
CTI Roundup: ChatGPT-Powered Infostealer Targets Cloud Platforms

Google Cloud releases its Q3 Threat Horizons report, BlueNoroff hacks macOS machines with ObjCShellz malware, and a ChatGPT-powered infostealer targets cloud platforms

Emerging Issue

In this week’s roundup, CTI provides key takeaways from Google Cloud’s Threat Horizons report for the third quarter of 2023. Next, CTI investigates North Korea’s BlueNoroff nation-state actor and its connection to a previously undocumented macOS malware called ObjCShellz. CTI also provides an overview of Predator AI, a new Python-based infostealer and hacktool that targets cloud services.

1. Google Cloud releases its Q3 Threat Horizons report

Google Cloud’s latest Threat Horizons report for the third quarter of 2023 is now available, offering cloud-specific research and recommendations from the company’s intelligence and security teams.

Of note, the report warns of multiple threat actors sharing a public proof-of-concept (PoC) exploit that leverages the Google calendar service to host C2 infrastructure.

Threat actors target data on cloud-hosted SaaS

As organizations continue to adopt cloud-hosted SaaS, the attack surface available to threat actors continues to expand. Over the last several months, Google has seen threat actors use a range of tactics to access and exfiltrate data from cloud-hosted SaaS systems. Google is also observing attacks in which threat actors exploit more than one system at a time.

Abusing Google Calendar to host C2 infrastructure

The report also mentions how threat actors are increasingly favoring legitimate cloud services to host malicious infrastructure. This is partly because public cloud services offer cheap and reliable infrastructure that enterprises trust. Threat actors use public cloud services to blend into large volumes of legitimate traffic and avoid detection.

For several years, threat actors have abused cloud-based storage to host campaign infrastructure, deliver malware, act as malware C2, and receive exfiltrated data. Abusing Google Calendar is the latest emerging trend. In June 2023, an independent developer published proof-of-concept code to GitHub for “Google Calendar RAT.” Google has not yet seen this Google Calendar RAT in the wild but has noted multiple threat actors sharing it on underground forums, which clearly indicates some level of interest.

This tool uses Google Calendar events for C2 purposes. It allows a threat actor to place commands in the event description field of calendar events. The Google Calendar RAT periodically polls the calendar event description for new commands, executes them, and updates the event description with the command output.

The developer of the malware claims that it communicates exclusively via legitimate Google infrastructure to evade detection.

Typosquatting abuse across cloud storage platforms

Threat actors are evolving their tactics to include typosquatting attacks on cloud storage platforms like Google Cloud Storage, Amazon S3, and Azure Blob.

Cloud storage names are globally unique within each cloud provider but are not bound to any particular organization. Because of this, a threat actor can register a bucket under a company’s name if that name is still available. Likewise, if the exact spelling of a company name is not available, a threat actor can resort to a typosquatted variant. In a survey, Google found that roughly 60% of organizations had one or more typosquatted cloud storage URLs.

Analyst comments from Tanium’s Cyber Threat Intelligence team

The discovery of the Google Calendar RAT PoC, although not yet observed in the wild, clearly demonstrates continued interest in abusing cloud services to blend in with legitimate traffic.

Google’s report goes on to discuss various TTPs for compromising cloud environments. What’s interesting is that its data indicates cloud victims are not compromised by groundbreaking, complex, or advanced attacks; compromises are most often the result of common and well-known TTPs. This helps defenders and security professionals decide where to prioritize detection efforts.

2. BlueNoroff hacks macOS machines with ObjCShellz malware

Researchers at Jamf Threat Labs have attributed a previously undocumented macOS malware called ObjCShellz to North Korea’s BlueNoroff nation-state actor. The malware is being used as part of the RustBucket malware campaign, which first came to light in April 2023.

Discovery and background

Jamf recently identified a new malware variant called ObjCShellz, which it has attributed to the BlueNoroff APT group. BlueNoroff is believed to be a subordinate element of the Lazarus Group and tends to carry out financially motivated attacks. The actor frequently targets capital firms, banks, and cryptocurrency exchanges.

Jamf discovered the new malware variant during routine threat hunting. In this case, it identified a Mach-O universal binary that was communicating with a domain previously determined to be malicious. The executable was not detected as malicious on VirusTotal when it was first discovered.

The binary, ProcessRequest, is ad-hoc signed and was observed communicating with swissborg[.]blog. The malware splits the C2 URL into two separate strings that are concatenated at runtime to evade static detection. This domain aligns with other activity previously associated with BlueNoroff, specifically the RustBucket campaign.

BlueNoroff’s RustBucket association

In the RustBucket campaign, the threat actor reaches out to a victim pretending to be interested in partnering with them or offering them something while posing as an investor or headhunter.

BlueNoroff then creates a domain that looks like it belongs to a legitimate crypto company in order to blend in with trusted network activity. The swissborg domain fits this pattern, since SwissBorg is the name of a legitimate cryptocurrency exchange.

The swissborg[.]blog domain was created in May 2023 and revealed several additional URLs being used for the malware’s communication. The domain also resolves to an IP address that has been previously associated with malware used by BlueNoroff.

Technical details

  • The malware is written in Objective-C. It’s a rather simple remote shell whose purpose is to execute shell commands sent from the attacker’s server.
  • Initial access is unconfirmed at this time, as the malware is used at a later stage to manually run commands after the system is already compromised.
  • The malware differs from other samples in the RustBucket campaign but still appears to provide a basic remote shell capability.
  • When executed, the malware calls a function titled sendRequest to send a POST request to a hardcoded swissborg URL. It then gathers information about the malware process itself before determining the macOS version.
  • The main function of the program initializes an instance of the ProcessRequest class and then sets up a repeating timer. The timer triggers the sendRequest method at regular intervals, so the network requests occur periodically.
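The timer-driven sendRequest loop described above produces a near-constant request interval, which is the property a defender can hunt for. The following is an added example, not code from Jamf or the malware: it runs a simple beacon check over constructed endpoint telemetry (process name, code-signing state, HTTP method, destination host), using the C2 domain named in the report and otherwise made-up timestamps and process names.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed telemetry (not real data): timestamp, process, signing state, method, host.
# The C2 host is the one named in the report; the browser traffic is invented noise.
SAMPLE_EVENTS = """\
2023-11-07T10:00:00Z ProcessRequest adhoc POST swissborg.blog
2023-11-07T10:00:30Z ProcessRequest adhoc POST swissborg.blog
2023-11-07T10:01:00Z ProcessRequest adhoc POST swissborg.blog
2023-11-07T10:01:30Z ProcessRequest adhoc POST swissborg.blog
2023-11-07T10:02:00Z ProcessRequest adhoc POST swissborg.blog
2023-11-07T10:00:07Z Safari developerid GET www.example.com
2023-11-07T10:00:41Z Safari developerid GET www.example.com
2023-11-07T10:03:05Z Safari developerid GET www.example.com
2023-11-07T10:03:09Z Safari developerid GET www.example.com
"""

def parse_events(text):
    """One record per line; returns (timestamp, process, signing, method, host) tuples."""
    out = []
    for line in text.splitlines():
        ts, proc, signing, method, host = line.split()
        out.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), proc, signing, method, host))
    return out

def find_beacons(events, min_requests=4, max_jitter=0.2):
    """Flag (process, host) pairs whose request spacing is near-constant.
    Jitter is the coefficient of variation of the gaps between consecutive requests."""
    stamps, signing_of = defaultdict(list), {}
    for ts, proc, signing, _method, host in events:
        stamps[(proc, host)].append(ts)
        signing_of[(proc, host)] = signing
    hits = []
    for key, times in stamps.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0 or pstdev(gaps) / avg > max_jitter:
            continue
        hits.append({"process": key[0], "host": key[1], "interval_s": avg,
                     "requests": len(times), "adhoc_signed": signing_of[key] == "adhoc"})
    return hits
```

An ad-hoc signed, non-browser process POSTing on a fixed cadence to a newly registered domain is the combination worth escalating; the thresholds here are starting points to tune against your own baseline.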

Analyst comments from Tanium’s Cyber Threat Intelligence team

This malware seems to be limited, offering a simple remote shell and executing shell commands it receives. Because of its simplicity and lack of data available regarding initial access, it’s believed to be used as a later-stage malware on a system that’s already compromised.

That said, it’s important to understand the various TTPs that BlueNoroff commonly uses. By familiarizing yourself with its TTPs, it’s possible to spot malicious activity well before ObjCShellz is deployed.

3. ChatGPT-powered infostealer targets cloud platforms

Researchers have discovered a Python-based infostealer and hacktool called Predator AI that targets cloud services.

Predator AI’s developer implemented a ChatGPT-driven class into the Python script to make the tool easier to use and serve as a single text-driven interface between features. The infostealer does not appear to be production-ready yet but does illustrate how threat actors are beginning to realistically incorporate AI to improve their workflows.

What is Predator AI?

Predator AI is being advertised on various Telegram channels related to hacking. Its main purpose is to facilitate web app attacks against a range of technologies like content management systems and cloud email services like Amazon Simple Email Service (SES). It is a multi-purpose tool that is still under active development.

Technical details about Predator AI

  • Predator is a Python application with over 11,000 lines of code.
  • It runs through a Tkinter-based GUI. There is no standalone command line interface mode, which sets it apart from many other similar tools.
  • The script has 13 defined global classes that segment various features. This includes inflating the size of a file, creating fake error messages, building an infostealer as a Windows PE, querying the OpenAI API, and more.
  • Predator’s web app attacks look for common weaknesses, misconfigurations, and vulnerabilities. It targets technologies like Drupal, Joomla, Laravel, Magento, OpenCart, osCommerce, PrestaShop, vBulletin, and WordPress.

The GPTj class

The GPTj class contains the actual Predator AI features. It is a chat-like text processing interface that connects the user to Predator’s features, and it looks for local solutions before querying the OpenAI API in order to reduce API consumption.

The GPTj class searches the user’s input for strings associated with a known use case. SentinelOne found over 100 cases where Predator handled the data either internally or through a free third-party service. The class also contains some partially implemented utilities related to both AWS SES and Twilio, along with utilities to gather information about IP addresses and phone numbers. Predator only queries the ChatGPT API if there is no known use case to handle the received input.

AWS features

This core utility is currently present within the script. However, not all AWS-related functions are available. SentinelOne believes this is likely because the features are still being developed.

The script will parse the input for the presence of aws.c and will call the following functions if present:

  • Check all email accounts in an AWS SES environment.
  • Check send quotas.
  • Create a new account, assign administrative privileges, and delete the old account.
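The third item, creating a new identity, granting it administrative privileges and deleting the old one, leaves a distinctive sequence in CloudTrail, and the two SES checks before it show up as identity and quota enumeration. The following is an added example and not SentinelOne’s or Predator’s code: it correlates those API calls per principal over constructed CloudTrail-style records (the account id, user names and timestamps are placeholders; the event names, `requestParameters` fields and the AdministratorAccess policy ARN are the real ones CloudTrail records).

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
SES_RECON = {"ListIdentities", "GetSendQuota"}   # SES identity and quota enumeration

# Constructed CloudTrail-style records (not real telemetry; account id is a placeholder).
ACTOR = "arn:aws:iam::123456789012:user/ci-deploy"
SAMPLE_TRAIL = json.loads("""[
 {"eventTime":"2023-11-07T10:00:00Z","eventName":"ListIdentities","requestParameters":null},
 {"eventTime":"2023-11-07T10:00:03Z","eventName":"GetSendQuota","requestParameters":null},
 {"eventTime":"2023-11-07T10:00:20Z","eventName":"CreateUser","requestParameters":{"userName":"svc-backup"}},
 {"eventTime":"2023-11-07T10:00:25Z","eventName":"AttachUserPolicy",
  "requestParameters":{"userName":"svc-backup","policyArn":"arn:aws:iam::aws:policy/AdministratorAccess"}},
 {"eventTime":"2023-11-07T10:00:40Z","eventName":"DeleteUser","requestParameters":{"userName":"ops-legacy"}}
]""")
for _e in SAMPLE_TRAIL:                    # every sample event comes from the same principal
    _e["userIdentity"] = {"arn": ACTOR}

def _t(e):
    return datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def detect_account_swap(events, window=timedelta(minutes=10)):
    """Per principal: CreateUser -> AttachUserPolicy(AdministratorAccess) on that new user
    -> DeleteUser of a different user, all inside `window`; SES recon is reported as context."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=_t):
        by_actor[e["userIdentity"]["arn"]].append(e)
    findings = []
    for actor, evs in by_actor.items():
        created, new_admins, recon = {}, set(), set()
        for e in evs:
            name, t, p = e["eventName"], _t(e), e.get("requestParameters") or {}
            if name in SES_RECON:
                recon.add(name)
            elif name == "CreateUser":
                created[p.get("userName")] = t
            elif name == "AttachUserPolicy" and p.get("policyArn") == ADMIN_POLICY:
                u = p.get("userName")
                if u in created and t - created[u] <= window:
                    new_admins.add(u)
            elif name == "DeleteUser" and new_admins:
                victim = p.get("userName")
                if victim not in new_admins and all(t - created[u] <= window for u in new_admins):
                    findings.append({"actor": actor, "new_admins": sorted(new_admins),
                                     "deleted_user": victim, "ses_recon": recon == SES_RECON})
    return findings
```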

About the StealerBuilder class

The StealerBuilder class contains the configuration variables needed to build an infostealer. Last month the developer posted a video detailing the stealer build process. The developer also claims that the resulting executable is fully undetectable.

The stealer can be configured to use either Discord or Telegram webhooks for its C2 communication.

Analyst comments from Tanium’s Cyber Threat Intelligence team

The emergence of something like Predator AI is nothing short of expected given the buzz around AI/LLM.

While this tool is a step towards increased adoption of AI by threat actors, Predator AI is only somewhat functional. As SentinelOne notes, at this point the integration doesn’t substantially increase an attacker’s capability.


Tanium CTI

Tanium's Cyber Threat Intelligence (CTI) analysts process and extract trends from the daily cyber landscape to curate and deliver current intel to stakeholders around threats impacting business and security.
