In a concerning development for cybersecurity professionals, researchers at HP Wolf Security have uncovered evidence of artificial intelligence (AI) being used to create malicious code. This discovery comes from a recent analysis of attacks targeting French users, where the notorious AsyncRAT malware was distributed using what appears to be AI-generated code.
The Rise of AI in Cybercrime
Cybersecurity experts have long warned about the potential misuse of generative AI in creating convincing phishing emails, voice deepfakes, and other illicit activities. However, the use of AI in malware development marks a significant escalation in this trend. Earlier this year, Proofpoint researchers reported a similar case where a PowerShell script, likely created using a large language model (LLM), was used to spread the Rhadamanthys infostealer.
Anatomy of the AI-Generated Malware Attack
The attack campaign, identified by HP Wolf Security in early June, targeted French users through a sophisticated phishing operation. The cybercriminals employed an HTML smuggling technique, initiating the attack with phishing emails containing encrypted HTML attachments disguised as invoices.
Unusual Encryption and Decryption
What caught the researchers’ attention was the unusual embedding of an AES key within the JavaScript inside the attachment. This encryption was eventually bypassed through brute force methods, revealing a ZIP archive containing a VBScript file.
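The attachment described above is a textbook HTML-smuggling carrier: an inline script that decodes a large base64 blob, decrypts it with a key stored right beside it, and hands the result to the browser as a file download. The following Python script is an added example (not HP Wolf Security's tooling or anything from the campaign) of a static mail-gateway triage check for that shape. The sample HTML, the variable names in it and the detection thresholds are all constructed for illustration.

```python
import base64
import binascii
import re

# Constructed sample (not the campaign's attachment): an "invoice" page whose inline
# script decodes a large base64 blob with a hard-coded key and saves it as a ZIP.
SAMPLE_HTML = """<html><body><p>Facture 2024-06</p>
<script>
var cle = "0123456789abcdef0123456789abcdef";
var donnees = "%s";
var octets = decryptAes(atob(donnees), cle);
var blob = new Blob([octets], {type: "application/zip"});
var lien = document.createElement("a");
lien.href = URL.createObjectURL(blob);
lien.download = "facture.zip";
lien.click();
</script></body></html>""" % base64.b64encode(b"\x00" * 3000).decode()

# Constructed benign control: a plain invoice notice with a trivial script.
BENIGN_HTML = """<html><body><p>Your invoice is attached as PDF.</p>
<script>document.title = "Invoice";</script></body></html>"""

# Browser APIs that smuggled downloads need: decode, wrap as a file, trigger a save.
SMUGGLING_APIS = ("atob(", "new Blob(", "URL.createObjectURL(", ".download", "msSaveOrOpenBlob")
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
# A base64 run of 1000+ characters is far longer than any legitimate inline literal.
BASE64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{1000,}={0,2}")
# A string literal assigned to a variable that could be a hex or base64 encoded key.
KEY_ASSIGN_RE = re.compile(
    r"""(?:var|let|const)\s+(\w+)\s*=\s*["']([0-9a-fA-F]{32,64}|[A-Za-z0-9+/=]{22,44})["']"""
)


def _decoded_len(literal: str) -> int:
    """Byte length of a hex or base64 literal, 0 if it is neither."""
    if len(literal) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F]+", literal):
        return len(literal) // 2
    try:
        return len(base64.b64decode(literal, validate=True))
    except (ValueError, binascii.Error):
        return 0


def triage_html_attachment(html: str) -> dict:
    """Flag an HTML attachment whose scripts decode a large blob with an embedded key."""
    js = "\n".join(SCRIPT_RE.findall(html))
    apis = [api for api in SMUGGLING_APIS if api in js]
    blob_sizes = [len(m.group(0)) for m in BASE64_BLOB_RE.finditer(js)]
    keys = []
    for name, literal in KEY_ASSIGN_RE.findall(js):
        size = _decoded_len(literal)
        if size in (16, 24, 32):  # AES-128/192/256 key lengths
            keys.append((name, size * 8))
    # All three ingredients together: download plumbing, a large payload, a key to unlock it.
    suspicious = len(apis) >= 2 and bool(blob_sizes) and bool(keys)
    return {
        "smuggling_apis": apis,
        "payload_blob_chars": blob_sizes,
        "embedded_keys": keys,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    print(triage_html_attachment(SAMPLE_HTML))
    print(triage_html_attachment(BENIGN_HTML))
```

The check deliberately keys on the combination rather than any single feature: base64 blobs and `atob()` appear in plenty of legitimate pages, but a large blob, download plumbing and a key of AES length sitting in the same attachment is the shape a gateway should quarantine for sandboxing. Attackers who split or obfuscate the key will evade this regex, so it belongs next to behavioural analysis rather than in place of it.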
Telltale Signs of AI Involvement
Upon examining the VBScript, analysts noticed several indicators suggesting AI involvement:
- Meticulous commenting and structuring of the entire code
- Detailed descriptions of each code section’s purpose
- Consistent script structure
- Line-by-line comments
- Use of French language for function and variable names
These characteristics are atypical of human-written malicious code, which usually aims to obfuscate its functionality. Instead, they closely resemble the output of generative AI services when providing code examples with explanations.
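The traits listed above (dense per-line comments, a description before each procedure, French identifiers) can be measured rather than eyeballed. The script below is an added example, not the researchers' method, of a VBScript style scorer that an analyst could run during triage. Both sample scripts are constructed and benign (an invoice total calculator, once commented in the style the article describes and once in a terse style); the French word list and the thresholds are assumptions chosen for illustration.

```python
import re

# Constructed sample written the way the article describes: commented line by line,
# a description before the procedure, French names throughout.
COMMENTED_FRENCH = """' Script de calcul de facture
' Ce script additionne les lignes d'une facture

' Fonction : CalculerTotal
' Additionne les montants passes en parametre
Function CalculerTotal(montants)
    ' Initialisation du total
    total = 0
    ' Parcours de chaque montant
    For Each montant In montants
        ' Ajout du montant au total
        total = total + montant
    Next
    ' Retour du resultat
    CalculerTotal = total
End Function
"""

# Constructed control in the terse, uncommented style typical of hand-written scripts.
TERSE = """Function a1(b)
c=0:For Each d In b:c=c+d:Next:a1=c
End Function
"""

# Small assumed word list; a real deployment would use a dictionary per language.
FRENCH_TOKENS = {"calculer", "total", "montant", "montants", "facture", "fichier",
                 "chemin", "donnees", "cle", "resultat", "ligne", "somme", "requete",
                 "adresse", "dossier", "nombre", "texte"}

COMMENT_RE = re.compile(r"^\s*(?:'|Rem\b)", re.I)
PROC_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Function|Sub)\s+(\w+)", re.I)
ASSIGN_RE = re.compile(r"^\s*(?:Set\s+)?(\w+)\s*=", re.I)
FOREACH_RE = re.compile(r"\bFor\s+Each\s+(\w+)\s+In\s+(\w+)", re.I)
# Block terminators carry no logic of their own, so they are not expected to be commented.
TERMINATOR_RE = re.compile(r"^\s*(?:End\b|Next\b|Loop\b|Wend\b)", re.I)


def split_identifier(name: str) -> list:
    """Break CamelCase / snake_case into lowercase tokens."""
    spaced = re.sub(r"([a-z0-9])([A-Z])", r"\1 \2", name).replace("_", " ")
    return spaced.lower().split()


def analyze_vbscript(source: str) -> dict:
    """Score how closely a VBScript matches the commented, French-named style."""
    lines = [ln for ln in source.splitlines() if ln.strip()]
    is_comment = [bool(COMMENT_RE.match(ln)) for ln in lines]

    statements, proc_headers, identifiers = [], [], set()
    for i, ln in enumerate(lines):
        if is_comment[i] or TERMINATOR_RE.match(ln):
            continue
        statements.append(i)
        if (m := PROC_RE.match(ln)):
            proc_headers.append(i)
            identifiers.add(m.group(1))
        if (m := ASSIGN_RE.match(ln)):
            identifiers.add(m.group(1))
        if (m := FOREACH_RE.search(ln)):
            identifiers.update(m.groups())

    def ratio(num, den):
        return round(num / den, 3) if den else 0.0

    tokens = [t for name in identifiers for t in split_identifier(name)]
    metrics = {
        # Share of non-blank lines that are comments.
        "comment_ratio": ratio(sum(is_comment), len(lines)),
        # Share of statements immediately preceded by a comment (line-by-line commenting).
        "line_comment_ratio": ratio(sum(1 for i in statements if i and is_comment[i - 1]),
                                    len(statements)),
        # Share of Function/Sub headers introduced by a descriptive comment.
        "proc_header_comment_ratio": ratio(sum(1 for i in proc_headers if i and is_comment[i - 1]),
                                           len(proc_headers)),
        # Share of identifier tokens that are French words.
        "french_identifier_ratio": ratio(sum(t in FRENCH_TOKENS for t in tokens), len(tokens)),
    }
    thresholds = {"comment_ratio": 0.3, "line_comment_ratio": 0.7,
                  "proc_header_comment_ratio": 0.7, "french_identifier_ratio": 0.5}
    flags = [k for k, v in thresholds.items() if metrics[k] >= v]
    metrics.update(flags=flags, score=len(flags), ai_style_likely=len(flags) >= 3)
    return metrics


if __name__ == "__main__":
    print(analyze_vbscript(COMMENTED_FRENCH))
    print(analyze_vbscript(TERSE))
```

The score is a triage aid, not attribution: a well-documented administrative script from a French IT team will trip the same indicators, and an attacker can strip comments in seconds. Its value is in prioritising which scripts an analyst looks at first and in recording, over time, how often generator-style code turns up in a mailbox, paired with sandbox detonation for the actual verdict.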
The Threat of AsyncRAT
The ultimate payload of this attack was AsyncRAT, an open-source remote access trojan capable of keylogging, establishing encrypted connections with the victim’s machine, and downloading additional malicious payloads. Its versatility and accessibility make it a popular choice among cybercriminals.
Implications for Cybersecurity
The emergence of AI-generated malware presents significant challenges for the cybersecurity community. Generative AI could potentially enable less skilled criminals to rapidly produce sophisticated malware and adapt it for various platforms (Linux, macOS, Windows, etc.) in a matter of minutes. Even experienced cybercriminals might leverage AI to accelerate their development processes, potentially leading to more frequent and diverse attacks.
As AI continues to evolve and become more accessible, cybersecurity professionals must stay vigilant and adapt their defensive strategies. This includes developing AI-powered security solutions, enhancing threat detection capabilities, and educating users about emerging AI-driven threats. The cybersecurity landscape is changing rapidly, and staying ahead of AI-assisted cybercrime will be crucial in protecting digital assets and maintaining online safety.