Autonomous Threat Sweeper
Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.
Latest ATS Entries
All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.
—
- Intel Source:
- Fortinet
- Intel Name:
- Attackers_Using_GitHub_and_AWS_to_Spread_RATs_Through_Phishing_Campaigns
- Date of Scan:
- 2024-03-13
- Impact:
- LOW
- Summary:
- A recent phishing campaign was discovered in which attackers abuse publicly accessible platforms such as GitHub and Amazon web servers to host malware, which is then delivered via email to initiate the attack and take over newly compromised systems. According to FortiGuard Labs, the email tricks recipients into opening a dangerous, high-severity Java downloader that attempts to distribute the well-known STRRAT RAT and a brand-new remote access trojan, VCURMS. Every platform with Java installed is susceptible, and any kind of business can be affected.
- Source:
- https://www.fortinet.com/blog/threat-research/vcurms-a-simple-and-functional-weapon
—
- Intel Source:
- G DATA
- Intel Name:
- RisePro_Stealer_Is_Aiming_at_Github_Users
- Date of Scan:
- 2024-03-13
- Impact:
- MEDIUM
- Summary:
- Researchers from G DATA Cyber Defense have found at least 13 GitHub repositories belonging to a RisePro stealer campaign that the threat actors have dubbed “gitgub.” The repositories look alike and offer free cracked software in a README.md file. On GitHub, green and red circles are commonly used to indicate the status of automated builds; the Gitgub threat actors inserted four green Unicode circles into their README.md file, alongside the current date, to mimic a passing build status and give the impression of legitimacy and recency.
- Source:
- https://www.gdatasoftware.com/blog/2024/03/37885-risepro-stealer-campaign-github
—
- Intel Source:
- Malwarebytes
- Intel Name:
- Multiple_Ongoing_Malvertising_Activities_Used_to_Distribute_FakeBat
- Date of Scan:
- 2024-03-13
- Impact:
- LOW
- Summary:
- FakeBat malvertising campaigns were observed using two kinds of ad URLs. As in past malvertising efforts, the actors abused URL/analytics shorteners, which are well suited to cloaking: this technique lets a threat actor choose a “good” or “bad” destination URL according to their own predetermined criteria (such as the visitor’s IP address, user agent, and time of day).
—
- Intel Source:
- Securelist
- Intel Name:
- Malicious_Advertising_Using_Search_Engines
- Date of Scan:
- 2024-03-13
- Impact:
- LOW
- Summary:
- Researchers at Securelist have noticed a rise in the number of malicious operations that distribute malware via Google advertising. Two distinct stealers, Rhadamanthys and RedLine, abused the search engine promotion scheme to infect victims’ computers with malicious payloads. Both appear to use the same method: imitating the websites of popular programs such as Blender 3D and Notepad++.
- Source:
- https://securelist.com/malvertising-through-search-engines/108996/
—
- Intel Source:
- ISC.SANS
- Intel Name:
- Decoding_Malicious_Scripts_Using_ChatGPT
- Date of Scan:
- 2024-03-13
- Impact:
- LOW
- Summary:
- Researchers from ISC SANS have discovered a malicious Python script with a low VirusTotal score of 2/61. At the time of analysis the script was obfuscated: all of the interesting strings were compressed, Base64-encoded, and hex-encoded.
—
- Intel Source:
- Reversing Labs
- Intel Name:
- Attacks_on_Crypto_Wallet_Recovery_Passwords_by_Malicious_PyPI_Packages
- Date of Scan:
- 2024-03-12
- Impact:
- LOW
- Summary:
- Researchers at ReversingLabs have discovered a brand-new malicious campaign consisting of seven distinct open-source packages on the Python Package Index (PyPI), with 19 versions in total, the oldest of which was released in December 2022. The campaign aims to steal the mnemonic phrases used to recover lost or destroyed crypto wallets.
—
- Intel Source:
- Splunk
- Intel Name:
- SnakeKeylogger_loader_technics_and_tactics
- Date of Scan:
- 2024-03-12
- Impact:
- MEDIUM
- Summary:
- In their blog, the Splunk Threat Research Team provided deep insights and details to help security analysts and blue teamers recognize and defend against these suspicious activities and tactics.
—
- Intel Source:
- ASEC
- Intel Name:
- Infostealer_Posing_as_Installer_For_Adobe_Reader
- Date of Scan:
- 2024-03-12
- Impact:
- LOW
- Summary:
- Researchers from ASEC have found an infostealer being distributed while posing as an installer for Adobe Reader. The threat actor distributes the file in PDF format, prompting users to download and execute it.
—
- Intel Source:
- SOC Radar
- Intel Name:
- A_Dark_Web_Profile_of_Meow_Ransomware
- Date of Scan:
- 2024-03-12
- Impact:
- LOW
- Summary:
- Four ransomware strains descended from the leaked Conti ransomware strain were found in late 2022; Meow ransomware was one of them. This crypto-ransomware was observed operating between the end of August and the first part of September 2022 and continued to do so until February 2023. The operators stopped in March 2023 after a free decryptor for Meow ransomware was released. However, a group called Meow remains active: it entered 2024 quickly and has already claimed nine victims. The gang appears to use the RaaS model; in March 2024 alone, three victims were reported, and the institutions it targets are not insignificant.
- Source:
- https://socradar.io/dark-web-profile-meow-ransomware/
—
- Intel Source:
- Symantec
- Intel Name:
- Operators_Adapt_to_Disruption_as_Ransomware_Attacks_Rise
- Date of Scan:
- 2024-03-12
- Impact:
- LOW
- Summary:
- Even though the number of attacks that ransomware operators claimed to have carried out dropped by a little more than 20% in the fourth quarter of 2023, ransomware activity is still on the rise. Attackers have continuously refined their strategies, shown that they can react quickly to disruptions, and discovered new means of infecting victims.
- Source:
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-attacks-exploits
Shared Security Content on Sigma
Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.
What's New from Threat Labs
- Securonix Threat Research Security Advisory: Analysis and Detection of STEADY#URSA Attack Campaign Targeting Ukraine Military Dropping New Covert SUBTLE-PAWS PowerShell Backdoor
- Securonix Threat Research Security Advisory: Technical Analysis and Detection of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN
- Securonix Threat Research Security Advisory: New RE#TURGENCE Attack Campaign: Turkish Hackers Target MSSQL Servers to Deliver Domain-Wide MIMIC Ransomware