Cybercriminals Tap Generative AI to Write Malware Code: Study
AI model lowers the barrier to write scripts, develop infection chains, launch damaging attacks
New research from HP Imagine has found that cyber attackers are using generative AI to help write malicious code, making it quicker and easier for attackers to infect endpoints.
Cybercriminals are already using generative AI to create convincing phishing lures, but there had been limited evidence of threat actors using the tool to write code, according to HP’s threat research team.
However, during research for the company’s quarterly Threat Insights Report, researchers identified a campaign targeting French-speakers using VBScript and JavaScript believed to have been written with the help of generative AI.
The malware’s structure, the comments explaining each line of code and the use of native language function names and variables found in a recent attack campaign all indicate the threat actor used a generative AI model to create the malware, it said.
The attack tries to infect users with the freely available AsyncRAT malware, an easy-to-obtain infostealer that can record a victim’s screens and keystrokes.
“Speculation about AI being used by attackers is rife, but evidence has been scarce, so this finding is significant,” said Patrick Schläpfer, principal threat researcher in the HP security lab.
“Typically, attackers like to obscure their intentions to avoid revealing their methods, so this behavior indicates an AI assistant was used to help write their code.”
Such capabilities further lower the barrier to entry for threat actors, allowing novices without coding skills to write scripts, develop infection chains and launch more damaging attacks, Schläpfer said.
Researchers examined data from millions of endpoints running HP Wolf Security, an enterprise endpoint security application.
They found that ChromeLoader campaigns that use malvertising to direct victims to well-designed websites offering fake tools like PDF converters are getting bigger and more polished.
These fake applications, installed and delivered as MSI files, cause malicious code to run on endpoints. The malware loads a browser extension that enables attackers to take over the victim’s browsing session and redirect searches to attacker-controlled sites.
It also found that some cybercriminals are shifting from HTML files to vector images such as Scalable Vector Graphics (SVG) for smuggling malware.
Vector images, widely used in graphic design, commonly use the XML-based SVG format.
Because SVGs open automatically in browsers, any embedded JavaScript code is executed as the image is viewed. While victims think they’re viewing an image, they are actually interacting with a complex file format, which in the observed campaigns led to multiple types of infostealer malware being installed.
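As an added defender-side illustration (not code from HP's report or this article), the script below parses an SVG with the standard library and flags the active content the report describes: script elements, event-handler attributes and javascript:/data: URIs. Both sample documents are constructed for the example.

```python
import sys
import xml.etree.ElementTree as ET

# Two constructed samples: a plain drawing and one carrying active content.
BENIGN_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              '<circle cx="5" cy="5" r="4"/></svg>')
ACTIVE_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" '
              'xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">'
              '<script>/* constructed placeholder, no real payload */</script>'
              '<a xlink:href="javascript:void(0)"><text>open</text></a></svg>')


def _local(name: str) -> str:
    """Strip an XML namespace prefix such as {http://www.w3.org/2000/svg}."""
    return name.rsplit("}", 1)[-1].lower()


def scan_svg(svg_text: str) -> list[str]:
    """Return human-readable findings for every piece of active content in an SVG.

    Note: ET.fromstring uses expat without entity-expansion limits; for untrusted
    input at scale, defusedxml's fromstring is the safer drop-in replacement.
    """
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"parse error: {exc}"]
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag == "script":
            findings.append("script element")
        if tag == "foreignobject":
            findings.append("foreignObject element (can embed HTML)")
        for attr, value in elem.attrib.items():
            aname, v = _local(attr), value.strip().lower()
            if aname.startswith("on"):            # onload, onclick, ...
                findings.append(f"event handler {aname} on <{tag}>")
            elif aname == "href" and v.startswith("javascript:"):
                findings.append(f"javascript: URI on <{tag}>")
            elif aname == "href" and v.startswith("data:"):
                findings.append(f"data: URI on <{tag}>")
    return findings


def is_suspicious(svg_text: str) -> bool:
    """True when the SVG should be quarantined or rendered without scripting."""
    return bool(scan_svg(svg_text))


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            print(path, scan_svg(fh.read()) or "clean")
```

A mail gateway or endpoint scanner can apply the same checks to SVG attachments and to SVGs embedded in HTML, treating any finding as grounds to block or sandbox the file.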
The report identified top threat vectors as email attachments (61%), downloads from browsers (18%) and other infection vectors, such as removable storage like USB thumb drives and file shares (21%).
This article first appeared in IoT World Today's sister publication AI Business.