{"id":532207,"date":"2024-04-11T19:17:38","date_gmt":"2024-04-11T17:17:38","guid":{"rendered":"https:\/\/mybroadband.co.za\/news\/?p=532207"},"modified":"2024-04-12T10:31:54","modified_gmt":"2024-04-12T08:31:54","slug":"suspected-ai-generated-powershell-scripts-used-in-cyberattack","status":"publish","type":"post","link":"https:\/\/mybroadband.co.za\/news\/security\/532207-suspected-ai-generated-powershell-scripts-used-in-cyberattack.html","title":{"rendered":"Suspected AI-generated PowerShell scripts used in cyberattack"},"content":{"rendered":"

Multiple organisations in Germany have become the victims of a cyberattack that used PowerShell scripts likely created by artificial intelligence (AI) systems such as ChatGPT, Google Gemini, and Microsoft CoPilot.<\/p>\n

The attackers tricked users into running the malicious script by attaching it to an email in ZIP archive.<\/p>\n

However, the archive contained an LNK file that, when executed, ran a remote PowerShell script that executed an advanced information stealer called Rhadamanthys.<\/p>\n

Proofpoint, a cyber security company, identified<\/a> <\/strong>the attacker as TA547 (Threat Actor 547) and said it was the first time they had used the Rhadamanthys information stealer.<\/p>\n

Rhadamantys first appeared<\/a><\/strong> on the dark web in 2022, where it is sold to cybercriminals.<\/p>\n

TA547 sent the emails, claiming to relate to invoices, under the guise of the German retail company Metro.<\/p>\n

Below is a screenshot of the email.<\/p>\n

\"\"

The email sent by TA547. Proofpoint.<\/p><\/div>\n

To create legitimacy, the ZIP file was password protected, and the email told recipients that the password was \u201cMAR26\u201d.<\/p>\n

\u201cThis PowerShell script decoded the Base64-encoded Rhadamanthys executable file stored in a variable and loaded it as an assembly into memory and then executed the entry point of the assembly,\u201d Proofpoint explained.<\/p>\n

The attackers\u2019 code could thus be executed in memory rather than written to disk, which helped the malware to go undetected by antivirus software.<\/p>\n

However, what stood out about this attack was the code itself.<\/p>\n

Proofpoint researchers noticed that the second PowerShell script contained code not conventionally used by threat actors or legitimate programmers.<\/p>\n

\u201cSpecifically, the PowerShell script included a pound sign followed by grammatically correct and hyper-specific comments above each component of the script,\u201d the Proofpoint researchers wrote.<\/p>\n

The script is shown in the image below.<\/p>\n

\"\"

The PowerShell script. Proofpoint.<\/p><\/div>\n

\u201cThis is a typical output of LLM-generated coding content and suggests TA547 used some type of LLM-enabled tool to write (or rewrite) the PowerShell or copied the script from another source that had used it.\u201d<\/p>\n

An LLM is a large language model, or what most know today as OpenAI\u2019s ChatGPT, Google\u2019s Gemini, or Microsoft\u2019s CoPilot.<\/p>\n

Proofpoint mentions that although LLMs can assist threat actors in better understanding and repurposing sophisticated attack chains, using an LLM does not change the malware\u2019s functionality or efficacy.<\/p>\n

\u201cIn this case, the potentially LLM-generated code was a script which assisted in delivering a malware payload but was not observed to alter the payload itself.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"

PowerShell scripts used in a cyberattack showed striking similarities to AI-generated code.<\/p>\n","protected":false},"author":341175,"featured_media":532215,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[92837,27],"tags":[35793,83065,5244,92330,85167,58906,38324,93645],"class_list":["post-532207","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ai","category-security","tag-artificial-intelligence-ai","tag-chatgpt","tag-cyber-attacks","tag-google-gemini","tag-microsoft-copilot","tag-powershell","tag-proofpoint","tag-ta547"],"_links":{"self":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/532207"}],"collection":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/users\/341175"}],"replies":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/comments?post=532207"}],"version-history":[{"count":1,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/532207\/revisions"}],"predecessor-version":[{"id":532247,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/posts\/532207\/revisions\/532247"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media\/532215"}],"wp:attachment":[{"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/media?parent=532207"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/categories?post=532207"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mybroadband.co.za\/news\/wp-json\/wp\/v2\/tags?post=532207"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}