Powered by Threat Labs

Autonomous Threat Sweeper

Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.

Latest ATS Entries

All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.

2024-03-27
Enhance_Cyberespionage_Activities_Against_ASEAN_Nations_by_Two_Chinese_APT_Groups
MEDIUM

Intel Source:
PaloAlto
Intel Name:
Enhance_Cyberespionage_Activities_Against_ASEAN_Nations_by_Two_Chinese_APT_Groups
Date of Scan:
2024-03-27
Impact:
MEDIUM
Summary:
Researchers from Unit 42 have discovered two Chinese advanced persistent threat (APT) groups that are involved in cyberespionage against members and organizations connected to the Association of Southeast Asian Nations (ASEAN). Stately Taurus, the first APT organization, is believed to have targeted entities in Myanmar, the Philippines, Japan, and Singapore with two malware packages. An ASEAN-affiliated entity was infiltrated by the second Chinese APT outfit. In recent months, this APT group has attacked a number of government institutions in Southeast Asia, including those in Singapore, Laos, and Cambodia.


Source:
https://unit42.paloaltonetworks.com/chinese-apts-target-asean-entities/

2024-03-27
Introducing_The_Most_Recent_Version_of_WhiteSnake_Stealer
LOW

Intel Source:
SonicWall
Intel Name:
Introducing_The_Most_Recent_Version_of_WhiteSnake_Stealer
Date of Scan:
2024-03-27
Impact:
LOW
Summary:
Researchers at SonicWall have discovered a new WhiteSnake Stealer version that makes it possible to steal vital, private information from infected systems. The string decryption code has been eliminated in this updated version, which also makes the code easier to understand.


Source:
https://blog.sonicwall.com/en-us/2024/03/whitesnake-stealer-unveiling-the-latest-version-less-obfuscated-more-dangerous/

2024-03-27
Cyberattacks_Risk_Thousands_of_Businesses_Using_Ray_Framework
LOW

Intel Source:
Oligo Security
Intel Name:
Cyberattacks_Risk_Thousands_of_Businesses_Using_Ray_Framework
Date of Scan:
2024-03-27
Impact:
LOW
Summary:
Researchers at Oligo have recently uncovered an ongoing campaign of attacks aimed at a flaw in the popular open-source AI framework Ray. There is no patch for a significant vulnerability that exposes thousands of businesses and servers using AI infrastructure to attack. Due to this flaw, hackers can commandeer the processing power of the organizations and reveal confidential information. For the past seven months, this vulnerability has been actively exploited, impacting a variety of industries including biopharma, education, and cryptocurrencies.


Source:
https://www.oligo.security/blog/shadowray-attack-ai-workloads-actively-exploited-in-the-wild

2024-03-27
The_Shadowy_Side_Of_TheMoon_Malware
LOW

Intel Source:
Lumen
Intel Name:
The_Shadowy_Side_Of_TheMoon_Malware
Date of Scan:
2024-03-27
Impact:
LOW
Summary:
Researchers at Lumen have discovered a multi-year campaign that targets Internet of Things (IoT) devices and routers that are nearing end of life (EoL). This campaign is linked to an upgraded version of the malware known as “TheMoon.” Since its inception in 2014, TheMoon has been running in the background, amassing almost 40,000 bots from 88 countries in January and February of 2024. As researchers have observed, most of these bots serve as the backbone of Faceless, a well-known proxy service targeted at cybercriminals.


Source:
https://blog.lumen.com/the-darkside-of-themoon/?utm_source=rss&utm_medium=rss&utm_campaign=the-darkside-of-themoon

2024-03-27
FormBook_Malware
MEDIUM

Intel Source:
Rewterz
Intel Name:
FormBook_Malware
Date of Scan:
2024-03-27
Impact:
MEDIUM
Summary:
FormBook, an information stealer (infostealer) malware discovered in 2016, has various capabilities such as tracking keystrokes, accessing files, capturing screenshots, and stealing passwords from web browsers. It can execute additional malware as directed by a command-and-control server and is adept at evading detection through techniques like code obfuscation and encryption. FormBook’s flexibility allows customization for specific targets and its obfuscation methods make removal challenging. Cybercriminals distribute FormBook through email attachments like PDFs and Office Documents, with notable use during the 2022 Russia-Ukraine conflict. FormBook’s successor, XLoader, is currently active.


Source:
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-formbook-malware-active-iocs-98

2024-03-27
Increase_in_activity_linked_to_Mispadu_banking_trojan
LOW

Intel Source:
Morphisec
Intel Name:
Increase_in_activity_linked_to_Mispadu_banking_trojan
Date of Scan:
2024-03-27
Impact:
LOW
Summary:
Morphisec Labs identified a significant increase in activity linked to Mispadu, a banking trojan first flagged in 2019. Initially concentrated on LATAM countries and Spanish-speaking individuals, Mispadu has broadened its scope in the latest campaign.


Source:
https://blog.morphisec.com/mispadu-infiltration-beyond-latam

2024-03-27
A_Robust_Cyberthreat_to_Brazil_Monetary_Security_CHAVECLOAK
LOW

Intel Source:
SOC Radar
Intel Name:
A_Robust_Cyberthreat_to_Brazil_Monetary_Security_CHAVECLOAK
Date of Scan:
2024-03-27
Impact:
LOW
Summary:
CHAVECLOAK is a banking trojan that has become a serious threat to the Brazilian financial system. This sophisticated malware is designed to get past security measures and steal confidential financial data from unsuspecting users.


Source:
https://socradar.io/chavecloak-cyber-threat-to-brazils-financial-security/

2024-03-27
The_Effects_of_the_Anydesk_Breach
LOW

Intel Source:
Cybereason
Intel Name:
The_Effects_of_the_Anydesk_Breach
Date of Scan:
2024-03-27
Impact:
LOW
Summary:
Researchers at Cybereason have looked at cases of AnyDesk code signing certificates being misused. On February 2, 2024, AnyDesk, a prominent global supplier of Remote Management and Monitoring (RMM) software, publicly announced that it had discovered a compromise involving production systems. As a result, it started an incident response process and, as part of its remediation activities, issued fresh certificates and revoked all of its security-related ones.


Source:
https://www.cybereason.com/blog/threat-alert-the-anydesk-breach-aftermath

2024-03-26
The_rise_of_Agent_Tesla
MEDIUM

Intel Source:
Trustwave
Intel Name:
The_rise_of_Agent_Tesla
Date of Scan:
2024-03-26
Impact:
MEDIUM
Summary:
SpiderLabs discovered phishing emails on March 8, 2024, with a Windows executable disguised as a fraudulent bank payment attached to the email. This activity initiated an infection chain culminating in the deployment of Agent Tesla. The Trustwave blog shared a deep analysis of a newly identified loader, showing the attack’s advanced tactics, techniques, and procedures (TTPs) used in both the loader and its command and control (C2) framework.


Source:
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/agent-teslas-new-ride-the-rise-of-a-novel-loader/

2024-03-26
Phishing_Attack_Designed_to_Steal_Security_Information_And_Credentials
LOW

Intel Source:
CERT-AGID
Intel Name:
Phishing_Attack_Designed_to_Steal_Security_Information_And_Credentials
Date of Scan:
2024-03-26
Impact:
LOW
Summary:
Researchers from CERT-AGID have discovered a phishing page that targets users of the Revenue Agency’s Siatel v2.0 – PuntoFisico. It has been live online since the early afternoon of March 21, 2024. Once the victims have been tricked into entering their password and tax code as part of their access credentials, the attackers ask them to upload or complete a photo of the Security Matrix that corresponds with the given credentials. Access to Punto Fisico, Report Register, and Punto Fisico User Management all depend on the latter.


Source:
https://cert-agid.gov.it/news/agenzia-delle-entrate-punto-fisico-campagna-di-phishing-mirata-al-furto-di-credenziali-e-matrici-di-sicurezza/


Threat Content

Shared Security Content on Sigma

Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.

Why Security Content Matters

Learn how Securonix is paving the way to make precise, and actionable security content a reality for our customers.

What's New from Threat Labs

  • Blog
    Securonix Threat Research Security Advisory: Analysis of New DEEP#GOSU Attack Campaign Likely Associated with North Korean Kimsuky Targeting Victims with Stealthy Malware
  • Blog
    Securonix Threat Research Security Advisory: Analysis and Detection of STEADY#URSA Attack Campaign Targeting Ukraine Military Dropping New Covert SUBTLE-PAWS PowerShell Backdoor
  • Blog
    Securonix Threat Research Security Advisory: Technical Analysis and Detection of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN
