Getty Images
Since its beta launch in November, the AI chatbot ChatGPT has been used for a wide variety of tasks, including writing poetry, technical papers, novels and essays, planning parties and learning about new topics. Now we can add malware development and the pursuit of other forms of cybercrime to the list.
Researchers from security firm Check Point Research reported on Friday that within a few weeks of ChatGPT going live, cybercrime forum participants — some with little or no coding experience — were using it to write software and emails that could be used for espionage, ransomware, malicious spam and other malicious tasks.
“It is still too early to decide whether or not ChatGPT capabilities will become the new tool of choice for Dark Web participants,” the company’s researchers wrote. “However, the cybercriminal community has already shown considerable interest and is jumping on this latest trend of generating malicious code.”
Last month, a forum member posted what they said was the first script they’d written and credited the AI chatbot for having a “nice [helping] hand to complete the script with a nice scope.”
Check Point Investigation
The Python code combined several cryptographic functions, including code signing, encryption, and decryption. Part of the script generated a key using elliptic curve cryptography and the ed25519 file signing curve. Another part used a hard-coded password to encrypt system files using the Blowfish and Twofish algorithms. A third used RSA keys and digital signatures, message signing, and the blake2 hash function to compare different files.
The result was a script that could be used to (1) decrypt a single file and append a message authentication code (MAC) to the end of the file and (2) encrypt a hard-coded path and decrypt a list of files that it receives as an argument. Not bad for someone with limited technical skills.
“All of the above code can of course be used in a benign way,” the researchers wrote. “However, this script can be easily modified to completely encrypt someone’s machine without user intervention. For example, it can turn the code into ransomware if the script and syntax issues are resolved.”
In another case, a forum member with a more technical background posted two code samples, both written using ChatGPT. The first was a Python script for stealing information after exploitation. It searched for specific file types, such as PDFs, copied them to a temporary folder, compressed them, and sent them to an attacker-controlled server.
Check Point Investigation
The individual posted a second piece of code written in Java. It stealthily downloaded the SSH and telnet client PuTTY and ran it with Powershell. “In general, this person appears to be a technology-focused threat actor, and the purpose of his posts is to show less tech-savvy cybercriminals how to use ChatGPT for malicious purposes, with real-world examples they can use immediately.”
Check Point Investigation
Yet another example of crimeware produced by ChatGPT is designed to create an automated online bazaar for buying or trading compromised account credentials, payment card details, malware, and other illegal goods or services. The code used a third-party programming interface to retrieve current cryptocurrency prices, including monero, bitcoin, and etherium. This helped the user set prices when handling purchases.
Check Point Investigation
Friday’s post comes two months after Check Point researchers scrambled to develop AI-generated malware with a full infection stream. Without writing a single line of code, they generated a fairly convincing phishing email:
Check Point Investigation
The researchers used ChatGPT to develop a malicious macro that could be hidden in an Excel file attached to the email. Again, they haven’t written a single line of code. Initially, the script executed was fairly primitive:
Screenshot of ChatGPT producing a first iteration of a VBA script.
Check Point Investigation
When the researchers instructed ChatGPT to iterate the code a few more times, the quality of the code improved dramatically:
Check Point Investigation
The researchers then used a more advanced AI service called Codex to develop other types of malware, including a reverse shell and scripts for port scanning, sandbox detection, and compiling their Python code into a Windows executable.
“And so the infection stream is complete,” the researchers wrote. “We have created a phishing email, with an attached Excel document containing malicious VBA code that downloads a reverse shell to the target computer. The hard work has been done by the AIs and all that remains for us is to execute the attack.”
While ChatGPT terms prohibit its use for illegal or malicious purposes, the researchers had no trouble modifying their requests to get around those restrictions. And of course, ChatGPT can also be used by defenders to write code that looks for malicious URLs in files or query VirusTotal for the number of detections for a specific cryptographic hash.
So welcome to the brave new world of AI. It’s too early to know exactly how it will shape the future of offensive hacking and defensive recovery, but it’s a good bet it will only intensify the arms race between defenders and threat actors.
