HQ/EMEAFind out how we can help your business
A discovery has identified that threat actors can use AI models to generate various types of malware variants that can mostly bypass security detections.
The researchers discovered that large language models (LLMs) can produce thousands of new types of malicious JavaScript code that are more difficult to detect. Although LLMs struggle to develop malware from the start, criminals can simply leverage them to rewrite or obfuscate existing malware, making it more difficult to identify.
Criminals might instruct LLMs to do modifications that appear more natural, making malware identification for security solutions more challenging.
With enough modifications over time, this new strategy may have the advantage of decreasing the performance of malware classification algorithms. This tactic can lead these solutions to believe that a piece of malicious code is harmless.
Hackers have offered AI models that exclusively create malware.
AI models offered by LLM providers have increasingly implemented security safeguards to prevent their solutions from deviating and producing unintended results. However, threat actors have advertised tools such as WormGPT as a way to automate the process of crafting convincing phishing emails and even creating new malware strains.
In October last year, OpenAI announced that it had prevented over 20 activities and deceptive networks that attempted to exploit its platform for various cybercriminal activities, such as reconnaissance, vulnerability research, scripting support, and debugging.
A researcher stated that it used the power of LLMs to iteratively rewrite existing malware samples in order to avoid detection by machine learning (ML) models. This activity paved the way for creating 10,000 novel JavaScript variants without changing functionality.
When malware is input into the system, the adversarial machine learning technique modifies it using various methods, including trash code insertion, variable renaming, string splitting, removal of unneeded whitespaces, and a complete reimplementation of the code.
Furthermore, script artefacts remain undetected by other malware analysers when uploaded to the VirusTotal platform.
Another significant advantage of LLM-based obfuscation is that its rewrites appear far more natural than those achieved by libraries. Hence, they are easier to detect and fingerprint because they introduce changes to the source code.
Therefore, security and LLM providers should assess the current situation of these malicious activities to counteract the growing number of threat actors that exploit AI for their cybercriminal activities.
