TA547 [1] [2] [3] [4] [5] [6] [7] [8], a financially motivated cybercriminal threat actor [1], recently targeted German organizations with a new email campaign delivering the Rhadamanthys malware [1] [3].

Description

This marks the first observed instance of TA547 using Rhadamanthys, an information stealer previously used by multiple threat actors [1] [3]. The actor employed a PowerShell script suspected to have been generated by a large language model (LLM) such as ChatGPT [1] [3], Gemini [1] [2] [4], or Copilot [2]; the suspicion rests on the pound-sign (#) comments and the specific, line-by-line comments found in the code. Impersonating the German retail company Metro [1] [2] [3], TA547 sent emails containing password-protected ZIP files with LNK attachments; opening the LNK triggered PowerShell to execute the Rhadamanthys malware directly in system memory [2].

The campaign targeted organizations across various industries in Germany [8], using a German-language lure in the emails [8]. The attackers acted as an initial access broker for other cybercriminals [8], selling access to compromised systems [8]. The latest attack used a fileless malware technique to evade detection by endpoint security products [8]. Despite the use of LLM-generated content [1] [2], the functionality of the malware remained unchanged [1], and behavior-based detection mechanisms were still effective in defending against it. Researchers from Proofpoint, who observed the campaign against organizations in Germany [6], note that the AI-generated dropper code includes hyper-specific comments [6], indicating the use of a chatbot in its creation [6].

TA547 has been active since 2017 [5], distributing banking Trojans and transitioning to compressed LNKs in early March [5]. Recent campaigns have targeted organizations in Spain [5], Switzerland [5], Austria [5], and the United States [5]. The group behind this campaign, TA547 [1] [2] [3] [4] [5] [6] [7] [8], typically used JavaScript-based loaders but has now been observed using Rhadamanthys for the first time [7], indicating the stealer's growing popularity in the cybercriminal underground [7].

The PowerShell script included specific comments above each component [7], suggesting the use of a tool to generate the code [7]. While attackers may use AI-generated code to understand competitors' attack chains [7], it does not necessarily make detection harder and could even make it easier if detection signatures include signs of AI-generated code [7].
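The point above, that comments above each component of a script can themselves become a detection signal, can be turned into a simple triage heuristic. The following Python script is an added example written for this page; it is not code from Proofpoint or from any of the cited reports, and it does not reproduce the actor's script. It counts how many code lines in a PowerShell script are immediately preceded by a # comment line and flags scripts where nearly every statement is annotated. Both sample scripts are constructed, harmless log-rotation snippets used only as input; the names of the functions and the 80% threshold are choices made here, not values from the reports.

```python
"""Triage heuristic: flag PowerShell scripts whose every statement carries a comment.

Added example for this page (not Proofpoint's tooling). The reports describe an
LLM-style hallmark: a '#' comment placed above each component of the script.
This script measures that pattern so an analyst can prioritise samples; it is a
triage signal, not a verdict, because well-documented admin scripts look the same.
"""
from dataclasses import dataclass

BLOCK_OPEN = "<#"   # PowerShell block-comment delimiters
BLOCK_CLOSE = "#>"


@dataclass
class CommentStats:
    code_lines: int                    # non-blank, non-comment lines
    comment_lines: int                 # '#' lines plus every line inside <# ... #>
    code_lines_with_comment_above: int # code lines directly preceded by a comment

    @property
    def annotated_ratio(self) -> float:
        """Fraction of code lines that have a comment immediately above them."""
        return self.code_lines_with_comment_above / self.code_lines if self.code_lines else 0.0


def comment_stats(script: str) -> CommentStats:
    """Walk the script once, tracking whether the previous non-blank line was a comment.

    Blank lines are skipped and do not break comment/code adjacency.
    """
    code = comments = annotated = 0
    prev_was_comment = False
    in_block = False
    for raw in script.splitlines():
        line = raw.strip()
        if in_block:                       # inside <# ... #>
            comments += 1
            if BLOCK_CLOSE in line:
                in_block = False
            prev_was_comment = True
            continue
        if not line:
            continue
        if line.startswith(BLOCK_OPEN):    # block comment starts here
            comments += 1
            prev_was_comment = True
            if BLOCK_CLOSE not in line[len(BLOCK_OPEN):]:
                in_block = True
            continue
        if line.startswith("#"):           # single-line comment
            comments += 1
            prev_was_comment = True
            continue
        code += 1                          # anything else is a statement
        if prev_was_comment:
            annotated += 1
        prev_was_comment = False
    return CommentStats(code, comments, annotated)


def looks_line_by_line_annotated(script: str, min_code_lines: int = 5,
                                 ratio_threshold: float = 0.8) -> bool:
    """True when a script of meaningful size has a comment above almost every statement.

    min_code_lines avoids flagging trivial one-liners; the threshold is an assumption
    chosen here for illustration, not a value taken from the reports.
    """
    stats = comment_stats(script)
    return stats.code_lines >= min_code_lines and stats.annotated_ratio >= ratio_threshold


# Constructed sample: a typical hand-written admin script with one header comment.
TERSE_SAMPLE = r"""
<#
  Rotate logs older than 7 days.
  Runs from a scheduled task.
#>
$logDir = "C:\Logs"
$logs = Get-ChildItem -Path $logDir -Filter *.log
$old = $logs | Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-7) }
$old | Remove-Item -Force
Write-Host "Removed $($old.Count) files"
"""

# Constructed sample: the same logic with a comment above every single statement,
# the pattern the reports associate with chatbot-generated code.
VERBOSE_SAMPLE = r"""
# Define the path to the log directory
$logDir = "C:\Logs"
# Get all log files in the directory
$logs = Get-ChildItem -Path $logDir -Filter *.log
# Calculate the cutoff date for old files
$cutoff = (Get-Date).AddDays(-7)
# Filter the files older than the cutoff
$old = $logs | Where-Object { $_.LastWriteTime -lt $cutoff }
# Remove the old files
$old | Remove-Item -Force
# Print the number of files removed
Write-Host "Removed $($old.Count) files"
"""

if __name__ == "__main__":
    for name, sample in (("terse", TERSE_SAMPLE), ("verbose", VERBOSE_SAMPLE)):
        s = comment_stats(sample)
        print(f"{name}: {s.code_lines} code, {s.comment_lines} comment, "
              f"annotated ratio {s.annotated_ratio:.2f}, "
              f"flag={looks_line_by_line_annotated(sample)}")
```

Used on its own, the heuristic only ranks samples for a human to look at; as the text notes, the malware's behavior is unchanged regardless of how the script was written, so the behavior-based detections already in place remain the control that matters, and this check is a cheap way to surface scripts worth a closer look.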

Conclusion

The use of Rhadamanthys by TA547 in targeting German organizations highlights the evolving tactics of cybercriminals. While the use of AI-generated code may pose challenges for detection, behavior-based mechanisms remain effective in defending against such threats. Organizations should stay vigilant and implement robust security measures to mitigate the risks posed by cybercriminal activities.

References

[1] https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta547-targets-german-organizations-rhadamanthys-stealer
[2] https://www.infosecurity-magazine.com/news/rhadamanthys-deployed-ta547-german/
[3] https://www.proofpoint.com/uk/blog/threat-insight/security-brief-ta547-targets-german-organizations-rhadamanthys-stealer
[4] https://uk.pcmag.com/ai/151797/an-ai-chatbot-may-have-helped-create-this-malware-attack
[5] https://www.bankinfosecurity.com/cybercrime-group-uses-likely-ai-script-to-load-infostealer-a-24825
[6] https://www.darkreading.com/threat-intelligence/ta547-uses-llm-generated-dropper-infect-german-orgs
[7] https://www.443news.com/2024/04/ai-tools-likely-wrote-malicious-script-for-threat-group-targeting-german-organizations/
[8] https://www.csoonline.com/article/2088427/ai-tools-likely-wrote-malicious-script-for-threat-group-targeting-german-organizations.html