SentinelLabs research has discovered Predator AI, a new and dangerous hacking tool that is currently being promoted through hacking-related Telegram channels.
This malicious program is intended to help cybercriminals perform web application attacks on widely used technologies such as WordPress and AWS SES. Predator AI, like other hacking programs such as AlienFox and Legion, repurposes publicly accessible code, such as Androxgh0st and Greenbot modules.
More details about Predator AI
Predator AI is under active development. A member of its Telegram channel requested a Twilio account checker in September 2023, and the developer delivered it within two weeks; an October update announcing the new Twilio checking feature confirms that Predator AI is still evolving.
At the top of the Predator script, the developer asserts copyright and states that the program is intended exclusively for educational purposes.
Any unauthorized use is disclaimed, which is meant to give the developer legal cover. It is important to stress, however, that Predator is being used for malicious purposes.
Predator is a Python application of roughly 11,000 lines of code that is operated through a Tkinter-based graphical user interface (GUI). Unlike similar utilities, it has no standalone command line interface (CLI). The GUI relies on a number of JSON configuration files.
The script is divided into 13 global classes, each with its own set of methods and features that add to the tool’s capabilities.
Targeted Technologies
Predator is designed to target various web services and technologies, including:
- Aimon (SMS marketing)
- AWS SES (email platform)
- Aruba (hosting)
- Clickatell (SMS marketing)
- ClickSend (SMS marketing)
- Twilio (SMS, Voice, Video communications)
- Nexmo (Voice & SMS)
- OneSignal (SMS, Push Notifications)
- Openpay (ceased operations in February 2023)
- PayPal (Live environment & Sandbox API keys)
- Plivo (Voice & Messaging)
- Razorpay (Payment Processor)
- Skebby (SMS Marketing)
- Stripe (Payment Processor)
- Telnyx (Voice, Messaging, Fax)
- Textlocal (SMS Marketing)
- Valueleaf (Marketing)
- XGATE (Marketing & CRM)
Predator’s web application attacks aim to exploit vulnerabilities in popular technologies like Drupal, Joomla, Laravel, Magento, OpenCart, osCommerce, PrestaShop, vBulletin, and WordPress.
AWS Features and TwilioChecker
Predator AI incorporates AWS-related functionality that allows attackers, using genuine AWS account credentials, to verify email identities in AWS SES, check send quotas, create new IAM accounts, assign them administrative privileges, and remove old accounts. TwilioChecker queries the Twilio API and records the results.
StealerBuilder
Predator includes a StealerBuilder class that can be used to create an infostealer. The operator can use this functionality to configure parameters and insert infostealer code into an existing executable. This infostealer’s functionality and detectability remain unknown.
The Implications
SentinelLabs discovered Predator AI, which represents an unexpected evolution in the area of hacking tools.
While it is an actively developed tool with advanced capabilities, its real-world impact may be smaller than expected: Predator AI has not been widely publicised, which suggests it may suffer from stability and cost problems.
To reduce the impact of tools like Predator AI, organisations and individuals should keep internet-facing services up to date, limit internet access to those services, and harden their configurations with cloud security posture management (CSPM) solutions.
It is also recommended that cloud service provider (CSP) resources have dedicated logging and anomaly detection.
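Anomaly detection for the AWS-side behaviour described above (SES quota and identity checks from a compromised key, followed by IAM user creation with administrative privileges) can be expressed as a simple sequence rule over CloudTrail. The following is an added Python example, not code from SentinelLabs or from Predator AI; the event records are constructed samples in a simplified CloudTrail shape, and the access key IDs and IP addresses are placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Real CloudTrail eventName values for the SES reconnaissance and IAM
# persistence steps the tool performs with stolen credentials.
SES_RECON = {"GetSendQuota", "VerifyEmailIdentity", "ListIdentities"}
IAM_PERSIST = {"CreateUser", "AttachUserPolicy", "CreateAccessKey"}
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"


def ev(time, source, name, key, ip, **params):
    """Build a simplified CloudTrail-style record (constructed sample data)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"accessKeyId": key}, "sourceIPAddress": ip,
            "requestParameters": params}


# Constructed sample log: one key runs SES recon then IAM persistence within
# two minutes; a second key performs a lone, benign quota check.
SAMPLE_EVENTS = [
    ev("2023-10-05T12:00:00Z", "ses.amazonaws.com", "GetSendQuota", "AKIA_SAMPLE_1", "203.0.113.10"),
    ev("2023-10-05T12:00:20Z", "ses.amazonaws.com", "VerifyEmailIdentity", "AKIA_SAMPLE_1", "203.0.113.10"),
    ev("2023-10-05T12:01:00Z", "iam.amazonaws.com", "CreateUser", "AKIA_SAMPLE_1", "203.0.113.10"),
    ev("2023-10-05T12:01:10Z", "iam.amazonaws.com", "AttachUserPolicy", "AKIA_SAMPLE_1", "203.0.113.10", policyArn=ADMIN_POLICY),
    ev("2023-10-05T12:01:30Z", "iam.amazonaws.com", "CreateAccessKey", "AKIA_SAMPLE_1", "203.0.113.10"),
    ev("2023-10-05T15:00:00Z", "ses.amazonaws.com", "GetSendQuota", "AKIA_SAMPLE_2", "198.51.100.7"),
]

_t = lambda stamp: datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_ses_takeover_sequences(events, window=timedelta(minutes=10)):
    """Return {accessKeyId: finding} for keys that perform SES recon followed by
    IAM persistence inside `window`; a lone quota check is not flagged."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["eventTime"]):  # ISO-8601 sorts lexically
        by_key[e["userIdentity"]["accessKeyId"]].append(e)
    findings = {}
    for key, evs in by_key.items():
        for i, start in enumerate(evs):
            if start["eventName"] not in SES_RECON:
                continue
            t0 = _t(start["eventTime"])
            chain = [e for e in evs[i:] if _t(e["eventTime"]) - t0 <= window]
            names = [e["eventName"] for e in chain if e["eventName"] in SES_RECON | IAM_PERSIST]
            if IAM_PERSIST & set(names):  # recon alone is normal admin activity
                admin = any(e["eventName"] == "AttachUserPolicy" and
                            e["requestParameters"].get("policyArn") == ADMIN_POLICY for e in chain)
                findings[key] = {"events": names, "admin_policy_attached": admin,
                                 "sourceIPAddress": start["sourceIPAddress"]}
                break  # one finding per key is enough for an alert
    return findings
```

In a real deployment the same rule runs over CloudTrail delivered to S3 or CloudWatch Logs, with the window and the action sets tuned to the account's normal administrative activity.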
Predator AI is a sharp reminder of the ongoing fight against cyber threats and of the need for constant digital vigilance.