AI in the Service of Evil: Hackers attack Germany with ChatGPT

Father

How ChatGPT helped malware bypass security.

In March 2024, cybercriminals attacked dozens of organizations in Germany using a PowerShell script allegedly created with the help of AI. The campaign distributes the Rhadamanthys infostealer.

Proofpoint attributed the campaign to the TA547 (Scully Spider) group. The group is an Initial Access Broker (IAB) and has been active since 2017, distributing various types of malware for Windows and Android systems under the MaaS model.

Recently, TA547 has started using Rhadamanthys, a modular infostealer whose data collection capabilities (clipboard, browser data, cookies) are constantly being expanded. During the discovered campaign, TA547 impersonated the well-known German brand Metro, using invoices sent by email as bait.


TA547 phishing email posing as Metro Cash & Carry

Rhadamanthys was distributed via password-protected ZIP archives that contained a malicious LNK shortcut. The shortcut triggered the execution of a PowerShell script, which in turn decoded and ran the Base64-encoded Rhadamanthys payload. The researchers explain that this method allows the malicious code to be executed in memory without writing anything to disk.
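A defender-side check for the infection chain just described (LNK launching PowerShell, which runs a Base64-encoded payload in memory), added here as an example and not code from the article or from Proofpoint: it scores PowerShell command lines as collected from process-creation logs, decoding any -EncodedCommand blob and scanning the decoded text as well. The sample command lines, the inner payload string and the score threshold are constructed for this example.

```python
import base64
import re

# Heuristics for PowerShell command lines taken from process-creation events
# (e.g. Sysmon Event ID 1 or Security 4688). PowerShell accepts abbreviated
# switches case-insensitively, so the patterns do too.
SUSPICIOUS_SWITCHES = re.compile(
    r"-(?:nop|noprofile|noni|noninteractive|ep\s+bypass|executionpolicy\s+bypass"
    r"|w\s+hidden|windowstyle\s+hidden)\b",
    re.IGNORECASE,
)
# Markers of a Base64-decoded payload being run in memory rather than from disk.
IN_MEMORY_MARKERS = re.compile(
    r"FromBase64String|Invoke-Expression|\bIEX\b|MemoryStream"
    r"|Reflection\.Assembly\]::Load|Invoke-Command",
    re.IGNORECASE,
)
ENCODED_COMMAND = re.compile(
    r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE
)


def decode_encoded_command(cmdline: str):
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent/invalid."""
    match = ENCODED_COMMAND.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(cmdline: str) -> dict:
    """Score one command line; a decoded -EncodedCommand payload is scanned too."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    switches = sorted({m.lower() for m in SUSPICIOUS_SWITCHES.findall(text)})
    markers = sorted(set(IN_MEMORY_MARKERS.findall(text)))
    score = len(switches) + 2 * len(markers) + (2 if decoded else 0)
    return {"decoded": decoded, "switches": switches, "markers": markers,
            "score": score, "suspicious": score >= 3}  # threshold is constructed


# Constructed sample lines (not from the campaign): a benign admin command,
# an encoded in-memory loader stub, and a plain IEX/FromBase64String chain.
INNER_PAYLOAD = "$b=[Convert]::FromBase64String($p);IEX([Text.Encoding]::UTF8.GetString($b))"
ENCODED_PAYLOAD = base64.b64encode(INNER_PAYLOAD.encode("utf-16-le")).decode("ascii")
SAMPLE_COMMAND_LINES = [
    'powershell.exe -NoProfile -Command "Get-ChildItem C:\\Users"',
    "powershell.exe -nop -w hidden -ep bypass -EncodedCommand " + ENCODED_PAYLOAD,
    'powershell.exe -c "IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($p)))"',
]

if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(analyze(line))
```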

It is noteworthy that the PowerShell script shows characteristics typical of code generated by AI (ChatGPT, Gemini, or Copilot). Comments written with perfect grammar, as well as the specific structure and naming of variables, point to the possible use of generative AI to create or modify the script.


The code contains comments for each component, which is rare in human-made code

Proofpoint stressed that AI-generated code is characterized by high-quality comments, which is not typical of "human" code. Experiments have shown that the output of ChatGPT-type systems resembles the analyzed script, which further supports the theory that AI was used.