HP has unveiled its latest Threat Analysis Report that reveals how attackers are using generative AI to help write malicious code. HP's threat research team has uncovered a sophisticated ChromeLoader campaign that spreads through malicious advertising, directing users to fake professional-looking PDF tools. In addition, they have identified cybercriminals embedding malicious code in SVG images.

The report provides a detailed analysis of real-world cyberattacks, helping organizations stay up to date with the latest techniques that cybercriminals employ to evade detection and compromise computers. Based on data from millions of endpoints running HP Wolf Security, HP threat researchers have identified several notable campaigns, including:

  • Generative AI aids malware development: Cybercriminals already use GenAI to create convincing phishing lures, but to date there has been little evidence of GenAI tools being used to write the malicious code itself. In this campaign, the structure of the scripts, the comments explaining each line of code, and the choice of function and variable names in the author's native language all point to a GenAI assistant having been used to write the malware. The attack infects users with AsyncRAT, a freely available open-source remote access trojan that can record victims' screens and keystrokes. This activity shows how GenAI lowers the effort needed to build a working infection chain.
  • Malvertising campaigns leading to fake but functional PDF tools: ChromeLoader campaigns are becoming larger and more sophisticated, relying on malvertising around popular search keywords to direct victims to well-designed websites offering working tools such as PDF readers and converters. The installers are MSI files that carry the malicious code alongside the working application, and because they are signed with valid code-signing certificates they pass Windows policy checks and do not trigger the usual warnings shown for unsigned installers. A valid signature only proves that the signer held the private key, so defenders should check who the signer is rather than just whether the signature verifies. Installing these fake applications lets attackers take control of the victim's browser and redirect searches to attacker-controlled sites.
  • Hiding malware in scalable vector graphics (SVG) images: Some cybercriminals are bucking the trend by moving from HTML files to vector images for smuggling malware. Vector images, widely used in graphic design, commonly use the XML-based SVG format. On most systems an SVG file opens in the default browser, and a browser executes any JavaScript embedded in an SVG when the file is loaded as a document in its own tab (scripts are not run when an SVG is merely referenced from an HTML <img> element). While victims believe they are viewing an image, they are actually loading a full XML document whose script, in this campaign, led to the installation of several families of information-stealing malware.
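The following is an added example, not code from the HP report or from the campaign it describes. It builds a constructed SVG that carries a script which decodes a base64 blob and offers it to the user as a download (the Blob/download-attribute technique is an assumption about how such a smuggling script might work, not a claim about the actual samples), and then runs a small static triage routine over it. The check flags the indicators a practitioner would look for in a "picture" received as an attachment: script elements, on* event-handler attributes, javascript: or data: hrefs, foreignObject content, and any base64 blobs that can be recovered from script bodies.

```python
"""Static triage for script-bearing SVG files (added example, stdlib only)."""
import base64
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Constructed sample. The decoded payload is a harmless placeholder standing in
# for a dropper; nothing here is a real artefact from the campaign.
PAYLOAD = b"REM placeholder for dropper content\r\n"
PAYLOAD_B64 = base64.b64encode(PAYLOAD).decode()

SAMPLE_SVG = """<svg xmlns="%s" xmlns:xlink="%s" width="200" height="200"
     onload="document.title='invoice'">
  <circle cx="100" cy="100" r="80" fill="#2b7bb9"/>
  <text x="40" y="110" fill="white">invoice</text>
  <script type="text/javascript"><![CDATA[
    var bytes = Uint8Array.from(atob("__PAYLOAD__"), c => c.charCodeAt(0));
    var blob = new Blob([bytes], {type: "application/octet-stream"});
    var a = document.createElementNS("http://www.w3.org/1999/xhtml", "a");
    a.href = URL.createObjectURL(blob); a.download = "invoice.bat"; a.click();
  ]]></script>
</svg>""" % (SVG_NS, XLINK_NS)
SAMPLE_SVG = SAMPLE_SVG.replace("__PAYLOAD__", PAYLOAD_B64)

# A benign SVG for comparison: shapes only, no script, no handlers.
CLEAN_SVG = """<svg xmlns="%s" width="200" height="200">
  <rect x="10" y="10" width="180" height="180" fill="#ddd"/>
  <text x="40" y="110">logo</text>
</svg>""" % SVG_NS

EVENT_ATTR = re.compile(r"^on[a-z]+$", re.IGNORECASE)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # long base64-looking runs


def _local(name):
    """Strip an ElementTree namespace prefix: '{ns}script' -> 'script'."""
    return name.rsplit("}", 1)[-1].lower()


def analyse_svg(svg_text):
    """Return the indicators found in an SVG document as a dict of findings."""
    root = ET.fromstring(svg_text)
    findings = {"script_elements": 0, "event_handlers": [], "script_urls": [],
                "foreign_objects": 0, "decoded_blobs": []}
    for el in root.iter():
        name = _local(el.tag)
        if name == "script":
            findings["script_elements"] += 1
            # Pull out anything that decodes cleanly as base64 from the script
            # body, which is how smuggled payloads are typically carried.
            body = "".join(el.itertext())
            for m in B64_BLOB.finditer(body):
                try:
                    findings["decoded_blobs"].append(
                        base64.b64decode(m.group(), validate=True))
                except ValueError:          # binascii.Error is a ValueError
                    continue
        elif name == "foreignobject":
            findings["foreign_objects"] += 1
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if EVENT_ATTR.match(aname):
                findings["event_handlers"].append("%s@%s" % (name, aname))
            if aname == "href" and value.strip().lower().startswith(
                    ("javascript:", "data:")):
                findings["script_urls"].append(value[:40])
    return findings


def is_suspicious(findings):
    """An image file has no business carrying any of these."""
    return bool(findings["script_elements"] or findings["event_handlers"]
                or findings["script_urls"] or findings["foreign_objects"])


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_SVG), ("clean", CLEAN_SVG)):
        f = analyse_svg(doc)
        print(label, "suspicious" if is_suspicious(f) else "benign", f)
```

The detector is deliberately strict: legitimate SVG logos and icons contain no script at all, so any hit is worth a look rather than a scoring exercise. Note that ElementTree does not resolve external entities, so feeding it hostile XML is safe, but it will reject malformed documents; a real pipeline should treat a parse failure on a file claiming to be an image as a finding in its own right.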

Patrick Schläpfer, Principal Threat Researcher at HP Security Lab, commented, "Speculation about attackers' use of AI is widespread, and even though the evidence so far has been limited, that is what makes this finding significant. Attackers generally prefer to hide their intentions, not to reveal their methods, so this behavior suggests that an AI assistant was used to help write the code. These capabilities further lower the barrier of entry for threat actors, allowing novices without coding skills to write scripts, develop infection chains, and launch more damaging attacks."

By isolating threats that have eluded detection tools on PCs while still allowing the malware to execute safely inside a contained environment, HP Wolf Security has specific insight into the latest techniques used by cybercriminals. HP Wolf Security customers have clicked on over 40 billion email attachments, web pages, and downloaded files without any reported breaches.

The report, which examines Q2 2024 data, details how cybercriminals continue to diversify attack methods to circumvent security policies and detection tools, such as:

  • At least 12% of email threats detected by HP Sure Click bypassed one or more email gateway scanners, the same proportion as in the previous quarter.
  • The top threat vectors were email attachments (61%), browser downloads (18%), and other vectors such as removable storage (USB sticks) and file shares (21%).
  • Archives were the most common malware delivery format (39%), of which 26% were ZIP files.

Dr. Ian Pratt, global head of security for Personal Systems at HP, said, "Attackers are constantly evolving, using AI to refine their attacks or developing malicious tools that evade detection. Therefore, enterprises must strengthen their resilience by closing as many common attack paths as possible. Adopting a defense-in-depth strategy, including isolating high-risk activities such as opening email attachments or web downloads, helps reduce the attack surface and neutralize the risk of infection."

HP Wolf Security executes risky tasks on isolated, hardware-enforced virtual machines running on the endpoint to protect users without impacting productivity. It also captures detailed traces of infection attempts. HP's application isolation technology mitigates threats that may escape other security tools and provides unique insights into intrusion techniques and threat actor behavior.