Researchers Use ChatGPT AI-Powered Malware to Evade Endpoint Detection and Response Filters

ChatGPT is big news these days, and for good reasons. It’s the fastest-growing consumer application in history, according to a UBS study, acquiring 100 million monthly users just two months after launching. While it can potentially change our world for the better, it’s already become a tool of choice for cybercriminals.

A Bleeping Computer article attributes security researcher Dominic Alvieri as among the first to notice the domain chat-gpt-pc.online. The domain was promoted by a Facebook page featuring official ChatGPT logos and it infects visitors with Redline information-stealing malware disguised as a download for a ChatGPT Windows desktop client. The article notes that Alvieri also saw fake ChatGPT apps promoted on Google Play and other Android app stores.

That’s pretty scary. But it gets worse. Traditional security solutions like endpoint detection and response (EDR) rely on multilayer data intelligence systems and automated controls to defend against sophisticated threats today.

Last week, Jeff Sims, a researcher at cybersecurity firm HYAS Labs, posted how his firm was able to generate polymorphic malware courtesy of ChatGPT. HYAS makes a key point: “While EDR and other automated security controls are essential components of a modern security stack, they are not foolproof.” This point is underscored by the simple proof of concept (PoC) Sims built to demonstrate what AI-based malware could do.

BlackMamba: Exploiting APIs

Sims' PoC leveraged a large language model—AI software ChatGPT—which uses natural language processing, deep learning, and neural networks to dynamically synthesize polymorphic keylogger functionality. Put more simply, as TechTarget defines it, polymorphic malware uses an encryption key to change its shape and signature, while a keylogger records every stroke of the infected machine's keyboard. It combines a mutation engine with self-propagating code to change its appearance continuously and rapidly morph its code. The result modifies benign code at runtime without running into any command-and-control infrastructure that could stop this malicious threat.

HYAS tested the PoC against an unnamed industry-leading EDR many times. There were zero alerts or detections. HYAS named the PoC “BlackMamba” to convey the seriousness of the threat because this ever-changing malware can evade your EDR defenses.

An executable file was used to deliver the malware. Sims explains that once a device is infected, the PoC employed Microsoft Teams to exfiltrate data, sending it from the compromised system to an external location. HYAS relied on a hacker-controlled Teams channel via webhook, a lightweight API that powers one-way data sharing triggered by events.

The post digs into the technical details of the development and malware delivery process and is worth reading. But the closing paragraph brings it home, stating that “BlackMamba is virtually undetectable by today’s predictive security solutions.”

Immutable Storage: Your Last Line of Defense

While cybersecurity firms work toward a solution, it’s clear that these ChatGPT-driven threats will only become more sophisticated and evasive. That puts your precious data at even greater risk. Immutable backups may be your best bet for ensuring your data can always be recovered, even if your systems are compromised.

Immutable backups are saved in a write-once-read-many-times format that can’t be modified, deleted, or encrypted. To this point, hackers haven’t found a way around immutability, and we believe it’s unlikely they will in the foreseeable future.

Employ a Multilayered Approach to Data Resilience

While some hackers go after your people via phishing and other social engineering attacks, plenty of others are testing new ways to use AI to get around your defenses. Fighting back demands constant awareness of changing threats and new defensive strategies.

That’s where Arcserve technology partners make all the difference in the world. They bring expertise, experience, and a dedicated commitment to keeping your data resilient and your business secure. Choose an Arcserve partner here. And be sure to check out on-demand demos.