
Autonomous Threat Sweeper
Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.
Latest ATS Entries
All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.
—
- Intel Source: McAfee
- Intel Name: Investigation_into_WinRAR_Vulnerability
- Date of Scan: 2023-09-22
- Impact: LOW
- Summary: McAfee researchers analyzed a sample that exploits CVE-2023-38831, a remote code execution (RCE) vulnerability in WinRAR versions prior to 6.23. The flaw stems from how WinRAR handles a ZIP archive that contains both a harmless-looking file (for example, a regular .JPG image) and a folder with the same name as that file: when the user opens only the harmless file, WinRAR also processes the contents of the same-named folder, which can hold executable content.
Source:
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/exploring-winrar-vulnerability-cve-2023-38831/
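The archive layout described in the summary above (a decoy file sitting next to a directory with exactly the same name) can be checked for without ever opening the archive in WinRAR. The following Python script is an added example written for this page, not code from McAfee or Securonix. It builds two constructed sample archives in memory (the entry names and contents are made up: one ordinary archive and one with the suspicious layout) and flags every file entry that shares its name with a directory inside the same ZIP.

```python
import io
import zipfile
from typing import Dict, List


def find_name_collisions(zip_bytes: bytes) -> Dict[str, List[str]]:
    """Map each file entry to the entries stored under a directory of the same name.

    A ZIP in which 'photo.jpg' and 'photo.jpg/<something>' both exist has the
    structural precondition for CVE-2023-38831, so such an archive deserves a
    closer look before it is opened in an unpatched WinRAR.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [info.filename for info in zf.infolist()]
    # Compare case-insensitively: the target filesystem (NTFS) ignores case.
    lowered = [n.lower() for n in names]
    hits: Dict[str, List[str]] = {}
    for name, low in zip(names, lowered):
        if low.endswith("/"):
            continue  # directory entry, not a file
        prefix = low + "/"
        shadowed = [
            orig for orig, other in zip(names, lowered)
            if other.startswith(prefix) and len(other) > len(prefix)
        ]
        if shadowed:
            hits[name] = sorted(shadowed)
    return hits


def is_suspicious(zip_bytes: bytes) -> bool:
    """True if any file entry is shadowed by a same-named directory."""
    return bool(find_name_collisions(zip_bytes))


# --- constructed samples (not real malware; names and contents are made up) ---

def build_suspicious_zip() -> bytes:
    """Decoy image plus a same-named directory holding a batch script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0 constructed, not a real JPEG")
        zf.writestr("photo.jpg/photo.jpg.cmd", b"@echo off\r\necho constructed sample\r\n")
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Ordinary archive: a file and an unrelated directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0")
        zf.writestr("docs/readme.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("suspicious", build_suspicious_zip()),
                        ("benign", build_benign_zip())):
        print(label, find_name_collisions(data))
```

A hit is a structural heuristic, not proof of exploitation: a legitimate archive can in principle contain such a pair, and archives opened with WinRAR 6.23 or later are not affected. The check reads only the central directory, so it is cheap to run on mail attachments or download quarantines before a user ever double-clicks the archive.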
—
- Intel Source: Cyble
- Intel Name: Drinik_Malware_Returns_to_Threaten_Indian_Taxpayers
- Date of Scan: 2023-09-22
- Impact: LOW
- Summary: Cyble researchers observed a surge in Drinik malware activity timed to coincide with the deadline for filing Indian income tax returns. The latest Drinik version adds a number of newly introduced features.
Source:
https://cyble.com/blog/indian-taxpayers-face-a-multifaceted-threat-with-drinik-malwares-return/
—
- Intel Source: Check Point
- Intel Name: A_Banker_Server_Side_Components_Analysis
- Date of Scan: 2023-09-22
- Impact: LOW
- Summary: Check Point researchers uncovered an active campaign in Latin America that uses a new variant of the BBTok banker. The analysis focuses on newly identified infection chains that employ an unusual combination of Living off the Land Binaries (LOLBins).
—
- Intel Source: SentinelOne
- Intel Name: Targeting_Telcos_with_a_LuaJIT_Toolkit
- Date of Scan: 2023-09-22
- Impact: LOW
- Summary: A series of cyberattacks against telecommunications providers in the Middle East, Western Europe, and the South Asian subcontinent has been attributed to a previously unknown threat actor tracked as Sandman. Notably, the intrusions use the LuaJIT just-in-time (JIT) compiler to deliver a novel implant, LuaDream.
Source:
https://www.sentinelone.com/labs/sandman-apt-a-mystery-group-targeting-telcos-with-a-luajit-toolkit/
—
- Intel Source: Bitsight
- Intel Name: Analysis_of_SmokeLoaders_Plugins
- Date of Scan: 2023-09-22
- Impact: LOW
- Summary: SmokeLoader is a well-known malware family with a history spanning more than ten years. Its primary function is to download and drop additional malware families, but the SmokeLoader operators also sell plugins that add capabilities to the main module. These plugins let an affiliate collect a variety of information from compromised PCs, including emails, cookies, passwords, and browser data.
—
- Intel Source: Check Point
- Intel Name: The_Evil_Alliance_Between_GuLoader_And_Remcos
- Date of Scan: 2023-09-22
- Impact: LOW
- Summary: Check Point researchers describe a close relationship between Remcos and GuLoader. Remcos on its own is of limited use for malicious purposes because antivirus products detect it quickly, but wrapping it in GuLoader lets it evade antivirus defenses. During this investigation the researchers found that GuLoader is now marketed, under a different name, as a crypter that claims to make its payload fully undetectable by antivirus software, and that it is sold on the same platform as Remcos.
—
- Intel Source: CISA
- Intel Name: Advisory_on_Snatch_Ransomware
- Date of Scan: 2023-09-21
- Impact: MEDIUM
- Summary: The FBI and CISA released a joint Cybersecurity Advisory on Snatch ransomware that shares IOCs and the tactics, techniques, and procedures (TTPs) associated with the Snatch variant. Snatch threat actors operate under a ransomware-as-a-service (RaaS) model and adapt their tactics to current cybercriminal trends and to the successes of other ransomware operations.
—
- Intel Source: Palo Alto Networks
- Intel Name: Fake_WinRAR_PoC_Exploit_Drops_VenomRAT
- Date of Scan: 2023-09-21
- Impact: LOW
- Summary: Palo Alto Networks Unit 42 researchers discovered a threat actor distributing a fake proof-of-concept (PoC) exploit for a recently patched WinRAR vulnerability (CVE-2023-40477) on GitHub in order to infect anyone who downloaded it with the VenomRAT malware.
Source:
https://unit42.paloaltonetworks.com/fake-cve-2023-40477-poc-hides-venomrat/
—
- Intel Source: ASEC
- Intel Name: Attack_on_MS_SQL_Servers_by_HiddenGh0st_Malware
- Date of Scan: 2023-09-21
- Impact: LOW
- Summary: ASEC researchers recently confirmed the distribution of a Gh0st RAT variant that targets poorly managed MS-SQL servers and installs the Hidden rootkit. Hidden, an open-source rootkit freely available on GitHub, can protect processes and hide files, registry entries, and even itself.
—
- Intel Source: Cado Security
- Intel Name: P2Pinfect_Botnet_Targeting_Redis_and_SSH_Services
- Date of Scan: 2023-09-21
- Impact: LOW
- Summary: Cado Security researchers report that P2Pinfect, a new peer-to-peer botnet targeting the open-source Redis data store and SSH services, has seen a roughly 600-fold increase in traffic since August 28, including a 12.3% increase over the previous week. Compromises have been observed in China, the United States, Germany, the UK, Singapore, Hong Kong, and Japan.
Shared Security Content on Sigma
Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.
What's New from Threat Labs
- Securonix Threat Labs Security Advisory: Threat Actors Target MSSQL Servers in DB#JAMMER to Deliver FreeWorld Ransomware