The article analyzes two malicious large language model (LLM) offerings, WormGPT and FraudGPT, advertised on underground forums for cybercrime use, including malware development and phishing assistance. It also examines how these tools compare to legitimate AI like ChatGPT, the underground ecosystem hosting them, and the potential threat they pose to cybersecurity. #WormGPT #FraudGPT #HackForums #ExploitForum
Key points
- WormGPT and FraudGPT are marketed as unrestricted LLMs designed to aid cybercriminals, with WormGPT advertised on English-speaking forums and FraudGPT on Dark Web boards and Telegram channels.
- WormGPT originated in March 2021 and began selling access around June 2021; it runs on an older GPT-J model and is priced at €60–€100 per month or €550 per year, with a v2 version priced higher (€550/year and a €5,000 private build).
- FraudGPT debuted in July 2023 as an unrestricted alternative to ChatGPT, with pricing spanning monthly to yearly subscriptions and claims to enable undetectable malware creation, phishing pages, and phishing SMS.
- Trustwave SpiderLabs documents demonstrations showing WormGPT writing malware in Python, generating convincing phishing emails (e.g., impersonating a company CEO), and crafting phishing pages for scams such as Bank of America.
- The underground ecosystem features advertisements on Hack Forums and Exploit Forum, plus activity on Dark Web boards and Telegram channels, highlighting a global and ongoing interest in malicious LLMs.
- Analysts compare WormGPT/FraudGPT capabilities with ChatGPT in controlled tests, noting that even when requests are phrased in white-hat terms, the output of the malicious tools shows the persistent risk of AI-enabled cybercrime.
- The article underscores the need for vigilance as AI-enabled attack tooling evolves, and it documents how attackers reference MITRE ATT&CK concepts within underground discussions.
MITRE Techniques
- [T1059.006] Command and Scripting Interpreter: Python – WormGPT writes malware in Python according to malicious requirements. [“WormGPT writes malware on Python according to malicious requirements”]
- [T1566] Phishing – FraudGPT described as capable of creating phishing pages, writing phishing emails, and facilitating phishing via SMS. [“FraudGPT is described as a great tool for creating undetectable malware, writing malicious code, finding leaks and vulnerabilities, creating phishing pages, and for learning hacking.”]
- [T1588] Obtain Capabilities – Access to WormGPT and FraudGPT enables criminals to develop malware and other capabilities. [“The underground market offers WormGPT and FraudGPT to enable criminals to develop malware.”]
Indicators of Compromise
- [Domain] Hack Forums – platform where WormGPT advertising appeared and access was marketed; context: English-speaking audience.
- [Domain] Exploit Forum – another English/Russian-speaking forum hosting WormGPT-related ads; context: advertising campaigns and pricing.
- [Platform] Dark Web boards; Telegram channels – venues where FraudGPT promotions and sales were posted; context: ongoing availability and pricing variations.
- [Malware/Tool] WormGPT; FraudGPT – the named tools discussed as malicious LLMs used for malware development and phishing content creation.
- [Target/Organization] Bank of America – referenced in phishing demonstrations (phishing pages) to impersonate a major financial institution.
- [URL] Trustwave/MITRE source page – https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/wormgpt-and-fraudgpt-the-rise-of-malicious-llms/ – source of the article and demonstrations.