Traditional malware techniques are increasingly taking advantage of interest in ChatGPT and other generative AI programs, according to a Palo Alto Networks report on malware trends.

“Between November 2022-April 2023, we noticed a 910% increase in monthly registrations for domains, both benign and malicious, related to ChatGPT,” according to the latest Network Threat Trends Research Report from Unit 42, the threat research arm of Palo Alto Networks.

The report, released Tuesday, is based on threat intelligence from various products including the Palo Alto Networks Next-Generation Firewall (NGFW), Cortex Data Lake, Advanced URL Filtering and Advanced WildFire, leveraging telemetry from 75,000 customers globally.

The cybersecurity firm observed a jump in the last few months in attempts to mimic the ChatGPT interface through squatting domains: website names that are deliberately crafted to resemble those of popular brands or products in order to deceive people.

“Squatting domains can cause security risks and consumer confusion while creating opportunities for malicious actors to profit, such as through advertising revenue or scam attacks,” Palo Alto Networks said in the report.

The popularity of ChatGPT has also led to the appearance of related grayware, which is software that falls somewhere between malicious and benign. This category includes adware, spyware, and potentially unwanted programs. Grayware might not be explicitly harmful, but it can still cause issues or invade people’s privacy.

“It suggests that cybercriminals are looking to exploit the popularity of ChatGPT to spread potentially unwanted or harmful software,” Palo Alto Networks said in the report.

The firm says that organizations can prepare for attacks by such software by continuing to employ defense-in-depth best practices.
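The squatting domains described above can be triaged automatically from a feed of newly registered names. The following is an added example, not code from the Unit 42 report or from Palo Alto Networks: it flags registrable labels that are the brand itself, a homoglyph rendering of it, a longer label that embeds it, or one keystroke away from it. The homoglyph table, the sample feed and the allowlist are constructed, and the code assumes a single-label TLD rather than a Public Suffix List lookup.

```python
"""Triage of newly registered domains for squatting on a brand name.

Added example (not code from the Unit 42 report). Given a feed of domain
names, flag those whose registrable label is the brand itself, a homoglyph
rendering of it, a longer label that embeds it, or one keystroke away.
Assumptions: a single-label public suffix (no PSL lookup) and a small,
constructed homoglyph table.
"""

# Constructed table of characters commonly swapped for look-alikes.
# Multi-character entries come first so "rn" -> "m" runs before "1" -> "l".
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("4", "a"), ("5", "s"), ("7", "t")]


def registrable_label(domain: str) -> str:
    """Second-level label, lowercased. Assumes a one-label TLD (.com, .xyz);
    a real pipeline would consult the Public Suffix List for .co.uk and friends."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label: str) -> str:
    """Strip hyphens and fold homoglyphs so 'cha7-gpt' compares as 'chatgpt'."""
    label = label.replace("-", "")
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent
    transposition at cost 1, so 'chatgtp' is one edit from 'chatgpt'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def classify(domain: str, brand: str, max_edits: int = 1) -> str:
    """Verdict for one domain: 'brand', 'homoglyph', 'contains', 'typo' or 'unrelated'."""
    label = registrable_label(domain)
    norm, nbrand = normalize(label), normalize(brand)
    if label == brand:
        return "brand"
    if norm == nbrand:
        return "homoglyph"
    if nbrand in norm:
        return "contains"
    if osa_distance(norm, nbrand) <= max_edits:
        return "typo"
    return "unrelated"


def triage(domains, brand="chatgpt", allowlist=frozenset()):
    """Return [(domain, verdict)] for everything not allowlisted and not 'unrelated'.
    The allowlist holds the brand owner's own domains (constructed here)."""
    hits = []
    for d in domains:
        if d.lower() in allowlist:
            continue
        verdict = classify(d, brand)
        if verdict != "unrelated":
            hits.append((d, verdict))
    return hits


# Constructed sample feed: none of these are real observed domains.
SAMPLE_FEED = [
    "chatgpt.example",        # brand label on an unrelated TLD
    "cha7gpt.example",        # homoglyph: 7 for t
    "chatgpt-login.example",  # brand embedded in a longer label
    "chatgtp.example",        # transposed keystroke
    "chatg9t.example",        # single substitution
    "chatbot.example",        # two edits away: not flagged
    "openai.example",         # on the (constructed) allowlist
    "weather.example",        # unrelated
]
ALLOWLIST = frozenset({"openai.example"})

if __name__ == "__main__":
    for domain, verdict in triage(SAMPLE_FEED, "chatgpt", ALLOWLIST):
        print(f"{verdict:10} {domain}")
```

Run as a script it prints one verdict per flagged domain. In practice the feed would be newly observed names from passive DNS or certificate transparency logs, and hits would be queued for analyst review or pushed to the URL filter as a watch category rather than blocked outright, because brand-adjacent names are often benign (the report itself counts both benign and malicious ChatGPT-related registrations).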
“Security controls that defend against traditional attacks will be an important first line of defense against any developing AI-related attacks going forward,” Palo Alto Networks said in the report.

Vulnerability exploits increase

In its report, Palo Alto Networks also said that there was a 55% increase in vulnerability exploitation attempts, per customer, on average, last year.

Much of this increase can be attributed to the rise in exploitation attempts using the Log4j and Realtek supply-chain vulnerabilities. “We continue to find that vulnerabilities using remote code execution (RCE) techniques are being widely exploited, even ones that are several years old,” Palo Alto Networks said.

To ensure that old and new vulnerabilities are patched regularly, organizations should implement a comprehensive vulnerability management program that includes regular vulnerability assessments, scanning, and prioritization of vulnerabilities based on risk levels, according to the company.

“Develop a well-defined patch management process that includes the identification, testing, deployment, and verification of patches across all systems and applications. Continuously monitor new vulnerabilities by subscribing to vulnerability feeds and security advisories, and staying updated on the latest threat intelligence,” said Royce Lu, distinguished engineer at Palo Alto Networks.

“Develop a risk-based approach to prioritize vulnerabilities based on their severity, potential impact, and exploitability. Focus on patching critical vulnerabilities that could have the most significant impact on the organization's systems and data,” Lu said.

Emails with PDFs used as initial infection vector

Meanwhile, emails with PDF attachments remain a popular initial attack vector for spreading malware.

“PDFs are a common initial vector used by threat actors thanks to their wide usage and popularity in organizations. PDFs are commonly sent as email attachments, making them an effective delivery mechanism for malware,” Lu said.

PDFs were the primary malicious email attachment type, used in 66% of the cases where malware was delivered via email, according to the Palo Alto Networks report.

PDF files are widely used for document sharing and distribution across various platforms. They are designed to be cross-platform compatible, meaning they can be opened and viewed on different browsers, operating systems, and devices. “This versatility makes them an attractive choice for threat actors as they can target a wide range of potential victims across various platforms,” Lu said.

PDFs can also be crafted to deceive users through social engineering techniques. Threat actors often use enticing subject lines, appealing visuals, or misleading content to get users to open a PDF file, which may contain phishing links, hidden malware, or exploit techniques, Lu said.

The threat report also noted that threat actors catch victims off guard with injection attacks, in which attackers find vulnerabilities in websites or in third-party plugins and libraries and exploit them to insert malicious scripts into legitimate websites. “Websites created using WordPress have become a favorite target,” Palo Alto Networks said, adding that this could be an indicator that one or more vulnerable third-party plugins allowed threat actors to perform malicious script injections.

Ramnit malware family variants most used

In terms of most commonly used malware, Palo Alto Networks observed that variants of Ramnit were the most commonly deployed malware family last year.

“While reviewing tens of thousands of malware samples from our telemetry, we found that the Ramnit malware family had the most variants in our detection results,” Palo Alto said in the report.
Ramnit is a widespread malware strain that has been active since 2010. It started as a worm and banking Trojan but has evolved into a multifunctional malware strain. It targets online banking portals and injects malicious code into web browsers. “This code captures user inputs, such as login credentials, banking details, and transaction data, allowing threat actors to gain unauthorized access to victims' financial accounts,” Lu said.

Ramnit infects systems by exploiting vulnerabilities or utilizing social engineering techniques to trick users into executing malicious files or visiting compromised websites. “Once inside a system, Ramnit establishes persistence by creating registry entries or adding itself to startup processes, ensuring that it remains active even after system reboots,” Lu said.

Ramnit can transform infected systems into a botnet. It establishes a command and control (C&C) infrastructure that allows threat actors to remotely control and coordinate the actions of the compromised machines. This enables them to issue commands, deliver updates, and orchestrate various malicious activities across the botnet, Lu said.

Critical infrastructure, Linux are popular targets

Palo Alto Networks also saw the average number of attacks experienced per customer in the manufacturing, utilities, and energy industry increase by 238% last year.

The firm also observed that Linux malware is on the rise. Attackers are looking for new opportunities in cloud workloads and IoT devices that run on Unix-like operating systems, Palo Alto Networks said.

“The growing prevalence of this family of operating systems among mobile and 'smart' devices could explain why some attackers are turning their eyes toward Linux systems,” Palo Alto Networks said in the report.

For 2023, Palo Alto Networks predicts that evasive threats will continue to become increasingly complex, spreading malware through vulnerabilities will continue to increase, and encrypted malware will keep increasing.