205. Adversaries Use an LLM to Generate Commands to be Executed on Compromised Systems
Hello everyone!
Finally, an interesting case of LLM abuse! I'm talking about LameHug. The malware relies on the Hugging Face API to generate commands according to given prompts.
For example, the malware uses the LLM to generate reconnaissance and data-theft commands. LameHug is distributed via phishing emails; the attached archives contain PIF files, for example.
So we can check for any PIF file resolving Hugging Face-related domains:
event_type: "dnsreqwin"
AND
dns_rname: *huggingface*
AND
proc_file_path: *pif
It is also a good idea to profile communications with the Hugging Face API, so that known-good processes can be excluded and the remaining, suspicious events stand out.
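The query above and the profiling idea, as an added example that is not part of the original post: the field names (event_type, dns_rname, proc_file_path) are the ones from the query, the events are a constructed sample rather than real telemetry, and the function names and the allowlist are my own assumptions.

```python
from collections import Counter

# Constructed sample of endpoint DNS-request events (not real telemetry).
SAMPLE_EVENTS = [
    {"event_type": "dnsreqwin", "dns_rname": "huggingface.co",
     "proc_file_path": r"C:\Users\alice\Downloads\Contract_2025.pif"},
    {"event_type": "dnsreqwin", "dns_rname": "api-inference.huggingface.co",
     "proc_file_path": r"C:\Users\bob\AppData\Local\Temp\Report.PIF"},
    {"event_type": "dnsreqwin", "dns_rname": "huggingface.co",
     "proc_file_path": r"C:\Program Files\Python311\python.exe"},
    {"event_type": "dnsreqwin", "dns_rname": "example.com",
     "proc_file_path": r"C:\Users\alice\Downloads\Contract_2025.pif"},
    {"event_type": "procstart", "dns_rname": "huggingface.co",
     "proc_file_path": r"C:\Users\alice\Downloads\Contract_2025.pif"},
]

# Hypothetical baseline of images that legitimately talk to Hugging Face (lower-cased paths).
KNOWN_GOOD_HF_CALLERS = {r"c:\program files\python311\python.exe"}


def is_huggingface_dns_request(event):
    """True for a Windows DNS request (event_type dnsreqwin) naming a Hugging Face domain."""
    return (event.get("event_type") == "dnsreqwin"
            and "huggingface" in event.get("dns_rname", "").lower())


def matches_pif_huggingface(event):
    """Mirror of the post's query: a Hugging Face DNS request made by a *.pif image.
    Matching is case-insensitive, since the attacker controls the file name."""
    return (is_huggingface_dns_request(event)
            and event.get("proc_file_path", "").lower().endswith(".pif"))


def find_pif_huggingface(events):
    """Return every event that would fire the query."""
    return [e for e in events if matches_pif_huggingface(e)]


def huggingface_caller_profile(events):
    """Count Hugging Face DNS requests per process image; the basis for an allowlist."""
    return Counter(e["proc_file_path"].lower()
                   for e in events if is_huggingface_dns_request(e))


def unknown_huggingface_callers(events, allowlist=KNOWN_GOOD_HF_CALLERS):
    """Hugging Face DNS requests from images that are not in the known-good baseline."""
    return [e for e in events if is_huggingface_dns_request(e)
            and e["proc_file_path"].lower() not in allowlist]
```

Once the profile has been reviewed and the legitimate callers copied into the allowlist, the second query catches the same PIF samples plus any other unexpected image reaching the API.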
See you tomorrow!