Full Report
Google's Threat Intelligence Group (GTIG) has identified a major shift this year, with adversaries leveraging artificial intelligence to deploy new malware families that integrate large language models (LLMs) during execution. [...]
Analysis Summary
As a Malware Analyst and TTPs Specialist, here is the summary based on the provided context regarding AI-powered malware identified by Google's Threat Intelligence Group (GTIG).
---
# Tool/Technique: PromptFlux (Experimental Dropper)
## Overview
PromptFlux is an experimental VBScript dropper that utilizes Google's Gemini Large Language Model (LLM) during execution to dynamically generate obfuscated variants of itself. Its novelty lies in its "Thinking Robot" module designed to query the LLM for updated code aimed at evading antivirus software, leading towards a "metamorphic script."
## Technical Details
- Type: Malware Family (Dropper)
- Platform: Windows (implied by VBScript and Startup folder usage)
- Capabilities: Dynamic code generation, VBScript obfuscation, persistence establishment, and lateral movement across network shares/removable drives.
- First Seen: This year (specific date not provided).
## MITRE ATT&CK Mapping
*Due to the experimental nature and limited detail on full execution chain, preliminary mappings based on observed behavior are listed.*
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information (Via generated obfuscated VBScript variants)
- T1562 - Impair Defenses
- T1562.001 - Impair Defenses: Disable or Modify Tools (Implied goal via A/V evasion queries)
- **TA0003 - Persistence**
- T1547 - Boot or Logon Autostart Execution
- T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (Via Startup folder entries)
- **TA0008 - Lateral Movement**
- T1021 - Remote Services (Implied via spreading on mapped network shares)
## Functionality
### Core Capabilities
- Leverages the Gemini LLM via API to request new code tailored for evading security products.
- Attempts persistence by creating entries in the Startup folder.
- Spreads laterally across removable drives and mapped network shares.
### Advanced Features
- **"Thinking Robot" Module:** Periodically queries the LLM with specific, machine-parsable prompts to obtain code for circumventing antivirus detection.
- **Metamorphic Capability:** Aims to become an ever-evolving script through dynamic modification prompted by the LLM.
## Indicators of Compromise
- File Hashes: [Not provided]
- File Names: [Not provided, but is a VBScript dropper]
- Registry Keys: [Startup folder entries used for persistence]
- Network Indicators: [Potential egress traffic to Gemini API endpoints, specific domains not provided/defanged]
- Behavioral Indicators: Periodic external network calls with machine-parsable prompts related to A/V evasion; creation of files/scripts in the Startup folder.
## Associated Threat Actors
- Not attributable to a specific threat actor based on Google's analysis, but suggested to be financially motivated.
## Detection Methods
- **Signature-based detection:** Likely signatured after Google acted upon it, potentially detecting specific hardcoded prompts or the VBScript structure.
- **Behavioral detection:** Monitoring for anomalous VBScript execution attempting self-modification or querying external, potentially proprietary APIs (LLM interactions).
- **YARA rules:** Could be developed based on the unique structure of the "Thinking Robot" function or specific markers used in its Gemini prompts.
## Mitigation Strategies
- **Prevention measures:** Disabling API access for known malicious actors (as Google took action against associated accounts).
- **Hardening recommendations:** Strict monitoring of network egress to unvetted or suspicious external APIs, especially those that might facilitate dynamic code delivery. Monitoring Startup folder modifications.
## Related Tools/Techniques
- **PromptSteal (LameHug):** Also leverages LLMs for dynamic script generation and data theft commands.
- **General LLM Abuse:** Threat actors leveraging LLMs for code obfuscation, phishing lure creation, and C2 enhancement.
---
# Tool/Technique: PromptSteal (a.k.a. LameHug)
## Overview
A data miner deployed in Ukraine that utilizes LLMs to dynamically generate commands, specifically tailored for Windows data theft, in real-time during execution.
## Technical Details
- Type: Malware Family (Data Miner)
- Platform: Windows
- Capabilities: Real-time generation of data theft commands using LLMs.
- First Seen: This year (specific date not provided).
## MITRE ATT&CK Mapping
*Focuses heavily on interaction with the LLM for command generation.*
- **TA0007 - Credential Access**
- T1003 - OS Credential Dumping (Implied goal of data miner)
- **TA0011 - Collection**
- T1119 - Automated Collection (Via dynamic command generation)
## Functionality
### Core Capabilities
- Integrates LLM functionality to craft Windows data theft commands on the fly.
### Advanced Features
- Dynamic script generation based on real-time LLM output to maximize data exfiltration capabilities.
## Indicators of Compromise
- File Hashes: [Not provided]
- File Names: [Not provided]
- Network Indicators: [Not provided]
- Behavioral Indicators: Execution paths consistent with data mining leveraging external AI communication during operation.
## Associated Threat Actors
- Not specified, but linked to operations in Ukraine.
## Detection Methods
- Monitoring for executables that heavily interact with language model APIs during their primary operational phase.
## Mitigation Strategies
- Network filtering to restrict communication with known LLM provider APIs from unexpected processes.
## Related Tools/Techniques
- PromptFlux (Uses LLM for dynamism and evasion).
---
# Tool/Technique: FruitShell
## Overview
A PowerShell reverse shell identified by Google that has been enhanced with built-in, hard-coded prompts designed primarily to bypass LLM-powered security analysis tools.
## Technical Details
- Type: Malware (Reverse Shell)
- Platform: Windows (PowerShell execution environment)
- Capabilities: Establishes remote C2 access and executes arbitrary commands. Includes LLM evasion prompts.
- First Seen: This year (specific date not provided).
## MITRE ATT&CK Mapping
- **TA0011 - Command and Control**
- T1071 - Application Layer Protocol
- T1071.001 - Application Layer Protocol: Web Protocols (Implied C2 channel)
- **TA0002 - Execution**
- T1059 - Command and Scripting Interpreter
- T1059.001 - Command and Scripting Interpreter: PowerShell
## Functionality
### Core Capabilities
- Provides persistent, remote access to the compromised host via a PowerShell reverse shell.
### Advanced Features
- **LLM Bypass Prompts:** Contains embedded textual prompts intended to fool security solutions that use LLMs for behavioral analysis or sandbox evasion.
## Indicators of Compromise
- File Hashes: [Not provided]
- File Names: [PowerShell scripts or encoded payloads]
- Behavioral Indicators: Outbound connections from PowerShell processes to non-standard C2 addresses.
## Associated Threat Actors
- Not specified.
## Mitigation Strategies
- PowerShell logging and monitoring (Script Block Logging).
- Implementing endpoint detection rules specifically targeting known LLM evasion strings or patterns within scripts.
## Related Tools/Techniques
- OSSTUN C2 Framework (Enhanced by APT41 using Gemini for assistance).
---
# Tool/Technique: QuietVault
## Overview
A JavaScript-based credential stealer that targets GitHub and NPM tokens. It uses on-host AI CLI tools and prompts to discover and exfiltrate additional secrets.
## Technical Details
- Type: Malware (Credential Stealer)
- Platform: Systems running JavaScript environments (likely Windows/Linux with local tool chains).
- Capabilities: Steals GitHub/NPM tokens; uses local AI CLI tools to search for *additional* secrets. Exfiltration occurs via dynamically created public GitHub repositories.
- First Seen: This year (specific date not provided).
## MITRE ATT&CK Mapping
- **TA0006 - Credential Access**
- T1555 - Credentials from Password Stores
- T1555.003 - Credentials from Password Stores: Credentials in Files (Targeting tokens stored in configuration files/environments)
- **TA0010 - Exfiltration**
- T1048 - Exfiltration Over Alternative Protocol
- T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration to Cloud Storage (Using public GitHub repos)
## Functionality
### Core Capabilities
- Targets common developer secrets (GitHub, NPM tokens).
- Exfiltrates collected data by pushing it to newly created, public GitHub repositories.
### Advanced Features
- **Local AI Augmentation:** Leverages on-host AI command-line interface (CLI) tools to dynamically expand its search parameters, looking for more secrets based on local context.
## Indicators of Compromise
- File Hashes: [Not provided]
- File Names: [JavaScript files, potentially disguised]
- Network Indicators: Outbound connections associated with Git/GitHub API calls originating from unusual processes; creation of public GitHub repositories by the actor.
## Associated Threat Actors
- Not specified.
## Mitigation Strategies
- Strict egress filtering to control environments authorized to interact with GitHub APIs.
- Monitoring for JavaScript execution attempting to interact with OS command-line tools for reconnaissance.
## Related Tools/Techniques
- Agents abusing LLMs for data analysis/SQL generation (APT42).
---
# Tool/Technique: PromptLock
## Overview
An experimental ransomware that relies on Lua scripts to perform both the encryption of data and the theft of that data prior to encryption, utilizing AI integration in its design.
## Technical Details
- Type: Malware (Ransomware)
- Platform: Windows, macOS, and Linux (Cross-platform capability via Lua).
- Capabilities: Data exfiltration followed by file encryption. Relies on Lua scripting engine.
- First Seen: This year (specific date not provided).
## MITRE ATT&CK Mapping
- **TA0011 - Command and Control** (Implied C2 for key delivery/status)
- **TA0010 - Exfiltration** (Pre-encryption data theft)
- **TA0012 - Impact**
- T1486 - Data Encrypted for Impact (Ransomware core function)
## Functionality
### Core Capabilities
- Steals data resident on the host.
- Encrypts files using Lua scripts as the engine for execution logic.
### Advanced Features
- Experimental integration of AI components to potentially automate parts of the infection or encryption process.
## Indicators of Compromise
- File Hashes: [Not provided]
- File Names: [Lua scripts, file extensions modified by encryption]
- Behavioral Indicators: File access patterns consistent with rapid encryption across multiple file types; high inbound/outbound network traffic before encryption completes (data theft).
## Associated Threat Actors
- Not specified.
## Mitigation Strategies
- Regular, verified backups.
- Application control policies restricting execution of unsigned Lua scripts, especially those exhibiting file modification behaviors.
## Related Tools/Techniques
- General Ransomware TTPs augmented by AI features.
---
# Core Technique: Just-in-Time Self-Modification
## Overview
A major shift in adversary TTPs where malware dynamically alters its code during runtime by leveraging LLMs. This allows malware to achieve operational versatility previously impossible to attain with static binaries, potentially rendering traditional static analysis obsolete.
## Technical Details
- Type: Technique
- Platform: Platform-agnostic, as it relies on the execution environment of the integrating malware (e.g., VBScript host, PowerShell environment).
- Capabilities: Dynamic adaptation, metamorphic capabilities, real-time bypass code generation.
- First Seen: Significant shift identified *this year*.
## MITRE ATT&CK Mapping
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information (Perpetually changing obfuscation)
- **TA0003 - Persistence** (If used to update persistence mechanisms)
## Functionality
### Core Capabilities
- Integrating LLMs (like Gemini) into the execution loop.
- Receiving newly generated code segments to evade security products *mid-execution*.
### Advanced Features
- Creation of "metamorphic script" capabilities driven by external, adaptive knowledge sources (LLMs).
## Indicators of Compromise
- Behavioral Indicators: Processes making high-frequency, structured network connection requests to LLM public APIs during malware execution phases; rapid, non-deterministic changes in process memory or file contents after initial detection vectors are bypassed.
## Associated Threat Actors
- Financially motivated groups (PromptFlux indicated).
- China-nexus actors (Observed using LLMs to enhance C2 frameworks).
- Iranian actors (MuddyCoast/UNC3313, APT42).
- North Korean actors (Masan/UNC1069, Pukchong/UNC4899).
## Detection Methods
- **Behavioral detection:** Detecting suspicious API calls related to cloud-based LLM services originating from process types not expected to use them (e.g., VBScript host, shell environments).
- **Network Defense:** Monitoring for communication patterns indicative of prompt/response exchanges with LLM endpoints.
## Mitigation Strategies
- Strict network segmentation and Zero Trust principles to limit external access for endpoint processes.
- Investing in advanced runtime analysis capable of tracking code origins and execution flow changes originating from external calls.
## Related Tools/Techniques
- The use of LLMs by various threat actors (APT41, MuddyCoast) to enhance existing tools (e.g., OSSTUN) or develop new capabilities (linguistic phishing lures).