The most recent e-mail marketing campaign detected by Proofpoint used an invoice-related lure written in German that was crafted to look as if despatched by Metro, a big German retailer. Dozens of organizations from varied industries in Germany have been focused.
The rogue emails contained a password-protected ZIP archive with the password supplied within the e-mail message. Inside, that they had a LNK file that invoked the PowerShell runtime to execute a remotely-hosted script.
Tactic evaded file-based detection engines of endpoint security
The purpose of this secondary script was to decode utilizing Base64 an executable file for the Rhadamanthys infostealer that was saved in a variable after which load it immediately into reminiscence and execute it with out writing it to disk. This kind of fileless malware method is usually used to evade the file-based detection engines of endpoint security merchandise.
As a result of its goal is to load a malware payload onto the system, the PowerShell script on this case is known as a malware loader. As talked about, TA547 beforehand most well-liked JavaScript-based loaders and that is additionally the primary time when the group has been seen utilizing Rhadamanthys, although common since this infostealer is gaining reputation within the cybercriminal underground.
Contents of script level to proof of LLM involvement
“The PowerShell script included a pound signal adopted by grammatically right and hyper-specific feedback above every part of the script,” the Proofpoint researchers stated. “This can be a typical output of LLM-generated coding content material and suggests TA547 used some kind of LLM-enabled instrument to jot down (or rewrite) the PowerShell or copied the script from one other supply that had used it.”
Whereas attackers can use LLMs to raised perceive the assault chains of their opponents to enhance and even craft their very own, using LLMs doesn’t essentially make detection tougher. If something, it might make it simpler if a few of the indicators of AI-generated code are added to detection signatures.