Credential theft malware with AI

After reading a bunch of articles on this topic, I thought, surely, it’s not THIS simple to write malware!

…So I started experimenting.

Before I get into it, I can safely state I have no programming skills whatsoever, thus making this an interesting test to see if I can have AI create malware for me.

Credential access is a very common and important step in a ton of breaches, and there are various ways to do so. I just picked a keylogger.


Clearly there is more to a breach than this but that’s out of scope here.


Now, back to the programming task at hand, ChatGPT being helpful as ever.

It does point out the ethics of my question but subsequently gives me the code that I asked for.

Since this is a rudimentary POC I just want to store the credentials in a local file, nothing fancy, just basic functionality for now.

We’re about 2 minutes in now. The next step is that I want this process to run in the background since it should be invisible for users.

I cropped this image for brevity purposes but it did give me a method to do exactly what I asked for, and after testing it indeed worked as expected.

Now, I want to move away from using a python script and want an actual program that can run on any Mac.

Sure enough, it gave me a few easy steps to accomplish this.

With this done, we went back and forth on the code itself trying different methods to evade detection mechanisms. After all, I already had a way to compile it into a program.

Every time I asked it to do more ‘questionable’ things to the code it kept reminding me of those pesky ethics before giving me the information I was after!

So obviously I told it to not talk about ethics again. After all, it’s not helpful for me.

Now getting to the final product, in my typical non-programmer way, I asked it to ensure it was fully hidden from the user.

Since the key-logging process is hidden, I want to make sure that when the file is opened, it does “something” to avoid suspicion.

Again, as a rudimentary POC, I wanted it to open a real application whilst performing the real tasks in the background, so I chose calculator and simply named my program 'calculator'.

After some testing I can confirm I now have an application that can run on a Mac.

Once opened, it starts a calculator but runs an invisible key-logging process in the background whilst dumping the keystrokes to a file.

Including the back and forth prompting on evasion techniques, it took me well under an hour to get from nothing to a fully functional, albeit basic keylogger.

There are plenty of things to do to make it more useful. I could add some code that uploads the keystrokes to a remote server using encrypted web traffic, I could work on process injection techniques to hide it better and I can think of various other functions that would add value as a hacker but that’s not the point of this article.

My main goal here is to show how easy and cheap it is to (ab)use Generative AI for nefarious purposes, not so much to write the world’s fanciest keylogger.

The consequences of this being possible with Generative AI are that it dramatically lowers the barrier to get into hacking, it increases the volume of sophisticated attacks and it speeds up the phases of these attacks thus giving defenders less time to respond.

Without the skills requirement it enables criminal organizations to add hacking / the digital domain as just another one of their profit centers.

Whilst there is no silver bullet here, there is plenty to do to safeguard against AI-augmented attacks.

I’m happy to elaborate through other means, feel free to reach out.
