Powered by Threat Labs

Autonomous Threat Sweeper

Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.

Latest ATS Entries

All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.

2023-09-22
Investigation_into_WinRAR_Vulnerability
LOW

Intel Source:
McAfee
Intel Name:
Investigation_into_WinRAR_Vulnerability
Date of Scan:
2023-09-22
Impact:
LOW
Summary:
McAfee researchers examined a sample that exploited the major RCE vulnerability CVE-2023-38831, an RCE flaw in WinRAR prior to version 6.23. The problem arises because a ZIP archive can contain a harmless file (such as a regular .JPG file) together with a folder of the same name as that innocent file; when the user tries to open just the harmless file, the contents of the folder (which may contain executable content) are processed instead.


Source:
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/exploring-winrar-vulnerability-cve-2023-38831/

2023-09-22
Drinik_Malware_Returns_to_Threaten_Indian_Taxpayers
LOW

Intel Source:
Cyble
Intel Name:
Drinik_Malware_Returns_to_Threaten_Indian_Taxpayers
Date of Scan:
2023-09-22
Impact:
LOW
Summary:
Researchers from Cyble have noticed that the Drinik malware showed increased activity levels that were timed to coincide with the deadline for filing Indian income tax returns. Drinik malware’s most recent version includes a number of recently introduced features.


Source:
https://cyble.com/blog/indian-taxpayers-face-a-multifaceted-threat-with-drinik-malwares-return/

2023-09-22
A_Banker_Server_Side_Components_Analysis
LOW

Intel Source:
Checkpoint
Intel Name:
A_Banker_Server_Side_Components_Analysis
Date of Scan:
2023-09-22
Impact:
LOW
Summary:
A campaign utilizing a new form of the BBTok banker and operating in Latin America was recently uncovered by Check Point researchers. The study focuses on recently identified infection chains that employ a special mix of Living off the Land Binaries (LOLBins).


Source:
https://research.checkpoint.com/2023/behind-the-scenes-of-bbtok-analyzing-a-bankers-server-side-components/

2023-09-22
Targeting_Telcos_with_a_LuaJIT_Toolkit
LOW

Intel Source:
SentinelOne
Intel Name:
Targeting_Telcos_with_a_LuaJIT_Toolkit
Date of Scan:
2023-09-22
Impact:
LOW
Summary:
A series of cyberattacks against telecommunications providers in the Middle East, Western Europe, and the South Asian subcontinent has been linked to a hitherto unknown threat actor known as Sandman. It is noteworthy that the intrusions use the LuaJIT just-in-time (JIT) compiler to deliver the unique LuaDream implant.


Source:
https://www.sentinelone.com/labs/sandman-apt-a-mystery-group-targeting-telcos-with-a-luajit-toolkit/

2023-09-22
Analysis_of_SmokeLoaders_Plugins
LOW

Intel Source:
Bitsight
Intel Name:
Analysis_of_SmokeLoaders_Plugins
Date of Scan:
2023-09-22
Impact:
LOW
Summary:
A well-known malware family with a history spanning more than ten years is called SmokeLoader. The primary function of this malware is to download and drop additional malware families. However, the owners of SmokeLoader also market plugins that give the primary module new features. These plugins give an affiliate the ability to gather a variety of information from compromised PCs, including emails, cookies, passwords, and browser data.


Source:
https://www.bitsight.com/blog/smokeloaders-plugins

2023-09-22
The_Evil_Alliance_Between_GuLoader_And_Remcos
LOW

Intel Source:
Checkpoint
Intel Name:
The_Evil_Alliance_Between_GuLoader_And_Remcos
Date of Scan:
2023-09-22
Impact:
LOW
Summary:
Remcos and GuLoader have a close relationship, according to Checkpoint researchers. Remcos is hard to employ for nefarious purposes on its own because antivirus programs may quickly detect it; however, Remcos can get around antivirus defenses by using GuLoader. During this investigation, they found that GuLoader is now marketed, implicitly and under a different name, on the same platform as Remcos, as a crypter that renders its payload completely undetectable by antivirus software.


Source:
https://research.checkpoint.com/2023/unveiling-the-shadows-the-dark-alliance-between-guloader-and-remcos/

2023-09-21
Advisory_on_Snatch_Ransomware
MEDIUM

Intel Source:
CISA
Intel Name:
Advisory_on_Snatch_Ransomware
Date of Scan:
2023-09-21
Impact:
MEDIUM
Summary:
The FBI and CISA released a joint Cybersecurity Advisory about Snatch ransomware that shares IOCs and the tactics, techniques, and procedures linked with the Snatch ransomware variant. Snatch threat actors operate under a ransomware-as-a-service (RaaS) model and change their tactics according to current cybercriminal trends and the successes of other ransomware operations.


Source:
https://www.cisa.gov/sites/default/files/2023-09/joint-cybersecurity-advisory-stopransomware-snatch-ransomware_0.pdf

2023-09-21
Fake_WinRAR_PoC_Exploit_Drops_VenomRAT
LOW

Intel Source:
PaloAlto
Intel Name:
Fake_WinRAR_PoC_Exploit_Drops_VenomRAT
Date of Scan:
2023-09-21
Impact:
LOW
Summary:
Researchers from Palo Alto have discovered a threat actor attempting to infect downloaders with the VenomRAT malware by disseminating a phony proof-of-concept (PoC) exploit for a newly patched WinRAR vulnerability on GitHub.


Source:
https://unit42.paloaltonetworks.com/fake-cve-2023-40477-poc-hides-venomrat/

2023-09-21
Attack_on_MS_SQL_Servers_by_HiddenGh0st_Malware
LOW

Intel Source:
ASEC
Intel Name:
Attack_on_MS_SQL_Servers_by_HiddenGh0st_Malware
Date of Scan:
2023-09-21
Impact:
LOW
Summary:
Recently, ASEC researchers verified the spread of a Gh0st RAT variant that targets poorly managed MS-SQL servers and installs the Hidden rootkit. Hidden, an open-source rootkit that is publicly available on GitHub, has the capacity to protect processes and to hide files, registry entries, and even itself.


Source:
https://asec.ahnlab.com/en/57185/

2023-09-21
P2Pinfect_Botnet_Targeting_Redis_and_SSH_Services
LOW

Intel Source:
Cado Security
Intel Name:
P2Pinfect_Botnet_Targeting_Redis_and_SSH_Services
Date of Scan:
2023-09-21
Impact:
LOW
Summary:
According to Cado Security researchers, P2Pinfect compromises have been seen in China, the United States, Germany, the UK, Singapore, Hong Kong, and Japan. Since August 28, P2Pinfect, a new peer-to-peer botnet that targets the open-source Redis and SSH services, has reportedly seen a remarkable 600x rise in traffic, including a 12.3% increase over the previous week.


Source:
https://www.cadosecurity.com/cado-security-labs-researchers-witness-a-600x-increase-in-p2pinfect-traffic/


Threat Content

Shared Security Content on Sigma

Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.

Why Security Content Matters

Learn how Securonix is paving the way to make precise, and actionable security content a reality for our customers.

What's New from Threat Labs

  • Blog
    Securonix Threat Labs Monthly Intelligence Insights – August 2023
  • Blog
    Securonix Threat Labs Security Advisory: Threat Actors Target MSSQL Servers in DB#JAMMER to Deliver FreeWorld Ransomware
  • Blog
    Securonix Threat Labs Monthly Intelligence Insights – July 2023

Threat Labs Archives

  • Threat Research