There was a lot of interest in the potential applications of AI when OpenAI released ChatGPT in November 2022 as a new interface for its Large Language Model (LLM). Because its code generation was found to help less experienced threat actors launch cyberattacks, ChatGPT has also added complexity to the current cyber threat landscape.
In a previous report, Check Point Research (CPR) explained how ChatGPT could successfully carry out a full infection flow, from creating a convincing spear-phishing email to operating a reverse shell that could take English commands.
The question remains whether this is a hypothetical threat or if threat actors are already using OpenAI technologies for malicious purposes.
CPR’s analysis of several major underground hacking communities revealed that there are already instances of cybercriminals using OpenAI to develop malicious tools. As suspected, some cases clearly showed that many cybercriminals using OpenAI have no development skills.
Although the tools presented in the report are basic, it is only a matter of time before more sophisticated threat actors enhance their use of AI-based tools for malicious purposes.
On December 29, 2022, a thread titled “ChatGPT – Benefits of Malware” appeared on a widely-used underground hacking forum. The person who posted the thread revealed that they were experimenting with ChatGPT to recreate malware strains and techniques discussed in research publications and write-ups about typical malware. To illustrate this, they provided the source code for a Python-based stealer that looks for common file types, copies them to a randomly selected folder inside the Temp folder, zips them up, and then uploads them to a pre-specified FTP server.
CPR’s examination of the script confirms the claims made by the cybercriminal. The script is indeed a basic stealer that searches the system for 12 common file types (such as MS Office documents, PDFs, and images).
If any relevant files are found, the malware copies them to a temporary directory, compresses them into a ZIP file, and sends them over the internet. It is worth noting that the actor did not bother to encrypt or securely send the files, so they may be obtained by third parties.
The second sample created by this actor using ChatGPT is a simple Java snippet. It downloads PuTTY, a widely-used SSH and Telnet client, and covertly runs it on the system using PowerShell. This script can be modified to download and run any program, including common malware families.
This threat actor has previously shared several scripts for automating the post-exploitation phase, and a C++ program that attempts to phish for user credentials. Additionally, they actively share cracked versions of SpyNote, an Android RAT malware. Overall, this individual seems to be a tech-savvy threat actor, and the purpose of their posts is to show less technically capable cybercriminals how to utilize ChatGPT for malicious purposes, with real examples they can immediately use.
It remains uncertain whether ChatGPT capabilities will become a popular tool among individuals on the Dark Web. However, the cybercriminal community has already shown significant interest and has begun experimenting with this latest trend of generating malicious code. CPR plans to continue monitoring this activity throughout the year 2023.