Powered by Threat Labs

Autonomous Threat Sweeper

Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.

Latest ATS Entries

All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.

2024-02-12
Examination_of_new_ShadowPad_infrastructure_new_threat_actor
LOW

Intel Source:
Hunt.io
Intel Name:
Examination_of_new_ShadowPad_infrastructure_new_threat_actor
Date of Scan:
2024-02-12
Impact:
LOW
Summary:
This post examines ShadowPad infrastructure linked to a yet-to-be-identified threat actor. What sets this activity apart is a slight change in the HTTP response headers and the use of a certificate attempting to spoof the American technology company Dell. Within this group of IPs there are additional subsets of activity using different port configurations and some interesting domains, discussed later in the article.


Source:
https://hunt.io/blog/tracking-shadowpad-infrastructure-via-non-standard-certificates

2024-02-12
LuaJIT_based_modular_backdoor_LuaDream_activity_by_Sandman_APT
LOW

Intel Source:
SOCRadar
Intel Name:
LuaJIT_based_modular_backdoor_LuaDream_activity_by_Sandman_APT
Date of Scan:
2024-02-12
Impact:
LOW
Summary:
SOCRadar's article, drawing on research by SentinelOne and QGroup, describes the Sandman APT group's highly sophisticated and stealthy attack methods, with a particular focus on a new modular backdoor known as LuaDream, which is built on the LuaJIT platform. LuaDream's design is aimed at minimizing detection risk and reflects a continuous development approach.


Source:
https://socradar.io/dark-web-profile-sandman-apt/

2024-02-12
A_new_Ivanti_critical_Remote_Code_Execution_vulnerability_in_FortiOS
HIGH

Intel Source:
SOCRadar
Intel Name:
A_new_Ivanti_critical_Remote_Code_Execution_vulnerability_in_FortiOS
Date of Scan:
2024-02-12
Impact:
HIGH
Summary:
Fortinet has disclosed a new critical remote code execution vulnerability in FortiOS SSL VPN and cautioned about potential exploitation in ongoing attacks. The article also notes that the latest Ivanti flaw has possibly been exploited (CVE-2024-21762, CVE-2023-40547, CVE-2024-22024).


Source:
https://socradar.io/rces-in-fortios-ssl-vpn-shim-latest-ivanti-flaw-possibly-exploited-cve-2024-21762-cve-2023-40547-cve-2024-22024/

2024-02-12
Increased_delivery_of_the_DarkGate_loader
LOW

Intel Source:
Eclecticiq
Intel Name:
Increased_delivery_of_the_DarkGate_loader
Date of Scan:
2024-02-12
Impact:
LOW
Summary:
EclecticIQ analysts observed increased delivery of the DarkGate loader following the takedown of Qakbot infrastructure last year. EclecticIQ analysts are confident that financially motivated threat actors, including groups like TA577 and Ducktail, along with Ransomware-as-a-Service (RaaS) operations such as BianLian and Black Basta, are the primary users of DarkGate. These threat actors target financial institutions in Europe and the USA, focusing mainly on double extortion tactics.


Source:
https://blog.eclecticiq.com/darkgate-opening-gates-for-financially-motivated-threat-actors

2024-02-12
A_malicious_PowerShell_payload_Rabby_Wallet
LOW

Intel Source:
ISC.SANS
Intel Name:
A_malicious_PowerShell_payload_Rabby_Wallet
Date of Scan:
2024-02-12
Impact:
LOW
Summary:
ISC.SANS researcher Xavier Mertens reports that one of his YARA rules triggered on a new sample called “Rabby-Wallet.msix”, which has a VT score of 8/58. After analysis, the file appears to implement the same technique to execute a malicious PowerShell payload.


Source:
https://isc.sans.edu/diary/rss/30636

2024-02-12
Cyber_spies_Sticky_Werewolf_activity_in_Belarus
LOW

Intel Source:
Habr
Intel Name:
Cyber_spies_Sticky_Werewolf_activity_in_Belarus
Date of Scan:
2024-02-12
Impact:
LOW
Summary:
The cyber-espionage APT group Sticky Werewolf probably attempted to attack Belarusian companies by distributing the Ozone RAT remote access Trojan under the guise of the system cleaning and optimization software CCleaner.


Source:
https://habr.com/ru/companies/f_a_c_c_t/news/792672/

2024-02-09
Attacks_on_Critical_Infrastructure_Exploiting_FortiOS_Vulnerabilities
LOW

Intel Source:
Fortinet
Intel Name:
Attacks_on_Critical_Infrastructure_Exploiting_FortiOS_Vulnerabilities
Date of Scan:
2024-02-09
Impact:
LOW
Summary:
Fortinet researchers warned organizations on Wednesday that APTs associated with China and other nations have been exploiting two known FortiOS vulnerabilities in attacks targeting critical infrastructure and other sectors.


Source:
https://www.fortinet.com/blog/psirt-blogs/importance-of-patching-an-analysis-of-the-exploitation-of-n-day-vulnerabilities

2024-02-09
SolarMarker_infections
LOW

Intel Source:
Esentire
Intel Name:
SolarMarker_infections
Date of Scan:
2024-02-09
Impact:
LOW
Summary:
The article discusses the increasing prevalence of SolarMarker infections and the evolving tactics of the threat actor behind it. The eSentire Threat Response Unit (TRU) has been tracking SolarMarker since 2021 and has observed a significant increase in infections since November 2023. The threat actor has been using Inno Setup and PS2EXE tools to generate payloads, with recent payloads being modified using string replacements. The article also includes details on the PowerShell script used by SolarMarker, the loading of second-stage payloads, and the addition of junk instructions and byte arrays to evade detection. The TRU team recommends implementing controls such as Endpoint Detection and Response (EDR) solutions and security awareness training to protect against SolarMarker. The article also provides indicators of compromise and decrypted payloads for reference.


Source:
https://www.esentire.com/blog/the-oncoming-wave-of-solarmarker

2024-02-09
The_HijackLoader_Expands_Its_Evasion_Techniques
LOW

Intel Source:
Crowdstrike
Intel Name:
The_HijackLoader_Expands_Its_Evasion_Techniques
Date of Scan:
2024-02-09
Impact:
LOW
Summary:
Researchers at CrowdStrike have found that, as other threat actors increasingly use the HijackLoader malware to deliver additional payloads and tooling, the threat actors behind it have developed new defense evasion techniques.


Source:
https://www.crowdstrike.com/blog/hijackloader-expands-techniques/

2024-02-09
The_injection_of_RemcosRAT_into_the_winhlp32_exe_file_process
MEDIUM

Intel Source:
Esentire
Intel Name:
The_injection_of_RemcosRAT_into_the_winhlp32_exe_file_process
Date of Scan:
2024-02-09
Impact:
MEDIUM
Summary:
The article discusses a recent threat investigation conducted by eSentire’s Threat Response Unit (TRU). The investigation involved a suspicious ZIP archive containing an AnyDesk executable and a VBS file, delivered via a Discord CDN link. Further investigation revealed that the VBS file executed another VBS file hosted on paste[.]ee, which contained the DcRat malware. DcRat used an encrypted configuration and supported dynamic loading and execution of plugins. The final payload retrieved via a plugin was a VBS file containing the RemcosRAT malware and dynwrapx.dll. RemcosRAT was injected into the winhlp32.exe process, giving the operator remote control of the infected machine. The TRU team isolated the system and provided recommendations for protection against similar threats, such as user training and the use of Next-Gen AV or Endpoint Detection and Response tools. The article also includes indicators of compromise and references for further information.


Source:
https://www.esentire.com/blog/from-onlydcratfans-to-remcosrat
