{"id":5485,"date":"2024-09-26T05:30:28","date_gmt":"2024-09-26T10:30:28","guid":{"rendered":"https:\/\/www.darkreading.com\/cyber-risk\/genai-writes-malicious-code-spread-asyncrat"},"modified":"2024-09-26T05:30:28","modified_gmt":"2024-09-26T10:30:28","slug":"genai-writes-malicious-code-to-spread-asyncrat","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/09\/26\/genai-writes-malicious-code-to-spread-asyncrat\/","title":{"rendered":"GenAI Writes Malicious Code to Spread AsyncRAT"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

Threat actors have used generative artificial intelligence (GenAI) to write malicious code in the wild to spread an open source remote access Trojan (RAT). It’s one of the first observed examples of attackers weaponizing the chatbot technology for this purpose.<\/span><\/p>\n

Researchers from HP Wolf Security have found evidence of the campaign, in which the attackers used GenAI to help them write VBScript and JavaScript code that was then used to distribute the <\/span>AsyncRAT<\/a><\/span>, an easily accessible, commercial malware that can be used for controlling a victim’s computer.<\/span><\/p>\n

The researchers first noticed the behavior when investigating a suspicious email in June. It had “an unusual French email attachment” posing as an invoice, HP Wolf Security <\/span>revealed<\/a><\/span> in its “<\/span>Threat Insights Report<\/a><\/span>” (PDF) for this month. The researchers <\/span>ultimately discovered<\/a><\/span> a campaign that was using both scripting types \u2014 code that was not, as it usually is, obfuscated \u2014 to spread AsyncRAT.<\/span><\/p>\n

“The scripts’ structure, comments, and choice of function names and variables were strong clues that the threat actor used GenAI to create the malware,” according to the report.<\/span><\/p>\n

It’s widely believed that attackers already have used GenAI to help them write more convincing phishing emails, but so far there has been little evidence of the use of the technology to write malicious code, largely because <\/span>legitimate chatbot tools have guardrails <\/a><\/span>that prevent malicious use. However, security experts have known since the advent of the technology that it was <\/span>only a matter of time<\/a><\/span> before threat actors would find a way around those gates, and <\/span>malicious chatbot development<\/a><\/span> is a phenomenon on the Dark Web.<\/span><\/p>\n

Related:<\/span>Dark Reading Confidential: The CISO and the SEC<\/a><\/p>\n

The campaign demonstrates that attackers are quickly leveling up in their use of GenAI in a way that should put defenders on alert, the researchers noted. “The activity shows how GenAI is accelerating attacks and lowering the bar for cybercriminals to infect endpoints or malicious files before they even reach someone’s inbox,” according to the report.<\/span><\/p>\n

Investigating a Malicious Email Campaign<\/h2>\n

Once the researchers discovered the disguised invoice, they dug deeper to find that the attachment was simply an HTML file which, when opened in the browser, asks for a password. At first they believed the threat to be an <\/span>HTML-smuggling attack<\/a><\/span>; however, it didn’t behave the way other threats do in that the payload stored inside the HTML file was not encrypted inside an archive.<\/span><\/p>\n

Instead, the file was encrypted within the JavaScript code itself, using the Advanced Encryption Standard (AES) and implementing it without making any mistakes. This meant that for researchers to decrypt the file, they needed the correct password.<\/span><\/p>\n

Related:<\/span>MoneyGram Goes Offline After Vague Cyber Woes<\/a><\/p>\n

Eventually, the research team brute-forced the correct password to the file and found that the decrypted archive contained a VBScript file that, when run, starts an infection chain that ultimately deploys <\/span>the AsyncRAT<\/a><\/span>. “The VBScript writes various variables to the Windows Registry, which are reused later in the chain,” according to the report.<\/span><\/p>\n

Part of that infection chain is the drop of a JavaScript file into the user directory that then reads a PowerShell script from the registry and injects it into a newly started PowerShell process. The PowerShell script then makes use of the other registry variables, and runs two more executables, which start the malware payload after injecting it into a legitimate process.<\/span><\/p>\n

Unpacking GenAI-Generated Scripts<\/h2>\n

It was through a deeper analysis of both the VBScript and the JavaScript used in the infection chain that the researchers noticed that the code was not obfuscated, which seemed odd because code obfuscation is something attackers typically use to cover their tracks.<\/span><\/p>\n

“In fact, the attacker had left comments throughout the code, describing what each line does \u2014 even for simple functions,” according to the report. “Genuine code comments in malware are rare because attackers want to their make malware as difficult to understand as possible.”<\/span><\/p>\n

Related:<\/span>Managing Cyber-Risk Is No Different Than Managing Any Business Risk<\/a><\/p>\n

This behavior and the scripts’ structure, consistent comments for each function, and the choice of function names and variables, made it reasonably clear that the attacker <\/span>used GenAI<\/a><\/span> to develop the scripts, according to HP Wolf Security.<\/span><\/p>\n

Now that threat actors are starting to harness GenAI in their attack strategies, defenders also should integrate the technology into their security posture to fight fire with fire. Organizations can use GenAI to recognize patterns of threats to identify unauthorized access or malicious intent before attackers have a chance to infiltrate an environment. Indeed, the same efficiencies that GenAI create in an attack flow for malicious actors also can be leveraged by defenders to make their jobs easier, the security researchers said.<\/span><\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Threat actors have used generative artificial intelligence (GenAI) to write<\/p>\n","protected":false},"author":12,"featured_media":5486,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-5485","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/genai-writes-malicious-code-to-spread-asyncrat.png?fit=1920%2C1080&ssl=1",1920,1080,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/genai-writes-malicious-code-to-spread-asyncrat.png?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/genai-writes-malicious-code-to-spread-asyncrat.png?fit=300%2C169&ssl=1",300,169,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/genai-writes-malicious-code-to-spread-asyncrat.png?fit=640%2C360&ssl=1",640,360,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/genai-writes-malicious-code-to-spread-asyncrat.png?fit=640%2C360&ssl=1",640,360,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/genai-writes-malicious-code-to-spread-asyncrat.png?fit=1536%2C864&ssl=1",1536,864,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/genai-writes-malicious-code-to-spread-asyncrat.png?fit=1920%2C1080&ssl=1",1920,1080,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/genai-writes-malicious-code-to-spread-asyncrat.png?fit=1024%2C576&ssl=1",1024,576,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/genai-writes-malicious-code-to-spread-asyncrat.png?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/genai-writes-malicious-code-to-spread-asyncrat.png?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2024\/09\/genai-writes-malicious-code-to-spread-asyncrat.png?fit=1920%2C1080&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5485","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=5485"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/5485\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/5486"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=5485"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=5485"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=5485"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}