AI tools likely wrote malicious script for threat group targeting German organizations




The latest email campaign detected by Proofpoint used an invoice-related lure written in German that was crafted to appear as if sent by Metro, a large German retailer. Dozens of organizations from various industries in Germany were targeted.

The rogue emails contained a password-protected ZIP archive, with the password provided in the body of the message. Inside was a LNK (Windows shortcut) file that invoked PowerShell to fetch and execute a remotely hosted script.

Tactic evaded file-based detection engines of endpoint security

This second-stage script Base64-decoded an executable for the Rhadamanthys infostealer that was stored in a script variable, then loaded it directly into memory and executed it without ever writing it to disk. This kind of fileless technique is commonly used to evade the file-based detection engines of endpoint security products, which have nothing on disk to scan.

Because its purpose is to load a malware payload onto the system, the PowerShell script in this case is referred to as a malware loader. As mentioned, TA547 previously preferred JavaScript-based loaders. This is also the first time the group has been seen delivering Rhadamanthys, which is not unusual in itself, since this infostealer is gaining popularity in the cybercriminal underground.

Contents of script point to evidence of LLM involvement

“The PowerShell script included a pound sign followed by grammatically correct and hyper-specific comments above each component of the script,” the Proofpoint researchers said. “This is a typical output of LLM-generated coding content and suggests TA547 used some type of LLM-enabled tool to write (or rewrite) the PowerShell or copied the script from another source that had used it.”

While attackers can use LLMs to better understand the attack chains of their competitors to improve or even craft their own, the use of LLMs doesn’t necessarily make detection harder. If anything, it could make it easier if some of the signs of AI-generated code are added to detection signatures.
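The two behaviours described above, a Base64-encoded executable held in a variable and loaded in memory, and a sentence-style comment above every statement, are the sort of traits that can be turned into a content-based detection rule. The following is an added example and not Proofpoint's or TA547's code: a small Python scorer that runs over PowerShell script text and reports which traits it finds. The specific .NET calls it looks for (`FromBase64String`, `Reflection.Assembly::Load`, `Invoke-Expression`) are assumptions about how in-memory loaders are commonly written; the article does not quote the actual script. The two sample scripts are constructed for the example and the "payload" is a meaningless run of characters.

```python
import re
from dataclasses import dataclass, field

# Indicators of the loader behaviour described in the article. The concrete API
# names below are assumptions (common in-memory loader idioms), not the script
# TA547 used, which the article does not reproduce.
BASE64_DECODE = re.compile(r"\[(?:System\.)?Convert\]::FromBase64String", re.IGNORECASE)
# A large Base64 blob assigned straight into a variable (200+ Base64 characters).
LONG_B64_VARIABLE = re.compile(r"\$\w+\s*=\s*['\"][A-Za-z0-9+/=]{200,}['\"]")
IN_MEMORY_LOAD = re.compile(
    r"\[(?:System\.)?Reflection\.Assembly\]::Load\b|Invoke-Expression|\bIEX\b",
    re.IGNORECASE,
)
# A "grammatically correct, hyper-specific" comment: a '#' line that starts with a
# capitalised word, runs to a full sentence, and ends with sentence punctuation.
SENTENCE_COMMENT = re.compile(r"^\s*#\s*[A-Z][^\n]{20,}[.!?]\s*$")


@dataclass
class Verdict:
    score: int
    hits: list = field(default_factory=list)


def commented_statement_ratio(lines):
    """Fraction of statements that sit directly under a sentence-style comment."""
    statements = commented = 0
    prev_was_sentence_comment = False
    for line in lines:
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith("#"):
            prev_was_sentence_comment = bool(SENTENCE_COMMENT.match(line))
            continue
        statements += 1
        if prev_was_sentence_comment:
            commented += 1
        prev_was_sentence_comment = False
    return commented / statements if statements else 0.0


def score_script(text):
    """Score a PowerShell script; higher means more loader-like."""
    hits, score = [], 0
    if BASE64_DECODE.search(text):
        hits.append("base64-decode"); score += 2
    if LONG_B64_VARIABLE.search(text):
        hits.append("large-base64-blob-in-variable"); score += 3
    if IN_MEMORY_LOAD.search(text):
        hits.append("in-memory-load"); score += 3
    ratio = commented_statement_ratio(text.splitlines())
    # Weighted low on purpose: well-documented admin scripts look the same, and
    # the article notes the script may simply have been copied from elsewhere.
    if ratio >= 0.8:
        hits.append(f"sentence-comment-per-statement({ratio:.2f})"); score += 1
    return Verdict(score, hits)


# Constructed sample that mirrors the described structure; the "payload" is just
# a run of 'A' characters and decodes to nothing useful.
SUSPECT_SCRIPT = "\n".join([
    "# Store the Base64-encoded payload in a variable so it can be decoded later.",
    '$payload = "' + "A" * 240 + '"',
    "# Decode the Base64 string into the raw bytes of the executable.",
    "$bytes = [System.Convert]::FromBase64String($payload)",
    "# Load the decoded assembly directly into memory without writing it to disk.",
    "$asm = [System.Reflection.Assembly]::Load($bytes)",
])

# Constructed benign admin script for comparison.
BENIGN_SCRIPT = "\n".join([
    "# Collect services",
    "Get-Service | Where-Object { $_.Status -eq 'Running' } | Export-Csv C:\\temp\\services.csv",
    "$hosts = Get-Content .\\hosts.txt",
    "foreach ($h in $hosts) { Test-Connection -ComputerName $h -Count 1 }",
])

if __name__ == "__main__":
    for name, script in (("suspect", SUSPECT_SCRIPT), ("benign", BENIGN_SCRIPT)):
        v = score_script(script)
        print(f"{name}: score={v.score} hits={v.hits}")
```

The comment-style trait is deliberately worth a single point: on its own it is a weak signal, as the article's own hedging about copied scripts implies, and it only becomes useful in combination with the decode-and-load behaviour that actually defines a fileless loader.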


