AI-Generated Malware Used in Targeted Attacks

AI-Generated Malware Used in Targeted Attacks Against French Users

Analysts at HP Wolf Security have investigated recent attacks targeting French users and discovered that the AsyncRAT malware is being distributed using malicious code clearly created with the help of artificial intelligence (AI). Previously, cybersecurity experts had warned that cybercriminals could use generative AI to craft convincing phishing emails, voice deepfakes, and other illicit tools. Now, AI is also being used to develop malware itself.

Earlier this year, researchers from Proofpoint reported that a PowerShell script, likely generated by a large language model (LLM), was being used to spread the Rhadamanthys infostealer. A similar case was observed by HP Wolf Security specialists in early June. In this campaign, which targeted French users, hackers employed an HTML smuggling technique.

Attack Overview

The attacks began with standard phishing emails containing a lure in the form of an encrypted HTML invoice attachment. “In this case, the attackers embedded an AES key in the JavaScript within the attachment. This is uncommon and was the main reason we paid attention to this threat,” the experts explained. They added that they were able to bypass the encryption using brute force, as they knew the decrypted file should be a ZIP archive.
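As an added illustration (not HP Wolf Security's tooling and not code from the campaign), the Python script below triages an HTML attachment for the traits described above: a large base64 blob, JavaScript that decodes and drops a file, an AES library, and a hard-coded key literal in the script. It also shows the known-plaintext oracle the analysts relied on, a check that a candidate decryption parses as a ZIP archive. The sample HTML, its French identifier names, the placeholder key and the ZIP contents are constructed, and the indicator names and thresholds are assumptions. For simplicity the sample's blob is a plain base64 ZIP rather than AES ciphertext, so the oracle can be demonstrated end to end; against a real sample it would be applied to each candidate decryption instead.

```python
"""Static triage of a suspected HTML-smuggling attachment.

Added example, not HP Wolf Security's tooling. Scores an HTML file on the
traits the article describes and demonstrates the "is it a ZIP?" oracle
used to validate a candidate decryption. Thresholds are assumptions.
"""
import base64
import io
import re
import zipfile


def build_sample_zip() -> bytes:
    """Constructed ZIP standing in for the decrypted attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("facture.vbs", b"' constructed placeholder, not the real script\r\n" * 12)
    return buf.getvalue()


SAMPLE_ZIP = build_sample_zip()

# Constructed HTML attachment. The blob is the plain base64 ZIP (no AES layer)
# and the hex key is a placeholder, not a value from the campaign.
SAMPLE_HTML = f"""<html><body><p>Votre facture</p>
<script src="crypto-js.min.js"></script>
<script>
var cleChiffrement = "00112233445566778899aabbccddeeff";
var donneesChiffrees = "{base64.b64encode(SAMPLE_ZIP).decode()}";
var dechiffre = CryptoJS.AES.decrypt(donneesChiffrees, cleChiffrement);
var octets = atob(dechiffre);
var blob = new Blob([octets], {{type: "application/zip"}});
var lien = document.createElement("a");
lien.href = URL.createObjectURL(blob);
lien.download = "facture.zip";
lien.click();
</script></body></html>"""

# Indicator patterns (assumed thresholds; tune to your mail volume).
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
DROP_API = re.compile(r"atob\(|new Blob\(|msSaveOrOpenBlob|URL\.createObjectURL|\.download\s*=")
CRYPTO_API = re.compile(r"CryptoJS|\bAES\b|crypto\.subtle")
# A 128/192/256-bit key written as a quoted hex literal inside the script.
HEX_KEY_LITERAL = re.compile(r"""["']([0-9a-fA-F]{32}|[0-9a-fA-F]{48}|[0-9a-fA-F]{64})["']""")


def looks_like_zip(data: bytes) -> bool:
    """Known-plaintext oracle: does a candidate decryption parse as a ZIP?"""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.testzip() is None and len(zf.namelist()) > 0
    except zipfile.BadZipFile:
        return False


def triage_html(html: str) -> dict:
    """Return the indicators found plus a simple score and verdict."""
    blobs = BASE64_BLOB.findall(html)
    keys = HEX_KEY_LITERAL.findall(html)
    report = {
        "large_base64_blob": bool(blobs),
        "drop_to_disk_js": bool(DROP_API.search(html)),
        "crypto_library": bool(CRYPTO_API.search(html)),
        "embedded_key_literals": keys,
        "blob_is_plain_zip": False,
    }
    for blob in blobs:
        try:
            if looks_like_zip(base64.b64decode(blob, validate=True)):
                report["blob_is_plain_zip"] = True
        except ValueError:  # not valid base64 after all
            continue
    score = sum([report["large_base64_blob"], report["drop_to_disk_js"],
                 report["crypto_library"], bool(keys)])
    report["score"] = score
    report["verdict"] = "likely HTML smuggling" if score >= 3 else "inconclusive"
    return report


if __name__ == "__main__":
    for k, v in triage_html(SAMPLE_HTML).items():
        print(f"{k}: {v}")
```

The score is deliberately coarse: a single indicator such as a large base64 blob is common in legitimate mail (inline images), so the verdict only fires when several traits co-occur. The `looks_like_zip` oracle is the piece to keep for the brute-force case the analysts describe: any candidate key whose output passes it is worth a closer look.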

AES in JavaScript

The decrypted attachment contained a VBScript. Upon analysis, it was found that “the attacker had thoroughly commented and structured the entire code,” which is rare for human-written malware (as attackers usually try to obscure how their malware works). The VBScript was designed to establish persistence on the infected machine by creating scheduled tasks and new Windows registry keys.
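The persistence step described above (scheduled tasks plus new registry keys created by a script) is the most detectable part of the chain. The following Python snippet is an added example, not HP Wolf Security's detection content: it runs two simple rules over a handful of constructed, simplified endpoint events (not real Sysmon or EDR output). The article does not name the exact task or registry key, so the `Run` key, task names and file paths below are assumptions chosen to reflect the common pattern.

```python
"""Two detection rules for script-based persistence.

Added example, not from HP Wolf Security. Rule 1 flags a scheduled task
whose action is a script host or script file; rule 2 flags a new Run-key
value that launches one. The events are constructed and simplified; a
real pipeline would map EDR/Sysmon fields into this shape.
"""
import re

# Constructed events. Ids 2 and 3 model the VBScript's persistence; 4 and 5
# are benign look-alikes that the rules should not fire on.
EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\marie\AppData\Local\Temp\facture.vbs"'},
    {"id": 2, "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc minute /mo 5 /tn "MiseAJourFacture" '
                r'/tr "wscript.exe C:\Users\marie\AppData\Roaming\maj.vbs"'},
    {"id": 3, "type": "registry",
     "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MiseAJour",
     "data": r'wscript.exe "C:\Users\marie\AppData\Roaming\maj.vbs"'},
    {"id": 4, "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc daily /tn "Backup" /tr "C:\Program Files\Backup\backup.exe"'},
    {"id": 5, "type": "registry",
     "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Users\marie\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

# Script hosts and script extensions that rarely belong in persistence entries.
SCRIPT_HOST = re.compile(
    r"\b(wscript|cscript|mshta|powershell|pwsh)(\.exe)?\b|\.(vbs|vbe|js|jse|ps1|hta)\b", re.I)
# The /tr argument of schtasks, quoted or bare.
TASK_ACTION = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)


def schtask_script_action(event: dict):
    """Rule 1: schtasks.exe /create whose action is a script host or script."""
    if event["type"] != "process" or not event["image"].lower().endswith("schtasks.exe"):
        return None
    cmd = event["cmdline"]
    if not re.search(r"/create\b", cmd, re.I):
        return None
    m = TASK_ACTION.search(cmd)
    action = (m.group(1) or m.group(2)) if m else ""
    if SCRIPT_HOST.search(action):
        return f"scheduled task runs a script host: {action}"
    return None


def run_key_script(event: dict):
    """Rule 2: a Run/RunOnce value whose data launches a script host or script."""
    if event["type"] != "registry" or not RUN_KEY.search(event["path"]):
        return None
    if SCRIPT_HOST.search(event["data"]):
        return f"Run key value launches a script host: {event['data']}"
    return None


RULES = {"schtask_script_action": schtask_script_action, "run_key_script": run_key_script}


def detect_persistence(events):
    """Apply every rule to every event; return one alert per (event, rule) hit."""
    alerts = []
    for ev in events:
        for name, rule in RULES.items():
            reason = rule(ev)
            if reason:
                alerts.append({"event_id": ev["id"], "rule": name, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in detect_persistence(EVENTS):
        print(alert)
```

Both rules key on the script host rather than on a specific task or value name, which is the part an attacker can rename freely; the benign events 4 and 5 pass because their actions are ordinary executables. In production, add the event's user and parent process to the alert so the analyst can see that the task was created by a script launched from a mail attachment.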

“These comments described in detail the purpose of each part of the code. This is typical of generative AI services when they provide code examples with explanations,” the experts noted. They also pointed out that the script’s structure, the comments for each line, and the use of French for function and variable names all indicated AI involvement.

Malicious Code Written by AI

Ultimately, AsyncRAT was downloaded and executed on the victim’s system. AsyncRAT is open-source malware that can log keystrokes, establish encrypted connections with the victim’s machine, and download additional payloads.

The researchers concluded that generative AI can help low-skilled criminals write malware in just minutes and adapt it for attacks on various platforms (Linux, macOS, Windows, etc.). Even if experienced attackers don’t use AI for actual development, they can leverage it to speed up their work.
