Catching Smarter Mice with Even Smarter Cats

AI is enhancing both malware development and antivirus analysis, particularly improving de-obfuscation capabilities but still struggling with complex packing and newer frameworks like Flutter and Rust. Fortinet’s protections already cover the malware families mentioned, ensuring customer safety against these evolving threats. #LinuxLadvixE #LinuxPrometeiB #SpyLoan #FilecoderBRtr

Keypoints

  • Malware authors and antivirus engineers are increasingly using AI to enhance malware complexity and reverse engineering processes.
  • AI currently assists effectively with code obfuscation removal but is not yet capable of automated unpacking of packed malware binaries.
  • New malware frameworks and languages such as Flutter and Rust pose challenges for AI-assisted analysis, whereas older languages like Delphi are handled well due to existing training data.
  • AI-generated decompilations can simplify malware analysis by removing compiler-inserted functions and producing more readable source code.
  • Malware authors may respond to AI advancements by adopting more complex obfuscation and newer programming environments, but AI tools can rapidly adapt through continuous learning.
  • Fortinet’s FortiGuard Antivirus service currently detects and protects against Linux/Ladvix.E, Linux/Prometei.B, SpyLoan, and Linux/Filecoder.BR!tr malware samples.
  • Examples of related malware demonstrate the evolving cat-and-mouse dynamic in cybersecurity, with AI shifting advantages toward antivirus defenders.

MITRE Techniques

  • [T1027] Obfuscated Files or Information – AI was used to analyze and de-obfuscate standard code obfuscation and junk code within malware such as Linux/Ladvix.E (‘AI successfully analyzed the obfuscation algorithm… and implemented a working de-obfuscator’).
  • [T1140] Deobfuscate/Decode Files or Information – AI aids in reconstructing readable source code from obfuscated malware binaries, improving understanding of malicious functions (‘AI smartly removes inner calls and produces source code easier to read than Ghidra’).
  • [T1059] Command and Scripting Interpreter – The malware samples employ high-level languages and frameworks (Go, Rust, Flutter, Delphi) that affect command interpretation and reverse engineering complexity (‘AI struggles with Flutter and Rust malware but can reconstruct readable Dart code after Blutter output’).
  • [T1014] Rootkit – Packing and obfuscation techniques are used by malware authors to evade detection, requiring unpacking, which current AI and disassemblers cannot fully automate (‘unpacking is a difficult task that current disassemblers can’t do either’).

Indicators of Compromise

  • [File Hash] malware sample hashes (SHA-256):
    • 943e1539d07eaffa4799661812c54bb67ea3f97c5609067688d70c87ab2f0ba4 (Linux/Ladvix.E)
    • cc7ab872ed9c25d4346b4c58c5ef8ea48c2d7b256f20fe2f0912572208df5c1a (Linux/Prometei.B)
    • c65298b6cd5a1769c747a0c7fb589ffa12fdf832b64787283953eaa57b65bc1c (SpyLoan!Android)
    • c08a752138a6f0b332dfec981f20ec414ad367b7384389e0c59466b8e10655ec (Linux/Filecoder.BR!tr)

Read more: https://feeds.fortinet.com/~/921465485/0/fortinet/blog/threat-research~Catching-Smarter-Mice-with-Even-Smarter-Cats