Hackers are using AI to dissect threat intelligence reports and ‘vibe code’ malware
TrendMicro has called for caution on how much detail is disclosed in security advisories
Threat intelligence reports play a crucial role in helping enterprises keep tabs on emerging threats. These blog posts detail the tactics, techniques, and procedures (TTPs) of a threat group or dissect the makeup of a particular malware strain.
New research, however, shows they could also be doing more harm than good. According to research from Trend Micro, hackers are now using AI to analyze these reports and use them to refine their tactics.
The study showed large language models (LLMs) can translate technical blogs into “partial malicious code” in a dark twist on the “vibe coding” trend.
This not only allows threat actors to speed up attacks or reverse engineer malware strains, it also helps them mimic other group’s TTPs, creating challenges with the attribution of attacks.
Speaking to ITPro, Robert McArdle, Director of Forward Threat Research at Trend Micro, said the company’s findings highlight the latest example of cyber criminals jumping on the vibe coding bandwagon to wreak havoc.
“We already know that cyber criminals are using vibe coding,” McArdle said. “We’ve seen that in their discussions on criminal forums. We’ve seen existing malware that very much looks like it was vibe coded.”
“It got us thinking, what if you can actually clone an analysis by a researcher to try to re-implement the malware from what they've described?”
McArdle told ITPro the company decided to test this by using AI tools to dissect its own blog posts, which showed some initial promise.
“What came back was quite good,” he said. “It wasn’t the final product. It did need a little bit of tweaking to get it to work, but it certainly took a lot of work out of the way.”
This ‘lightening of the load’ is a key concern, McArdle noted. While AI tools are unlocking productivity gains for workers on the right side of the law, they’re proving equally powerful for criminals.
Worse still, these tools are helping lower the barrier to entry for up-and-coming cyber criminals and accelerating processes for those with a higher level of technical know-how.
“AI lets you jump from your current level of proficiency up to the next level faster,” he told ITPro. “So if you’re a complete novice and you know very little about code, you can vibe code a reasonably okay malware.”
“If you're already skilled and you go to an in-depth analysis of something even more advanced, then it certainly helps you get up to speed on that faster and go from those examples and have some sort of working code," McArdle continued. “So in each case it levels up the skill set of the attacker.”
Time to tone down the technical details?
Faced with this, McArdle said Trend Micro’s view on threat intelligence reports is that industry providers should consider toning down the technical details.
The company itself has taken this on board and McArdle said a key factor in releasing this research was to raise awareness and let industry counterparts know what’s going on.
“We often release these [threat intelligence reports] to raise awareness, to let people know that you know something is going on,” he said.
“Within those, it's the level of detail that you put in the post that’s the difference. We need to let people know this new attack is happening. Here's the main details you need to know to defend yourself. Here's the bigger world context, and so on,” McArdle added.
“But we probably don't always need to go down to the low-level code of ‘this is exactly how this was implemented, from start to finish’.”
“The more and more you go to that level, the more an AI is capable of reconstructing an approximation of the malware from it,” he said.
Make sure to follow ITPro on Google News to keep tabs on all our latest news, analysis, and reviews.
MORE FROM ITPRO
-
The channel is heading straight for an AI infrastructure wallIndustry Insights AI ambition is accelerating faster than channel infrastructures, however data architecture and enterprise readiness can support
-
Logitech’s new keyboard and mouse aim to make you as comfortable as possible while you work from home (or in the office)News The Signature Comfort Plus keyboard and mouse are soft and padded, and full of customisable buttons
-
AI is shrinking attack windows, and it’s forcing a complete rethink of cyber resilience – here’s how organizations can prepareNews Commvault has urged companies to improve their business continuity and resilience plans in the face of flaws spotted by AI
-
Google says AI is now being used to build zero-days – and we just narrowly avoided a 'mass exploitation event'News Google cyber researchers think they’ve found the first AI-generated zero-day exploit
-
Claude users beware, hackers are using a fake website to dupe developers and deliver malwareNews 'Beagle' is deployed through a Dynamic Link Library (DLL) sideloading chain, and gives attackers remote access to the system
-
UK firms left in the dark over what workers are sharing with AINews Security teams can’t keep track of what workers are sharing with AI applications, regardless of whether they’re approved or unauthorized
-
North Korean hackers are duping freelance developers with fake interviews to steal cryptocurrency and deliver malware — Sophos warns the 'Nickel Alley' group is using LinkedIn, Upwork, and Fiverr to target victimsNews A fake interview process uses coding tests and repo downloads to deliver malware
-
AI is now a ‘standard part of the attacker toolkit’News Cyber attacks are increasing in scale, intensity, and velocity thanks to AI, and it’s forcing defenders to react faster than ever before
