Cybersecurity researchers recently exposed a dangerous new tactic used by cybercriminals that involves deploying HTML-based prompt injections in emails. Trend Micro’s Ryan Flores and Bakuei Matsukawa found a new way of doing this. Using hidden code, the attackers develop an elaborate piece of malware dubbed MalTerminal. The compromised systems lay the groundwork for this malware to morph into ransomware and reverse shell attacks, both serious dangers to computer networks and infrastructure.
Our research found that the malicious emails often masquerade as routine billing-discrepancy notices from business associates. They lure victims into opening HTML attachments. Within this code lies a prompt injection hidden by a style attribute set to “display:none; color:white; font-size:1px;”. This tactic gives attackers a powerful way to deceive unsuspecting victims and makes these threats even harder to detect.
Concealed Threats and Their Mechanisms
The method employed in the emails is especially worrisome because of how craftily it hides malicious code. The prompt injection is masked by the style attribute, rendering it undetectable to recipients and to rudimentary scanning tools. By showing a seemingly innocent interface, the attackers put victims at ease and increase their opportunities for infiltration.
The HTML attachment only adds to the confusion. The attack not only contains the prompt injection explained above but also prompts users to choose between deploying “ransomware” or a “reverse shell.” As the researchers observed, many Python scripts also functionally replicate the capabilities of the executable file, adding even more layers of threat.
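A defender-side illustration of the hiding technique described above, added here and not taken from the researchers or from any tool named on this page: it parses an HTML attachment and reports text nested inside elements whose inline style matches the quoted hiding properties. The rule names, the find_hidden_text function and the sample HTML are assumptions made for this example.

```python
import re
from html.parser import HTMLParser

# Heuristic rules mirroring the quoted style string; rule names are this example's own.
HIDING_RULES = {
    "display-none": re.compile(r"display\s*:\s*none", re.I),
    "tiny-font": re.compile(r"font-size\s*:\s*[01](\.\d+)?\s*(px|pt)\b", re.I),
    "white-text": re.compile(r"(?<![-\w])color\s*:\s*(white|#fff(fff)?)\b", re.I),
}
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link", "wbr"}  # never closed

class HiddenTextFinder(HTMLParser):
    """Collect text nested inside any element whose inline style hides it."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []     # open elements: (tag, set of matched rule names)
        self.findings = []  # (sorted rule names, hidden text)

    def handle_starttag(self, tag, attrs):
        if tag not in VOID_TAGS:
            style = dict(attrs).get("style") or ""
            hits = {n for n, rx in HIDING_RULES.items() if rx.search(style)}
            self.stack.append((tag, hits))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, tolerating unclosed children.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        active = set().union(*(hits for _, hits in self.stack))
        text = " ".join(data.split())
        if active and text:
            self.findings.append((sorted(active), text))

def find_hidden_text(html):
    finder = HiddenTextFinder()
    finder.feed(html)
    finder.close()
    return finder.findings
# Constructed sample attachment; the hidden text is a harmless placeholder.
SAMPLE = (
    '<html><body><p>Please review the billing discrepancy.</p>'
    '<div style="display:none; color:white; font-size:1px;">'
    '<span>PLACEHOLDER: instructions aimed at an AI scanner</span></div>'
    '<p style="color:#333; font-size:10px">Regards, Accounts</p></body></html>'
)
```

Calling find_hidden_text(SAMPLE) returns the hidden span's text together with the rules that matched. White text is only a heuristic signal, since it is legitimate on a dark background, so findings are best treated as input to triage rather than a verdict.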
“Victims are first shown a CAPTCHA, lowering suspicion, while automated scanners only detect the challenge page, missing the hidden credential-harvesting redirect,” – Ryan Flores and Bakuei Matsukawa
This change underscores a key trend in malware deployments. Psychological warfare is not new, and attackers have always complemented the technical attack with tactics that increase its effectiveness.
Advanced Detection Tools
In reaction to these changing threats, cybersecurity professionals have produced an array of defensive techniques. One such tool is FalconShield, which scans Python files to identify malicious patterns. Using a general-purpose GPT model, FalconShield is able to instantly scan and flag harmful files. If a file is determined to be malicious, it produces an in-depth malware analysis report.
SentinelOne’s researchers Alex Delamotte, Vitaly Kamluk, and Gabriel Bernadett-Shapiro expanded this field by testing LLM-enabled malware. On examination, they found that MalTerminal contained an OpenAI chat completions API endpoint. This endpoint was deprecated in early November 2023, meaning MalTerminal’s origins would have to predate that point by a good margin.
“MalTerminal contained an OpenAI chat completions API endpoint that was deprecated in early November 2023, suggesting that the sample was written before that date and likely making MalTerminal the earliest finding of an LLM-enabled malware,” – Alex Delamotte, Vitaly Kamluk, and Gabriel Bernadett-Shapiro
The Implications of LLM-Enabled Malware
The rise of LLM-enabled malware represents a major advancement in the cyber offense ecosystem. The use of advanced language models in malware, as reported by several outlets, is a new frontier in adversarial tactics. Adversaries are already leveraging these models’ capabilities to develop more advanced systems that are harder to detect and analyze.
Ryan Flores and Bakuei Matsukawa shed light on a disturbing pattern. Attackers are leveraging the rapid deployment, free hosting, and seemingly credible branding of these platforms to increase the efficacy of their attacks. This trend poses even greater security threats to people and businesses alike. It underscores the urgent need for more protective — not just defensive — measures in our cyberdefenses.
“The incorporation of LLMs into malware marks a qualitative shift in adversary tradecraft,” – SentinelOne