successful in working around these safeguards.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.