Securonix Threat Labs

Get up-to-date threat content from the experts at Securonix Threat Labs.

Uncover the threats of tomorrow, today.

Securonix Threat Labs helps your team fend off rising threats by bringing the industry’s brightest minds together to equip you with the latest countermeasures and best practices.

Powered by Threat Labs

Autonomous Threat Sweeper

Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.

Latest ATS Entries

All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.

New_Variants_of_Golang_Based_Ransomhub_Ransomware
Intel Source: PaloAlto
Intel Name: New_Variants_of_Golang_Based_Ransomhub_Ransomware
Date of Scan: 2024-07-26
Impact: LOW
Summary: PaloAlto researchers have discovered new variants of the Golang-based Ransomhub ransomware, which tout enhanced features such as quick encryption and avoiding VM shutdowns while using the same gobfuscate obfuscation approach as before.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-07-24-new-Ransomhub-verson-or-variant.txt
Malicious_LNK_Targeting_Financial_Entities
Intel Source: ASEC
Intel Name: Malicious_LNK_Targeting_Financial_Entities
Date of Scan: 2024-07-26
Impact: LOW
Summary: ASEC researchers have identified a new campaign targeting domestic financial entities using malicious LNK files delivered through emails containing malicious URLs. The URL downloads a ZIP file named "Request for confirmation of project information in accordance with the request of financial authorities.zip". Once the malicious ZIP file is downloaded, it is found to contain a regular PDF and a fake Excel file. The PDF requests updates on cryptocurrency projects to trick users into opening the fake file, which hides PowerShell commands that are hard to detect. The scripts then steal user information, download additional malicious files, and send the stolen data to a specific URL.
Source: https://asec.ahnlab.com/ko/68266/
Activity_of_UAC_0102_Group
Intel Source: CERT-UA
Intel Name: Activity_of_UAC_0102_Group
Date of Scan: 2024-07-26
Impact: LOW
Summary: CERT-UA researchers have found the UAC-0102 group distributing emails with attachments in the form of archives containing an HTML file. Opening the file redirects the user to a web resource that imitates the web page of the UKR.NET service. If the user enters their login and password, the authentication data is sent to the attackers, and a document is downloaded to the victim's computer as bait.
Source: https://cert.gov.ua/article/6280183
Exploiting_APT45
Intel Source: Google Cloud
Intel Name: Exploiting_APT45
Date of Scan: 2024-07-26
Impact: MEDIUM
Summary: Mandiant researchers have observed that APT45 has been involved in various cyber operations that align with the shifting geopolitical interests of the North Korean state. Initially, APT45 focused on spying on government agencies and defense industries. More recently, the group has shifted to financially motivated operations targeting the financial sector.
Source: https://cloud.google.com/blog/topics/threat-intelligence/apt45-north-korea-digital-military-machine
IT_Crash_Fallout
Intel Source: Morphisec
Intel Name: IT_Crash_Fallout
Date of Scan: 2024-07-26
Impact: HIGH
Summary: Researchers from Morphisec have found that a recent faulty configuration file in CrowdStrike's Falcon platform caused a significant IT disruption, making millions of Windows machines unusable. This multi-day outage affected crucial sectors such as airlines, banks, and hospitals. The incident highlighted the significant responsibility and potential risks of allowing third-party security solutions to access the kernel.
Source: https://blog.morphisec.com/blast-radius-fallout-strengthening-cyber-resilience-after-the-largest-it-crash
Gh0stGambit_A_New_Variant_of_Gh0stRAT
Intel Source: Esentire
Intel Name: Gh0stGambit_A_New_Variant_of_Gh0stRAT
Date of Scan: 2024-07-26
Impact: LOW
Summary: Researchers from eSentire have discovered several Gh0st RAT infections originating from fake Chrome browser installer packages. These infections start with a new variant called Gh0stGambit, which is designed to secretly download and run encrypted malware. The malware is downloaded when users search for Chrome online and try to download a file named ChromeSetup.msi. The operation targets entities such as embassies, foreign ministries, government offices, and the Dalai Lama's Tibetan exile centers in India, London, and New York City.
Source: https://www.esentire.com/blog/a-dropper-for-deploying-gh0st-rat
LummaC2_Malware_Update
Intel Source: ASEC
Intel Name: LummaC2_Malware_Update
Date of Scan: 2024-07-26
Impact: LOW
Summary: ASEC researchers have observed LummaC2, an information-stealing malware disguised as illegal software such as cracks, keygens, and game hacks. It spreads through websites, YouTube, LinkedIn, and search engine ads that mimic pages for Notion, Slack, and Steam. It can be delivered as a single EXE file or as a compressed file containing a malicious DLL. LummaC2 has changed dynamically, and its new version can use a legitimate website to change the C2 domain whenever the attacker wants.
Source: https://asec.ahnlab.com/en/68309/
Hackers_Exploiting_Selenium_Grid
Intel Source: Wiz blog
Intel Name: Hackers_Exploiting_Selenium_Grid
Date of Scan: 2024-07-26
Impact: LOW
Summary: Wiz researchers have observed an ongoing threat campaign called "SeleniumGreed" in which attackers exploit exposed Selenium Grid services to mine cryptocurrency. They use Selenium WebDriver features to run Python scripts that download an XMRig miner.
Source: https://www.wiz.io/blog/seleniumgreed-cryptomining-exploit-attack-flow-remediation-steps
New_Phishing_Scam_Targeting_German_Customers
Intel Source: CrowdStrike
Intel Name: New_Phishing_Scam_Targeting_German_Customers
Date of Scan: 2024-07-26
Impact: HIGH
Summary: CrowdStrike Intelligence has identified a spearphishing campaign involving a counterfeit CrowdStrike Crash Reporter installer, distributed through a website impersonating a German organization. Notably, the website was registered with a subdomain registrar and appears to have been created on July 20, 2024, one day after an issue affecting Windows operating systems, traced to a single content update for CrowdStrike's Falcon sensor, was discovered and fixed.
Source: https://www.crowdstrike.com/blog/malicious-inauthentic-falcon-crash-reporter-installer-spearphishing/
Domain_Hosting_Pages_For_Paris_Olympics_Scams
Intel Source: PaloAlto
Intel Name: Domain_Hosting_Pages_For_Paris_Olympics_Scams
Date of Scan: 2024-07-26
Impact: LOW
Summary: Researchers at PaloAlto have cautioned users about fake Paris 2024 Olympic scams. They uncovered a large number of domains, including recently registered ones, that offered fake internet data giveaways. These scam pages request a phone number, trick victims into sharing the page with WhatsApp friends, and promote further false surveys.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-07-25-Paris-2024-Olympics-scams.txt

Threat Content

Shared Security Content on Sigma

Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.

Why Security Content Matters

Learn how Securonix is paving the way to make precise, and actionable security content a reality for our customers.