Securonix Threat Labs

Get up-to-date threat content from the experts at Securonix Threat Labs.

Uncover the threats of tomorrow, today.

Securonix Threat Labs helps your team fend off rising threats by bringing the industry’s brightest minds together to equip you with the latest countermeasures and best practices.

Powered by Threat Labs

Autonomous Threat Sweeper

Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.

Latest ATS Entries

All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.

Intel Source: McAfee
Intel Name: Dark_Gate_Malware
Date of Scan: 2024-04-30
Impact: MEDIUM
Summary: McAfee Labs has discovered a novel infection chain associated with DarkGate malware. The chain begins with an HTML-based entry point and abuses the AutoHotkey utility in later stages. DarkGate, a Remote Access Trojan (RAT) offered as Malware-as-a-Service (MaaS) on a Russian-language cybercrime forum since 2018, includes a range of malicious capabilities such as process injection, file download, and keylogging. DarkGate's spread has been observed over the past three months.
Source: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-darkgate-menace-leveraging-autohotkey-attempt-to-evade-smartscreen/

Intel Source: The DFIR Report
Intel Name: IcedID_Malware_distributing_through_Phishing_Campaign
Date of Scan: 2024-04-30
Impact: MEDIUM
Summary: Researchers at The DFIR Report analyzed an intrusion in which IcedID malware was delivered through a fraudulent Azure download portal, followed by the deployment of a Cobalt Strike beacon. The threat actor established persistence, conducted extensive discovery, and initiated lateral movement within the network. They targeted file shares, escalated privileges, and exfiltrated data to AWS S3 buckets. The actor expanded their foothold, explored the virtualization infrastructure, and accessed critical administrative utilities. Ultimately, they deployed ransomware across the domain, causing significant disruption after a prolonged 684-hour operation.
Source: https://thedfirreport.com/2024/04/29/from-icedid-to-dagon-locker-ransomware-in-29-days/

Intel Source: Sophos
Intel Name: Malware_Campaign_Attempts_Abuse_of_Defender_Binaries
Date of Scan: 2024-04-29
Impact: LOW
Summary: Researchers at Sophos have examined a ransomware campaign that modifies the original content of legitimate Sophos executables and DLLs, replaces the entry-point code, and inserts the decrypted payload as a resource.
Source: https://news.sophos.com/en-us/2024/04/26/malware-campaign-abuses-legit-defender-binaries/

Intel Source: Securonix Threat Labs
Intel Name: A_New_Ongoing_Attack_Campaign_DEV_POPPER
Date of Scan: 2024-04-29
Impact: MEDIUM
Summary: Securonix researchers have identified a new social engineering campaign in which attackers lure software developers through fake job interviews in order to deliver a Python-based RAT. Securonix has named this campaign DEV#POPPER. The campaign is likely associated with a North Korean threat actor.
Source: https://www.securonix.com/blog/analysis-of-devpopper-new-attack-campaign-targeting-software-developers-likely-associated-with-north-korean-threat-actors/

Intel Source: CERT-AGID
Intel Name: Anomalies_Following_Disassembly_of_LockBit_Ransomware
Date of Scan: 2024-04-29
Impact: HIGH
Summary: During Operation Cronos in February, an international coalition of law enforcement agencies, led by the National Crime Agency (NCA), took down the LockBit ransomware's operations and infrastructure, and the NoMoreRansom project portal now offers tools to recover files encrypted by LockBit. Nonetheless, for the past two days various European nations, including Italy, have been the target of a large campaign distributing LockBit 3.0 (LockBit Black) ransomware. The email, written in English with the subject line "documents", is sent indiscriminately to both public and private entities and carries a ZIP attachment containing an SCR executable.
Source: https://cert-agid.gov.it/news/ransomware-lockbit-anomalie-dopo-lo-smantellamento/

Intel Source: Deep Instinct
Intel Name: Uncorking_Old_Wine
Date of Scan: 2024-04-29
Impact: LOW
Summary: Deep Instinct researchers have unearthed a sophisticated cyber operation targeting Ukraine, leveraging CVE-2017-8570 and a custom loader for Cobalt Strike Beacon. The attack employs a blend of evasion techniques, including obfuscation, anti-analysis methods, and disguised domain names. Despite its complexity, the researchers' proactive detection capabilities thwarted the attack on day zero, emphasizing the importance of robust cybersecurity measures.
Source: https://www.deepinstinct.com/blog/uncorking-old-wine-zero-day-cobalt-strike-loader

Intel Source: eSentire
Intel Name: A_new_malware_FakeBat_Distributing_Through_Fake_Browser_Updates
Date of Scan: 2024-04-29
Impact: LOW
Summary: Researchers at eSentire's Threat Response Unit have observed a new malware campaign delivering the FakeBat loader through compromised websites. These sites host malicious JavaScript that generates fake browser update notifications, misleading users into believing they need to install a legitimate browser update.
Source: https://www.esentire.com/blog/fakebat-malware-distributing-via-fake-browser-updates

Intel Source: Veriti
Intel Name: Agent_Tesla_Targeting_US_Education_and_Govt_Entities
Date of Scan: 2024-04-29
Impact: MEDIUM
Summary: Researchers at Veriti have observed a fresh wave of cyberattacks targeting sensitive data held by US government and educational institutions. The campaign combines two malware variants, Agent Tesla and Taskun. Taskun acts as the accomplice to Agent Tesla's malicious activity: it undermines the integrity of a system and opens a backdoor that lets Agent Tesla enter and establish persistence. This strengthens Agent Tesla's hold on the system and maximizes data theft by allowing it to remain undetected for protracted periods of time.
Source: https://veriti.ai/blog/veriti-research/agent-tesla-campaign-targets-us-education-and-government-sectors/

Intel Source: Fortinet
Intel Name: Unveiling_The_Tactics_and_Techniques_of_KageNoHitobito_and_DoNex_Ransomware
Date of Scan: 2024-04-29
Impact: MEDIUM
Summary: Researchers at Fortinet have identified two ransomware variants, KageNoHitobito and DoNex. KageNoHitobito encrypts files on a machine and demands payment to decrypt them, using the Tor browser to communicate with victims. It encrypts files only on the local computer, not on other connected devices, and appends a "hitobito" extension to encrypted files. DoNex also encrypts files, but does so on both the local machine and connected devices; it alters file extensions by appending a victim ID and changes the files' icons after encryption.
Source: https://www.fortinet.com/blog/threat-research/ransomware-roundup-keganohitobito-and-donex

Intel Source: Morphisec
Intel Name: New_Variant_of_IDAT_Loader
Date of Scan: 2024-04-26
Impact: LOW
Summary: Researchers at Morphisec have identified a new variant of the IDAT loader, which is used to distribute various malware payloads depending on the attacker's analysis of the targeted system. IDAT incorporates distinctive functionality such as code injection and execution modules, distinguishing it from traditional loaders.
Source: https://blog.morphisec.com/threat-bulletin-new-variant-idat-variant

Threat Content

Shared Security Content on Sigma

Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.

Why Security Content Matters

Learn how Securonix is paving the way to make precise and actionable security content a reality for our customers.