Since its beta launch in November, the AI chatbot ChatGPT has been used for a wide range of tasks, including writing poetry, technical articles, novels and essays, planning parties and learning about new topics. Now we can add malware development and the pursuit of other types of cybercrime to the list.
Researchers at security firm Check Point Research reported Friday that within a few weeks of ChatGPT going live, participants in cybercrime forums — some with little or no coding experience — were using it to write software and emails that could be used to spyware, ransomware, malware. spam and other malicious tasks.
“It is still too early to decide whether ChatGPT features will become the new tool of choice for Dark Web participants,”[ads1]; the company’s researchers wrote. “However, the cybercriminal community has already shown significant interest and is jumping into this latest trend to generate malicious code.”
Last month, a forum participant posted what they claimed was the first script they had written and credited the AI chatbot with a “nice [helping] hand to complete the script with a fine scope.”
The Python code combined various cryptographic functions, including code signing, encryption, and decryption. Part of the script generated a key using elliptic curve cryptography and the curve ed25519 for signing files. Another part used a hard-coded password to encrypt system files using the Blowfish and Twofish algorithms. A third used RSA keys and digital signatures, message signing, and the blake2 hash function to compare different files.
The result was a script that could be used to (1) decrypt a single file and append a message authentication code (MAC) to the end of the file and (2) encrypt a hardcoded path and decrypt a list of files that it receives as an argument. Not bad for someone with limited technical skills.
“All of the aforementioned code can of course be used in a benign way,” the researchers wrote. “However, this script can be easily modified to encrypt someone’s machine completely without user interaction. For example, it could potentially turn the code into ransomware if the script and syntax issues are fixed.”
In another case, a forum participant with a more technical background posted two code samples, both written using ChatGPT. The first was a Python script to steal information after exploitation. It searched for specific file types, such as PDFs, copied them to a temporary directory, compressed them, and sent them to an attacker-controlled server.
The person posted another piece of code written in Java. It surreptitiously downloaded the SSH and telnet client PuTTY and ran it using Powershell. “Overall, this individual appears to be a technology-oriented threat actor, and the intent of his posts is to show less technically savvy cybercriminals how to use ChatGPT for malicious purposes, with real-world examples they can immediately use.”
Another example of ChatGPT-produced crime was designed to create an automated online bazaar for buying or trading credentials for compromised accounts, payment card data, malware, and other illegal goods or services. The code used a third-party programming interface to retrieve current cryptocurrency prices, including monero, bitcoin, and etherium. This helped the user set prices when purchasing.
Friday’s post comes two months after Check Point researchers tried their hand at developing AI-produced malware with full infection flow. Without writing a single line of code, they generated a reasonably convincing phishing email:
The researchers used ChatGPT to develop a malicious macro that could be hidden in an Excel file attached to the email. Once again, they didn’t write a single line of code. To begin with, the released script was quite primitive:
When the researchers instructed ChatGPT to iterate the code several times, the quality of the code improved significantly:
The researchers then used a more advanced AI service called Codex to develop other types of malware, including a reverse shell and scripts for port scanning, sandbox detection and compiling the Python code into a Windows executable.
“And just like that, the infection flow is complete,” the researchers wrote. “We created a phishing email, with an attached Excel document containing malicious VBA code that downloads a reverse shell to the target machine. The hard work was done by the AIs, and all that’s left for us to do is to carry out the attack.”
While the ChatGPT terms prevent its use for illegal or malicious purposes, the researchers had no problem adjusting their requests to circumvent these restrictions. And, of course, ChatGPT can also be used by defenders to write code that searches for malicious URLs in files or query VirusTotal for the number of detections for a specific cryptographic hash.
So welcome to the brave new world of AI. It’s too early to know exactly how it will shape the future of offensive hacking and defensive remediation, but it stands to reason that it will only intensify the arms race between defenders and threat actors.