Study Shows Cybercriminals Using Generative AI to Generate Malware Code

Recent research conducted by HP Imagine has revealed a concerning trend in cyber attacks where threat actors are leveraging generative AI to craft malicious code efficiently and swiftly. This innovative approach allows cybercriminals to infect endpoints with greater ease. While the use of generative AI in crafting convincing phishing emails has been prevalent, HP's threat research team discovered evidence of attackers utilizing this technology to write malicious code. In a recent campaign targeting French-speaking individuals, researchers observed the usage of VBScript and JavaScript that were likely generated with the assistance of AI models.

Signs of AI involvement were evident in the structure of the malware, the explanatory comments within the code, and the incorporation of native language function names and variables. The malware was designed to distribute the AsyncRAT infostealer, a readily available tool capable of recording screens and keystrokes of victims. This development marks a significant shift as it provides concrete evidence of AI-powered assistance in the creation of malicious code, which has long been speculated but rarely proven.

Patrick Schläpfer, principal threat researcher at HP's security lab, emphasized that this discovery significantly lowers the entry barrier for threat actors, enabling even those without coding expertise to develop sophisticated attack strategies. Analysis of data from millions of endpoints running HP Wolf Security also identified an escalation of ChromeLoader campaigns, which use malvertising to lure victims to counterfeit websites offering fake software such as PDF converters. Installing these bogus applications, delivered as MSI files, triggers the execution of malicious code on the compromised endpoint.

Furthermore, the research uncovered a shift among cybercriminals from using HTML files to vector images like Scalable Vector Graphics (SVG) for malware delivery. SVG files, common in graphic design, automatically execute any embedded JavaScript code when viewed in browsers. This deceptive tactic tricks users into interacting with what appears to be an innocent image, leading to the installation of various forms of infostealer malware. The report highlights email attachments as the primary threat vector (61%), followed by downloads from browsers (18%), and other infection sources such as USB thumb drives and file shares (21%).
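The SVG delivery trick above depends on active content inside what looks like an image. The following added example (not from HP's report or the original article) shows a defensive triage check that flags SVG attachments carrying inline scripts, event-handler attributes or `javascript:` links; the sample SVG documents are constructed for this illustration.

```python
"""Flag SVG files that carry active content (inline scripts, event handlers,
javascript: links). Added example; sample inputs are constructed here."""
import xml.etree.ElementTree as ET

EVENT_PREFIX = "on"                        # onload, onclick, ... run when rendered
ACTIVE_TAGS = {"script", "foreignObject"}  # foreignObject can embed HTML and script


def _local(tag: str) -> str:
    """Strip the XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return tag.rsplit("}", 1)[-1]


def find_active_content(svg_text: str) -> list[str]:
    """Return findings for one SVG document; an empty list means nothing flagged."""
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        # Malformed XML is itself worth a second look rather than a silent pass.
        return [f"unparseable XML: {exc}"]
    for elem in root.iter():
        name = _local(elem.tag)
        if name in ACTIVE_TAGS:
            findings.append(f"<{name}> element present")
        for attr, value in elem.attrib.items():
            attr_name = _local(attr)  # handles xlink:href as well as plain href
            if attr_name.startswith(EVENT_PREFIX):
                findings.append(f"event handler {attr_name} on <{name}>")
            elif attr_name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in href on <{name}>")
    return findings


# Constructed samples: a harmless icon and a "picture" that runs script when opened.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
MALICIOUS_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">'
    '<a xlink:href="javascript:run()"><text>open</text></a>'
    '<script>// script body placeholder</script></svg>'
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG)):
        print(label, find_active_content(doc))
```

A mail gateway or EDR rule can apply the same check to SVG attachments before they reach a browser, which is where the embedded script would otherwise run.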

Overall, HP's findings underscore the evolving landscape of cyber threats, with attackers increasingly harnessing AI tools to streamline their malicious activities and launch more sophisticated attacks on unsuspecting individuals and organizations.
