Threat actors can potentially exploit ChatGPT to generate convincing phishing emails or deceptive content encouraging users to download malware.
They may also use the model to obfuscate malicious code or to assist in social engineering attacks, making it more challenging for security systems to detect and prevent illicit activities.
Cybersecurity researchers at SentinelLabs recently identified ChatGPT-powered malware actively attacking cloud platforms to steal login credentials. The ChatGPT-powered malware is an infostealer that is dubbed “Predator AI.”
Technical Analysis
Predator AI is promoted in hacking Telegram channels for web app attacks. It targets CMS and cloud email like AWS SES, along with AlienFox and Legion tools, sharing code with the following modules:-
Predator is actively updated, and in September 2023, a user requested a Twilio account checker to the developers, which was delivered in 2 weeks.
In October, a new version with Twilio features surfaced. The script starts with a copyright notice and an educational use disclaimer. Besides this, Predator infostealer is a Python application that has more than 11,000 lines.
There are 13 global classes defined in this script, and here below we have mentioned those classes:-
- Predator
- Settings
- Utility
- PumperSettings
- FakeErrorBuilder
- StealerBuilder
- Translator
- NetGun
- CTkMessagebox
- CTkListbox
- ThemeMaker
- GPTj
- NetXplorer
Cloud Platforms Attacked
Hackers can exploit this script to target the following cloud platforms:
- Drupal
- Joomla
- Laravel
- Magento
- OpenCart
- osCommerce
- PrestaShop
- vBulletin
- WordPress
GPTj’s ‘Predator AI’ chat interface reduces API use by solving locally first. It recognizes over 100 web and cloud hacking cases, handles data internally, and uses third-party services.
Moreover, it deals with AWS SES, Twilio, IP, and phone number data, only querying ChatGPT when needed. Here below we have mentioned all the driving functions defined inside the GPTj Class:-
- generate_text
- Ai_Backend
- aiRes
- ChatEvent
Recommendations
Predator AI’s discovery marks an anticipated shift in hacking tools. With the rise of AI, security pros have wondered about AI’s role in threat actor operations.
Some past projects like BlackMamba fell short of the hype, while Predator AI is a modest advancement, actively integrating AI into tools.
Predator AI’s integration offers a limited attacker advantage, and not only that, it’s unadvertised, potentially unstable, and costly.
As recommendations, cybersecurity analysts at SntinelLabs urged:-
- ge:sure to secure systems with all the latest available security updates.
- Always keep limited internet access.
- Ensure proper implementation of CSPM(Cloud security posture management).
- Monitor for anomalous behaviors.
Indicators of Compromise
SHA-1 Hash
- 88d40f86eefee5112515b73cce2d2badb7f49ffd – main.py Predator Python script
Hardcoded Strings
- “jSDSgnditikunggobloktolol” – hardcoded AWS account name string
- “titid” – hardcoded username in AWS GPT functionality
- “Adminn” – hardcoded username in AWS GPT functionality
- “Predator123” – hardcoded password from the Settings class
- “admainkontolpaslodsajijsd21334#1ejeg2shehhe” – hardcoded password for ‘Kontolz’ user account
- arn:aws:iam::320406895696:user/Kontolz – example ARN for Kontolz user
Patch Manager Plus: Automatically Patch over 850 third-party applications quickly – Try Free Trial.
Also Read:
Hackers Using ChatGPT to Generate Malware & Social Engineering Threats
OpenAI Released ChatGPT Enterprise With SOC 2 Compliant & Data Encryption