Hackers are using AI to generate dangerous malware: HP study

HP recently released its latest Threat Insights Report, which reveals how attackers are using generative AI to help write code for malware. HP's threat research team discovered a large and refined ChromeLoader campaign, spread through malvertising, that led victims to professional-looking rogue PDF tools, and identified cybercriminals embedding malicious code in SVG images. The report analyses real-world cyberattacks, helping organisations keep up with the latest techniques criminals use to evade detection and breach PCs in a fast-changing cybercrime landscape. Based on data from millions of endpoints running HP Wolf Security, the notable campaigns identified by HP threat researchers include:

How gen AI is helping in malware development

Cybercriminals are already using GenAI to create convincing phishing lures, but to date there has been limited evidence of threat actors using GenAI tools to write code. The team identified a campaign targeting French speakers that used VBScript and JavaScript believed to have been written with the help of GenAI. The structure of the scripts, comments explaining each line of code, and the choice of native-language function and variable names are strong indications that the threat actor used GenAI to create the malware. The attack infects users with the freely available AsyncRAT malware, an easy-to-obtain infostealer that can record a victim's screen and keystrokes. The activity shows how GenAI is lowering the bar for cybercriminals to infect endpoints.

Malvertising campaigns leading to hostile PDF tools

ChromeLoader campaigns are becoming bigger and increasingly polished, relying on malvertising around popular search keywords to direct victims to well-designed websites offering functional tools such as PDF readers and converters. These working applications hide malicious code in an MSI file, while valid code-signing certificates bypass Windows security policies and user warnings, increasing the chance of infection. Installing these fake applications allows attackers to take over the victim's browser and redirect searches to attacker-controlled sites.

Hiding malware in Scalable Vector Graphics (SVG) images

Some cybercriminals are bucking the trend by shifting from HTML files to vector images for smuggling malware. Vector images, widely used in graphic design, commonly use the XML-based SVG format. Because SVGs open automatically in browsers, any embedded JavaScript is executed as the image is viewed. While victims think they are viewing an image, they are actually interacting with a complex file format that leads to multiple types of infostealer malware being installed.
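The report's point is that an SVG is an XML document, so it can carry executable content that a renderer runs when the "image" is opened. The scanner below is an added example (not HP's code or anything from the report) showing how a mail gateway or endpoint tool can triage SVG attachments by parsing them and flagging the places where active content can live: `<script>` and `<foreignObject>` elements, `on*` event-handler attributes, and `href` attributes pointing at `javascript:` URLs. The four SVG samples are constructed for this example; the function names are mine.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples for the example (not taken from any real campaign).
BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    '<circle cx="5" cy="5" r="4" fill="blue"/></svg>'
)
SCRIPT_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg">'
    '<script>console.log("active content")</script>'
    '<rect width="1" height="1"/></svg>'
)
HANDLER_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg">'
    '<rect width="1" height="1" onload="console.log(1)"/></svg>'
)
HREF_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<a xlink:href="javascript:console.log(1)"><text>click</text></a></svg>'
)

# Elements that can embed script or arbitrary HTML inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignobject"}
# Crude textual fallback in case the XML parser rejects a file that a
# more lenient renderer might still process.
RAW_PATTERNS = [re.compile(p, re.I) for p in (r"<\s*script\b", r"\bon\w+\s*=", r"javascript:")]


def local_name(qualified):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return qualified.rsplit("}", 1)[-1]


def find_active_content(svg_text):
    """Return a list of findings describing script-capable constructs in an SVG."""
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        findings.append(f"parse-error: {exc}")
        # Fall back to raw pattern matching so a malformed file is not waved through.
        for pattern in RAW_PATTERNS:
            if pattern.search(svg_text):
                findings.append(f"raw:{pattern.pattern}")
        return findings

    for elem in root.iter():
        name = local_name(elem.tag).lower()
        if name in ACTIVE_ELEMENTS:
            findings.append(f"element:{name}")
        for attr, value in elem.attrib.items():
            aname = local_name(attr).lower()
            if aname.startswith("on"):            # onload, onclick, onmouseover, ...
                findings.append(f"handler:{aname}")
            if aname == "href" and re.match(r"\s*javascript:", value, re.I):
                findings.append("href:javascript")
    return findings


def is_suspicious(svg_text):
    """Policy decision for a gateway: any active-content finding blocks the file."""
    return bool(find_active_content(svg_text))


def triage(samples):
    """Run the scanner over a name -> SVG mapping and return verdicts."""
    return {name: is_suspicious(svg) for name, svg in samples.items()}


if __name__ == "__main__":
    samples = {"benign": BENIGN_SVG, "script": SCRIPT_SVG,
               "handler": HANDLER_SVG, "href": HREF_SVG}
    for name, verdict in triage(samples).items():
        print(f"{name:8s} suspicious={verdict} {find_active_content(samples[name])}")
```

In practice the verdict would feed a quarantine or a "strip to static SVG" step rather than a plain log line, and a real gateway would also look at `<image>` elements with `data:` URLs and at SVGs nested inside other formats, but the parse-then-inspect shape above is the core of the check.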

How hackers are diversifying their attack methods

  • At least 12% of email threats identified by HP Sure Click bypassed one or more email gateway scanners, the same as the previous quarter.
  • The top threat vectors were email attachments (61%), downloads from browsers (18%) and other infection vectors, such as removable storage like USB thumb drives and file shares (21%).
  • Archives were the most popular malware delivery type (39%), 26% of which were ZIP files.