205. Adversaries Use an LLM to Generate Commands to be Executed on Compromised Systems

Hello everyone!

Finally, an interesting case of LLM abuse! I'm talking about LameHug. The malware relies on the Hugging Face API to generate commands according to given prompts.

For example, the malware used the LLM to generate reconnaissance and data theft commands. LameHug is distributed via phishing emails; the attached archives contain PIF files, for example.

So, we can check for any PIF files resolving Hugging Face-related domains:

event_type: "dnsreqwin" AND dns_rname: *huggingface* AND proc_file_path: *pif

It would also be a good idea to profile communications with the Hugging Face API, exclude the known-good activity, and then treat the remaining events as suspicious.
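The two hunts above, run over constructed Windows DNS telemetry, as an added example that is not part of the original post. The field names (event_type, dns_rname, proc_file_path) follow the query in the post; the sample events and the known-good process baseline are made up for illustration.

```python
"""Added example (not from the original post): applies the post's
hunting query to constructed DNS-request events and adds a simple
known-good baseline for Hugging Face API traffic."""
import fnmatch

# Constructed sample telemetry, modelled on the field names used in the
# post's query (event_type, dns_rname, proc_file_path). Not real data.
SAMPLE_EVENTS = [
    {"event_type": "dnsreqwin", "dns_rname": "huggingface.co",
     "proc_file_path": r"C:\Users\alice\Downloads\Report_2025.pif"},
    {"event_type": "dnsreqwin", "dns_rname": "api-inference.huggingface.co",
     "proc_file_path": r"C:\Program Files\Python311\python.exe"},
    {"event_type": "dnsreqwin", "dns_rname": "example.com",
     "proc_file_path": r"C:\Users\alice\Downloads\Report_2025.pif"},
    {"event_type": "dnsreqwin", "dns_rname": "HuggingFace.co",
     "proc_file_path": r"C:\Windows\Temp\loader.PIF"},
    {"event_type": "dnsreqwin", "dns_rname": "huggingface.co",
     "proc_file_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"event_type": "procstart", "dns_rname": "",
     "proc_file_path": r"C:\Windows\Temp\loader.PIF"},
]

# Hypothetical baseline: processes the SOC has profiled as legitimately
# talking to Hugging Face (e.g. Python on a data-science workstation).
KNOWN_GOOD_PROCESSES = {
    r"c:\program files\python311\python.exe",
}


def matches_pif_rule(event):
    """The post's query: event_type: "dnsreqwin" AND dns_rname: *huggingface*
    AND proc_file_path: *pif. Wildcards are matched case-insensitively."""
    return (
        event.get("event_type") == "dnsreqwin"
        and fnmatch.fnmatch(event.get("dns_rname", "").lower(), "*huggingface*")
        and fnmatch.fnmatch(event.get("proc_file_path", "").lower(), "*pif")
    )


def unexpected_huggingface_dns(event, known_good=KNOWN_GOOD_PROCESSES):
    """Broader hunt from the end of the post: any Windows DNS request for a
    Hugging Face name from a process that is not in the known-good baseline."""
    return (
        event.get("event_type") == "dnsreqwin"
        and "huggingface" in event.get("dns_rname", "").lower()
        and event.get("proc_file_path", "").lower() not in known_good
    )


def hunt(events, known_good=KNOWN_GOOD_PROCESSES):
    """Return (pif_hits, baseline_hits): process paths flagged by each hunt."""
    pif_hits = [e["proc_file_path"] for e in events if matches_pif_rule(e)]
    baseline_hits = [e["proc_file_path"] for e in events
                     if unexpected_huggingface_dns(e, known_good)]
    return pif_hits, baseline_hits


if __name__ == "__main__":
    pif, base = hunt(SAMPLE_EVENTS)
    print("PIF rule hits:", pif)
    print("Outside known-good baseline:", base)
```

The narrow rule flags only the two PIF processes; the baseline hunt additionally surfaces the PowerShell process, which is exactly the kind of event the first query would miss, while the profiled Python interpreter is excluded.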

See you tomorrow! 
