"Security Experts Develop Method of Generating 'Highly Evasive' Polymorphic Malware Using ChatGPT"
Security researchers at CyberArk Labs have demonstrated the use of ChatGPT to develop polymorphic malware that can go undetected by most anti-malware products. It took the researchers weeks to produce a proof-of-concept (POC) for the highly evasive malware, but they eventually created a method to execute payloads on a victim's computer using text prompts. The researchers tested their method on Windows and concluded that a malware package, including a Python interpreter, could be developed and designed to periodically query ChatGPT for new modules. These modules can contain text-based code that defines the malware's capabilities, such as code injection, file encryption, or persistence. The malware package would then be responsible for determining whether or not the code operates as expected on the target system. The researchers stated that this could be accomplished via communication between the malware and a command-and-control (C2) server. For example, in a use case involving a file decryption module, functionality would be derived from a text-based ChatGPT query, and the malware would then generate a test file for the C2 server to validate. If the validation was successful, the malware would be instructed to run the code and encrypt the files. If validation was unsuccessful, the process would be repeated until a working encryption code is generated and validated. The malware would use the compile functionality of the built-in Python interpreter to turn the payload code string into a code object that could subsequently be run on the victim's computer. Since the malware detects incoming payloads in the form of text, as opposed to binaries, researchers say the malware does not include suspicious logic while in memory, allowing it to bypass most of the security systems it was tested against. This article continues to discuss the method developed by researchers at CyberArk Labs to generate malware using text that goes largely undetected by signature-based anti-malware products.