This new PowerShell malware looks like it was written by AI

Ever since ChatGPT was first introduced to the world, we have been hearing warnings about how hackers might use it to create malicious code quickly and efficiently. Now, courtesy of researchers at cybersecurity firm Proofpoint, we have something close to real-life proof (pun definitely intended).

Earlier this week, the researchers published a new report on TA547, a financially motivated threat actor that usually operates as an initial access broker (IAB): it steals login credentials from victims and then sells the resulting access on the dark web to the highest bidder.

This group recently started targeting German organizations with an email phishing campaign delivering the Rhadamanthys information stealer. The messages impersonated the German retail company Metro and referred to invoices. Each email carried a password-protected ZIP file containing a Windows shortcut (LNK) file; opening the shortcut launched PowerShell, which fetched and ran a remote PowerShell script.

“Typical output”

That script decoded the Rhadamanthys executable, which was stored Base64-encoded in a variable, and loaded it directly into memory as an assembly before calling its entry point. It is also this script that the researchers believe could have been written by generative AI: the PowerShell code included a pound sign followed by grammatically correct and hyper-specific comments above each component of the script, which the report calls a “typical output of LLM-generated coding content”.

This doesn’t change anything when it comes to defenses, the researchers added. Whether a human or an LLM wrote the loader, it still has to decode a payload and load it into memory on the endpoint, so the same detections and controls apply.
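To make that last point concrete, here is an added example that is not code from the article or from Proofpoint's report: a small detector for the decode-and-load-in-memory chain described above, run over constructed PowerShell script-block text of the kind Windows records in the Microsoft-Windows-PowerShell/Operational log (event 4104). The sample loader is a harmless stand-in written for this example: its "payload" is dummy bytes rather than Rhadamanthys, it is never executed, and the indicator names and the alert threshold are assumptions for the demonstration, not values from the report.

```python
"""
Added example, not code from the article or from Proofpoint's report: a small
detector for the decode-and-load-in-memory pattern the article describes,
run over constructed PowerShell script-block text of the kind Windows records
in Microsoft-Windows-PowerShell/Operational event 4104. The sample loader is
a harmless stand-in written for this example: its "payload" is dummy bytes,
not Rhadamanthys, and it is never executed here.
"""
import base64
import re

# Indicators of the chain: Base64 literal -> decode -> Assembly.Load -> EntryPoint.
# Matching is case-insensitive because PowerShell is.
INDICATORS = {
    "base64_decode": r"FromBase64String\s*\(",
    "reflective_load": r"\[\s*(System\.)?Reflection\.Assembly\s*\]\s*::\s*Load\s*\(",
    "entrypoint_invoke": r"\.EntryPoint\s*\.\s*Invoke\s*\(",
    "large_b64_literal": r"""['"][A-Za-z0-9+/]{200,}={0,2}['"]""",
}

LINE_COMMENT_RE = re.compile(r"#.*$", re.MULTILINE)


def strip_comments(script: str) -> str:
    """Drop single-line '#' comments.

    Naive on purpose: it does not handle <# ... #> block comments or a '#'
    inside a string literal, which is enough for this demonstration."""
    return LINE_COMMENT_RE.sub("", script)


def score_script_block(script: str) -> dict:
    """Return which indicators fire and how many, ignoring comment text.

    Comments are stripped first so that neither polished LLM-style comments
    nor their absence changes the result: only the code is scored."""
    code = strip_comments(script)
    hits = {name: re.search(pat, code, re.IGNORECASE) is not None
            for name, pat in INDICATORS.items()}
    return {"hits": hits, "score": sum(hits.values())}


def is_inmemory_loader(script: str, threshold: int = 2) -> bool:
    """Flag a script block when at least `threshold` indicators fire
    (the threshold is an assumption for this example, not a published value)."""
    return score_script_block(script)["score"] >= threshold


def comment_ratio(script: str) -> float:
    """Fraction of non-empty lines that are '#' comments. Informational only;
    it is not used for detection because the author can change it at will."""
    lines = [ln.strip() for ln in script.splitlines() if ln.strip()]
    if not lines:
        return 0.0
    return sum(ln.startswith("#") for ln in lines) / len(lines)


# Constructed stand-in for the loader the article describes (NOT the real
# TA547 script). The comments imitate the "grammatically correct and
# hyper-specific" style the researchers flagged; the payload is 180 zero bytes.
DUMMY_PAYLOAD_B64 = base64.b64encode(b"\x00" * 180).decode()

COMMENTED_LOADER = f"""
# Store the Base64-encoded executable in a variable for later decoding
$encoded = "{DUMMY_PAYLOAD_B64}"
# Decode the Base64 string into a raw byte array
$bytes = [System.Convert]::FromBase64String($encoded)
# Load the byte array as a .NET assembly directly into memory
$asm = [System.Reflection.Assembly]::Load($bytes)
# Invoke the entry point of the loaded assembly
$asm.EntryPoint.Invoke($null, $null)
"""

# The same loader with every comment removed, as a human-written or
# lightly obfuscated variant might look.
UNCOMMENTED_LOADER = strip_comments(COMMENTED_LOADER)

# A constructed benign admin script block, for contrast.
BENIGN_BLOCK = """
# Collect free disk space for the nightly report
Get-PSDrive -PSProvider FileSystem | Select-Object Name, Free
"""

if __name__ == "__main__":
    for label, block in [("commented", COMMENTED_LOADER),
                         ("uncommented", UNCOMMENTED_LOADER),
                         ("benign", BENIGN_BLOCK)]:
        result = score_script_block(block)
        print(f"{label:12s} score={result['score']} loader={is_inmemory_loader(block)} "
              f"comment_ratio={comment_ratio(block):.2f}")
```

The commented and uncommented loaders produce identical indicator hits, while the benign block produces none; that is the practical content of "the mechanisms against these threats remain the same". In production the same indicators would be applied to script-block logging output rather than to embedded strings, and a suspicious block would be correlated with the parent process (here, a shortcut launching PowerShell) before alerting.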

TA547 has been active for a few years and usually delivers the NetSupport RAT, although the group has also been observed dropping the StealC and Lumma stealers. It mostly targets firms in Germany, Austria, and Switzerland, with Spain and the U.S. also appearing on its target list.

Ever since generative AI tools appeared, security researchers have warned about the place they might take in every hacker’s tech stack. To counter that, the tools’ developers put guardrails in place to prevent the generation of malicious content, but criminals have so far found ways around them.

Sead Fadilpašić
