Securonix Threat Labs

Get up-to-date threat content from the experts at Securonix Threat Labs.

Uncover the threats of tomorrow, today.

Securonix Threat Labs helps your team fend off rising threats by bringing the industry’s brightest minds together to equip you with the latest countermeasures and best practices.

Powered by Threat Labs

Autonomous Threat Sweeper

Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.

Latest ATS Entries

All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.

2024-05-21
Latrodectus_Malware_Loader_Found_in_Phishing_Campaigns_Replacing_IcedID
LOW
Intel Source:
Elastic Security Labs
Intel Name:
Latrodectus_Malware_Loader_Found_in_Phishing_Campaigns_Replacing_IcedID
Date of Scan:
2024-05-21
Impact:
LOW
Summary:
Researchers at Elastic Security Labs have observed, since early March 2024, an increase in email phishing campaigns that deliver Latrodectus, a newly developed malware loader believed to be the successor to IcedID. These campaigns usually follow a known infection chain: large JavaScript files use WMI to launch msiexec.exe, which installs an MSI file hosted remotely on a WebDAV share.
Source: https://www.elastic.co/security-labs/spring-cleaning-with-latrodectus
2024-05-21
New_Hijack_Loader_Variant
MEDIUM
Intel Source:
Any.Run
Intel Name:
New_Hijack_Loader_Variant
Date of Scan:
2024-05-21
Impact:
MEDIUM
Summary:
Security researchers discovered a new version of Hijack Loader, which decrypts and parses a PNG image to load its second-stage payload. That second stage features a modular architecture, with its primary aim being the injection of the main instrumentation module.
Source: https://any.run/cybersecurity-blog/new-hijackloader-version/
Source: https://any.run/malware-trends/hijackloader
2024-05-20
Multi_Component_Banking_Trojan_and_Its_Expanding_LATAM_Focused_Campaigns
MEDIUM
Intel Source:
Security Intelligence
Intel Name:
Multi_Component_Banking_Trojan_and_Its_Expanding_LATAM_Focused_Campaigns
Date of Scan:
2024-05-20
Impact:
MEDIUM
Summary:
Grandoreiro is a sophisticated banking trojan operating globally as a Malware-as-a-Service (MaaS). It targets over 1500 banking applications across 60+ countries, with a recent surge in phishing campaigns impersonating government entities in Latin America. These campaigns, notably in Mexico and Argentina, use urgent messages to lure victims into downloading malicious files disguised as legitimate documents. With advanced features such as string decryption and dynamic domain generation, Grandoreiro poses a significant threat to online banking security and highlights the evolving threat landscape in the region.
Source: https://securityintelligence.com/x-force/grandoreiro-banking-trojan-unleashed/
2024-05-20
A_Sophisticated_Android_Banking_Trojan_Targeting_Multilingual_Users
MEDIUM
Intel Source:
Cyble
Intel Name:
A_Sophisticated_Android_Banking_Trojan_Targeting_Multilingual_Users
Date of Scan:
2024-05-20
Impact:
MEDIUM
Summary:
Antidot, a newly identified Android banking trojan, camouflages itself as a Google Play update application and uses multilingual fake update pages to broaden its victim pool. It employs overlay attacks, keylogging, and WebSocket communication with a Command and Control (C&C) server, which gives the operators real-time interaction for executing malicious commands, including SMS collection and remote device manipulation. Notably, it uses MediaProjection to implement VNC-style remote control of compromised devices. This discovery, alongside recent findings on the Brokewell Android banking trojan by Cyble Research and Intelligence Labs (CRIL), underscores the escalating sophistication of mobile malware threats.
Source: https://cyble.com/blog/new-antidot-android-banking-trojan-masquerading-as-google-play-updates/
2024-05-17
XMRig_Malware_Deployment_and_Defensive_Strategies
LOW
Intel Source:
Uptycs
Intel Name:
XMRig_Malware_Deployment_and_Defensive_Strategies
Date of Scan:
2024-05-17
Impact:
LOW
Summary:
Researchers from Uptycs have identified a significant, ongoing operation within the Log4j campaign through their honeypot collection. The campaign involves over 1700 dedicated IPs and aims to deploy the XMRig cryptominer onto targeted systems.
Source: https://www.uptycs.com/blog/log4j-campaign-xmrig-malware
2024-05-17
An_Examination_of_Metamorfo_Banking_Trojan
LOW
Intel Source:
Forcepoint
Intel Name:
An_Examination_of_Metamorfo_Banking_Trojan
Date of Scan:
2024-05-17
Impact:
LOW
Summary:
Researchers at Forcepoint have noticed a recent rise in banking trojan activity and examined one specific campaign. The malware, also known as Metamorfo, spreads via malspam campaigns that entice victims to open HTML attachments. Once the attachment is opened, a sequence of actions begins with the goal of collecting system metadata.
Source: https://www.forcepoint.com/blog/x-labs/exploring-metamorfo-banking-malware
2024-05-16
SugarGh0st_RAT_Aiming_at_US_Artificial_Intelligence_Experts
MEDIUM
Intel Source:
Proofpoint
Intel Name:
SugarGh0st_RAT_Aiming_at_US_Artificial_Intelligence_Experts
Date of Scan:
2024-05-16
Impact:
MEDIUM
Summary:
Researchers at Proofpoint have discovered a SugarGh0st RAT campaign targeting organizations in the United States engaged in artificial intelligence efforts, including those in government, the private sector, and academia. Proofpoint tracks the cluster responsible for this activity as UNK_SweetSpecter.
Source: https://www.proofpoint.com/us/blog/threat-insight/security-brief-artificial-sweetener-sugargh0st-rat-used-target-american
2024-05-16
Embedded_payloads_abuse_Microsoft_OneNote_files
MEDIUM
Intel Source:
Palo Alto
Intel Name:
Embedded_payloads_abuse_Microsoft_OneNote_files
Date of Scan:
2024-05-16
Impact:
MEDIUM
Summary:
The article by Ashkan Hosseosh Chitwadgi on Palo Alto Networks' Unit 42 blog discusses the increasing use of Microsoft OneNote files to embed malicious payloads, primarily for phishing. Analysis of around 6,000 OneNote samples reveals that 99.9% contain images used to lure users. Attackers exploit OneNote's flexibility to embed payloads such as JavaScript, VBScript, PowerShell, and HTA, shifting away from traditional macros. The article details the payload types and sizes and the methods for identifying them, emphasizing the need for robust security measures, including Palo Alto Networks' solutions. It concludes with a technical analysis of a specific payload, highlighting OneNote's versatility as an attack vector.
Source: https://unit42.paloaltonetworks.com/payloads-in-malicious-onenote-samples/
2024-05-16
Infiltration_of_a_European_Ministry_of_Foreign_Affairs
LOW
Intel Source:
Welivesecurity
Intel Name:
Infiltration_of_a_European_Ministry_of_Foreign_Affairs
Date of Scan:
2024-05-16
Impact:
LOW
Summary:
ESET researchers have uncovered the Lunar toolset, believed to be wielded by the Turla APT group, which was used to infiltrate a European ministry of foreign affairs (MFA) and its diplomatic missions abroad. The analysis covers two newly discovered backdoors, LunarWeb and LunarMail, employed in these breaches. Operating since at least 2020, the Lunar toolset uses techniques such as steganography and intricate communication methods to evade detection. The attackers, who have a history of targeting high-profile entities including governmental and diplomatic organizations, demonstrate sophisticated tactics. The post outlines victimology, initial access routes, and the inner workings of the Lunar toolset.
Source: https://www.welivesecurity.com/en/eset-research/moon-backdoors-lunar-landing-diplomatic-missions/
2024-05-16
Leveraging_Tesseract_for_Image_File_Exfiltration
LOW
Intel Source:
ASEC
Intel Name:
Leveraging_Tesseract_for_Image_File_Exfiltration
Date of Scan:
2024-05-16
Impact:
LOW
Summary:
ASEC researchers have uncovered a new tactic employed by the ViperSoftX attackers: using the Tesseract OCR engine to exfiltrate users' image files. ViperSoftX, a persistent malware strain, is known for executing attacker commands and stealing cryptocurrency-related information. The report covers ViperSoftX's use of Tesseract, its modus operandi, and recent developments. The malware reads images stored on infected systems and extracts strings from them using Tesseract.
Source: https://asec.ahnlab.com/en/65426/

Threat Content

Shared Security Content on Sigma

Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.

Why Security Content Matters

Learn how Securonix is paving the way to make precise, and actionable security content a reality for our customers.