Securonix Threat Labs

Get up-to-date threat content from the experts at Securonix Threat Labs.

Uncover the threats of tomorrow, today.

Securonix Threat Labs helps your team fend off rising threats by bringing the industry’s brightest minds together to equip you with the latest countermeasures and best practices.

Powered by Threat Labs

Autonomous Threat Sweeper

Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.

Latest ATS Entries

All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.

2024-10-22
Emergence_of_Latrodectus
LOW
Intel Source:
VMRAY
Intel Name:
Emergence_of_Latrodectus
Date of Scan:
2024-10-22
Impact:
LOW
Summary:
Latrodectus, a new malware first discovered in October 2023, functions primarily as a loader/downloader and has emerged as a successor to the notorious IcedID loader, which was dismantled in May 2024 through an international operation led by Europol. Following this crackdown, Latrodectus has rapidly evolved, with its developers releasing multiple new versions featuring minor changes and even removing existing functionalities. This iterative development aims to stay ahead in the ongoing battle between cybersecurity defenders and threat actors.
Source: https://www.vmray.com/latrodectus-a-year-in-the-making/
2024-10-22
Bumblebee_Malware_Returns
MEDIUM
Intel Source:
Netskope
Intel Name:
Bumblebee_Malware_Returns
Date of Scan:
2024-10-22
Impact:
MEDIUM
Summary:
Bumblebee is a sophisticated malware loader used by cybercriminals to infiltrate corporate networks and deploy additional payloads such as Cobalt Strike beacons and ransomware. First documented by the Google Threat Analysis Group in March 2022, it recently resurfaced in a new infection chain identified by Netskope Threat Labs. This campaign marks the first observed Bumblebee activity since Europol's Operation Endgame in May 2024, which targeted major botnets. The infection typically begins with a phishing email prompting the victim to download a ZIP file containing an LNK file; when executed, the LNK triggers the download of the Bumblebee payload directly into memory, so the payload never touches disk.
Source: https://www.netskope.com/blog/new-bumblebee-loader-infection-chain-signals-possible-resurgence
2024-10-22
ESET_Impersonated_in_Phishing_Attack_on_Israel
LOW
Intel Source:
DoublePulsar
Intel Name:
ESET_Impersonated_in_Phishing_Attack_on_Israel
Date of Scan:
2024-10-22
Impact:
LOW
Summary:
Attackers have been impersonating the cybersecurity firm ESET in a phishing campaign targeting Israeli organizations. They sent malicious emails warning recipients about state-backed hackers and offering a fake "ESET Unleashed" program to combat the threat. Clicking the link led to a ZIP file containing wiper malware designed to erase data from infected devices. Security researchers have highlighted that the attackers had breached ESET's defenses, with the malware hosted on ESET servers. Although Google flagged the emails as dangerous, many users fell for the ruse. ESET has denied any direct compromise, attributing the incident to a partner.
Source: https://doublepulsar.com/eiw-eset-israel-wiper-used-in-active-attacks-targeting-israeli-orgs-b1210aed7021
2024-10-21
Analysis_of_Latrodectus_Malware_Campaign
MEDIUM
Intel Source:
Forcepoint
Intel Name:
Analysis_of_Latrodectus_Malware_Campaign
Date of Scan:
2024-10-21
Impact:
MEDIUM
Summary:
Researchers at Forcepoint have analyzed the Latrodectus campaign, highlighting its use of phishing emails and IcedID infrastructure to target the financial, automotive, and healthcare sectors. The campaign primarily involves compromising email accounts to spread malicious attachments, such as HTML and PDF files, designed for stealth and persistence, which makes detection and eradication challenging. Attackers typically initiate the campaign by sending emails that appear to contain important DocuSign documents, tricking users into clicking a link that redirects them to a malicious URL from which the harmful payload is downloaded.
Source: https://www.forcepoint.com/blog/x-labs/inside-latrodectus-malware-phishing-campaign
2024-10-21
Docker_Remote_API_Servers_With_Perfctl_Malware
LOW
Intel Source:
Trend Micro
Intel Name:
Docker_Remote_API_Servers_With_Perfctl_Malware
Date of Scan:
2024-10-21
Impact:
LOW
Summary:
Researchers from Trend Micro have discovered the exploitation of exposed Docker Remote API servers to deploy the perfctl malware, an operation that includes scanning for open servers and executing malicious code. The attack starts with the creation of a Docker container with specific configurations and the execution of a payload that lets the attacker create a malicious script, set environment variables, and download a malicious PHP file. The attackers also employ techniques such as checking for similar running processes, creating directories, and using a custom function to download files.
Source: https://www.trendmicro.com/en_us/research/24/j/attackers-target-exposed-docker-remote-api-servers-with-perfctl-.html
2024-10-21
Kral_and_Vidar_Stealers_on_the_Rise
LOW
Intel Source:
Securelist
Intel Name:
Kral_and_Vidar_Stealers_on_the_Rise
Date of Scan:
2024-10-21
Impact:
LOW
Summary:
Researchers from Securelist have observed a substantial rise in the spread of information stealers, which cybercriminals use to collect credentials for sale on the dark web or to launch further attacks. These threats affected over ten million devices in 2023. Among the significant findings: the Kral stealer, which is tied to the Kral downloader, targets cryptocurrency wallets and browser data, while AMOS targets macOS users. Vidar, which has spread through YouTube comments, raises additional concerns.
Source: https://securelist.com/kral-amos-vidar-acr-stealers/114237/
2024-10-21
Trojanized_npm_Packages_Stealing_ETH_Keys
LOW
Intel Source:
Phylum
Intel Name:
Trojanized_npm_Packages_Stealing_ETH_Keys
Date of Scan:
2024-10-21
Impact:
LOW
Summary:
Researchers at Phylum have discovered a sophisticated attack involving trojanized Ethereum-related packages on npm, designed to steal private keys and obtain unauthorized SSH access. These packages hide their malicious code behind multiple layers of indirection, taking advantage of the modularity of the genuine ethers library. The attack exfiltrates Ethereum private keys through a chain of files while also modifying the SSH authorized_keys file to add the attacker's public key.
Source: https://blog.phylum.io/trojanized-ethers-forks-on-npm-attempting-to-steal-ethereum-private-keys/
2024-10-21
Mysterious_Elephant_Group_Targeting_South_Asia
LOW
Intel Source:
QiAnXin
Intel Name:
Mysterious_Elephant_Group_Targeting_South_Asia
Date of Scan:
2024-10-21
Impact:
LOW
Summary:
QiAnXin researchers have analyzed the activities of the Mysterious Elephant organization, a South Asian APT group identified by Kaspersky in 2023. The analysis highlights the group's use of a new backdoor named ORPCBackdoor, originally attributed to the Bitter organization. This attribution confusion stems from similarities in attack methods and shared infrastructure. Recent discoveries include CHM files disguised as PDFs that contain C# backdoors, targeting entities in Pakistan and other South Asian countries.
Source: https://mp.weixin.qq.com/s?__biz=MzI2MDc2MDA4OA==&mid=2247512794&idx=1&sn=f41a6a721180828aead94ba761b628bb&chksm=ea6645addd11ccbb0bcc218364f0b2f3e69d66f5df9c96a4b8b9804700b05b6423d89376cb98&scene=178&cur_album_id=1539799351089283075
2024-10-21
GHOSTPULSE_Malware
LOW
Intel Source:
Elastic Labs
Intel Name:
GHOSTPULSE_Malware
Date of Scan:
2024-10-21
Impact:
LOW
Summary:
Elastic Labs researchers have analyzed a malware family called GHOSTPULSE, also known as HIJACKLOADER or IDATLOADER, first discovered in 2023. This malware is capable of hiding its configuration and payload within the pixels of an image and extracting that information from the colour values of the image. In recent GHOSTPULSE campaigns, attackers trick victims by presenting a fake CAPTCHA validation on a website that instructs the user to perform specific Windows keyboard shortcuts; this leads to the execution of malicious commands, such as a PowerShell script that downloads and runs the GHOSTPULSE payload.
Source: https://www.elastic.co/security-labs/tricks-and-treats
2024-10-21
Lumma_Stealer_Targets_Data_with_CAPTCHA
LOW
Intel Source:
Qualys
Intel Name:
Lumma_Stealer_Targets_Data_with_CAPTCHA
Date of Scan:
2024-10-21
Impact:
LOW
Summary:
Researchers from Qualys have found a Lumma Stealer campaign that uses bogus CAPTCHA verification pages to deploy malware. Lumma Stealer, an information-stealing malware sold as Malware-as-a-Service (MaaS), collects sensitive data such as passwords, browser credentials, and cryptocurrency wallet information.
Source: https://blog.qualys.com/vulnerabilities-threat-research/2024/10/20/unmasking-lumma-stealer-analyzing-deceptive-tactics-with-fake-captcha

Threat Content

Shared Security Content on Sigma

Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.

Why Security Content Matters

Learn how Securonix is paving the way to make precise, and actionable security content a reality for our customers.