HP finds AI-generated malware targets French speakers

New research from HP's Threat Research team reveals how cybercriminals are leveraging generative AI (GenAI) to create malicious code.

The report highlights that the structure of the malware, comments explaining each line of code, and the use of native language function names and variables suggest that GenAI was used in a recent attack targeting French speakers.

This finding indicates that GenAI is facilitating cybercriminal activities by making it easier for less technically skilled individuals to develop and deploy malware. Patrick Schläpfer, Principal Threat Researcher in the HP Security Lab, stated, "Speculation about AI being used by attackers is rife, but evidence has been scarce, so this finding is significant. Typically, attackers like to obscure their intentions to avoid revealing their methods, so this behaviour indicates an AI assistant was used to help write their code. Such capabilities further lower the barrier to entry for threat actors, allowing novices without coding skills to write scripts, develop infection chains, and launch more damaging attacks."

One of the noteworthy threats detailed in the report involves the ChromeLoader malware campaign. HP found this campaign is becoming more sophisticated and widespread, employing malvertising tactics to direct victims to well-designed websites that offer fake tools such as PDF converters. These seemingly legitimate applications, delivered as MSI files, execute malicious code upon installation. Consequently, a browser extension is installed that allows attackers to control the victim's browsing session and redirect searches to sites managed by the attackers.

The report also documented a shift in technique among some cybercriminals who are opting to embed malware in Scalable Vector Graphics (SVG) images instead of HTML files. SVG images, commonly used in graphic design, automatically open in browsers. Therefore, any JavaScript code embedded within these images is executed upon viewing, leading to the installation of various infostealer malware types. Victims, thinking they are merely viewing an image, are unknowingly interacting with a file format designed to deliver malware.

Further insights from the report, which examines data from the second quarter of 2024, show that:

- At least 12% of email threats identified by HP Sure Click bypassed one or more email gateway scanners, consistent with the previous quarter.

- The top threat vectors were email attachments (61%), downloads from browsers (18%), and other infection vectors, such as removable storage devices and file shares (21%).

- Archives emerged as the most popular type of malware delivery, accounting for 39% of the instances, with 26% of these being ZIP files.

Dr. Ian Pratt, Global Head of Security for Personal Systems at HP Inc., commented on the findings: "Threat actors are constantly updating their methods, whether it's using AI to enhance attacks, or creating functioning-but-malicious tools to bypass detection. So, businesses must build resilience, closing off as many common attack routes possible. Adopting a defence-in-depth strategy — including isolating high-risk activities like opening email attachments or web downloads — helps to minimise the attack surface and neutralise the risk of infection."

HP Wolf Security isolates threats that evade detection tools on PCs while allowing malware to detonate safely. This approach offers specific insights into the latest techniques used by cybercriminals. According to HP, its Wolf Security customers have clicked on over 40 billion email attachments, web pages, and downloaded files without reported breaches. This data, gathered from millions of endpoints running HP Wolf Security, provides a comprehensive understanding of the evolving cyber threat landscape.