Latest attack by TA547 showed signs of large language model involvement in the creation of a PowerShell script used to deploy malware.

A recent attack that targeted organizations in Germany deployed a new information-stealer program called Rhadamanthys, distributed with the help of a PowerShell script likely created by a large language model (LLM) such as ChatGPT, Gemini or Copilot, according to a report from security firm Proofpoint.

Researchers have long warned that the widespread availability of powerful LLMs will lower the entry bar for attacks by allowing cybercriminals to write more credible phishing lures in languages they don’t speak, or to produce malicious code without being proficient programmers. Even attackers skilled enough to write code themselves might use AI assistants to speed up the task. Such is the case with the latest attack from a group tracked as TA547, which acts as an initial access broker for other cybercriminals, selling access to compromised systems.

“While it is difficult to confirm whether malicious content is created via LLMs — from malware scripts to social engineering lures — there are characteristics of such content that point to machine-generated rather than human-generated information,” researchers from Proofpoint said in their analysis of the recent attack.

Change in TA547 threat actor’s tactics was observed

TA547 has been active since 2017 and has used many different trojan programs and information stealers over the years. In 2023, the group’s malicious email campaigns often distributed JavaScript files that deployed NetSupport RAT and occasionally StealC and Lumma Stealer. In this new campaign, the researchers observed a shift in tactics: instead of malicious JavaScript files inside ZIP archives, the attackers switched to LNK files, the format Windows uses for application shortcuts. A shortcut stores a target path and command-line arguments, so an LNK file can point at the PowerShell interpreter, which ships with every Windows installation, and hand it arbitrary arguments. That makes shortcuts a convenient payload delivery mechanism.

The latest email campaign detected by Proofpoint used an invoice-themed lure written in German and crafted to appear as if sent by Metro, a large German retailer. Dozens of organizations across various industries in Germany were targeted. The rogue emails carried a password-protected ZIP archive, with the password supplied in the message body. Inside was an LNK file that invoked PowerShell to fetch and execute a remotely hosted script.

Tactic evaded file-based detection engines of endpoint security

This second-stage script carried the Rhadamanthys infostealer executable as a Base64-encoded string stored in a variable. It decoded that string, loaded the resulting bytes directly into memory and executed them, never writing the executable to disk. This fileless technique is commonly used to evade the file-based detection engines of endpoint security products. Because its purpose is to place a malware payload on the system, a PowerShell script of this kind is referred to as a malware loader. As mentioned, TA547 previously preferred JavaScript-based loaders. This is also the first time the group has been seen using Rhadamanthys, which is not surprising given that the infostealer is gaining popularity in the cybercriminal underground.

Contents of script point to evidence of LLM involvement

“The PowerShell script included a pound sign followed by grammatically correct and hyper-specific comments above each component of the script,” the Proofpoint researchers said. “This is a typical output of LLM-generated coding content and suggests TA547 used some type of LLM-enabled tool to write (or rewrite) the PowerShell or copied the script from another source that had used it.”

While attackers can use LLMs to better understand the attack chains of their competitors and improve or even craft their own, the use of LLMs does not necessarily make detection harder. If anything, it could make detection easier if the telltale signs of AI-generated code are added to detection signatures. Ultimately, a known malware payload was loaded onto the system, and effective endpoint security products should be able to catch it, the researchers said.
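Two of the points above, the Base64-in-a-variable loader that runs its payload in memory and the comment style Proofpoint flags as an LLM signal, translate directly into triage checks a responder can run over a recovered script. The Python below is an added example written for this page; it is not Proofpoint's tooling and not code from the TA547 campaign. The suspect script, its dummy Base64 blob (a bare MZ header followed by zeros, not an executable), the benign comparison script, the indicator names and the six-word threshold are all constructed here for illustration.

```python
"""Triage heuristics for a PowerShell in-memory loader (added example, not the page's code).

Everything below is constructed: the two sample scripts, the dummy "payload" (an MZ
header plus zeros, not a real executable), the indicator names and the thresholds.
Treat the regexes as a starting point, not as published signatures.
"""
from __future__ import annotations

import base64
import re
from dataclasses import dataclass

# Constructed payload: 64 bytes starting with the DOS "MZ" magic so the PE check
# below fires. It is not a runnable binary.
SAMPLE_PAYLOAD_B64 = base64.b64encode(b"MZ" + b"\x00" * 62).decode("ascii")

# Constructed suspect script: a capitalised, hyper-specific sentence above every
# statement (the pattern the article describes), plus decode-and-load-in-memory.
SUSPECT_SCRIPT = f"""
# Store the Base64-encoded executable in a variable so it can be decoded in memory
$EncodedPayload = "{SAMPLE_PAYLOAD_B64}"
# Decode the Base64 string into a byte array that represents the executable
$PayloadBytes = [System.Convert]::FromBase64String($EncodedPayload)
# Load the decoded bytes directly into memory using reflection to avoid touching disk
$LoadedAssembly = [System.Reflection.Assembly]::Load($PayloadBytes)
# Invoke the entry point of the loaded executable
$LoadedAssembly.EntryPoint.Invoke($null, $null)
"""

# Constructed benign admin script for contrast: terse comment, no in-memory loading.
BENIGN_SCRIPT = """
# cleanup
Get-ChildItem -Path $env:TEMP -Filter *.log | Remove-Item -Force
Write-Output "temp logs removed"
"""

# Assumed indicators for the fileless-loader stage (extend for your environment).
INMEMORY_INDICATORS = {
    "base64_decode": re.compile(r"FromBase64String", re.IGNORECASE),
    "reflective_load": re.compile(r"Reflection\.Assembly\]::Load\b", re.IGNORECASE),
    "entrypoint_invoke": re.compile(r"EntryPoint\.Invoke", re.IGNORECASE),
}
# A double-quoted literal of 40+ Base64 characters is long enough to hold a PE header.
BASE64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{40,}={0,2})"')


def split_lines(script: str) -> list[str]:
    """Non-empty lines with surrounding whitespace removed."""
    return [ln.strip() for ln in script.strip().splitlines() if ln.strip()]


def sentence_comments(script: str, min_words: int = 6) -> list[str]:
    """Comment lines that read like full sentences: capitalised and at least min_words long."""
    found = []
    for ln in split_lines(script):
        if ln.startswith("#"):
            body = ln.lstrip("#").strip()
            if len(body.split()) >= min_words and body[:1].isupper():
                found.append(body)
    return found


def comment_coverage(script: str) -> float:
    """Fraction of code lines immediately preceded by a comment line."""
    lines = split_lines(script)
    code = [i for i, ln in enumerate(lines) if not ln.startswith("#")]
    if not code:
        return 0.0
    covered = sum(1 for i in code if i > 0 and lines[i - 1].startswith("#"))
    return covered / len(code)


def inmemory_indicators(script: str) -> set[str]:
    """Names of loader indicators present anywhere in the script text."""
    return {name for name, rx in INMEMORY_INDICATORS.items() if rx.search(script)}


def embedded_pe_blobs(script: str) -> list[int]:
    """Decode long Base64 literals; return the sizes of those that start with 'MZ'."""
    sizes = []
    for blob in BASE64_LITERAL.findall(script):
        try:
            data = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if data[:2] == b"MZ":
            sizes.append(len(data))
    return sizes


@dataclass
class Verdict:
    indicators: set[str]
    pe_blob_sizes: list[int]
    comment_coverage: float
    sentence_comments: list[str]
    flagged: bool


def triage(script: str) -> Verdict:
    """Flag on loader behaviour; comment metrics only raise priority, since humans comment too."""
    ind = inmemory_indicators(script)
    blobs = embedded_pe_blobs(script)
    flagged = ("base64_decode" in ind and "reflective_load" in ind) or bool(blobs)
    return Verdict(ind, blobs, comment_coverage(script), sentence_comments(script), flagged)


if __name__ == "__main__":
    for name, text in (("suspect", SUSPECT_SCRIPT), ("benign", BENIGN_SCRIPT)):
        print(name, triage(text))
```

The verdict keys on the loader behaviour (a Base64 decode feeding a reflective load, or a decoded blob that starts with a PE header) rather than on the comment style, because full-sentence comments above every line are a weak signal on their own; the coverage and sentence-comment fields are there to rank hits, not to make the call.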