Securonix Threat Labs

Get up-to-date threat content from the experts at Securonix Threat Labs.

Uncover the threats of tomorrow, today.

Securonix Threat Labs helps your team fend off rising threats by bringing the industry’s brightest minds together to equip you with the latest countermeasures and best practices.

Powered by Threat Labs

Autonomous Threat Sweeper

Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.

Latest ATS Entries

All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.

Intel Source:
CERT.PL
Intel Name:
APT_28_Targeting_against_Polish_govt_institutions
Date of Scan:
2024-05-09
Impact:
MEDIUM
Summary:
CERT Polska has observed a malicious e-mail campaign conducted by the APT28 group against Polish government institutions. APT28 is attributed to the General Staff of the Armed Forces of the Russian Federation (GRU). The lure email claims to have information about a Ukrainian woman living in Poland who is running a suspicious business, and carries a link to a fake website from which a ZIP archive is downloaded. The archive contains three files: an executable disguised as a photo, a hidden batch script, and a fake Windows library (DLL) file.
Source: https://cert.pl/en/posts/2024/05/apt28-kampania/
Intel Source:
CERT-AGID
Intel Name:
Phishing_Scam_Exploiting_Italian_Government_Name_and_Tax_Refund_Promise
Date of Scan:
2024-05-09
Impact:
MEDIUM
Summary:
CERT-AGID researchers have identified a concerning phishing campaign targeting Italian citizens, which falsely promises tax refunds while exploiting the name and logos of the Presidency of the Council of Ministers. The phishing emails claim recipients are entitled to a refund of €268.30 and create a sense of urgency by stating the offer expires within five working days. Recipients are directed to click a link that redirects them to a fraudulent page, aiming to trick them into providing their banking credentials.
Source: https://cert-agid.gov.it/news/phishing/phishing-multibanking-sfrutta-nome-e-loghi-della-presidenza-del-consiglio-dei-ministri/
Intel Source:
Juniper
Intel Name:
The_observed_instances_of_Mirai_botnet_delivery_in_the_wild
Date of Scan:
2024-05-08
Impact:
HIGH
Summary:
Juniper researchers observed exploitation attempts against an Ivanti Pulse Secure authentication bypass chained with a remote code execution vulnerability, and found the same exploit being used in the wild to deliver the Mirai botnet. Because the exploit yields code execution on an edge appliance, it provides an easy malware delivery path and poses a significant risk to the networks behind the device.
Source: https://blogs.juniper.net/en-us/security/protecting-your-network-from-opportunistic-ivanti-pulse-secure-vulnerability-exploitation
Intel Source:
ASEC
Intel Name:
CHM_Malware_Targeting_Users_in_Korea
Date of Scan:
2024-05-08
Impact:
LOW
Summary:
ASEC researchers have discovered a CHM malware strain in Korea that steals user information. This malware has been distributed in various formats such as LNK, DOC, and OneNote for some time.
Source: https://asec.ahnlab.com/en/65245/
Intel Source:
Tqt-group
Intel Name:
Meterpreter_backdoor_being_distributed_from_a_Korean_website
Date of Scan:
2024-05-08
Impact:
LOW
Summary:
ASEC has observed malware being distributed through web servers in South Korea that redirect visitors to an illegal gambling site. After initially compromising a poorly managed Windows Internet Information Services (IIS) web server in Korea, the threat actor installed the Meterpreter backdoor, a port forwarding tool, and a malicious IIS module. The attacker's goal was to collect information on the target before installing the IIS module malware.
Source: https://tqt-group.co.uk/2024/05/08/case-of-malware-distribution-linking-to-illegal-gambling-website-targeting-korean-web-server/
Intel Source:
Threatdown
Intel Name:
A_ransomware_affiliated_with_LockBit_Black_malware
Date of Scan:
2024-05-08
Impact:
MEDIUM
Summary:
Lure emails from a malicious campaign observed last month delivered ransomware affiliated with LockBit Black (AKA LockBit 3.0). The LockBit Black sample was spread by a malspam campaign that used the Phorpiex botnet. The emails, with the subject “Your Document”, carry a zipped attachment.
Source: https://www.threatdown.com/blog/lockbitblack-05-01-2024/
Intel Source:
Fortinet
Intel Name:
The_Distribution_of_zEus_Stealer
Date of Scan:
2024-05-08
Impact:
MEDIUM
Summary:
Researchers from Fortinet examined a batch-script stealer distributed via a crafted Minecraft source pack embedded in a WinRAR self-extracting archive. The zEus stealer had been added to a source pack that was being shared on YouTube. The "zEus" name also appears in the profile of the Discord webhook that receives the stolen data.
Source: https://www.fortinet.com/blog/threat-research/zeus-stealer-distributed-via-crafted-minecraft-source-pack
Intel Source:
ASEC
Intel Name:
RemcosRAT_Spreading_Using_Steganography
Date of Scan:
2024-05-08
Impact:
LOW
Summary:
Researchers from ASEC have discovered that RemcosRAT is being distributed using steganography. The attack starts with a Word document that uses the template injection technique to fetch an RTF file; the RTF is then executed to exploit an Equation Editor (EQNEDT32.EXE) vulnerability.
Source: https://asec.ahnlab.com/en/65111/
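The Equation Editor stage of the chain above is the easiest point to hunt for retroactively: a legitimate equation edit never leaves the EQNEDT32.EXE process, so any child process of EQNEDT32.EXE is worth an alert. The following is an added example, not ASEC or Securonix code, and not an ATS Spotter query; it runs a simple hunt over constructed Sysmon Event ID 1 style process-creation records (the ParentImage/Image/CommandLine fields, hosts and paths are assumptions made for the example).

```python
"""Hunt for Equation Editor (EQNEDT32.EXE) spawning child processes.

Added example (not ASEC or Securonix code). Exploitation of the legacy
Equation Editor, as in the RemcosRAT chain described above, ends with
EQNEDT32.EXE launching a payload; a benign equation edit spawns nothing.
The events below are constructed Sysmon Event ID 1 style records.
"""
from dataclasses import dataclass
import ntpath  # Windows path semantics regardless of the host OS


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


# Constructed sample telemetry; hosts, paths and command lines are made up.
SAMPLE_EVENTS = [
    # Normal start: the editor is launched via COM by svchost ('-Embedding').
    ProcessEvent("ws-01", r"C:\Windows\System32\svchost.exe",
                 r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
                 "EQNEDT32.EXE -Embedding"),
    # Suspicious: the editor spawns cmd.exe to run a dropped script.
    ProcessEvent("ws-01",
                 r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
                 r"C:\Windows\System32\cmd.exe",
                 'cmd /c "%TEMP%\\img.vbs"'),
    # Benign Word child process (printing helper), must not be flagged.
    ProcessEvent("ws-02", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),
    # Suspicious: the editor spawns an encoded PowerShell command.
    ProcessEvent("ws-03",
                 r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -w hidden -enc SQBFAFgA"),
]

EQUATION_EDITOR = "eqnedt32.exe"


def is_equation_editor(path: str) -> bool:
    """Match on the file name only; install directories vary by Office version."""
    return ntpath.basename(path).lower() == EQUATION_EDITOR


def hunt_equation_editor_children(events):
    """Return every event whose parent process is EQNEDT32.EXE.

    Any child is suspicious; the child image is deliberately not filtered,
    because the payload may be cmd, PowerShell, mshta, or a dropped binary.
    """
    return [e for e in events if is_equation_editor(e.parent_image)]


def summarize(hits):
    """Compact triage lines: host, child binary, and the full command line."""
    return [f"{h.host}: EQNEDT32.EXE -> {ntpath.basename(h.image)} :: {h.command_line}"
            for h in hits]


if __name__ == "__main__":
    for line in summarize(hunt_equation_editor_children(SAMPLE_EVENTS)):
        print(line)
```

Run against the constructed sample, the hunt flags the two EQNEDT32.EXE children (cmd.exe on ws-01 and powershell.exe on ws-03) and ignores both the COM launch of the editor itself and the benign WINWORD.EXE child. In production the same predicate is applied to the process-creation source already in the SIEM; matching on the parent file name rather than the full path keeps it robust across 32-bit and 64-bit Office installs.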
Intel Name:
Asynchronous_Remote_Access_Trojan
Date of Scan:
2024-05-08
Impact:
LOW
Summary:
McAfee Labs has uncovered an AsyncRAT variant designed to steal confidential data. It is hard to detect because it relies on non-PE files: PowerShell and VBScript payloads hidden inside an HTML file. When a recipient opens the malicious email and clicks its link, a chain of downloads drops these scripts onto the machine without the user noticing; once installed, the RAT gives the attacker remote control of the system.
Source: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/from-spam-to-asyncrat-tracking-the-surge-in-non-pe-cyber-threats/
Intel Source:
Threatdown
Intel Name:
The_details_of_a_Medusa_ransomware_attack
Date of Scan:
2024-05-08
Impact:
MEDIUM
Summary:
Last month, a prominent service chain in the United States became the victim of a Medusa ransomware attack. ThreatDown analysts reconstructed the attack, covering the chronological sequence of events, key indicators of compromise (IOCs), and the steps the ThreatDown MDR team took to contain the infection.
Source: https://www.threatdown.com/blog/the-anatomy-of-a-medusa-ransomware-attack-threatdown-mdr-team-investigates/

Threat Content

Shared Security Content on Sigma

Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.

Why Security Content Matters

Learn how Securonix is paving the way to make precise and actionable security content a reality for our customers.