HYAS researchers recently developed proof-of-concept (PoC) malware that leverages AI both to eliminate the need for command and control (C2) infrastructure and to generate new malware on the fly in order to evade detection algorithms.<\/p>\n\n\n\n
The malware, dubbed “BlackMamba,” is the latest example of exploits that can evade even the most sophisticated cybersecurity products. While the HYAS researchers may have been wearing white hats, Mandiant researchers this week reported<\/a> on a “suspected Chinese campaign that involves maintaining long term persistence by running malware on an unpatched SonicWall Secure Mobile Access (SMA) appliance. The malware has functionality to steal user credentials, provide shell access, and persist through firmware upgrades.”<\/p>\n\n\n\n In December, SafeBreach Labs researcher Or Yair discovered zero-day vulnerabilities<\/a> in several EDR and antivirus tools, while in October, the BlackByte ransomware group was found to be actively exploiting a known driver vulnerability<\/a> to bypass EDR protections.<\/p>\n\n\n\n See the top <\/em>EDR<\/em><\/a> and <\/em>antivirus<\/em><\/a> products<\/em><\/p>\n\n\n\n The BlackMamba PoC will likely heighten concerns that AI tools can be used by cybercriminals to create new exploits.<\/p>\n\n\n\n “BlackMamba utilizes a benign executable that reaches out to a high-reputation API (OpenAI) at runtime, so it can return synthesized, malicious code needed to steal an infected user’s keystrokes,” HYAS principal security engineer Jeff Sims wrote in a blog post<\/a> detailing the threat.<\/p>\n\n\n\n “It then executes the dynamically generated code within the context of the benign program using Python’s exec() function, with the malicious polymorphic portion remaining totally in-memory,” Sims added. “Every time BlackMamba executes, it re-synthesizes its keylogging capability, making the malicious component of this malware truly polymorphic.”<\/p>\n\n\n\n The keylogger collects sensitive information, including usernames, passwords and credit card numbers, then uses Microsoft Teams to exfiltrate the data, sending it to an attacker-controlled Teams channel.<\/p>\n\n\n\n The researchers say they tested the malware against an industry-leading EDR solution, which they were kind not to name, and it repeatedly failed to detect the threat.<\/p>\n\n\n\n Also read: Latest MITRE Endpoint Security Results Show Some Familiar Names on Top<\/a><\/p>\n\n\n\n “The threats posed by this new breed of malware are very real,” Sims warned. “By eliminating C2 communication and generating new, unique code at runtime, malware like BlackMamba is virtually undetectable by today’s predictive security solutions.”<\/p>\n\n\n\n BlackMamba serves as a vivid proof of concept for CyberArk’s warning earlier this year<\/a> that OpenAI’s ChatGPT tool could be leveraged to create polymorphic malware that’s extremely difficult to detect.<\/p>\n\n\n\nLeveraging OpenAI<\/h2>\n\n\n\n
A New Breed of Threat<\/h2>\n\n\n\n