Date: 12/23/2024
Severity: High
Summary
Recent advances in the code understanding capabilities of LLMs have raised concerns about their misuse to generate novel malware. While LLMs struggle to create malware from scratch, criminals can use them to rewrite or obfuscate existing malware, complicating detection efforts. Traditional obfuscation tools are well known to defenders, so their output is easier to detect. Prompting an LLM, however, can produce transformations that look more natural, significantly increasing the challenge of identifying such malware.
Indicators of Compromise (IOC) List
Domains/URLs:
bafkreihpvn2wkpofobf4ctonbmzty24fr73fzf4jbyiydn3qvke55kywdi.ipfs.dweb.link
jakang.freewebhostmost.com/korea/app.html
dub.sh/TRVww78?email=
ipfs.io/ipfs/bafkreihzqku7sygssd6riocrla7wx6dyh5acszguxaob57z4sfzv5x55cq
Hashes (SHA-256):
03d3e9c54028780d2ff15c654d7a7e70973453d2fae8bdeebf5d9dbb10ff2eab
4f1eb707f863265403152a7159f805b5557131c568353b48c013cad9ffb5ae5f
3f0b95f96a8f28631eb9ce6d0f40b47220b44f4892e171ede78ba78bd9e293ef
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Domains/URLs:
userdomainname like "bafkreihpvn2wkpofobf4ctonbmzty24fr73fzf4jbyiydn3qvke55kywdi.ipfs.dweb.link" or url like "bafkreihpvn2wkpofobf4ctonbmzty24fr73fzf4jbyiydn3qvke55kywdi.ipfs.dweb.link" or userdomainname like "jakang.freewebhostmost.com/korea/app.html" or url like "jakang.freewebhostmost.com/korea/app.html" or userdomainname like "dub.sh/TRVww78?email=" or url like "dub.sh/TRVww78?email=" or userdomainname like "ipfs.io/ipfs/bafkreihzqku7sygssd6riocrla7wx6dyh5acszguxaob57z4sfzv5x55cq" or url like "ipfs.io/ipfs/bafkreihzqku7sygssd6riocrla7wx6dyh5acszguxaob57z4sfzv5x55cq"
Hashes (SHA-256):
sha256hash IN ("03d3e9c54028780d2ff15c654d7a7e70973453d2fae8bdeebf5d9dbb10ff2eab","4f1eb707f863265403152a7159f805b5557131c568353b48c013cad9ffb5ae5f","3f0b95f96a8f28631eb9ce6d0f40b47220b44f4892e171ede78ba78bd9e293ef")
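The two TDIR queries above express the same logic any SIEM or log pipeline can apply: a substring match on the URL/domain fields and an exact match on the SHA-256 field. The following is an added example, not part of the advisory or Gurucul's product, that replays that logic over a few constructed key=value log lines using only the IOC values listed on this page. The field names userdomainname, url and sha256hash are taken from the queries; the log format, the case-insensitive handling of the "like" comparison and the hash-case normalisation are assumptions, so tighten them to match your platform's semantics.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# IOC values copied from the advisory above.
IOC_URLS = [
    "bafkreihpvn2wkpofobf4ctonbmzty24fr73fzf4jbyiydn3qvke55kywdi.ipfs.dweb.link",
    "jakang.freewebhostmost.com/korea/app.html",
    "dub.sh/TRVww78?email=",
    "ipfs.io/ipfs/bafkreihzqku7sygssd6riocrla7wx6dyh5acszguxaob57z4sfzv5x55cq",
]
IOC_SHA256 = {
    "03d3e9c54028780d2ff15c654d7a7e70973453d2fae8bdeebf5d9dbb10ff2eab",
    "4f1eb707f863265403152a7159f805b5557131c568353b48c013cad9ffb5ae5f",
    "3f0b95f96a8f28631eb9ce6d0f40b47220b44f4892e171ede78ba78bd9e293ef",
}


@dataclass
class Hit:
    line_no: int   # 1-based index of the matching log line
    field: str     # which field matched (userdomainname, url or sha256hash)
    ioc: str       # the IOC value that matched


def parse_kv(line: str) -> dict:
    """Parse a constructed 'key=value key="quoted value"' log line into a dict (assumed format)."""
    return {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\S+))', line)
    }


def match_url_iocs(event: dict) -> list[tuple[str, str]]:
    """Mirror the 'userdomainname like ... or url like ...' clause.

    Substring match, case-insensitive (assumption about the intended 'like' semantics).
    """
    hits = []
    for field in ("userdomainname", "url"):
        value = event.get(field, "").lower()
        for ioc in IOC_URLS:
            if ioc.lower() in value:
                hits.append((field, ioc))
    return hits


def match_hash_iocs(event: dict) -> list[tuple[str, str]]:
    """Mirror the 'sha256hash IN (...)' clause: exact match after lower-casing the hex."""
    digest = event.get("sha256hash", "").lower()
    return [("sha256hash", digest)] if digest in IOC_SHA256 else []


def scan(lines: Iterable[str]) -> list[Hit]:
    """Run both IOC checks over every log line and collect the hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        event = parse_kv(line)
        for field, ioc in match_url_iocs(event) + match_hash_iocs(event):
            hits.append(Hit(n, field, ioc))
    return hits


# Constructed sample log lines (not real telemetry). Line 3 carries the hash in upper case
# and line 5 carries a query-string suffix to show why the normalisation and substring
# matching matter.
SAMPLE_LOGS = [
    'ts=2024-12-23T10:01:02Z src=10.0.0.5 userdomainname=jakang.freewebhostmost.com url="https://jakang.freewebhostmost.com/korea/app.html"',
    'ts=2024-12-23T10:02:11Z src=10.0.0.7 userdomainname=example.com url="https://example.com/index.html"',
    'ts=2024-12-23T10:03:40Z host=ws-42 file=update.js sha256hash=4F1EB707F863265403152A7159F805B5557131C568353B48C013CAD9FFB5AE5F',
    'ts=2024-12-23T10:04:05Z src=10.0.0.9 userdomainname=ipfs.io url="https://ipfs.io/ipfs/bafkreihzqku7sygssd6riocrla7wx6dyh5acszguxaob57z4sfzv5x55cq"',
    'ts=2024-12-23T10:05:19Z src=10.0.0.9 userdomainname=dub.sh url="https://dub.sh/TRVww78?email=user%40example.com"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.field} matched IOC {hit.ioc}")
```

Note that the domain-only field userdomainname never matches the path-qualified IOCs such as jakang.freewebhostmost.com/korea/app.html; only the full url field does. If your telemetry carries the host and the path in separate fields, match the host part of each IOC against the domain field and the full value against the URL field, otherwise the domain clause of the query is dead weight.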
Reference:
https://unit42.paloaltonetworks.com/using-llms-obfuscate-malicious-javascript/