Threat actor TA547 uses suspected LLM-generated PowerShell script to target organisations – Proofpoint
April 2024 by Proofpoint, Inc.
Threat researchers at cybersecurity company Proofpoint today published details of new techniques used by threat actor TA547, which appears to have deployed a PowerShell script that researchers suspect was generated by a large language model (LLM) such as ChatGPT, Gemini, Copilot or another similar tool.
Key findings from the research include:
• The campaign has been attributed to TA547, a financially motivated cybercriminal threat actor considered to be an initial access broker (IAB). It targets organisations across various geographic regions, including Spain, Switzerland, Austria and the U.S.
• Proofpoint researchers have observed changes in TA547’s tactics: it targeted German organisations with an email campaign delivering Rhadamanthys, an information stealer that researchers had not previously observed TA547 use.
• The emails impersonated the German retail company Metro and purported to relate to invoices. They targeted dozens of organisations across various industries in Germany.
• The second PowerShell script, used to load Rhadamanthys, contained characteristics not commonly observed in code written by threat actors or legitimate programmers. This suggests TA547 either used some type of LLM-enabled tool to write or rewrite the PowerShell, or copied the script from another source that had used one.