1、#BHUSA BlackHatEventsBylineHacker Dropping Mid-Heist SelfiesLLM Identifies Information Stealer Infection Vectors and Extracts IoCEstelle Ruellan,Threat Intelligence ResearcherOlivier Bilodeau,Principal Cybersecurity Researcherflare.ioWho Are We?2Olivier BilodeauEstelle RuellanCyber Threat Intelligen
2、ce ResearcherMathematics and Criminology BackgroundFormer student athleteLoves data science,shapes and colorsBaby serial presenter:BlackHat,DEFCON,NorthSec,ShmooCon,Botconf,Hack.lu15 years cybersecurity industry experiencePrincipal Cybersecurity Researcher at FlareFormer GoSecure,ESET.Founder MontrH
3、ackNorthSecs PresidentSerial presenter:DEFCON,BlackHat,SecTor,Botconf,CERT-EU,AtlSecConHonorable mentions:flare.ioAgenda1.The Information Stealer Malware Phenomenon2.Mid-Heist Selfies3.The LLM Pipeline4.Prompt Engineering5.LLM Assessment6.Discriminating IoCs7.Inside the Infostealer Playbook8.Success
4、ful Campaigns:2 Case Studies9.Strength and Limits10.Conclusionflare.ioAgenda1.The Information Stealer Malware Phenomenon2.Mid-Heist Selfies3.The LLM Pipeline4.Prompt Engineering5.LLM Assessment6.Discriminating IoCs7.Inside the Infostealer Playbook8.Successful Campaigns:2 Case Studies10.Conclusion9.S
5、trength and Limitsflare.io5The Malware you(may)have never heard of:5What is an Infostealer?Administrative rights NOT required!&No Persistence!User downloads softwareIndividual logs are packaged togetherLog Files are distributed in Telegram ChannelsInfostealer grabs:-credentials-crypto wallets-browse
6、r data Malware is executed on victim computerData exfiltrated to C2 infrastructureflare.io6 6Stealer Log Structurecrazy_cloud_daily.zip78a5g6fdg.zipun347y8erf.zipjnh2389dfv.zipjnkdf89345.zipuni34r893.zipHere is the daily update for Jan 27th!crazy_cloud_daily.zipFrom:Cr4zy Cl0ud 2025!1flare.io7 7Stea