
Unleashing the Power: Malicious LLMs Equip Novice Hackers with Sophisticated Tools


Recent advancements in large language models (LLMs) such as WormGPT 4 and KawaiiGPT are enhancing their ability to generate malicious code, including functional scripts for ransomware encryptors and lateral movement.

An experiment conducted by researchers at Palo Alto Networks Unit 42 focused on these two LLMs, which are gaining popularity among cybercriminals either through paid subscriptions or free local instances.

Originally introduced in 2023, the WormGPT model was reportedly discontinued the same year. However, WormGPT 4 made a comeback in September, offering an uncensored ChatGPT variant specifically trained for cybercrime operations at a cost of $50/month or $220 for lifetime access.


On the other hand, KawaiiGPT is a free, community-driven alternative discovered in July this year. It excels in generating well-crafted phishing messages and automating lateral movement through the creation of ready-to-run scripts.

Exploring WormGPT 4’s capabilities

The Unit 42 researchers delved into the WormGPT 4 LLM’s potential to develop ransomware code capable of encrypting all PDF files on a Windows host.

The tool generated a PowerShell script that could be customized to search for specific file extensions in designated paths and encrypt data using the AES-256 algorithm.

Figure: The encryption script in action (Source: Unit 42)

Notably, the generated code included an option to exfiltrate data via Tor, demonstrating a practical approach to operational requirements.

Additionally, WormGPT 4 produced a compelling ransom note with claims of “military-grade encryption” and a 72-hour payment deadline before doubling the demand.

Figure: The ransom note created by WormGPT 4 (Source: Unit 42)

According to the researchers, “WormGPT 4 offers credible linguistic manipulation for Business Email Compromise (BEC) and phishing attacks,” enabling even less skilled attackers to engage in sophisticated attacks traditionally executed by experienced threat actors.


Understanding KawaiiGPT’s functionalities

Unit 42 researchers tested version 2.5 of KawaiiGPT, another LLM documented this year, and found that setting it up on a Linux system takes only five minutes.

Figure: Example of a phishing email generated by KawaiiGPT (Source: Unit 42)

During the testing phase, the researchers directed KawaiiGPT to create various scripts, including spear-phishing messages with domain spoofing, Python scripts for lateral movement, and data exfiltration routines.

Figure: Data exfiltration function produced by KawaiiGPT (Source: Unit 42)

While KawaiiGPT did not demonstrate encryption routines or functional ransomware payloads like WormGPT 4, its command execution capabilities could enable attackers to escalate privileges, steal data, and deploy additional payloads.

Both WormGPT 4 and KawaiiGPT have garnered a significant number of subscribers on their dedicated Telegram channels, fostering a community that shares insights and advice.

Unit 42 warns, “The utilization of malicious LLMs by attackers is a growing concern in the cybersecurity landscape,” emphasizing that these tools pose a tangible threat rather than a theoretical one.

By leveraging these LLMs, inexperienced attackers can execute complex attacks more efficiently, reducing the time required for victim research and tool development. Furthermore, the models produce sophisticated phishing messages that lack the typical errors seen in traditional scams.
