mac - X-Industry - Red Sky Alliance2024-03-29T11:01:42Zhttps://redskyalliance.org/xindustry/feed/tag/macChatting Crimeshttps://redskyalliance.org/xindustry/chatting-crimes2023-01-11T13:00:00.000Z2023-01-11T13:00:00.000ZBill Schenkelberghttps://redskyalliance.org/members/BillSchenkelberg<div><p><a href="{{#staticFileLink}}10928760852,RESIZE_584x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}10928760852,RESIZE_400x{{/staticFileLink}}" alt="10928760852?profile=RESIZE_400x" width="250" /></a>At the end of November 2022, OpenAI released ChatGPT, the new interface for its Large Language Model (LLM), which instantly created a flurry of interest in AI and its possible uses. However, ChatGPT has also added some spice to the modern cyber threat landscape as it quickly became apparent that code generation can help less-skilled threat actors effortlessly launch cyber-attacks.</p>
<p>Check Point Research’s (CPR) previously reported and described how ChatGPT successfully conducted a full infection flow, from creating a convincing spear-phishing email to running a reverse shell, capable of accepting commands in English. The question at hand is whether this is just a hypothetical threat or if there are already threat actors using OpenAI technologies for malicious purposes.<a href="#_ftn1">[1]</a></p>
<p>CPR’s analysis of several major underground hacking communities shows that there are already first instances of cyber criminals using OpenAI to develop malicious tools. As suspected, some of the cases clearly showed that many cyber criminals were using OpenAI who have no development skills at all. Although the tools presented are pretty basic, it is only a matter of time until more sophisticated threat actors enhance the way they use AI-based tools for bad purposes.</p>
<p><a href="{{#staticFileLink}}10928772458,RESIZE_584x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}10928772458,RESIZE_400x{{/staticFileLink}}" alt="10928772458?profile=RESIZE_400x" width="400" /></a>Figure 1. Cybercriminal showing how he created infostealer using ChatGPT</p>
<p>Case 1 – Creating Infostealer: On 29 December 2022, a thread named “ChatGPT – Benefits of Malware” appeared on a popular underground hacking forum. The publisher of the thread disclosed that he was experimenting with ChatGPT to recreate malware strains and techniques described in research publications and write-ups about common malware. As an example, he shared the code of a Python-based stealer that searches for common file types, copies them to a random folder inside the Temp folder, ZIPs them and uploads them to a hardcoded FTP server.</p>
<p>Analysis showed the script confirmed the cybercriminal’s claims. This is indicated a basic stealer which searches for 12 common file types (such as MS Office documents, PDFs, and images) across the system. If any files of interest are found, the malware copies the files to a temporary directory, zips them, and sends them over the web. It is worth noting that the actor did not bother encrypting or sending the files securely, so the files might end up in the hands of 3rd parties.</p>
<p><a href="{{#staticFileLink}}10928775664,RESIZE_400x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}10928775664,RESIZE_400x{{/staticFileLink}}" alt="10928775664?profile=RESIZE_400x" width="372" /></a>Figure 2. Proof of how he created Java program that downloads PuTTY and runs it using Powershell</p>
<p>The second sample this actor created using ChatGPT is a simple Java fragment. It downloads PuTTY, a very common SSH and telnet client, and runs it covertly on the system using Powershell. This script can of course be modified to download and run any program, including common malware families.</p>
<p>This threat actor’s prior forum participation includes sharing several scripts like automation of the post-exploitation phase, and a C++ program that attempts to phish for user credentials. In addition, he actively shares cracked versions of SpyNote, an Android RAT malware. So, this individual seems to be a tech-oriented threat actor, and the purpose of his posts is to show less technically capable cyber criminals how to utilize ChatGPT for malicious purposes, with real examples they can immediately use.</p>
<p>Case 2 – Creating an Encryption Tool: On 21 December 2022, a threat actor called USDoD posted a Python script, which he emphasized was the first script he ever created.</p>
<p><a href="{{#staticFileLink}}10928774897,RESIZE_400x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}10928774897,RESIZE_400x{{/staticFileLink}}" alt="10928774897?profile=RESIZE_400x" width="379" /></a>Figure 3. Cybercriminal called USDoD posts multi-layer encryption tool</p>
<p>When another cybercriminal commented that the style of the code resembles openAI code, USDoD confirmed that the OpenAI gave him a “nice [helping] hand to finish the script with a nice scope.”</p>
<p><a href="{{#staticFileLink}}10928775273,RESIZE_584x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}10928775273,RESIZE_400x{{/staticFileLink}}" alt="10928775273?profile=RESIZE_400x" width="400" /></a>Figure 4. Confirmation that the multi-layer encryption tool was created using Open AI</p>
<p> </p>
<p>Our analysis of the script verified that it is a Python script that performs cryptographic operations. To be more specific, it is actually a mixture of different signing, encryption and decryption functions. The script seems benign, but it implements a variety of different functions:</p>
<ul>
<li>The first part of the script generates a cryptographic key (specifically uses elliptic curve cryptography and the curve ed25519), that is used in signing files.</li>
<li>The second part of the script includes functions that use a hard-coded password to encrypt files in the system using the Blowfish and Twofish algorithms concurrently in a hybrid mode. These functions allow the user to encrypt all files in a specific directory or a list of files.</li>
<li>The script also uses RSA keys, uses certificates stored in PEM format, MAC signing, and blake2 hash function to compare the hashes etc.</li>
</ul>
<p>All the decryption counterparts of the encryption functions are implemented in the script as well. The script includes two main functions; one which is used to encrypt a single file and append a message authentication code (MAC) to the end of the file and the other encrypts a hardcoded path and decrypts a list of files that it receives as an argument.</p>
<p>All of the above described code can of course be used in a benign fashion. However, this script can easily be modified to encrypt someone’s machine completely without any user interaction. For example, it can potentially turn the code into ransomware if the script and syntax problems are fixed.</p>
<p>While it seems that UsDoD is not a developer and has limited technical skills, he is a very active and reputable member of the underground community. UsDoD is engaged in a variety of illicit activities that includes selling access to compromised companies and stolen databases. A notable stolen database USDoD shared recently was allegedly the leaked InfraGard database.</p>
<p><a href="{{#staticFileLink}}10928774455,RESIZE_584x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}10928774455,RESIZE_400x{{/staticFileLink}}" alt="10928774455?profile=RESIZE_400x" width="400" /></a>Figure 5. USDoD previous illicit activity that involved publication of InfraGard Database</p>
<p><a href="{{#staticFileLink}}10928778875,RESIZE_400x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}10928778875,RESIZE_400x{{/staticFileLink}}" alt="10928778875?profile=RESIZE_400x" width="394" /></a>Figure 6. Threat actor using ChatGPT to create DarkWeb Market scripts</p>
<p>Case 3 – Facilitating ChatGPT for Fraud Activity: Another example of the use of ChatGPT for fraudulent activity was posted on New Year’s Eve of 2022, and it demonstrated a different type of cybercriminal activity. While our first two examples focused more on malware-oriented use of ChatGPT, this example shows a discussion with the title “Abusing ChatGPT to create Dark Web Marketplaces scripts.” In this thread, the cybercriminal shows how easy it is to create a Dark Web marketplace, using ChatGPT. The marketplace’s main role in the underground illicit economy is to provide a platform for the automated trade of illegal or stolen goods like stolen accounts or payment cards, malware, or even drugs and ammunition, with all payments in cryptocurrencies. </p>
<p>To illustrate how to use ChatGPT for these purposes, the cybercriminal published a piece of code that uses third-party API to get up-to-date cryptocurrency (Monero, Bitcoin and Etherium) prices as part of the Dark Web market payment system.</p>
<p>At the beginning of 2023, several threat actors opened discussions in additional underground forums that focused on how to use ChatGPT for fraudulent schemes. Most of these focused on generating random art with another OpenAI technology (DALLE2) and selling them online using legitimate platforms like Etsy. In another example, the threat actor explains how to generate an e-book or short chapter for a specific topic (using ChatGPT) and sells this content online.</p>
<p><a href="{{#staticFileLink}}10928778285,RESIZE_584x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}10928778285,RESIZE_400x{{/staticFileLink}}" alt="10928778285?profile=RESIZE_400x" width="400" /></a>Figure 7. Multiple threads in the underground forums on how to use ChatGPT for fraud activity</p>
<p>Summary: It is still too early to decide whether or not ChatGPT capabilities will become the new favorite tool for participants in the Dark Web. However, the cyber criminal community has already shown significant interest and are jumping into this latest trend to generate malicious code. </p>
<p>Finally, there is no better way to learn about ChatGPT abuse than by asking ChatGPT itself. So we asked the chatbot about the abuse options and received a pretty interesting answer:</p>
<p><a href="{{#staticFileLink}}10928770492,RESIZE_584x{{/staticFileLink}}"><img class="align-full" src="{{#staticFileLink}}10928770492,RESIZE_584x{{/staticFileLink}}" alt="10928770492?profile=RESIZE_584x" width="407" /></a> Figure 8. ChatGPT response about how threat actors abuse openAI</p>
<p>Interesting, huh? Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a> </p>
<p> Weekly Cyber Intelligence Briefings:</p>
<ul>
<li>Reporting: https://www. redskyalliance. org/ </li>
<li>Website: https://www. wapacklabs. com/ </li>
<li>LinkedIn: https://www. linkedin. com/company/64265941 </li>
</ul>
<p>Weekly Cyber Intelligence Briefings:</p>
<p>REDSHORTS - Weekly Cyber Intelligence Briefings</p>
<p><a href="https://attendee.gotowebinar.com/register/5504229295967742989">https://attendee.gotowebinar.com/register/5504229295967742989</a> </p>
<p><a href="#_ftnref1">[1]</a> <a href="https://research.checkpoint.com/2023/opwnai-cybercriminals-starting-to-use-chatgpt/">https://research.checkpoint.com/2023/opwnai-cybercriminals-starting-to-use-chatgpt/</a></p></div>ThiefQuest is Targeting Macshttps://redskyalliance.org/xindustry/thiefquest-is-targeting-macss2020-08-04T21:26:36.000Z2020-08-04T21:26:36.000ZMac McKeehttps://redskyalliance.org/members/MacMcKee<div><p><a href="{{#staticFileLink}}7226718075,RESIZE_930x{{/staticFileLink}}"><img class="align-left" src="{{#staticFileLink}}7226718075,RESIZE_400x{{/staticFileLink}}" width="250" alt="7226718075?profile=RESIZE_400x" /></a>Mac devices are currently targeted by new ransomware, which is more sinister than before. But its true purpose may be hidden. According to <a href="https://arstechnica.com/information-technology/2020/07/new-mac-ransomware-is-even-more-sinister-than-it-appears/?comments=1">Arstechnica</a>'s latest report, the new Mac ransomware is called ThiefQuest or EvilQuest. It is a data wiper and info-stealer that is using ransomware as a decoy. It is more dangerous because it steals credit card numbers and passwords. The victims get infected after downloading trojanized installers of popular apps from torrent trackers.</p><p>While not common, ransomware has been known to target the macOS platform in the past, with <a href="https://www.bleepingcomputer.com/tag/keranger/">KeRanger</a>, <a href="https://securelist.com/unfinished-ransomware-for-macos-x/66760/">FileCoder</a> (aka <a href="https://blog.malwarebytes.com/cybercrime/2017/02/decrypting-after-a-findzip-ransomware-infection/">Findzip</a>), and <a href="https://www.welivesecurity.com/2017/02/22/new-crypto-ransomware-hits-macos/">Patcher </a>being three other examples of malware designed to encrypt Mac systems. Since the first full-fledged Mac ransomware appeared only four years ago, there have not been too many strains explicitly developed to attack Apple's Mac computers. However, the danger of ransomware may seem ubiquitous. Mac ransomware's danger became more sinister after the findings of a new Mac ransomware were published on 30 June 2020, by Dinesh Devadoss, a malware researcher at firm K7 Lab.</p><p>Devadoss discovered that ThiefQuest includes the capability to check if it is running in a virtual machine (more of a sandbox check), and it features anti-debug capabilities. It also checks for some common security tools (Little Snitch) and antimalware solutions (Kaspersky, Norton, Avast, DrWeb, Mcaffee, Bitdefender, and Bullguard) and opens a reverse shell used for communication with its command-and-control (C2) server as VMRay. The malware will connect to <em><a href="http://andrewka6.pythonanywhere">http://andrewka6.pythonanywhere</a>[.]com/ret.txt</em> to get the IP address of the C2 server to download further files and send data. Armed with these capabilities the attacker can maintain full control over an infected host.</p><p>Devadoss also posted the findings on his Twitter account <a href="https://twitter.com/dineshdina04/status/1277668001538433025">@dineshdina04</a>; “Showing how the new Mac ransomware gets more interesting. The ransomware, which was originally named as EvilQuest, was changed to ThiefQuest after the security researchers discovered the Steam game series of the same name.”</p><p>According to the report, ThiefQuest has a whole other set of spyware abilities that allow it to search the system for cryptocurrency wallet data and passwords, as well as exfiltrate files from an infected device or computer. It can also run a robust keylogger to steal credit card numbers, passwords, or other financial information as an individual type it in the device.</p><p>According to <a href="https://arstechnica.com/information-technology/2020/07/new-mac-ransomware-is-even-more-sinister-than-it-appears/?comments=1">Arstechnica</a>, the new Mac ransomware can remain active even after the computer reboots, by lurking persistently as a backdoor on infected devices. This may be used for additional or second stage attacks as a launch pad.</p><p>The report clarified that ThiefQuest can only infect your Mac device if a pirated, unvetted software or application is installed. The director of Mac and mobile platforms at the security firm Malwarebytes, Thomas Reed, found out that torrent sites are used to distribute ThiefQuest bundled with name-brand software, like the security app Little Snitch, music production platform Ableton, and DJ software Mixed in Key.</p><p>The victims are asked to pay a $50 ransom in bitcoins within three days (72 hours) to recover their encrypted files and are directed to read a ransom note saved on their desktops. Suspiciously, ThiefQuest is using the same static Bitcoin address for all victims and does not contain an email address to contact after payment has been made. This makes it impossible for the attackers to identify victims who paid the ransom, and for a victim to contact the ransomware operators for a decryptor. Combining a static Bitcoin address with a lack of contact methods is a strong indication that the ransomware is a wiper instead. Wipers, though, are usually used as a cover for some other malicious activity.</p><p>Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice. However, external threats are often overlooked and can represent an early warning of impending attacks.</p><p>Red Sky Alliance can provide both internal monitoring in tandem with RedXray notifications on external threats to include, botnet activity, public data breaches, phishing, fraud, and general targeting.</p><p>Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or <a href="mailto:feedback@wapacklabs.com">feedback@wapacklabs.com</a></p><p> </p><ul><li>Reporting: <a href="https://www.redskyalliance.org/">https://www.redskyalliance.org/</a></li><li>Website: <a href="https://www.wapacklabs.com/">https://www.wapacklabs.com/</a></li><li>LinkedIn: <a href="https://www.linkedin.com/company/64265941">https://www.linkedin.com/company/64265941</a> </li></ul><p><a href="{{#staticFileLink}}7226765678,original{{/staticFileLink}}">TR-20-217-002_ThiefQuest.pdf</a></p></div>