
SentinelLabs has identified a new Python-based infostealer and hacktool called ‘Predator AI’ that is designed to target cloud services.

November 2023 by SentinelLabs

Predator AI is advertised through Telegram channels related to hacking. The main purpose of Predator is to facilitate web application attacks against various commonly used technologies, including content management systems (CMS) like WordPress, as well as cloud email services like AWS SES. However, Predator is a multi-purpose tool, much like the AlienFox and Legion cloud spamming toolsets. These toolsets share considerable overlap in publicly available code that each repurposes for their brand’s own use, including the use of Androxgh0st and Greenbot modules.

Predator is an actively developed project. In September 2023, a member of the primary Telegram channel inquired about Predator adding a Twilio account checker, to which the developer replied they could deliver in about 2 weeks. In October, the developer posted an update showing the new Twilio checking feature. The version we analysed has Twilio features, which suggests it is a recent build.

At the top of the script, there is a message from the developer which states that the tool is protected by copyright law. The message also has a disclaimer saying the tool is for educational purposes and the author does not condone any illegal use.

Predator is a Python application with over 11,000 lines. The application runs entirely through a Tkinter-based graphical user interface (GUI): there is no standalone command line interface (CLI) mode, which distinguishes Predator from many similar tools. The Tkinter approach requires several JSON configuration files.

Key points
• SentinelLabs has identified a new Python-based infostealer and hacktool called ‘Predator AI’ that is designed to target cloud services.
• The Predator AI developer implemented a ChatGPT-driven class into the Python script, which is designed to make the tool easier to use and to serve as a single text-driven interface between disparate features.
• These advancements are not production-ready but demonstrate that actors can realistically use AI to improve their workflows by automating data enrichment and adding context to scanner results.

The discovery of Predator AI is an entirely expected evolution that has previously been undocumented in the hacktool space. Since the recent wave of AI technologies entered the public domain, security professionals have questioned whether this technology was already aiding threat actors and how it could be used to scale actor operations. Several earlier projects, such as BlackMamba, ultimately generated more hype than they could deliver. Predator AI is a small step forward in this space: the actor is actively working on making a tool that can utilise AI.

While Predator AI is likely somewhat functional, this integration does not substantially increase an attacker’s capability. The feature has not yet been advertised on the actor’s Telegram channel, and there are likely many edge cases that make it unstable and potentially expensive.

As with other cloud service attack tools, organisations can reduce the impact of Predator by keeping web services patched and up to date, and by restricting internet exposure to what is necessary. Use cloud security posture management (CSPM) tools to validate that configurations are secure. Consider dedicated logging and detections for anomalous behaviours on cloud service provider (CSP) resources, such as a new user account being added and another user account being deleted immediately afterwards.
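One way to implement the create-then-delete detection suggested above, as an added example that is not from SentinelLabs or from the Predator AI code: the rule runs over constructed CloudTrail-style IAM events (field names follow AWS CloudTrail's CreateUser and DeleteUser records; the 10-minute window is an assumption) and flags a principal that creates one user and deletes a different one within that window.

```python
import json
from datetime import datetime

# Constructed sample events, not real logs: trimmed CloudTrail-style records
# carrying only the fields the rule needs. The first two show the pattern the
# article calls out (one user created, another deleted 95 seconds later by the
# same principal); the last two are routine admin actions far apart in time.
SAMPLE_EVENTS = [
    {"eventTime": "2023-10-12T09:00:05Z", "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/build-svc"},
     "requestParameters": {"userName": "backup-admin"}},
    {"eventTime": "2023-10-12T09:01:40Z", "eventName": "DeleteUser",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/build-svc"},
     "requestParameters": {"userName": "ses-mailer"}},
    {"eventTime": "2023-10-12T14:30:00Z", "eventName": "CreateUser",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/it-ops"},
     "requestParameters": {"userName": "new-hire"}},
    {"eventTime": "2023-10-13T08:00:00Z", "eventName": "DeleteUser",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/it-ops"},
     "requestParameters": {"userName": "contractor-old"}},
]

def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def find_create_then_delete(events, window_seconds=600):
    """Return one alert per CreateUser that the same principal follows with a
    DeleteUser of a *different* user within window_seconds. Input order is
    irrelevant; events are sorted by timestamp first."""
    ordered = sorted(events, key=_ts)
    alerts = []
    for i, ev in enumerate(ordered):
        if ev["eventName"] != "CreateUser":
            continue
        actor = ev["userIdentity"]["arn"]
        created = ev["requestParameters"]["userName"]
        for later in ordered[i + 1:]:
            gap = (_ts(later) - _ts(ev)).total_seconds()
            if gap > window_seconds:
                break  # sorted input: nothing further can be inside the window
            if (later["eventName"] == "DeleteUser"
                    and later["userIdentity"]["arn"] == actor
                    and later["requestParameters"]["userName"] != created):
                alerts.append({"actor": actor, "created": created,
                               "deleted": later["requestParameters"]["userName"],
                               "seconds_apart": int(gap)})
    return alerts

if __name__ == "__main__":
    for alert in find_create_then_delete(SAMPLE_EVENTS):
        print(json.dumps(alert))
```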
