Powered by Threat Labs

Autonomous Threat Sweeper

Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.

Latest ATS Entries

All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.

Intel Source:
CYFIRMA Research
Intel Name:
A_New_Info_Stealer_Named_Sync_Scheduler
Date of Scan:
2024-03-28
Impact:
LOW
Summary:
CYFIRMA researchers have identified Sync-Scheduler, an information stealer that specifically targets documents and has anti-analysis measures built in. The write-up details how the malware payloads are constructed and examines the evasion techniques the threat actors use to avoid detection.

Source:
https://www.linkedin.com/posts/cyfirma-research-6a8073245_sync-scheduler-stealer-activity-7178734723601485824-gOFs?utm_source=li_share&utm_content=feedcontent&utm_medium=g_dt_web&utm_campaign=copy

Intel Source:
eSentire
Intel Name:
Exploitation_of_Fortinet_Vulnerability_CVE_2023_48788
Date of Scan:
2024-03-28
Impact:
MEDIUM
Summary:
In March 2024, eSentire tracked a spike in exploitation of CVE-2023-48788 (CVSS 9.8), an SQL injection flaw in FortiClientEMS. Successful exploitation lets an unauthenticated remote attacker execute code or commands via specially crafted requests, giving the attacker initial access to the organization's network.

Source:
https://www.esentire.com/security-advisories/widespread-exploitation-of-fortinet-vulnerability-cve-2023-48788

Intel Source:
SANS ISC
Intel Name:
An_interesting_piece_of_JavaScript
Date of Scan:
2024-03-28
Impact:
LOW
Summary:
Senior ISC handler Xavier Mertens analyzed an interesting JavaScript payload that was downloaded from hxxp://gklmeliificagac[.]top/vc7etyp5lhhtr.php?id=win10vm&key=127807548032&s=mints1. Once the page has been fetched, it no longer serves the payload and instead redirects the visitor to another site; at the end of the chain a further payload is delivered.

Source:
https://isc.sans.edu/diary/rss/30788

Intel Source:
EclecticIQ
Intel Name:
Cyber_Espionage_Campaign_Targeting_Indian_Government_Entities_and_Energy_Sector
Date of Scan:
2024-03-28
Impact:
MEDIUM
Summary:
Researchers at EclecticIQ have uncovered a new espionage campaign, tracked as Operation FlightNight, that targets Indian government entities and the country's energy sector with a customized version of HackBrowserData, an open-source information stealer capable of collecting cookies, browsing history and saved browser login credentials.

Source:
https://blog.eclecticiq.com/operation-flightnight-indian-government-entities-and-energy-sector-targeted-by-cyber-espionage-campaign

Intel Source:
Checkmarx
Intel Name:
PyPi_Suspends_Project_Creation_and_User_Registration_Amid_Security_Threat
Date of Scan:
2024-03-28
Impact:
LOW
Summary:
Checkmarx researchers uncovered a campaign that published numerous malicious packages to PyPI under typosquatted names, counting on users mistyping a package name on the command line when installing with pip. The payloads aim to steal cryptocurrency wallets, browser data and credentials, and they install persistence mechanisms so that they survive reboots. PyPI temporarily suspended new project creation and new user registration in response.

Source:
https://checkmarx.com/blog/pypi-is-under-attack-project-creation-and-user-registration-suspended/
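The typosquatting technique behind this campaign can be checked for on the defender's side before a package is installed. The script below is an added example written for this page, not Checkmarx's or PyPI's own tooling: it normalises a candidate name the way PyPI does (PEP 503), then flags it if it sits within one edit of a well-known name, is a single adjacent-character swap of one, or is a known name with a common prefix or suffix bolted on. The POPULAR list, the affix lists and the candidate names in the demo are constructed for illustration; a real check would load the actual top-N PyPI project names.

```python
"""Score candidate package names for typosquatting against known packages.

Added example (not Checkmarx's or PyPI's own tooling). The POPULAR list, the
affix lists and the candidate names in the demo are constructed for
illustration; a real check would load the actual top-N PyPI project names.
"""
import re

# Constructed sample of well-known PyPI project names (assumption).
POPULAR = ["requests", "numpy", "pandas", "urllib3", "colorama", "setuptools"]

# Affixes squatters commonly bolt onto a real name (assumption).
PREFIXES = ("python-", "py-", "py")
SUFFIXES = ("-python", "-py", "py")


def normalize(name):
    """PEP 503 normalisation: case-insensitive; runs of '-', '_', '.' are equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) by the classic DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,               # delete ca
                           cur[j - 1] + 1,            # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_adjacent_swap(a, b):
    """True if a and b differ only by one swapped pair of neighbouring characters."""
    if len(a) != len(b):
        return False
    diff = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    return (len(diff) == 2 and diff[1] == diff[0] + 1
            and a[diff[0]] == b[diff[1]] and a[diff[1]] == b[diff[0]])


def strip_affix(name):
    """Remove one known prefix or suffix, if present, leaving a non-empty core."""
    for p in PREFIXES:
        if name.startswith(p) and len(name) > len(p):
            return name[len(p):]
    for s in SUFFIXES:
        if name.endswith(s) and len(name) > len(s):
            return name[:-len(s)]
    return name


def typosquat_matches(candidate, popular=POPULAR, max_distance=1):
    """Return [(popular_name, reason), ...] for every popular name the candidate
    resembles. An exact (normalised) match is the genuine package, not a squat."""
    c = normalize(candidate)
    hits = []
    for p in popular:
        pn = normalize(p)
        if c == pn:
            continue
        if levenshtein(c, pn) <= max_distance:
            hits.append((p, "edit-distance"))
        elif is_adjacent_swap(c, pn):
            hits.append((p, "transposition"))
        elif strip_affix(c) == pn:
            hits.append((p, "affix"))
    return hits


if __name__ == "__main__":
    # Constructed candidates: the kind of names a user might mistype or be lured into.
    for name in ["requets", "reqeusts", "colourama", "python-numpy", "Requests", "flask"]:
        print(f"{name:14s} -> {typosquat_matches(name)}")
```

A hit is a reason to stop and look, not proof of malice: legitimate forks and wrappers also sit one edit away from a popular name, so the output belongs in a pre-install gate that asks for confirmation, not in a silent block.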

Intel Source:
CERT-AGID
Intel Name:
AgentTesla_Expands_Its_Footprint_in_Italy
Date of Scan:
2024-03-28
Impact:
MEDIUM
Summary:
AgentTesla operators have recently stepped up their malspam activity in Italy, continuing the rise in PDF attachments observed in recent months. The PDFs contain links which, when clicked, download files carrying malicious JavaScript code.

Source:
https://cert-agid.gov.it/news/agenttesla-intensifica-la-sua-presenza-in-italia-il-ruolo-cruciale-degli-allegati-pdf/

Intel Source:
Cyble
Intel Name:
A_recent_leak_of_a_Solana_drainer_source_code
Date of Scan:
2024-03-28
Impact:
LOW
Summary:
Cyble Research and Intelligence Labs (CRIL) found the source code of multiple crypto drainers leaked on cybercrime forums, including a recent leak of a Solana drainer whose lineage CRIL traces back to the developers of MS Drainer.

Source:
https://cyble.com/blog/solana-drainers-source-code-saga-tracing-its-lineage-to-the-developers-of-ms-drainer/

Intel Source:
Securelist
Intel Name:
DinodasRAT_Linux_backdoor
Date of Scan:
2024-03-28
Impact:
MEDIUM
Summary:
DinodasRAT, also known as XDealer, is a multi-platform backdoor written in C++ with a broad feature set that lets the operator surveil a target's machine and harvest sensitive data from it. A Windows version of the RAT was used in attacks against government entities in Guyana; this report analyzes the Linux implant.

Source:
https://securelist.com/dinodasrat-linux-implant/112284/

Intel Source:
Palo Alto Networks Unit 42
Intel Name:
Malicious_Google_Ad_Leads_To_Matanbuchus_Infection_With_DanaBot
Date of Scan:
2024-03-28
Impact:
LOW
Summary:
Unit 42 researchers found that a malicious Google advertisement leads users to a fake funds-claim website, which delivers the Matanbuchus loader; the Matanbuchus infection in turn installs DanaBot.

Source:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-03-26-IOCs-for-Matanbuchus-infection-with-Danabot.txt

Intel Source:
Cyble
Intel Name:
After_FBI_Seizure_WarzoneRAT_Returns_With_Multi_Stage_Attack
Date of Scan:
2024-03-28
Impact:
MEDIUM
Summary:
Researchers at Cyble observed a tax-themed campaign, likely distributed via spam email, that delivers WarzoneRAT (also known as AveMaria) in a multi-stage attack following the FBI seizure of the malware's infrastructure. AveMaria is a remote administration tool (RAT) that takes commands from a command-and-control (C&C) server and carries out a range of malicious activities.

Source:
https://cyble.com/blog/warzonerat-returns-with-multi-stage-attack-post-fbi-seizure/


Threat Content

Shared Security Content on Sigma

Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.

Why Security Content Matters

Learn how Securonix is paving the way to make precise, and actionable security content a reality for our customers.

What's New from Threat Labs

  • Blog
    Securonix Threat Research Security Advisory: Analysis of New DEEP#GOSU Attack Campaign Likely Associated with North Korean Kimsuky Targeting Victims with Stealthy Malware
  • Blog
    Securonix Threat Research Security Advisory: Analysis and Detection of STEADY#URSA Attack Campaign Targeting Ukraine Military Dropping New Covert SUBTLE-PAWS PowerShell Backdoor
  • Blog
    Securonix Threat Research Security Advisory: Technical Analysis and Detection of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN
