An ongoing trojan malware campaign designed to take control of systems and steal sensitive information is being generated with the aid of AI, researchers have said.
PureRAT is a full-featured remote access trojan (RAT) and infostealer which first emerged last year. It has recently been spotted being distributed via malicious links in phishing emails which pose as job opportunities.
Analysis by the Symantec and Carbon Black Threat Hunter Team has concluded that the cybercriminals behind PureRAT are using AI tools to write scripts and code. One of the reasons for this conclusion is that sections of the code powering PureRAT contain emojis.
“Many AIs have a tendency to insert emojis in code comments because they’ve been trained using data from social platforms such as Reddit,” researchers said.
In addition, sections of the code appear to contain explanatory comments, debug messages and reminders. For example, one section of the code contains the line “Remember to paste the base64-encoded HVNC shellcode here”.
It’s likely that these are instructions left by an AI tool which those behind PureRAT failed to remove from the scripts.
“Aside from emojis, detailed comments on nearly every line of the script are usually a giveaway that it was authored by AI. While we do see attackers occasionally leaving notes for themselves, we’d hardly ever see something like a full sentence,” Dick O’Brien, principal intelligence analyst for the Symantec and Carbon Black Threat Hunter Team, told Infosecurity.
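The three tells the researchers describe (emoji in comments, full-sentence comments on a large share of lines, and leftover placeholder reminders such as "Remember to paste ... here") can be turned into a simple triage heuristic for scripts recovered from phishing lures. The Python helper below is an added example, not code from the Symantec and Carbon Black report; the two sample scripts are constructed, benign stand-ins, and the emoji ranges, placeholder phrases, sentence rule and thresholds are assumptions chosen for illustration rather than published detection logic.

```python
"""Heuristic triage: score a script's whole-line comments for signs that an
AI assistant wrote them. Added example with constructed samples; thresholds
and phrase lists are assumptions, not vendor detection logic."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Common emoji / dingbat code-point blocks (practical subset, not exhaustive)
EMOJI_RE = re.compile("[\U0001F300-\U0001FAFF\u2600-\u27BF\u2B50\u2B55]")

# Reminder / placeholder phrasing typical of unremoved assistant instructions
PLACEHOLDER_RE = re.compile(
    r"\bremember to\b|\bpaste\b.*\bhere\b|\binsert\b.*\bhere\b|\breplace this\b|\btodo\b",
    re.IGNORECASE,
)

# Whole-line comment markers for PowerShell/Python ('#'), JS/C-style ('//'),
# and batch files ('::', 'REM'); shebangs are skipped separately
COMMENT_MARKERS = ("#", "//", "::", "REM ", "rem ")
WORD_RE = re.compile(r"[A-Za-z']+")


def extract_comments(source: str) -> list[tuple[int, str]]:
    """Return (line_number, comment_text) for every whole-line comment.
    Trailing comments are ignored: they need a per-language tokenizer and
    the whole-line ones carry the signal the analysts describe."""
    comments = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("#!"):
            continue
        for marker in COMMENT_MARKERS:
            if line.startswith(marker):
                comments.append((lineno, line[len(marker):].strip()))
                break
    return comments


def looks_like_sentence(text: str) -> bool:
    """A terse note ('fix later') is normal; a capitalised clause of six or
    more words ending in punctuation reads like generated prose."""
    stripped = EMOJI_RE.sub("", text).strip()
    words = WORD_RE.findall(stripped)
    return len(words) >= 6 and stripped[:1].isupper() and stripped.endswith((".", "!", "?", ":"))


@dataclass
class TriageResult:
    total_lines: int
    comment_lines: int
    emoji_comments: int = 0
    sentence_comments: int = 0
    placeholder_comments: int = 0
    placeholders: list[str] = field(default_factory=list)

    @property
    def signals(self) -> list[str]:
        found = []
        if self.emoji_comments:
            found.append(f"{self.emoji_comments} comment(s) contain emoji")
        # Assumed threshold: sentence-style comments on >= 25% of non-blank lines
        if self.total_lines and self.sentence_comments / self.total_lines >= 0.25:
            found.append("full-sentence comments on a large share of lines")
        if self.placeholder_comments:
            found.append(f"{self.placeholder_comments} leftover placeholder/reminder comment(s)")
        return found

    @property
    def likely_ai_assisted(self) -> bool:
        # Assumed rule: two independent tells before flagging for analyst review
        return len(self.signals) >= 2


def triage(source: str) -> TriageResult:
    """Count each tell over the script's whole-line comments."""
    non_blank = [line for line in source.splitlines() if line.strip()]
    comments = extract_comments(source)
    result = TriageResult(total_lines=len(non_blank), comment_lines=len(comments))
    for _, text in comments:
        if EMOJI_RE.search(text):
            result.emoji_comments += 1
        if looks_like_sentence(text):
            result.sentence_comments += 1
        if PLACEHOLDER_RE.search(text):
            result.placeholder_comments += 1
            result.placeholders.append(text)
    return result


# Constructed sample: assistant-style comments, benign file-system actions only
SAMPLE_SUSPECT = """\
# 🚀 Step 1: Set up the working directory for the downloaded files.
$workDir = Join-Path $env:TEMP 'jobapp'
# ✅ Step 2: Create the directory if it does not already exist.
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
# Remember to paste the base64-encoded payload here before running.
$payload = ''
# 🔍 Step 3: Write a log entry so we can debug the flow later.
Add-Content -Path (Join-Path $workDir 'log.txt') -Value 'started'
"""

# Constructed sample: the same actions with a single terse hand-written note
SAMPLE_TERSE = """\
$d = Join-Path $env:TEMP 'jobapp'
New-Item -ItemType Directory -Path $d -Force | Out-Null
# fix later
Add-Content -Path (Join-Path $d 'log.txt') -Value 'started'
"""

if __name__ == "__main__":
    for name, sample in (("suspect", SAMPLE_SUSPECT), ("terse", SAMPLE_TERSE)):
        r = triage(sample)
        print(f"{name}: likely_ai_assisted={r.likely_ai_assisted} signals={r.signals}")
```

The point of the heuristic is triage, not attribution: a high score says an analyst should look at the script, and the recovered placeholder text (such as the reminder line quoted above) is worth keeping as a pivot for clustering samples from the same author. Comment style alone is weak evidence, so the rule above requires two independent tells before flagging.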
Nonetheless, despite the leftover AI-generated instructions, PureRAT is a potent, widely distributed malware threat. The malware provides cybercriminals with the ability to stealthily maintain a remote presence on an infected machine, which the attackers can use either to steal data for themselves or to sell access to compromised machines to others.
“The attacker may be casting their net for jobseekers in multiple countries in the hope that they open the emails on their work computer,” said the research paper.
“The attacker’s usage of AI provides further evidence that the technology is being used by lower-skilled attackers to assist with developing tools and automating their attacks,” it added.
According to Symantec and Carbon Black, there is evidence that the attacker behind PureRAT is based in Vietnam. This conclusion has been reached because of the use of the Vietnamese language throughout the scripts, both in the code and in the comments left by AI tools. There are also references to Hanoi, the Vietnamese capital.
PureRAT isn’t the first malicious cyber operation to emerge from Vietnam. In recent years, several cybercriminal campaigns have been attributed to cyber gangs working out of the country – including one which distributed malware via adverts for fake AI video generation tools.