Securonix Threat Labs

Get up-to-date threat content from the experts at Securonix Threat Labs.

Uncover the threats of tomorrow, today.

Securonix Threat Labs helps your team fend off rising threats by bringing the industry’s brightest minds together to equip you with the latest countermeasures and best practices.

Powered by Threat Labs

Autonomous Threat Sweeper

Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.

Latest ATS Entries

All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.

Intel Source: ASEC
Intel Name: Korean_Corporations_ERP_Server_and_Installs_VPN_Server
Date of Scan: 2024-06-17
Impact: MEDIUM
Summary:
The AhnLab Security Intelligence Center has discovered a cyberattack on a Korean corporation's ERP server, where the attacker exploited a vulnerable MS-SQL service. Initially, the threat actor scanned the network, gathered system information, and tested payload downloads. They then installed a web shell for persistent access and control, ultimately deploying SoftEther VPN to use the compromised system as a VPN server. The configuration indicated a "cascade connection," suggesting the VPN server was linked to another VPN server, likely to establish a more secure and private command and control (C&C) infrastructure.
Source: https://asec.ahnlab.com/en/66843/
Intel Source: Proofpoint
Intel Name: TA571_and_ClearFake_Exploiting_PowerShell
Date of Scan: 2024-06-17
Impact: LOW
Summary:
Researchers from Proofpoint have discovered that attackers are using a social-engineering technique to trick people into running harmful PowerShell scripts on their own computers. The technique shows the user a fake error message and asks them to copy and paste a malicious script into PowerShell or the Windows Run dialog box. Threat actors such as TA571 and the ClearFake group are using this method to spread malware including DarkGate, Matanbuchus, NetSupport, and other information-stealing software.
Source: https://www.proofpoint.com/us/blog/threat-insight/clipboard-compromise-powershell-self-pwn
Intel Source: ISC.SANS
Intel Name: NetSupport_Campaign_Delivering_via_MSIX_Packages
Date of Scan: 2024-06-17
Impact: LOW
Summary:
ISC.SANS researchers have discovered several malicious MSIX packages on VirusTotal (VT) that drop a NetSupport client configured to call home to a manager under the attacker's control. Attackers benefit from remote support tools because they offer a ready-made channel to compromised systems without requiring the development of their own C2 infrastructure and protocol. While certain programs, such as AnyDesk or TeamViewer, are well known and frequently looked for as signs of compromise, others, such as NetSupport, are more likely to go unnoticed. NetSupport has all the capabilities needed to communicate with victims and is free for 30 days.
Source: https://isc.sans.edu/diary/rss/31018
Intel Source: Trend Micro
Intel Name: Noodle_RAT_Backdoor_Used_by_Chinese_Speaking_Groups
Date of Scan: 2024-06-17
Impact: MEDIUM
Summary:
Researchers from Trend Micro have identified a new malware family called Noodle RAT, also known as ANGRYREBEL or NoodRAT, used in attacks targeting the Asia-Pacific region. It has both Windows and Linux versions, each with distinct attributes. The Windows version, Win.NOODLERAT, runs in memory and requires the loaders MULTIDROP and MICROLOAD. It is used by various APT groups for espionage and communicates over TCP, SSL, and HTTP, with encryption. The Linux version, Linux.NOODLERAT, supports TCP and HTTP and is also used by various groups for both financial and espionage purposes. Noodle RAT can attack both Windows and Linux systems and continues to grow more advanced, making it a major threat.
Source: https://www.trendmicro.com/en_us/research/24/f/noodle-rat-reviewing-the-new-backdoor-used-by-chinese-speaking-g.html
Intel Source: GBhackers
Intel Name: Kimsuky_group_launched_a_cyber_espionage_campaign
Date of Scan: 2024-06-17
Impact: HIGH
Summary:
A threat researcher from BlackBerry shared an article on LinkedIn identifying that the North Korean state-sponsored group Kimsuky launched a cyber-espionage campaign targeting a Western European weapons manufacturer. The attack began with a spear-phishing email sent to employees of the targeted organization. The group used new tools, showcasing its evolving capabilities. Its main target was a Western European weapons manufacturer, highlighting the strategic importance of the defense sector; as a deceptive lure, the attackers used the name of the well-known military contractor "General Dynamics".
Source: https://gbhackers.com/north-korean-kimsuky-attacking/
Intel Source: Esentire
Intel Name: Matanbuchus_Malware
Date of Scan: 2024-06-14
Impact: LOW
Summary:
Researchers at eSentire have noticed a rise in observations of Matanbuchus malware. Matanbuchus is a loader first discovered in 2021. It has been used to launch several secondary payloads, including Danabot, Qakbot, and Cobalt Strike. In recent findings, malicious web-browser advertising (malvertising) was used to drive viewers to threat actor-controlled web pages, where users were asked to download a ZIP file. Matanbuchus is deployed after the user extracts and interacts with the ZIP file's contents. All recent instances were interrupted prior to the delivery of a secondary payload.
Source: https://www.esentire.com/security-advisories/matanbuchus-malware
Intel Source: Esentire
Intel Name: SolarMarker_Impersonates_as_Indeed_Job_Site_with_Team_Building_Theme
Date of Scan: 2024-06-14
Impact: MEDIUM
Summary:
Researchers at eSentire uncovered a SolarMarker infection incident originating from a fake website masquerading as the job search platform Indeed. The infection occurs when a user searching for workplace team-building ideas is redirected to this malicious site, where they unknowingly download a file that appears to be a legitimate document but is the SolarMarker malware. This malware employs advanced techniques such as encrypted backdoors and manipulation to infect systems. It deploys malicious tools such as StellarInjector and SolarPhantom to steal data and gain hidden access to machines.
Source: https://www.esentire.com/blog/solarmarker-impersonates-job-employment-website-indeed-with-a-team-building-themed-lure
Intel Source: BushidoToken Threat Intel
Intel Name: Analysis_of_the_Qilin_RaaS
Date of Scan: 2024-06-14
Impact: LOW
Summary:
Qilin ransomware has been active since at least May 2022 and is named after a mythical Chinese beast pronounced "Chee-lin". However, the cybercriminal group behind it is thought to have originated in Russia. Qilin is a Ransomware-as-a-Service (RaaS) platform, meaning that actors outside the core Qilin team (known as ransomware affiliates) can use it to launch ransomware attacks. The Qilin RaaS handles payload creation, stolen data dissemination, and ransom negotiations.
Source: https://blog.bushidotoken.net/2024/06/tracking-adversaries-qilin-raas.html
Intel Source: NetLab
Intel Name: Diving_Deep_into_Botnet_911S5_Digital_Legacy
Date of Scan: 2024-06-14
Impact: LOW
Summary:
According to the analysis of the 360 Threat Intelligence Center, 911S5 started operating in 2014 and was shut down in July 2022. It changed its name in October 2023 and continued operating under the alias CloudRouter. It was eventually dismantled by multinational law enforcement in May 2024. The 911S5 botnet is known for its high-profile activity, lengthy running duration, and 19 million IP addresses spread across several nations. Law enforcement activities led to its takedown, but its digital legacy remains a real and significant threat to cyberspace.
Source: https://blog.netlab.360.com/911s5/
Intel Source: Bitdefender
Intel Name: PHP_vulnerability_under_active_exploit
Date of Scan: 2024-06-14
Impact: MEDIUM
Summary:
Bitdefender has also reported active exploitation of a vulnerability in PHP. CVE-2024-4577 is a critical flaw affecting PHP versions 5.x and newer on Windows servers, enabling attackers to remotely execute PHP code on affected servers. The vulnerability originates from how PHP manages character conversions, particularly for languages such as Chinese or Japanese. Exploiting this flaw allows attackers to gain control over servers, posing risks to data confidentiality, system integrity, and availability. Cybercriminals, including groups such as "TellYouThePass," have been actively scanning for and exploiting this vulnerability.
Source: https://www.bitdefender.com/blog/businessinsights/technical-advisory-cve-2024-4577-php-vulnerability-under-active-exploit/

Threat Content

Shared Security Content on Sigma

Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.

Why Security Content Matters

Learn how Securonix is paving the way to make precise and actionable security content a reality for our customers.