The evolution of artificial intelligence has led to significant progress in various sectors but has also opened the way to new attack techniques as well as the possibility of new malicious activities. In this new scenario, the "Malla" represent a emerging and sophisticated threat.
They are called MALLA, and if you haven't heard of them yet, it's because it's a fairly recent term, coined to represent services that use advanced linguistic models to automate and enhance large-scale cyber attacks.
We are talking about the black market of evil artificial intelligence and it is rapidly expanding all over the world. Cyber criminals were among the first to exploit the potential of artificial intelligence and advanced language models. Why? To offer what?
Simple: malicious services, from generating malware code to creating phishing emails, creating malicious websites, and more generally, anything that allows them to create the conditions for launching a cyber attack.
How do Mallas work? How do they compromise our safety?
We talk about it in this article by analyzing a document created by some researchers from the University of Bloomington entitled: “Demystifying Large Language Model Integrated Malicious Services".
As we anticipated, Mallas are malicious services that integrate large language models (Large Language Models, LLM) to create extremely effective attack tools. They are very different from traditional attacks since they do not require high technical skills. In fact, Mallas allow cybercriminals to exploit artificial intelligence capabilities to generate malicious code, automate campaigns Phishing and build attack infrastructures quickly and efficiently.
These services are often available on dark web marketplace, where they are sold to criminals with different skills, from novices to experts. Therefore, the Mallas ensure the lowering of the barriers to entry for cybercrime, allowing sophisticated attacks to be carried out on almost anyone with very little effort, investment and resources.
Let's see what their main use is and what are the various types of cyber attacks that they are able to generate.:
-
Malicious code generation. This is one of the most common areas of use of Mallas. Thanks to an LLM, criminals are able to create ad hoc scripts and malware to exploit specific vulnerabilities in systems. These models analyze and understand the context and technical specifications of a specific target system, generating code capable of evading traditional defenses. A real example, also documented, is that of a group of hackers who used a Malla service to build 0-day exploit. This allowed them to attack critical systems undetected for months. The code was so sophisticated that it eluded even advanced AI-based detection systems.
-
Creating Phishing Emails. This is where Mallas are extremely effective. Using natural language understanding, language models can generate emails that are perfect from a social engineer's point of view, perfectly mimicking the tone and style of corporate communications. It becomes clear that recognizing deception becomes extremely difficult.
In reality, there is a well-known case of a financial organisation which was the victim of a phishing campaign highly sophisticated. The generated emails deceived several employees, compromising the victim's infrastructure, exfiltrating sensitive information and causing the institution significant financial loss. No anti-phishing filter was able to detect the emails due to the level of sophistication and quality with which they were crafted -
Creating Phishing Sites. Another use of Mallas is to automatically create phishing websites. These are imitations of legitimate websites that aim to collect sensitive data such as login credentials, financial information and personal data. Again, the quality of the websites created is very high, making them difficult to recognize even by the most expert systems. One case that happened involved a fake e-commerce website that managed to scam thousands of customers. The site was an almost identical copy of a well-known online retailer, complete with SSL certificates and a very similar style. Users who entered their payment information were subsequently subjected to financial fraud.
-
Social Engineering Attack Automation. The Mallas are also capable of automating attacks of SOCIAL ENGINEERING. These models are capable of analyzing large volumes of data, identifying human vulnerabilities, and generating scripts that convince victims to perform compromising actions, such as clicking on malicious links or providing login credentials.
Real Example: In a campaign of spear phishing, a Malla was used to create fake social media profiles that interacted with victims for weeks, gaining their trust. Eventually, victims were tricked into transferring funds to bank accounts controlled by the hackers. The entire process was automated, minimizing human intervention by the criminals.
The emergence of Mesh has radically transformed the cybersecurity landscape. These services not only increase the effectiveness of attacks, but also make it more difficult to defend against them. The most significant impacts are:
-
Increased Frequency and Complexity of Attacks: The Mallas reduce the time and resources needed to launch complex attacks by significantly increasing their number.
-
Improved Attack Quality: The ability of LLMs to generate realistic and personalized content makes it increasingly difficult to detect and intercept the attacks themselves. Traditional defense systems, based on patterns and signatures, often fail in the face of these advanced threats.
-
Reducing the Barrier to Entry for Cybercrime: Mallas enable the democratization of cybercrime. What does this mean? It means that even criminals with limited technical skills are able to launch sophisticated attacks, resulting in an increase in the number of potential criminals.
-
Economic and Reputational Impact: Attacks made “easier” by the use of Mallas can cause significant economic damage to companies with consequent reputational damage that can lead to distrust by their customers.
To counter i Mesh it is necessary to have an advanced and multi-layered approach such as:
-
Defensive AI Development. First of all, it is necessary to fight on equal terms and, therefore, it is necessary to develop artificial intelligence systems that are able to detect and block attacks generated by these services. The AI used in the defense field is able to analyze behavioral patterns, anomalies in network traffic and other indicators of compromise (IoC) in real time, so as to be able to respond immediately to threats. An example is the use of AI platforms that are able to identify phishing attempts generated by Malla through the linguistic analysis of emails. The concept is to have a system that is able to continuously learn given the evolutionary speed of attack techniques. In this way, their detection capacity is increased, reducing the risk of compromise.
-
User Education and Awareness. Another strategy that has always been considered a key object in the field of prevention is user education. Making users aware of new attack methodologies is the basis for putting them in a position to recognize danger signals and adopt safe behaviors. From this point of view, It is important that companies define and propose continuous training programs for their employees, with simulations of phishing attacks and other practical exercises
-
International Collaboration. Today, whoever has technological power will also have political power and, therefore, since cybercrime is a global phenomenon, it has a global reach, international cooperation is required to monitor, identify and dismantle the Mallas.
For example, joint operations by Europol and cybersecurity firms have led to the seizure of servers used to operate Malla services, dismantling criminal networks and arresting those responsible. -
Development of standards and regulations. It is equally important that the use of LLMs be regulated to prevent them from being used for malicious purposes. It would be useful to introduce regulations to govern the use and development of advanced language models.
The technological wave cannot be stopped and is too often used incorrectly. We can already predict that the Mesh will become increasingly sophisticated and widespread. The Mallas' ability to create increasingly difficult-to-detect cyber attacks will grow exponentially with the growth and development of next-generation language models, such as GPT-4. It is also true, however, that, once we are aware that this new phenomenon exists and is constantly growing, it can be mitigated and reduced only through investments in new defense technologies, in user education and in international collaboration.
References
https://arxiv.org/pdf/2401.03315
https://www.darkweb-guide.com/malla-demystifying-llm-integrated-malicious-services/