Powered by Threat Labs

Autonomous Threat Sweeper

Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.

Latest ATS Entries

All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.

2023-05-30
Chinese_APT_Group_BRONZE_SILHOUETTE_Targeting_US_Government_and_Defense_Organizations
MEDIUM

Intel Source:
NSA / Secureworks
Intel Name:
Chinese_APT_Group_BRONZE_SILHOUETTE_Targeting_US_Government_and_Defense_Organizations
Date of Scan:
2023-05-30
Impact:
MEDIUM
Summary:
SecureWorks researchers have discovered a cluster of activity of interest associated with a People’s Republic of China (PRC) state-sponsored cyber actor, also known as Volt Typhoon. Private sector partners have identified that this activity affects networks across U.S. critical infrastructure sectors, and the authoring agencies believe the actor could apply the same techniques against these and other sectors worldwide.


Source:
https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations
https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF

2023-05-30
Obsidian_ORB_Ransomware_Demanding_Payment_With_Gift_Cards
LOW

Intel Source:
Cyble
Intel Name:
Obsidian_ORB_Ransomware_Demanding_Payment_With_Gift_Cards
Date of Scan:
2023-05-30
Impact:
LOW
Summary:
Cyble researchers have come across a new and unique ransomware strain named Obsidian ORB. Extensive analysis has revealed compelling evidence that suggests a significant correlation between Obsidian ORB Ransomware and the underlying source code of the notorious Chaos ransomware.


Source:
https://blog.cyble.com/2023/05/25/obsidian-orb-ransomware-demands-gift-cards-as-payment/

2023-05-30
Ducktail_Malware_targets_a_high_profile_accounts
LOW

Intel Source:
Cyble
Intel Name:
Ducktail_Malware_targets_a_high_profile_accounts
Date of Scan:
2023-05-30
Impact:
LOW
Summary:
Cyble researchers recently discovered Ducktail malware, which specifically targets marketing and HR professionals. The malware is designed to extract browser cookies and take advantage of social media sessions to steal sensitive information from the victim’s social media account. The purpose of the malware operation is to gain control of social media business accounts with adequate access privileges. Threat actors (TAs) then use the acquired access to run advertisements for their own financial gain.


Source:
https://blog.cyble.com/2023/05/17/ducktail-malware-focuses-on-targeting-hr-and-marketing-professionals/

2023-05-30
The_Invicta_Stealer_Spreading
LOW

Intel Source:
Cyble
Intel Name:
The_Invicta_Stealer_Spreading
Date of Scan:
2023-05-30
Impact:
LOW
Summary:
Cyble's research lab team discovered a new stealer called Invicta Stealer. The developer in charge of this malware is heavily involved on social media platforms, using them to promote the information stealer and its lethal capabilities.


Source:
https://blog.cyble.com/2023/05/25/invicta-stealer-spreading-through-phony-godaddy-refund-invoices/

2023-05-29
Legion_Malware_Targeting_SSH_Servers_and_AWS_Credentials
LOW

Intel Source:
CADO Security
Intel Name:
Legion_Malware_Targeting_SSH_Servers_and_AWS_Credentials
Date of Scan:
2023-05-29
Impact:
LOW
Summary:
CADO Security researchers have identified an updated version of the commodity malware called Legion that comes with expanded features to compromise SSH servers and Amazon Web Services (AWS) credentials associated with DynamoDB and CloudWatch.


Source:
https://www.cadosecurity.com/updates-to-legion-a-cloud-credential-harvester-and-smtp-hijacker/

2023-05-29
Hackers_Targeting_Users_of_Portuguese_Financial_Institutions
MEDIUM

Intel Source:
SentinelOne
Intel Name:
Hackers_Targeting_Users_of_Portuguese_Financial_Institutions
Date of Scan:
2023-05-29
Impact:
MEDIUM
Summary:
SentinelOne researchers have observed a campaign targeting users of Portuguese financial institutions conducted by a Brazilian threat group. The attackers can steal credentials and exfiltrate users’ data and personal information, which can be leveraged for malicious activities beyond financial gain.


Source:
https://www.sentinelone.com/labs/operation-magalenha-long-running-campaign-pursues-portuguese-credentials-and-pii/

2023-05-28
Phishing_Delivering_via_Encrypted_Messages
MEDIUM

Intel Source:
Trustwave
Intel Name:
Phishing_Delivering_via_Encrypted_Messages
Date of Scan:
2023-05-28
Impact:
MEDIUM
Summary:
Trustwave researchers have observed phishing attacks that use a combination of compromised Microsoft 365 accounts and .rpmsg encrypted emails to deliver the phishing message.


Source:
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/microsoft-encrypted-restricted-permission-messages-deliver-phishing/

2023-05-27
The_Technical_Examination_of_Pikabot
LOW

Intel Source:
Zscaler
Intel Name:
The_Technical_Examination_of_Pikabot
Date of Scan:
2023-05-27
Impact:
LOW
Summary:
Researchers from Zscaler have identified a new trojan named Pikabot, which emerged in early 2023 and consists of two components: a loader and a core module.


Source:
https://www.zscaler.com/blogs/security-research/technical-analysis-pikabot

2023-05-27
Over_200_Corporate_Victims_Hit_by_New_Ransomware_Wave
LOW

Intel Source:
Cyble
Intel Name:
Over_200_Corporate_Victims_Hit_by_New_Ransomware_Wave
Date of Scan:
2023-05-27
Impact:
LOW
Summary:
Cyble Research and Intelligence Labs (CRIL) found that the increasing adoption of double extortion by ransomware groups is an alarming trend. CRIL is witnessing a surge in ransomware attacks that not only encrypt valuable corporate data but also threaten public exposure of that data unless the attackers’ demands are fulfilled.


Source:
https://blog.cyble.com/2023/05/23/new-ransomware-wave-engulfs-over-200-corporate-victims/

2023-05-27
Ongoing_Kimsuky_Campaign_Utilizing_Custom_Reconnaissance_Toolkit
MEDIUM

Intel Source:
SentinelOne
Intel Name:
Ongoing_Kimsuky_Campaign_Utilizing_Custom_Reconnaissance_Toolkit
Date of Scan:
2023-05-27
Impact:
MEDIUM
Summary:
SentinelLabs has been tracking a targeted campaign against information services, as well as organizations supporting human rights activists and defectors in relation to North Korea. The campaign focuses on file reconnaissance and on exfiltrating system and hardware information, laying the groundwork for subsequent precision attacks.


Source:
https://www.sentinelone.com/labs/kimsuky-ongoing-campaign-using-tailored-reconnaissance-toolkit/


Threat Content

Shared Security Content on Sigma

Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.

Why Security Content Matters

Learn how Securonix is paving the way to make precise, and actionable security content a reality for our customers.

What's New from Threat Labs

  • Blog
    Securonix Threat Labs Security Advisory: Latest Update: Ongoing MEME#4CHAN Attack/Phishing Campaign uses Meme-Filled Code to Drop XWorm Payloads
  • Blog
    Securonix Threat Labs Monthly Intelligence Insights – April 2023
  • Blog
    Securonix Threat Labs Security Advisory: New OCX#HARVESTER Attack Campaign Leverages Modernized More_eggs Suite to Target Victims
