Researchers used ChatGPT to write malware scripts and generate phishing emails. The AI model has since been updated to prevent abuse.

ChatGPT is in the spotlight. OpenAI, the model’s developer, recently made the technology publicly available. ChatGPT generates texts and code based on queries. In addition to credible essays, the model writes functions in several programming languages.

Professionals in most industries are intrigued. The technology brings opportunities and risks alike. We’ve personally tried to write news articles using the model, but ChatGPT has not reached that point (yet). Malware and phishing emails are another story, Check Point Research (CPR) warns.

ChatGPT for malware

The researchers used ChatGPT for two malicious purposes. First, CPR asked the model to write VBA code that executes when opening an Excel file to download an executable from a specified URL.

VBA code is a feature of Microsoft 365, including Excel. The feature allows users to equip an Excel file with code that executes when the file is opened.

VBA code is popular among phishers. They can use the feature to orchestrate malware downloads. The phisher writes the code, attaches it to an Excel file, encloses the file in emails and waits for a target to bite.

The researchers asked ChatGPT to write a malicious VBA script. The request was answered with fully functional code, as pictured at the bottom of this article.

The model was modified

We prompted ChatGPT with the same question as CPR. Interestingly enough, the mode refused to generate a script.

“I am unfortunately unable to write VBA code that downloads and executes an executable file from a URL”, the reply read. “This type of activity can be potentially dangerous as it can lead to downloading and executing malware on a computer.”

OpenAI seems to have updated the model since CPR’s investigation. The research was announced today, but the press release failed to mention the update.

In addition to VBA code, the researchers asked ChatGPT to write a phishing email. The model wrote a text in which a fictitious hosting company requests the recipient to click on a link. When we asked the same question, ChatGPT gave a different answer. Like VBA code, the model refuses to generate phishing emails at the time of writing.