BlackMamba PoC Malware Uses AI to Avoid Detection

eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

HYAS researchers recently developed proof-of-concept (PoC) malware that leverages AI both to eliminate the need for command and control (C2) infrastructure and to generate new malware on the fly in order to evade detection algorithms.

The malware, dubbed “BlackMamba,” is the latest example of exploits that can evade even the most sophisticated cybersecurity products. While the HYAS researchers may have been wearing white hats, Mandiant researchers this week reported on a “suspected Chinese campaign that involves maintaining long term persistence by running malware on an unpatched SonicWall Secure Mobile Access (SMA) appliance. The malware has functionality to steal user credentials, provide shell access, and persist through firmware upgrades.”

In December, SafeBreach Labs researcher Or Yair discovered zero-day vulnerabilities in several EDR and antivirus tools, while in October, the BlackByte ransomware group was found to be actively exploiting a known driver vulnerability to bypass EDR protections.

See the top EDR and antivirus products

Leveraging OpenAI

The BlackMamba PoC will likely heighten concerns that AI tools can be used by cybercriminals to create new exploits.

“BlackMamba utilizes a benign executable that reaches out to a high-reputation API (OpenAI) at runtime, so it can return synthesized, malicious code needed to steal an infected user’s keystrokes,” HYAS principal security engineer Jeff Sims wrote in a blog post detailing the threat.

“It then executes the dynamically generated code within the context of the benign program using Python’s exec() function, with the malicious polymorphic portion remaining totally in-memory,” Sims added. “Every time BlackMamba executes, it re-synthesizes its keylogging capability, making the malicious component of this malware truly polymorphic.”

The keylogger collects sensitive information, including usernames, passwords and credit card numbers, then uses Microsoft Teams to exfiltrate the data, sending it to an attacker-controlled Teams channel.

The researchers say they tested the malware against an industry-leading EDR solution, which they were kind not to name, and it repeatedly failed to detect the threat.

Also read: Latest MITRE Endpoint Security Results Show Some Familiar Names on Top

A New Breed of Threat

“The threats posed by this new breed of malware are very real,” Sims warned. “By eliminating C2 communication and generating new, unique code at runtime, malware like BlackMamba is virtually undetectable by today’s predictive security solutions.”

BlackMamba serves as a vivid proof of concept for CyberArk’s warning earlier this year that OpenAI’s ChatGPT tool could be leveraged to create polymorphic malware that’s extremely difficult to detect.

More recently, Check Point researchers warned that cybercriminals are actively bypassing ChatGPT’s content filters by creating (and selling access to) Telegram bots that leverage ChatGPT’s API, which lacks the anti-abuse measures of ChatGPT’s user interface.

“As a result, it allows malicious content creation, such as phishing emails and malware code, without the limitations or barriers that ChatGPT has set on their user interface,” the Check Point researchers added.

Read next:

Get the Free Cybersecurity Newsletter

Strengthen your organization’s IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Jeff Goldman Avatar

Subscribe to Cybersecurity Insider

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.

Top Cybersecurity Companies

Top 10 Cybersecurity Companies

See full list

Get the Free Newsletter!

Subscribe to Cybersecurity Insider for top news, trends & analysis