Latest HP Wolf Security Threat Report Reveals AI Attacks

Be sure to check out Keypoint Intelligence's Cybersecurity page!

We have been warning for some time now that artificial intelligence (AI) changes the cybersecurity threat landscape by allowing even unsophisticated bad actors to launch attacks easily, quickly, and repeatedly with relatively little effort. Alas, now we have proof.

The September 2024 edition of the HP Wolf Security Threat Insights Report, which provides in-depth analysis of the latest cybersecurity trends and threats, revealed evidence of cybercriminals’ use of generative AI (GenAI) in crafting malicious code. This allows them to become increasingly adept at evading security measures many organizations may have in place to thwart attacks. Such activity was particularly evident in the detection of a malware campaign using AsyncRAT—where the structure, comments, and choice of function names in the VBScript and JavaScript strongly suggest GenAI was involved. The use of AI in this context lowers the bar for cybercriminals, making it easier to generate complex malware scripts that can evade traditional detection systems.

The HP report also details other emerging threats detected by the team, including:

• Evolving ChromeLoader Malware Techniques: ChromeLoader, a browser hijacker that modifies its victims’ browser settings and redirects user traffic to advertisement websites, continues to evolve. HP’s research shows that attacks are becoming more widespread and polished. Initially used to target users seeking pirated software (so, you know, they sort of deserved it), the new ChromeLoader campaigns now exploit legitimate-looking installers for commonly searched productivity tools, such as free PDF converters. By leveraging valid code-signing certificates and using malvertising techniques, ChromeLoader can evade detection by security systems like Windows AppLocker. The malware persists by installing a browser extension and continually hijacks browsing sessions to redirect users to malicious websites.
• Exploiting Uncommon Vectors: Scalable vector graphic (SVG) malware attacks have been a growing concern for several years. The SVG format is common in web and graphic design, and many companies use SVG graphics in legitimate email correspondence (for example, to show the image of an invoice). Unfortunately, the SVG format supports embedded JavaScript, which lets cybercriminals embed a malicious payload. Teams from HP and other organizations have detected sophisticated SVG attacks in the wild. Clicking on a compromised SVG file leads to the installation of multiple malware families, including Venom RAT and XWorm. This tactic represents a growing trend of targeting unconventional file formats to bypass traditional security measures.
• PDF Files as a Delivery Mechanism: Aggah is a well-known threat group known for their persistent and sophisticated attacks, often using weaponized Office documents. Apparently, business is good and the franchise is expanding to malicious PDF files as the initial infection vector. In a campaign identified by HP, users are lured into downloading what they think is a harmless PDF, but it’s actually a Visual Basic Script (VBS) file bearing malware. The payload from these campaigns generally includes credential stealers or remote access trojans (RATs). This shift exemplifies how cybercriminals continuously adapt their tactics to circumvent security tools that have been hardened against well-known vectors, such as Office macros.
• Prevalence of Archive-Based Threats: Archive files (e.g., .zip files) regained their status as the most popular malware delivery type in HP’s research, comprising almost 40% of threats identified. Attackers continue to embed malicious scripts within password-protected archives, making it more difficult for traditional scanners to detect the threats.

Email Is the Main Culprit

The HP report also noted that email remains the primary vector for delivering malware, accounting for 61% of detected threats. A significant portion of these (12%) successfully evaded email gateway scanners, highlighting the ongoing challenges organizations face in securing their email infrastructure. A range of defense-evasion techniques used by threat actors to avoid detection were noted in the report. For example, the Aggah campaign disables Microsoft’s Antimalware Scan Interface (AMSI) and Microsoft Defender before deploying its payload. Additionally, the use of code-signing certificates—particularly in the ChromeLoader campaign—allows malware to pass through security policies that typically block unsigned code. These tactics point to a growing trend of attackers not only focusing on evasion, but also persistence and lateral movement within compromised networks.

Keypoint Intelligence Opinion

In the never-ending game of cat-and-mouse, cybercriminals are innovating new attack methods to stay ahead of cybersecurity defenses. The use of GenAI to write malware, the increasing sophistication of browser-based attacks, and the reliance on unconventional file formats all underscore the necessity for organizations to take a layered approach to cybersecurity and strengthen their endpoint protection so that if a malware payload does get through, it can be stopped before the harm spreads. For example, HP Wolf Security’s hardware-enforced isolation techniques (available in the company’s business-class PCs and laptops) will automatically contain a detected threat within a micro-virtual machine “sandbox” on the infected machine, preventing it from spreading or causing damage.

Organizations can take other steps, as well, such as contracting with a leading threat intelligence services provider that will collect, analyze, and distribute information about the latest threat actors, tactics, techniques, and procedures in real-time. Most importantly, organizations need to continually train employees to be vigilant against phishing and social engineering attacks—especially since email remains the most common vector for attacks.

How well are various MFP OEMs securing their devices against potential vulnerabilities? Visit our MFP Security Validation testing page to find out!

Browse through our Industry Reports Page (latest reports only). Log in to the InfoCenter to view research on cybersecurity through our Workplace CompleteView Advisory Service. If you’re not a subscriber, contact us for more info by clicking here.