Autonomous Threat Sweeper
Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.
Latest ATS Entries
All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.
—
- Intel Source: CYFIRMA Research
- Intel Name: A_New_Info_Stealer_Named_Sync_Scheduler
- Date of Scan: 2024-03-28
- Impact: LOW
- Summary: CYFIRMA researchers have found Sync-Scheduler, an information-stealing malware that targets documents in particular and has anti-analysis capabilities built in. Through in-depth examination, the research details the procedures used to create the malware payloads and investigates the evasion strategies the threat actors use to avoid detection.
—
- Intel Source: eSentire
- Intel Name: Exploitation_of_Fortinet_Vulnerability_CVE_2023_48788
- Date of Scan: 2024-03-28
- Impact: MEDIUM
- Summary: This month, eSentire has tracked a spike in the exploitation of CVE-2023-48788 (CVSS: 9.8). CVE-2023-48788 is a SQL injection flaw in FortiClientEMS software. Exploitation would allow an unauthenticated remote threat actor to execute code or commands through specially crafted requests, enabling initial organizational access.
—
- Intel Source: ISC.SANS
- Intel Name: An_interesting_piece_of_JavaScript
- Date of Scan: 2024-03-28
- Impact: LOW
- Summary: Senior ISC Handler Xavier Mertens recently found an interesting JavaScript payload and provided an analysis. This payload was downloaded from hxxp://gklmeliificagac[.]top/vc7etyp5lhhtr.php?id=win10vm&key=127807548032&s=mints1. Once the page has been fetched, it no longer works and redirects the visitor to another site, and finally another payload is delivered.
—
- Intel Source: EclecticIQ
- Intel Name: Cyber_Espionage_Campaign_Targeting_Indian_Government_Entities_and_Energy_Sector
- Date of Scan: 2024-03-28
- Impact: MEDIUM
- Summary: Researchers at EclecticIQ have discovered a new espionage effort that uses a customized version of HackBrowserData, an open-source information stealer that can gather cookies, history, and browser login credentials, to target Indian government entities and the nation’s energy sector.
—
- Intel Source: Checkmarx
- Intel Name: PyPi_Suspends_Project_Creation_and_User_Registration_Amid_Security_Threat
- Date of Scan: 2024-03-28
- Impact: LOW
- Summary: Checkmarx researchers uncovered a campaign leveraging numerous malicious packages that rely on typosquatting, catching mistyped package names in command-line Python package installations. The attackers aim to steal crypto wallets, browser data, and credentials, and employ persistence mechanisms to survive reboots.
- Source: https://checkmarx.com/blog/pypi-is-under-attack-project-creation-and-user-registration-suspended/
—
- Intel Source: CERT-AGID
- Intel Name: AgentTesla_Expands_Its_Footprint_in_Italy
- Date of Scan: 2024-03-28
- Impact: MEDIUM
- Summary: Operators of AgentTesla have recently stepped up their malspam efforts in Italy, continuing the upward trend in PDF attachment usage noted in recent months. These documents contain links that, when clicked, download files containing malicious JavaScript code.
—
- Intel Source: Cyble
- Intel Name: A_recent_leak_of_a_Solana_drainer_source_code
- Date of Scan: 2024-03-28
- Impact: LOW
- Summary: Cyble Research and Intelligence Labs (CRIL) found multiple drainer source codes leaked on cybercrime forums, including a recent leak of a Solana drainer’s source code.
—
- Intel Source: Securelist
- Intel Name: DinodasRAT_Linux_backdoor
- Date of Scan: 2024-03-28
- Impact: MEDIUM
- Summary: DinodasRAT, also known as XDealer, is a multi-platform backdoor written in C++ that offers a range of capabilities. This RAT allows the malicious actor to surveil and harvest sensitive data from a target’s computer. A Windows version of this RAT was used in attacks against government entities in Guyana.
- Source: https://securelist.com/dinodasrat-linux-implant/112284/
—
- Intel Source: PaloAlto
- Intel Name: Malicious_Google_Ad_Leads_To_Matanbuchus_Infection_With_DanaBot
- Date of Scan: 2024-03-28
- Impact: LOW
- Summary: Researchers at PaloAlto have discovered that a Google advertisement leads users to a fake funds claim website, which spreads the Matanbuchus and DanaBot malware.
—
- Intel Source: Cyble
- Intel Name: After_FBI_Seizure_WarzoneRAT_Returns_With_Multi_Stage_Attack
- Date of Scan: 2024-03-28
- Impact: MEDIUM
- Summary: Researchers at Cyble have noticed a tax-themed campaign that may have spread via spam emails. Investigations revealed that the campaign disseminated the malware WarzoneRAT (AveMaria). AveMaria is a Remote Administration Tool (RAT) that can take commands from a Command and Control (C&C) server and carry out a range of malicious activities.
- Source: https://cyble.com/blog/warzonerat-returns-with-multi-stage-attack-post-fbi-seizure/
Shared Security Content on Sigma
Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.
What's New from Threat Labs
- Securonix Threat Research Security Advisory: Analysis of New DEEP#GOSU Attack Campaign Likely Associated with North Korean Kimsuky Targeting Victims with Stealthy Malware
- Securonix Threat Research Security Advisory: Analysis and Detection of STEADY#URSA Attack Campaign Targeting Ukraine Military Dropping New Covert SUBTLE-PAWS PowerShell Backdoor
- Securonix Threat Research Security Advisory: Technical Analysis and Detection of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN