Attackers use GenAI to write malicious code

BetaNews

The latest threat insights report from HP Wolf Security has identified a new campaign using malware believed to have been written with the help of GenAI.

Analysis of the campaign, targeting French-speakers using VBScript and JavaScript, finds the structure of the scripts, comments explaining each line of code, and the choice of native language function names and variables are strong indications that the threat actor used GenAI to create the malware.

Patrick Schläpfer, principal threat researcher in the HP Security Lab, says, "Speculation about AI being used by attackers is rife, but evidence has been scarce, so this finding is significant. Typically, attackers like to obscure their intentions to avoid revealing their methods, so this behavior indicates an AI assistant was used to help write their code. Such capabilities further lower the barrier to entry for threat actors, allowing novices without coding skills to write scripts, develop infection chains, and launch more damaging attacks."

The report also finds that ChromeLoader malvertising campaigns are becoming bigger and increasingly polished, relying on popular search keywords to direct victims to well-designed websites offering functional tools like PDF readers and converters. These working applications hide malicious code in an MSI file, while valid code-signing certificates bypass Windows security policies and user warnings, increasing the chance of infection. Installing these fake applications allows attackers to take over the victim's browsers and redirect searches to attacker-controlled sites.

Another campaign highlighted by the report shows attackers hiding malware in scalable vector graphics (SVGs). Because browsers open SVGs natively, any JavaScript embedded in the file runs as soon as the image is rendered. While victims think they're simply viewing an image, they are in fact interacting with a complex file format that leads to multiple types of infostealer malware being installed.
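The defensive counterpart to the SVG technique above is to treat SVGs as documents rather than images and inspect them for script-capable content before they reach a browser. The following is an added example, not code from the HP report or from BetaNews: a small Python scanner that flags `<script>` elements, `on*` event-handler attributes, `javascript:` URLs and `<foreignObject>` elements, and falls back to a plain pattern sweep when the XML is malformed (browsers are often more forgiving than a strict parser). The two sample SVGs are constructed for the example and contain only inert placeholder script.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples (not from the HP report): a plain image, and one that
# carries the kinds of active content a browser would execute on render.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>"""

SUSPICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="void 0">
  <script type="text/javascript">/* constructed inert placeholder */</script>
  <a xlink:href="javascript:void(0)"><text x="1" y="10">open</text></a>
</svg>"""

# Patterns used only when the document does not parse as XML.
_ACTIVE_PATTERN = re.compile(r"<script\b|\bon\w+\s*=|javascript:|<foreignObject\b", re.I)


def _local(name):
    """Strip a namespace prefix: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def _regex_sweep(svg_text):
    """Fallback for malformed input: report raw pattern hits in document order."""
    return [f"pattern match: {m.group(0)}" for m in _ACTIVE_PATTERN.finditer(svg_text)]


def find_active_content(svg_text):
    """Return a list of findings describing script-capable content in an SVG.

    Checks for <script> elements, on* event-handler attributes, javascript:
    URLs in href/xlink:href, and <foreignObject> (which can embed arbitrary
    HTML). An empty list means nothing script-capable was found.
    For untrusted input in production, parse with defusedxml instead of the
    stdlib parser to avoid entity-expansion attacks.
    """
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        return _regex_sweep(svg_text)

    findings = []
    for elem in root.iter():  # document order, root first
        tag = _local(elem.tag)
        if tag == "script":
            findings.append("script element")
        elif tag == "foreignobject":
            findings.append("foreignObject element")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in href on <{tag}>")
    return findings


def is_suspicious(svg_text):
    """True if the SVG should be quarantined or rendered only as a static raster."""
    return bool(find_active_content(svg_text))


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, is_suspicious(sample), find_active_content(sample))
```

A mail gateway or upload handler can apply `is_suspicious` to attachments with an SVG extension or `image/svg+xml` MIME type and either block them or rasterize them server-side; rendering an SVG to a PNG discards scripts entirely, which is the simplest mitigation for the browser-executes-on-view behaviour described above.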

Based on analysis from the second quarter of this year, the top threat vectors were email attachments (61 percent) and downloads from browsers (18 percent); other infection vectors, such as removable storage (for example, USB thumb drives) and file shares, make up the remaining 21 percent. Archives are still the most popular malware delivery vehicle at 39 percent, 26 percent of which were ZIP files.

The full Threat Insights Report is available from the HP site.

Image credit: Lishchyshyn/depositphotos.com