“Using Code Interpreter and Google Threat Intelligence to Enhance Gemini for Malware Analysis”

Summary:

Google Cloud is enhancing its malware analysis capabilities through the integration of advanced tools like Code Interpreter and Google Threat Intelligence (GTI). These advancements aim to improve the detection and deobfuscation of malware, enabling a more autonomous approach to threat intelligence.

Key points:

  • Google Cloud aims to empower security professionals with modern tools for threat defense.
  • Gemini is being equipped with capabilities to address obfuscation techniques and provide real-time insights on indicators of compromise (IOCs).
  • Code Interpreter allows Gemini to create and execute code for deobfuscating strings and code sections autonomously.
  • GTI function calling enables Gemini to retrieve contextual information on URLs, IPs, and domains from malware samples.
  • Gemini 1.5 Pro and 1.5 Flash enhance scalability and automate binary unpacking to tackle obfuscation techniques.
  • Obfuscation tactics used by malware developers often conceal critical IOCs and logic.
  • Gemini autonomously generated a report analyzing a PowerShell script with an obfuscated URL.
  • The report confirmed the script’s malicious nature and its association with a phishing campaign by threat actor UNC5687.

MITRE Techniques:

  • Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.
  • Obfuscated Files or Information (T1027): Uses obfuscation techniques to hide the true nature of files or information, making detection more difficult.
  • Remote Access Tools (T1219): Employs remote access tools to maintain control over compromised systems.

IoC:

  • [URL] hxxps://filedn[.]eu/lODWTgN8sswHA6Pn8HXWe1J/tox2/Scan_docs%2398097960[.]msi
  • [Threat Actor] UNC5687
  • [Malware] MESHAGENT
  • [Campaign] Phishing campaign impersonating the Security Service of Ukraine
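The indicators above are written in defanged form (hxxps, [.]), which is the right way to publish them but not the form a threat-intelligence lookup of the kind described in the key points (URL, IP and domain context) is keyed on. The following is an added example, not code from the blog post or from Google Threat Intelligence: it refangs a list of indicators in memory, classifies each as a URL, IPv4 address or domain, and collects the lookup keys, including the host behind each URL. The list is constructed except for the first entry, which is the defanged URL from the IoC section; no network request is made and the regular expressions and helper names are assumptions of this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample list. The first entry is the defanged URL from the IoC
# section above; the others are made-up indicators in documentation ranges
# (.test TLD, TEST-NET-2 address). Nothing here is contacted.
SAMPLE_IOCS = [
    "hxxps://filedn[.]eu/lODWTgN8sswHA6Pn8HXWe1J/tox2/Scan_docs%2398097960[.]msi",
    "hxxp://Example[.]Test/payload.ps1",
    "198[.]51[.]100[.]23",
    "c2[.]example[.]test",
    "not an indicator",
]

# Common defanging conventions (assumed set; extend as your feeds require).
_DEFANG_PATTERNS = [
    (re.compile(r"^hxxp(s?)://", re.IGNORECASE),
     lambda m: "http" + m.group(1).lower() + "://"),
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\s+dot\s+", re.IGNORECASE), lambda m: "."),
    (re.compile(r"\[:\]"), lambda m: ":"),
    (re.compile(r"\[@\]"), lambda m: "@"),
]

# Hostname shape check: dot-separated labels, alphabetic TLD of 2-63 chars.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def refang(ioc: str) -> str:
    """Return the live form of a defanged indicator (string manipulation only)."""
    s = ioc.strip()
    for pattern, repl in _DEFANG_PATTERNS:
        s = pattern.sub(repl, s)
    return s


def classify(ioc: str):
    """Return (kind, lookup_key); kind is 'url', 'ipv4', 'domain' or None.

    lookup_key is the value a threat-intelligence lookup would be keyed on.
    Anything that does not parse as one of the three kinds is rejected rather
    than guessed at, so free text in a feed never becomes a query.
    """
    live = refang(ioc)
    if "://" in live:
        parts = urlsplit(live)
        if parts.scheme in ("http", "https") and parts.hostname:
            return "url", live
        return None, None
    try:
        ipaddress.IPv4Address(live)
        return "ipv4", live
    except ValueError:
        pass
    if _DOMAIN_RE.match(live.lower()):
        return "domain", live.lower()
    return None, None


def lookup_keys(iocs):
    """Group refanged indicators by lookup type.

    The host of every URL is added to the 'domain' or 'ipv4' bucket as well,
    so the infrastructure behind a URL can be queried on its own.
    """
    out = {"url": set(), "ipv4": set(), "domain": set()}
    for ioc in iocs:
        kind, key = classify(ioc)
        if kind is None:
            continue
        out[kind].add(key)
        if kind == "url":
            host = urlsplit(key).hostname.lower()  # urlsplit lowercases hosts
            try:
                ipaddress.IPv4Address(host)
                out["ipv4"].add(host)
            except ValueError:
                out["domain"].add(host)
    return {kind: sorted(values) for kind, values in out.items()}


if __name__ == "__main__":
    for kind, values in lookup_keys(SAMPLE_IOCS).items():
        print(kind, values)
```

Feeding `lookup_keys(...)` into a lookup client is the natural next step; the function deliberately returns plain strings per type so that the caller decides which keys to query and how to rate-limit, and the non-indicator entry in the sample shows that unparseable feed lines are dropped rather than sent.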


Full Research: https://cloud.google.com/blog/topics/threat-intelligence/gemini-malware-analysis-code-interpreter-threat-intelligence/