
Cybercrime Group Uses Likely AI Script to Load Info Stealer

Proofpoint Spots Novel Threat Against German Organizations
A cybercrime group apparently used a large language model to write a script that led to the downloading of an info stealer. (Image: Shutterstock)

A financially motivated threat group targeting German businesses used a script apparently coded by artificial intelligence to download an info stealer onto victim computers, said Proofpoint.


The U.S. cybersecurity company said Wednesday it spotted the cybercrime group it tracks as TA547 deploying a PowerShell script with some unusual characteristics. The script, used to load the Rhadamanthys info stealer, contains "grammatically correct and hyper specific comments above each component of the script," Proofpoint said.

It's a best practice for coders to add comments in code, but the comments' redundant and chatty style is "typical output of LLM-generated coding content," Proofpoint said.
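As an added defender-side illustration that is not part of the Proofpoint report or this article, the Python below scores a PowerShell script on the trait described above: whether almost every statement sits under its own sentence-length comment. The two sample scripts, the function names and the thresholds are constructed assumptions; the result is a triage signal for analysts, not evidence of authorship.

```python
import re
# Constructed, benign sample: every statement carries a full-sentence comment
# above it, the style the article attributes to the TA547 loader script.
CHATTY = r"""
# Define the path to the text file that will be read.
$path = "C:\temp\notes.txt"
# Read the contents of the file into a variable for later use.
$data = Get-Content -Path $path
# Count the number of lines in the file.
$count = $data.Count
# Print the line count to the console so the user can see it.
Write-Output $count
"""
# Constructed sample: the same actions written without running commentary.
TERSE = r"""
$path = "C:\temp\notes.txt"
$data = Get-Content -Path $path
$count = $data.Count
Write-Output $count  # debug
"""

def comment_profile(script: str) -> dict:
    """Comment-density features for a PowerShell script: '#' line comments and
    '<# ... #>' blocks count; a trailing inline comment stays a code line."""
    code = comments = led_by_comment = comment_words = 0
    in_block = prev_was_comment = False
    for raw in script.splitlines():
        line = raw.strip()
        if not line:
            continue
        starts_block = line.startswith("<#")
        is_comment = in_block or starts_block or line.startswith("#")
        if in_block or starts_block:
            in_block = "#>" not in line  # block continues unless closed here
        if is_comment:
            comments += 1
            comment_words += len(re.findall(r"[A-Za-z']+", line))
        else:
            code += 1
            led_by_comment += 1 if prev_was_comment else 0
        prev_was_comment = is_comment
    return {"code_lines": code, "comment_lines": comments,
            "led_by_comment_ratio": led_by_comment / code if code else 0.0,
            "avg_comment_words": comment_words / comments if comments else 0.0}

def looks_llm_annotated(script: str, min_led: float = 0.8, min_words: int = 6) -> bool:
    """Triage signal only; thresholds are assumptions, not measured values."""
    p = comment_profile(script)
    return (p["code_lines"] >= 3 and p["led_by_comment_ratio"] >= min_led
            and p["avg_comment_words"] >= min_words)
```

A high score should route a script to an analyst alongside the usual behavioural indicators (what it downloads, what it loads into memory), not replace them.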

Coders for years now have looked to artificial intelligence to automate tasks, and more than 9 in 10 programmers use AI, according to a 2023 survey of American programmers. But the practice isn't without its risks (see: Hackers Can Use AI Hallucinations to Spread Malware).

The widespread availability of large language models has nonetheless supercharged worries that bad actors will turn to LLMs to boost their prowess. In this case, Proofpoint says, the threat actor used the apparently AI-generated script to deliver a malware payload but not to alter or design the info stealer itself. "Regardless of whether it is human or machine-generated, the defense against such threats remains the same," Proofpoint said.

The bait used by TA547 to spread malware purportedly originated with German cash-and-carry retailer Metro and supposedly pertains to an invoice. Bait that appears more realistic is, of course, another oft-voiced fear about criminal use of LLMs, although whether the threat actor used artificial intelligence to clean up its German grammar is unknowable.

Proofpoint first spotted TA547 in November 2017 distributing a banking Trojan. The researchers said the group is an initial access broker.

Once a victim takes the bait by opening a compressed file containing a Windows shortcut file - and executing the file - a chain of PowerShell scripts ultimately ends with Rhadamanthys loaded into computer memory.

Previously, the threat actor used zipped JavaScript attachments to deliver malware but transitioned to compressed LNKs in early March. In addition to Germany, recent campaigns have targeted organizations in Spain, Switzerland, Austria and the United States.


About the Author

Prajeet Nair


Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.
