Suspected AI-generated PowerShell scripts used in cyberattack

Multiple organisations in Germany have become the victims of a cyberattack that used PowerShell scripts likely created by artificial intelligence (AI) systems such as ChatGPT, Google Gemini, and Microsoft CoPilot.

The attackers tricked users into running the malicious script by attaching it to an email in ZIP archive.

However, the archive contained an LNK file that, when executed, ran a remote PowerShell script that executed an advanced information stealer called Rhadamanthys.

Proofpoint, a cyber security company, identified the attacker as TA547 (Threat Actor 547) and said it was the first time they had used the Rhadamanthys information stealer.

Rhadamantys first appeared on the dark web in 2022, where it is sold to cybercriminals.

TA547 sent the emails, claiming to relate to invoices, under the guise of the German retail company Metro.

Below is a screenshot of the email.

The email sent by TA547. Proofpoint.

To create legitimacy, the ZIP file was password protected, and the email told recipients that the password was “MAR26”.

“This PowerShell script decoded the Base64-encoded Rhadamanthys executable file stored in a variable and loaded it as an assembly into memory and then executed the entry point of the assembly,” Proofpoint explained.

The attackers’ code could thus be executed in memory rather than written to disk, which helped the malware to go undetected by antivirus software.

However, what stood out about this attack was the code itself.

Proofpoint researchers noticed that the second PowerShell script contained code not conventionally used by threat actors or legitimate programmers.

“Specifically, the PowerShell script included a pound sign followed by grammatically correct and hyper-specific comments above each component of the script,” the Proofpoint researchers wrote.

The script is shown in the image below.

The PowerShell script. Proofpoint.

“This is a typical output of LLM-generated coding content and suggests TA547 used some type of LLM-enabled tool to write (or rewrite) the PowerShell or copied the script from another source that had used it.”

An LLM is a large language model, or what most know today as OpenAI’s ChatGPT, Google’s Gemini, or Microsoft’s CoPilot.

Proofpoint mentions that although LLMs can assist threat actors in better understanding and repurposing sophisticated attack chains, using an LLM does not change the malware’s functionality or efficacy.

“In this case, the potentially LLM-generated code was a script which assisted in delivering a malware payload but was not observed to alter the payload itself.”

Latest news

Partner Content

Show comments


Share this article
Suspected AI-generated PowerShell scripts used in cyberattack