AI-driven smart malware – Next generation of threats

cyber forensics

Recent developments in Artificial intelligence (AI) have a vast transformative potential for cybersecurity defenders and cybercriminals. Anti-malware solutions adopt intelligent techniques such as artificial neural networks to recognize new and unknown malware codes and prevent threats to the digital space.

Dramatic advances in ML and AI has made a significant shift in the IT industry. Consequently, cybercriminals are also aware of the benefits of AI and may try to use it to their advantage and weaponize it.

Cybercriminals are aware of the new prospects, too, and will probably try to use it in their activities, especially to power a malicious program that is autonomous and intelligent to evade anti-malware tools.

Therefore, it is logical to expect AI-driven malware to develop shortly. To be ready for the new threat, it is necessary to research how threat actors could use AI for malicious purposes.

With the support of AI, the new generation of malware will be smarter and capable of operating autonomously. It is reasonable to expect malware in the future could be aware of its environment and make calculated decisions about what to do base on the situation.

Here are some directions that attackers can exploit:

  • Dodge sandbox detection: a malware inmate as a legitimate program when analyzed by a detection tool and performs the malicious activities only when running on an actual user’s device. Cybercriminals program them to act with different behaviors based on the environment in which they are executing. Consequently, this is a useful technique for malware programs to avoid detection for as long as possible. The defensive program categorizes the program as benign so that it can execute; meanwhile, it can continue to perform malicious activities. If the malware embraces intelligent techniques, then it can autonomously decide how to react depending on the environmental factors it faces.
  • Using previous data to evade detection: Based on the data from preceding campaigns and the analysis of security tools, malicious actors could apply ML to develop and implement advanced obfuscation techniques to evade detection.
  • Adapt to the environment: AI-powered malware will be capable of adapting to the surroundings where it executes. The malware will exploit the vulnerabilities or disguise itself as a trusted system element by learning from contextual information. The longer the threat can exist in the host, the more it becomes independent, integrating into its environment, selecting tools, and taking countermeasures against security tools.
  • Generate new malware variants: Attackers can generate automated code, insert it into files and change the malware to evade detection algorithms. For example, the malware family Swizzor was using automation to generate new variants of themselves. This technique can be reused and enhanced using ML algorithms to discover which variations are less likely to be discovered and create new strains with similar characteristics.
  • Anti-reversing by using backbox technique: A threatening aspect of AI-embed malware is that it could implement the “black box” technique (i.e., neural networks) to hide its malicious payload. Analysts usually use reverse engineering tools to analyze and record malware. However, neural networks are complicated to reverse, which makes attackers easier to evade security tools and experts.

The future of AI-driven malware

With the support of AI, the new generation of malware will be smarter and capable of operating autonomously. It is reasonable to expect malware in the future could be aware of its environment and make calculated decisions about what to do base on the situation.

Smarter malware

Shortly, malware could propagate based on a sequence of autonomous decisions, intelligently custom-made to the parameters of the host system. This kind of malware operates similarly to branch prediction technology, which betters over time when making a prediction base on a conditional action it has seen before. We can imagine a scenario in which malware can choose lateral movement techniques depending on its environment. Instead of exploiting the vulnerable, it can switch to brute-forcing credentials or even install a key logger to capture credentials. Autonomous malware will then select the most successful for the target to use this method to traverse

Eliminate command-and-control (C&C) channel

Malware could be equipped with intelligent automation and preliminary logical process to automatically navigate a compromised network, select the desired target types, and push data to the malware owner. Being able to make decisions automatically helps malware remove C&C channels in spreading and accomplishing goals. Thus, the attacks will become stealthier and more menacing.

Execute machine-speed

AI could perform analytical functions similar to humans – but at machine speed. Therefore, it could be used in malicious software for exploiting software vulnerabilities on a mass level, for example, an automated attack of thousands of machines per hour.

Targeted and customized attacks

In another scenario, the malware authors can add the capacity to make smarter decisions into malware to maximize their profits. As a result, malware can automatically choose which payload will bring the most benefit based on the environment and the infected machine. For example, the malware can learn whether it infects the computer of a significant person in the company base on the communication of this person. On this person’s computer, stealing sensitive information or locking the document for ransom will make more profit. Conversely, installing a crypto-miner may be better if the malicious software recognizes it infected a server.

Furthermore, the malware’s AI can observe and learn normal user behavior patterns in localhost email and chat traffic for reconnaissance. Then, it can mimic the tone and style of this user to automate the composition of an email and send it to other employees to prompt them to access malicious content. That would be much moreeffective and convincing than classic social-engineering effort.

Cross-platform malware

Another aspect that needs to be considered is the development of cross-platform autonomous malware that can operate on multiplatform [28]. This type of malware carries a variety of exploit and payload tools that can operate across different environments. Based on its assessment of the target environment (including the platform information), the malware selects, assembles, and executes an attack against its target. The aim of this type of malware is that it can trigger contagion across multiple platforms so that making detection and resolution more difficult.


The fight between malware and anti-malware is an endless war. Both sides try to adopt advanced techniques to increase the power to overcome the other. To be ready for the era of malware strengthened by AI, it is crucial to equip the knowledge to find effective measures to prevent it.