In November 2022, OpenAI released ChatGPT, a new interface for its Large Language Model (LLM), which generated significant interest in the potential uses of AI. However, ChatGPT also added complexity to the modern cyber threat landscape as it became apparent that code generation could assist less-skilled threat actors in launching cyberattacks.
Check Point Research (CPR) previously described how ChatGPT could successfully conduct a full infection flow, from creating a convincing spear-phishing email to running a reverse shell, capable of accepting commands in English. The question remains whether this is a hypothetical threat or if threat actors are already using OpenAI technologies for malicious purposes.
CPR’s analysis of several major underground hacking communities revealed that there are already instances of cybercriminals using OpenAI to develop malicious tools. As suspected, some cases clearly showed that many cybercriminals using OpenAI have no development skills. Although the tools presented in the report are basic, it is only a matter of time before more sophisticated threat actors enhance their use of AI-based tools for malicious purposes.
On December 29, 2022, a thread titled “ChatGPT – Benefits of Malware” appeared on a widely-used underground hacking forum. The person who posted the thread revealed that they were experimenting with ChatGPT to recreate malware strains and techniques discussed in research publications and write-ups about typical malware. To demonstrate this, they shared the code for a Python-based stealer that searches for common file types, copies them to a randomly chosen folder within the Temp folder, compresses them into a ZIP file, and uploads them to a pre-determined FTP server.
CPR’s examination of the script confirms the claims made by the cybercriminal. The script is indeed a basic stealer that searches for 12 common file types (such as MS Office documents, PDFs, and images) across the system. If any relevant files are found, the malware copies them to a temporary directory, compresses them into a ZIP file, and sends them over the internet. It is worth noting that the actor did not bother to encrypt or securely send the files, so they may be obtained by third parties.
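The stage-compress-upload sequence described above leaves a recognizable trail in endpoint telemetry. The following Python sketch is an added example, not code from the CPR report: it correlates per-process events to flag that sequence. The event schema, extension set, thresholds and sample records are all assumptions constructed for illustration.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumed values: the article names only file categories, not the 12 extensions.
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".jpg", ".png"}
FTP_PORT, MIN_COPIES, WINDOW_SECONDS = 21, 3, 600

def temp_subdir(path):
    """Return the folder directly below Temp holding the file (Temp\\<folder>\\<file>), else None."""
    parts = PureWindowsPath(path).parts
    lowered = [p.lower() for p in parts]
    if "temp" not in lowered:
        return None
    i = lowered.index("temp")
    return str(PureWindowsPath(*parts[:i + 2])).lower() if len(parts) > i + 2 else None

def find_staging_exfil(events):
    """Flag processes that stage documents in a Temp subfolder, zip them, then use FTP."""
    copies = defaultdict(list)   # (pid, folder) -> timestamps of staged documents
    zipped = {}                  # (pid, folder) -> timestamp of archive creation
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "file_write":
            folder = temp_subdir(ev["path"])
            if folder is None:
                continue
            key, ext = (ev["pid"], folder), PureWindowsPath(ev["path"]).suffix.lower()
            if ext in DOC_EXTS:
                copies[key].append(ev["ts"])
            elif ext == ".zip" and len(copies.get(key, [])) >= MIN_COPIES:
                zipped[key] = ev["ts"]
        elif ev["type"] == "net_connect" and ev["dst_port"] == FTP_PORT:
            for key in [k for k in zipped if k[0] == ev["pid"]]:
                if ev["ts"] - copies[key][0] <= WINDOW_SECONDS:
                    alerts.append({"pid": key[0], "folder": key[1], "dst": ev["dst_ip"]})
                del zipped[key]  # one alert per staged archive
    return alerts

T = r"C:\Users\a\AppData\Local\Temp"
# Constructed telemetry (not from the report): only pid 4120 follows the described flow.
SAMPLE_EVENTS = [
    {"ts": 0, "pid": 4120, "type": "file_write", "path": T + r"\xkqz\plan.docx"},
    {"ts": 1, "pid": 4120, "type": "file_write", "path": T + r"\xkqz\budget.xlsx"},
    {"ts": 2, "pid": 4120, "type": "file_write", "path": T + r"\xkqz\scan.pdf"},
    {"ts": 5, "pid": 4120, "type": "file_write", "path": T + r"\xkqz\out.zip"},
    {"ts": 12, "pid": 4120, "type": "net_connect", "dst_ip": "203.0.113.10", "dst_port": 21},
    {"ts": 3, "pid": 5300, "type": "file_write", "path": T + r"\dl\invoice.pdf"},
    {"ts": 9, "pid": 6000, "type": "net_connect", "dst_ip": "198.51.100.7", "dst_port": 21},
]
```

Because the sample sent its archive over plain FTP, the port-21 connection is the final correlating signal here; a variant that uploads over another protocol would need a different network condition.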
The second sample created by this actor using ChatGPT is a simple Java snippet. It downloads PuTTY, a widely used SSH and telnet client, and covertly runs it on the system using PowerShell. This script can be modified to download and run any program, including common malware families.
This threat actor has previously shared several scripts for automating the post-exploitation phase, and a C++ program that attempts to phish for user credentials. Additionally, they actively share cracked versions of SpyNote, an Android RAT malware. Overall, this individual seems to be a tech-savvy threat actor, and the purpose of their posts is to show less technically capable cybercriminals how to utilize ChatGPT for malicious purposes, with real examples they can immediately use.
It remains uncertain whether ChatGPT capabilities will become a popular tool among individuals on the Dark Web. However, the cybercriminal community has already shown significant interest and has begun experimenting with this latest trend of generating malicious code. CPR plans to continue monitoring this activity throughout the year 2023.