Google announced Wednesday that it has discovered that an unknown attacker using experimental Visual Basic Script (VB Script) malware called PROMPTFLUX interacts with the company’s Gemini artificial intelligence (AI) model API to create its own source code to improve obfuscation and evasion.
“PROMPTFLUX is written in VBScript and interacts with Gemini’s API to request certain VBScript obfuscation and evasion techniques to facilitate ‘just-in-time’ self-modification and likely evade static signature-based detection,” Google Threat Intelligence Group (GTIG) said in a report shared with The Hacker News.
This new feature is part of the “Thinking Robot” component, which periodically queries a large-scale language model (LLM) (in this case Gemini 1.5 Flash or newer) to retrieve new code to avoid detection. This is accomplished by sending queries to the Gemini API endpoint using a hard-coded API key.
The prompts sent to the model are very specific and machine-parseable, requesting changes to the VB Script code for antivirus evasion, and instructing the model to output only the code itself.
Aside from its regeneration capabilities, the malware also establishes persistence by storing new obfuscated versions in the Windows startup folder and attempts to propagate by copying itself to removable drives and mapped network shares.
“Although the self-modifying function (AttemptToUpdateSelf) is commented out, its presence, combined with active logging of AI responses to ‘%TEMP%\ Thinking_robot_log.txt’, clearly indicates the authors’ goal of creating metamorphic scripts that evolve over time,” Google added.
The tech giant also said it discovered multiple variations of PROMPTFLUX that incorporated code regeneration by LLM, with one version using a prompt to rewrite the entire malware source code every hour by instructing LLM to act as an “expert VB script obfuscator.”
PROMPTFLUX is rated as being in the development/testing stage, and the malware currently has no means to compromise victim networks or devices. Although it is currently unclear who is behind the malware, there are indications that financially motivated attackers are targeting a wide range of users, adopting a broad approach that is agnostic to geography and industry.
Google also noted that adversaries are not only using AI for simple productivity improvements, but also creating tools that can adjust their behavior on the fly, as well as proprietary tools that are sold on underground forums for financial gain. Other examples of LLM-based malware observed by the company include:
FRUITSHELL, a reverse shell written in PowerShell that contains hardcoded prompts that bypass detection and analysis by LLM-powered security systems. PROMPTLOCK, a cross-platform ransomware written in Go that uses LLM to dynamically generate and execute malicious Lua scripts at runtime (identified as a proof of concept) Ukraine that queries Qwen2.5-Coder-32B-Instruct to generate commands to run via Hugging Face QUIETVAULT’s API. This is a credential stealer written in JavaScript that targets GitHub and NPM tokens.
From Gemini’s perspective, the company said it has observed China-linked threat actors abusing its AI tools to create persuasive decoy content, build technology infrastructure, and design tools for data breaches.
In at least one instance, the attackers allegedly reframed the prompt by identifying themselves as participants in a capture-the-flag (CTF) exercise in order to circumvent guardrails and trick the AI system into returning useful information that could be used to exploit the compromised endpoint.
“The attackers appear to have learned from this interaction and used the CTF pretext to support phishing, exploitation, and web shell development,” Google said. “The attackers prefaced many of the prompts for exploitation of specific software or email services with comments such as ‘I’m working on a CTF issue’ or ‘I’m currently on CTF and I saw someone from another team say this.’ This approach provided advice on next steps to exploit in a ‘CTF scenario.'”
Other examples of Gemini exploitation by state-sponsored actors in China, Iran, and North Korea for operational efficiency purposes such as reconnaissance, phishing lure creation, command and control (C2) development, and data theft are listed below.
Exploitation of Gemini by threat actors suspected of having ties to China for a variety of tasks, from initial reconnaissance of targets of interest and phishing techniques to delivery of payloads and requests for assistance with lateral movement and data extraction methods Exploitation of Gemini by Iranian nation-state actor APT41 to obfuscate code and assist in the development of C++ and Golang code for multiple tools, including a C2 framework called OSSTUN Gemini by Iranian nation-state Exploiting attacker MuddyWater (also known as Mango Sandstorm, MUDDYCOAST, or TEMP.Zagros) conducted research to support the development of custom malware that supports file transfer and remote execution while circumventing security walls by claiming to be a student working on a university final project or writing an article on cybersecurity Gemini by Iranian nation-state attacker APT42 (also known as Charming Kitten and Mint Sandstorm) Exploitation of Gemini by North Korean threat actor UNC1069 (aka CryptoCore or MASAN) – TraderTraitor (aka PUKCHONG or UNC4899), successor to the defunct APT38 (aka PUKCHONG or UNC4899) One of two clusters alongside BlueNoroff (UNC4899) – generates social engineering decoy materials, develops code to steal cryptocurrencies, and crafts malicious instructions disguised as software updates to extract user credentials. Exploiting Gemini to develop code, research exploits, and improve tools with TraderTraitor
Additionally, GTIG stated that it recently observed UNC1069 using deepfake images and video lures impersonating individuals in the cryptocurrency industry in social engineering campaigns to distribute a backdoor known as BIGMACHO to victims’ systems under the guise of the Zoom Software Development Kit (SDK). It is worth noting that some aspects of this activity share similarities with Kaspersky’s recently revealed GhostCall campaign.
The development comes as Google said it expects attackers to “move decisively from using AI as the exception to using it as the norm” to increase the speed, scope, and effectiveness of their operations and enable large-scale attacks.
“The increasing accessibility of powerful AI models and the growing number of companies integrating them into their daily operations creates the perfect conditions for instant injection attacks,” the report said. “Theater attackers are rapidly refining their techniques, and the low cost and high reward of these attacks makes them an attractive option.”
Source link
