Focus Mode
Threat Research

Beyond Flesh and Code: Building an LLM-Based Attack Lifecycle With a Self-Guided Malware Agent

Deepinstinct
Beyond Flesh and Code: Building an LLM-Based Attack Lifecycle With a Self-Guided Malware Agent
This article discusses the integration of older automation tools with large language models (LLMs) to enhance malware development and delivery methods, including the use of tools like Mantis and Stopwatch.ai for reconnaissance and obfuscation. It highlights the potential of LLMs in creating convincing phishing attacks and guiding malware operations, ultimately leading to a more sophisticated attack lifecycle. Affected: Mantis, Stopwatch.ai, EvilGoPhish, Ollama

Keypoints :

  • Older automation tools like Mantis can automate information gathering about potential victims.
  • LLMs can generate or modify code snippets for malicious payloads.
  • Many chatbots claiming to build malware are scams; however, some open-source LLMs can generate malicious code.
  • Stopwatch.ai can reduce detection rates by obfuscating code but is less effective with complex code.
  • PentestGPT excels at obfuscating source code, significantly reducing detection rates.
  • LLMs can create convincing spear-phishing emails and fake content to deliver malware.
  • EvilGoPhish tool performs well when combined with LLMs to generate realistic phishing attacks.
  • LLMs can be used to guide malware operations, acting as a command and control (C2) mechanism.
  • Custom encryption and command execution mechanisms can be implemented for stealthy malware operations.
  • Unrestricted LLMs can enhance malware capabilities, allowing for advanced attacks.

MITRE Techniques :

  • TA0001 – Initial Access: Using LLMs to generate convincing phishing emails.
  • TA0002 – Execution: LLM-guided malware executing commands based on LLM instructions.
  • TA0003 – Persistence: Adding persistence mechanisms to malware guided by LLMs.
  • TA0004 – Privilege Escalation: Utilizing unrestricted LLMs to escalate privileges during attacks.
  • TA0005 – Defense Evasion: Obfuscating source code with LLMs to evade detection.

Indicator of Compromise :

  • [domain] github[.]com
  • [tool name] Mantis
  • [tool name] Stopwatch.ai
  • [tool name] EvilGoPhish
  • [tool name] Ollama
  • Check the article for all found IoCs.

Full Research: https://www.deepinstinct.com/blog/beyond-flesh-and-code-building-an-llm-based-attack-lifecycle-with-a-self-guided-agent

Tags: INITIAL ACCESS, WINDOWS, RECONNAISSANCE, DEFENSE EVASION, PRIVILEGE, SOCIAL MEDIA, PHISHING, PERSISTENCE