ChannelLife India - Industry insider news for technology resellers
Cybercriminals exploiting AI to enhance attack methods

Yesterday

HP Wolf Security's latest Threat Insights Report reveals the increasing use of malware kits and generative artificial intelligence (GenAI) by cybercriminals to enhance the effectiveness of their attacks.

The report outlines how these tools give attackers more room to try sophisticated methods, such as embedding harmful code within images hosted on websites, a tactic that raises the probability of infecting unsuspecting users.

One significant finding is the deployment of malware-by-numbers kits in different campaigns, specifically VIP Keylogger and 0bj3ctivityStealer, which use similar techniques and loaders. This overlap suggests that malware kits are shared across various groups. In both campaigns, the malicious code is concealed in image files hosted on platforms such as archive.org. Because the images appear harmless and are downloaded from reputable sites, the technique helps the payload pass through web proxies and avoid detection.
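The report says the payload is concealed inside image files but does not say how it is embedded. As an added example (not HP's code or anything from the report), the following defender-side check parses PNG and JPEG container structure and flags bytes that sit after the image's end marker, the simplest way a file can stay a valid, viewable image while carrying extra content. The sample images are constructed inline; a "clean" verdict only rules out this one embedding variant, not data hidden in pixel values or metadata chunks.

```python
"""
Heuristic detector for data appended after an image's end-of-file marker.
Added example with constructed sample files; assumes the simplest
concealment variant (payload bytes trailing the image's own end marker).
"""
import struct
import zlib
from typing import Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png(trailer: bytes = b"") -> bytes:
    """Constructed 1x1 RGB PNG, optionally with bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, colour type 2 (RGB)
    idat = zlib.compress(b"\x00\xff\x00\x00")              # filter byte + one red pixel
    return (PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat)
            + _png_chunk(b"IEND", b"") + trailer)


def make_jpeg(trailer: bytes = b"") -> bytes:
    """Constructed minimal JPEG byte stream: SOI, APP0, SOS with stuffed FF00, EOI."""
    app0 = b"\xff\xe0\x00\x10" + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda\x00\x08" + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"                         # FF 00 is byte stuffing, not a marker
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9" + trailer


def png_image_end(data: bytes) -> Optional[int]:
    """Offset just past the IEND chunk, or None if the PNG chunk chain is malformed."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        end = pos + 12 + length                            # 4 len + 4 type + data + 4 crc
        if end > len(data):
            return None
        if ctype == b"IEND":
            return end
        pos = end
    return None


def jpeg_image_end(data: bytes) -> Optional[int]:
    """Offset just past the EOI marker, walking segments so embedded thumbnails are skipped."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:                                 # EOI: image ends here
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:   # standalone markers, no length
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:                                 # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break                                  # a real marker follows the scan
                pos += 1
    return None


def trailing_payload(data: bytes) -> Optional[bytes]:
    """Bytes after the image end marker (b'' if none); None if not a recognised PNG/JPEG."""
    end = png_image_end(data)
    if end is None:
        end = jpeg_image_end(data)
    return None if end is None else data[end:]


def classify(data: bytes) -> str:
    """Verdict string for one file's bytes."""
    tail = trailing_payload(data)
    if tail is None:
        return "unrecognised"
    return "trailing-data" if tail else "clean"


def scan_samples() -> dict:
    """Run the check over constructed samples; returns {name: verdict}."""
    samples = {
        "clean.png": make_png(),
        "appended.png": make_png(b"TRAILING-TEST-BYTES " * 8),   # constructed payload
        "clean.jpg": make_jpeg(),
        "appended.jpg": make_jpeg(b"X" * 200),                   # constructed payload
        "not-an-image.bin": b"MZ\x90\x00" + b"\x00" * 20,
    }
    return {name: classify(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name:18s} {verdict}")
```

In a proxy or mail gateway this check belongs beside, not instead of, image decoding: a file that decodes cleanly yet carries hundreds of kilobytes past its end marker is worth quarantining for a closer look, while some legitimate tools (dual-format files, certain camera software) also append data, so treat a hit as a triage signal rather than a verdict.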

Additionally, the report identifies an XWorm remote access trojan (RAT) campaign initiated via HTML smuggling. This campaign uses malicious scripts likely crafted with the assistance of GenAI to download additional harmful content. The detailed, line-by-line description of the loader indicates it may have been created using GenAI, similar to a previously observed AsyncRAT campaign.

Another threat vector noted in the report involves attackers compromising video game cheat tools and modification repositories on GitHub with Lumma Stealer malware. This infostealer collects sensitive information such as passwords and cryptocurrency wallet data; users of such cheat tools often disable security controls to run them, which increases their exposure.

Alex Holland, Principal Threat Researcher in the HP Security Lab, remarked, "The campaigns analysed provide further evidence of the commodification of cybercrime. As malware-by-numbers kits are more freely available, affordable, and easy to use, even novices with limited skills and knowledge can put together an effective infection chain. Throw GenAI into the mix to write the scripts, and the barriers to entry get even lower. This allows groups to concentrate on tricking their targets and picking the best payload for the job – for instance by targeting gamers with malicious cheat repositories."

HP Wolf Security attributes its insight into cybercriminal techniques to its ability to isolate threats that evade traditional tools on PCs, so that malware can be safely detonated and observed. To date, no breaches have been reported among HP Wolf Security customers, despite over 65 billion interactions with potentially risky email attachments, web pages, and downloads.

The report analyses data from the third quarter of 2024, observing that cybercriminals continue to diversify their attack methods to evade detection-based security tools. The data highlights a rise in the popularity of .lzh files, targeting mainly Japanese-speaking users, with 11% of analysed archive files being of this type.

Dr. Ian Pratt, Global Head of Security for Personal Systems at HP, commented, "Cybercriminals are rapidly increasing the variety, volume, and velocity of their attacks. If a malicious Excel document is blocked, an archive file in the next attack may slip through the net. Instead of trying to detect rapidly shifting infection methods, organizations should focus on reducing their attack surface. This means isolating and containing risky activities such as opening email attachments, clicking on links, and browser downloads to reduce the chances of a breach."

HP Wolf Security's approach involves using hardware-enforced virtual machines to run potentially risky tasks in isolation without compromising user productivity. This technology captures detailed traces of attempted infections and offers insights into cyber intrusion tactics.
