After WormGPT and FraudGPT, DarkBERT and DarkBART are on the Horizon
Reports last month of the WormGPT and FraudGPT AI chatbots were the latest examples of bad actors leveraging the accelerated work being done in the generative AI field with applications like ChatGPT to create malicious tools that become available on the dark web.
According to cybersecurity firm SlashNext, the creator of WormGPT – and possibly of FraudGPT – is busy at work creating the next versions that will have advanced features like internet access and integration with Google Lens, the IT giant’s image recognition technology. The chatbots’ developers will likely also soon offer API access, SlashNext wrote in a report today.
The rise of these malicious chatbots – DarkBART and DarkBERT – underscores the effort by threat actors to evolve the AI capabilities of their tools to launch business email compromise (BEC) and other attacks.
“While it’s difficult to accurately gauge the true impact of these capabilities, it’s reasonable to expect that they will lower the barriers for aspiring cybercriminals,” Daniel Kelley, the reformed black hat hacker who helped SlashNext expose WormGPT in mid-June, wrote in the report. “Moreover, the rapid progression from WormGPT to FraudGPT and now ‘DarkBERT’ in under a month underscores the significant influence of malicious AI on the cybersecurity and cybercrime landscape.”
Looking into FraudGPT, which was reported in late July by cybersecurity firm Netenrich, Kelley said the tool was promoted by someone with the online handle “CanadianKingpin12” and targeted at fraudsters, hackers and spammers.
CanadianKingpin12 initially tried to sell FraudGPT on smaller cybercrime forums on the general internet, but after running into roadblocks, shifted to pushing it on Telegram, the encrypted service often used by cybercriminals, Kelley wrote. As Netenrich noted, the tool is being offered to bad actors on a subscription basis and includes a range of features, from writing malicious code and building hard-to-detect malware to creating hacker tools and phishing pages for launching BEC attacks, finding leaks and vulnerabilities and learning to code and hack.
Going to the Source
Kelley contacted CanadianKingpin12 and posed as a potential buyer to get more information about FraudGPT and how it stacked up against WormGPT (FraudGPT was significantly better, he was told). Kelley noted that the chatbots shared “foundational similarities,” adding that “while [CanadianKingpin12] didn’t explicitly admit to being responsible for both, it does seem like a plausible scenario because, throughout our communication, it became clear that they could facilitate the sale of both products.”
It was during the conversation that CanadianKingpin12 brought up DarkBART and DarkBERT, he wrote, noting that the integration with Google Lens meant the chatbots will be able to send images along with text.
Some Discrepancies
That said, there was some confusion about what CanadianKingpin12 was saying. According to Kelley, the chatbot developer first said they were developing a bot named DarkBERT, but then later said they already had access to it. Kelley wrote that it seemed likely that CanadianKingpin12 used a language model called DarkBERT for malicious purposes.
DarkBERT is a language model developed earlier by data intelligence company S2W Security that was trained on data from the dark web with the goal of pushing back against cybercrime rather than enabling it. However, a video shown to Kelley by CanadianKingpin12 talked about DarkBERT as a chatbot used for malicious purposes.
“This discrepancy raises concerns behind the use of ‘DarkBERT’ in this context and suggested that ‘CanadianKingpin12’ may be exploiting S2W’s version of ‘DarkBERT’ while misleadingly presenting it as their own creation,” he wrote.
That raises the question of how the hacker was able to access the language model. S2W researchers are making it available to academics who are able to prove their bona fides by submitting a request that includes the user’s name and institution and an email address for the user that matches the institution.
Getting such an email address wouldn’t be difficult, Kelley wrote. Getting one from a dark web forum would cost $3.00 or so.
A Menu of Threats
Kelley also said CanadianKingpin12 told him that DarkBERT would be able to help hackers who buy it to run advanced social engineering attacks, exploit vulnerabilities in systems (including those in critical infrastructures), create and distribute ransomware and other malware, and run phishing campaigns.
They also will be able to provide information about zero-day vulnerabilities.
The eventual addition of API access also is a problem, Kelley wrote, because it will “greatly simplify the process of integrating these tools into cybercriminals’ workflows and code. Such progress raises significant concerns about potential consequences, as the use cases for this type of technology will likely become increasingly intricate.”