Check Point Research demonstrates that AI assistants with web-browsing and URL-fetch capabilities (Grok and Microsoft Copilot in the PoC) can be abused as covert command-and-control relays: a prompt makes the model fetch an attacker-controlled URL and return its content, giving bidirectional C2 through the provider's own domain without any API key or account. Combined with a WebView2-based implant and prompt-driven workflows, this yields AI-driven malware that decides its own actions, prioritizes targets and data, and evades controls built around conventional C2 infrastructure. #Grok #MicrosoftCopilot
Keypoints
- Check Point Research demonstrated using the Grok and Microsoft Copilot web interfaces as covert C2 relays by embedding attacker-controlled URLs in prompts and parsing the AI's responses.
- The PoC used a fake HTTPS "Siamese cat" website: host reconnaissance left the victim in URL query parameters, and executable commands came back inside the AI's summary of the fetched page.
- Malware can run this flow headlessly by embedding a browser (WebView2) in a native app to load the AI web UI, submit prompts, parse the responses, and execute the returned commands (the PoC launched calc.exe).
- Simply encoding or encrypting the query data bypassed model-side safeguards, and because the web UI is reachable anonymously there is no API key or account for the provider to revoke as a kill switch.
- AI-driven malware shifts decision logic from static code to model-driven prompts, enabling dynamic triage, target prioritization, and adaptive tactics (anti-sandbox behaviour, selective exfiltration, targeted ransomware or wipers).
- Mitigation needs both sides: AI providers hardening web-fetch features, and defenders treating AI assistant domains as sensitive egress, with monitoring and hunting for automated rather than interactive usage.
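The write-up's observation that encoded or encrypted query data slips past model-side checks suggests the inverse heuristic for providers: treat opaque blobs in a URL the assistant is asked to fetch as the signal. The following is an added example of such a provider-side fetch guard; it is not Check Point's code and not any provider's actual filter. The cats.example domain, the recon record, the benign URL and the thresholds are constructed assumptions; only the parameter name my_breed_data comes from the write-up.

```python
"""Screening URLs that an AI assistant is asked to fetch (provider side).

Added example; not Check Point's code nor any provider's real filter.
Each query-string value is scored for signs of smuggled data: base64/hex
looking blobs and high Shannon entropy. The sample URLs, the cats.example
domain and the recon payload are constructed; the parameter name
my_breed_data comes from the write-up. Thresholds are assumed starting
points, not calibrated values.
"""
import base64
import math
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

MIN_BLOB_LEN = 32        # shorter values are ordinary parameters
ENTROPY_THRESHOLD = 4.5  # bits/char; prose ~4.0-4.4, base64 of ciphertext ~6.0

B64_RE = re.compile(r"^[A-Za-z0-9+/_-]+={0,2}$")  # standard or URL-safe alphabet
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def shannon_entropy(s: str) -> float:
    """Shannon entropy of `s` in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_encoded(value: str) -> bool:
    """True for long values drawn entirely from a hex or base64 alphabet."""
    if len(value) < MIN_BLOB_LEN:
        return False
    if HEX_RE.match(value):
        return True
    # Unpadded base64 length is never congruent to 1 mod 4.
    return bool(B64_RE.match(value)) and len(value.rstrip("=")) % 4 != 1


def screen_fetch_url(url: str) -> dict:
    """Return {"allowed": bool, "reasons": [...]} for a requested fetch.

    Only the query string is inspected. Path segments and the fragment can
    carry data just as well, so a production guard would score those too.
    """
    query = urlsplit(url).query
    reasons = []
    for pair in (query.split("&") if query else []):
        name, _, raw = pair.partition("=")
        value = unquote(raw)  # percent-encoding must not hide the blob
        ent = shannon_entropy(value)
        if looks_encoded(value):
            reasons.append(f"{name}: hex/base64-like blob of {len(value)} chars")
        elif len(value) >= MIN_BLOB_LEN and ent >= ENTROPY_THRESHOLD:
            reasons.append(f"{name}: high entropy {ent:.2f} bits/char")
    return {"allowed": not reasons, "reasons": reasons}


# Constructed host-recon record of the kind the PoC appended to the cat-site URL.
RECON = b"host=WS-0142;user=alice;os=Windows 11;av=Defender;dom=corp.example"
EXFIL_URL = ("https://cats.example/siamese?my_breed_data="
             + base64.urlsafe_b64encode(RECON).decode())
BENIGN_URL = "https://cats.example/siamese?breed=siamese&q=care%20tips"

if __name__ == "__main__":
    for u in (BENIGN_URL, EXFIL_URL):
        print(u, "->", screen_fetch_url(u))
```

This is one layer, not a fix: an attacker can lower entropy by encoding the data as dictionary words or spreading it across many short parameters, so rate limits on fetches per session and refusing to echo fetched content verbatim belong alongside it.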
MITRE Techniques
- [T1071.001] Web Protocols – Used to tunnel C2 and exfiltrate data via HTTP(S) requests and URL query parameters ("sending a prompt that causes the AI agent to issue an HTTP(S) request to an attacker-controlled URL, retrieve content, and return the attacker's response via the AI output").
- [T1102] Web Service – Abuse of legitimate web-based AI services (Grok, Copilot) as covert command-and-control relays, specifically bidirectional communication (T1102.002) ("AI assistants with web-browsing and URL-fetch capabilities can be abused as covert command-and-control relays").
- [T1041] Exfiltration Over C2 Channel – Victim host data is appended to C2 URLs and transferred out through the AI-mediated web fetch ("victim data flows out via URL query parameters, and attacker commands flow back in through AI-generated responses").
- [T1027] Obfuscated Files or Information – Encoding or encrypting query data to bypass model-side sanitization and detection ("simply encrypting or encoding the data in a high-entropy blob is enough to bypass these checks").
- [T1218] System Binary Proxy Execution (formerly "Signed Binary Proxy Execution") – Leveraging a legitimate platform component (the WebView2 runtime) so that the implant's web interactions surface as a normal msedgewebview2.exe process and ordinary browser traffic ("we used WebView2… The WebView2 runtime is preinstalled on all Windows 11 systems"). This is a loose fit: the implant hosts the runtime as an embedded component rather than launching a signed utility to proxy execution.
- [T1059.007] Command and Scripting Interpreter: JavaScript – Using in-page JavaScript from the embedded browser to automate prompt submission to Copilot's UI ("the flow… uses JavaScript inside the loaded page to submit the prompt to the Copilot UI").
Indicators of Compromise
- [Domains] AI provider and C2 endpoints – copilot.microsoft.com and grok.com (the AI web interfaces abused as relays; both are legitimate services, so they are egress points to monitor rather than domains to block on sight), plus a fake HTTPS C2 domain hosting the Siamese cat site (not named here).
- [URLs / Query parameters] Exfiltration channel and command delivery – example parameter "my_breed_data" used to trigger command-bearing content, with encoded victim data appended in the URL query string.
- [Commands / Executables] Remote command execution artifacts – demonstrated execution of "calc" (calc.exe) returned via the AI response, and references to generated PowerShell snippets for follow-on actions.
- [Runtime / Component] Embedded browser runtime used by implants – the WebView2 runtime (preinstalled on Windows 11) hosting the AI web interface inside the malware process tree.
- [Framework / Tool] Mentioned C2 frameworks and agents – Voidlink referenced as an example of AI-assisted C2 development and of the AIOps-style C2 concept.
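Because the only indicators a victim network sees are connections to legitimate AI domains, the hunting angle in the mitigation note above (automated rather than interactive use, WebView2 hosted by an unexpected parent) has to come from endpoint telemetry. The following is an added example, not from the Check Point write-up, of two such hunts run over constructed Sysmon-style network-connection events. The allowlist of expected WebView2 host applications, the thresholds, the file paths and the implant name catviewer.exe are all assumptions for this example; the AI domains are the ones the write-up names.

```python
"""Hunting for implants that drive an AI web UI through WebView2.

Added example, not from the Check Point write-up. Two checks run over
Sysmon-style network-connection events (a constructed sample is built in
sample_events):
  1. msedgewebview2.exe reaching an AI assistant domain while hosted by a
     parent process outside an allowlist of expected WebView2 hosts;
  2. beaconing: one process/parent pair reaching an AI domain at near
     constant intervals, which interactive use does not produce.
The allowlist, thresholds, file paths and the implant name catviewer.exe
are assumptions for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev

AI_DOMAINS = {"copilot.microsoft.com", "grok.com"}  # named in the write-up
EXPECTED_WEBVIEW2_HOSTS = {"ms-teams.exe", "outlook.exe", "widgets.exe"}  # assumed
MIN_BEACONS = 5          # fewer connections are too few to judge timing
MAX_JITTER_RATIO = 0.15  # pstdev/mean of gaps; human pacing is far noisier


@dataclass
class NetEvent:
    ts: datetime
    host: str
    image: str         # process that opened the connection
    parent_image: str  # its parent process
    dest: str          # destination hostname


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def hunt_webview2_hosts(events):
    """Rule 1: WebView2 talking to an AI domain from an unexpected host app."""
    findings, seen = [], set()
    for e in events:
        if e.dest not in AI_DOMAINS or basename(e.image) != "msedgewebview2.exe":
            continue
        if basename(e.parent_image) in EXPECTED_WEBVIEW2_HOSTS:
            continue
        key = (e.host, basename(e.parent_image), e.dest)
        if key not in seen:
            seen.add(key)
            findings.append(f"{e.host}: {e.parent_image} hosts WebView2 reaching {e.dest}")
    return findings


def hunt_beaconing(events):
    """Rule 2: regular-interval connections to an AI domain."""
    series = defaultdict(list)
    for e in events:
        if e.dest in AI_DOMAINS:
            series[(e.host, basename(e.image), basename(e.parent_image), e.dest)].append(e.ts)
    findings = []
    for (host, image, parent, dest), stamps in series.items():
        if len(stamps) < MIN_BEACONS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= MAX_JITTER_RATIO:
            findings.append(f"{host}: {image} (parent {parent}) -> {dest} "
                            f"every ~{avg:.0f}s, {len(stamps)} connections")
    return findings


def sample_events():
    """Constructed sample: an interactive Copilot user, Teams' own WebView2,
    and an implant whose WebView2 child posts a prompt every 60 seconds."""
    t0 = datetime(2025, 1, 15, 9, 0, 0)
    webview2 = r"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\msedgewebview2.exe"
    ev = []
    for off in (0, 47, 310, 1002, 1330, 2900):  # irregular, human-paced
        ev.append(NetEvent(t0 + timedelta(seconds=off), "WS-0142",
                           r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
                           r"C:\Windows\explorer.exe", "copilot.microsoft.com"))
    ev.append(NetEvent(t0, "WS-0142", webview2,
                       r"C:\Program Files\WindowsApps\MSTeams\ms-teams.exe",
                       "teams.microsoft.com"))
    for i in range(8):  # fixed 60 s cadence
        ev.append(NetEvent(t0 + timedelta(seconds=60 * i), "WS-0142", webview2,
                           r"C:\Users\alice\AppData\Local\Temp\catviewer.exe",
                           "copilot.microsoft.com"))
    return ev


if __name__ == "__main__":
    events = sample_events()
    for line in hunt_webview2_hosts(events) + hunt_beaconing(events):
        print(line)
```

Both rules produce hunting leads, not blocking verdicts: an implant can add jitter to defeat rule 2, and one that injects into an allowlisted host application evades rule 1, which is why the write-up pairs endpoint hunting with treating the AI domains themselves as sensitive egress.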