Securonix Threat Labs

Get up-to-date threat content from the experts at Securonix Threat Labs.

Uncover the threats of tomorrow, today.

Securonix Threat Labs helps your team fend off rising threats by bringing the industry’s brightest minds together to equip you with the latest countermeasures and best practices.

Powered by Threat Labs

Autonomous Threat Sweeper

Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.

Latest ATS Entries

All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.

2024-07-15
Chinese_Hacking_Group_Targeting_Italy
MEDIUM
Intel Source:
TG Soft
Intel Name:
Chinese_Hacking_Group_Targeting_Italy
Date of Scan:
2024-07-15
Impact:
MEDIUM
Summary:
Researchers at TG Soft discovered two targeted attacks on Italian companies and government entities, attributed to a Chinese cyber actor connected to APT17, also known as DeputyDog. Both used variants of the Rat 9002 malware: one campaign used an Office document while the other employed a decoy link. In both cases the aim was to deceive victims into downloading what looked like a Skype for Business package from a domain that appeared to belong to an Italian government entity.
Source: https://www.tgsoft.it/news/news_archivio.asp?id=1557&lang=eng
2024-07-15
Atomic_Stealer_Delivered_by_Fake_Microsoft_Teams
LOW
Intel Source:
Malwarebytes
Intel Name:
Atomic_Stealer_Delivered_by_Fake_Microsoft_Teams
Date of Scan:
2024-07-15
Impact:
LOW
Summary:
Malwarebytes researchers have observed increased cyberattacks on the macOS ecosystem as threat actors abuse popular messaging platforms such as Microsoft Teams to spread malware through deceptive advertisements and fake installers. Recent malvertising campaigns show criminals targeting macOS with more sophisticated techniques, including advanced evasion.
Source: https://www.malwarebytes.com/blog/threat-intelligence/2024/07/fake-microsoft-teams-for-mac-delivers-atomic-stealer
2024-07-15
Volt_Typhoon_Targeting_US_Congress_and_Taxpayers
MEDIUM
Intel Source:
CVERC
Intel Name:
Volt_Typhoon_Targeting_US_Congress_and_Taxpayers
Date of Scan:
2024-07-15
Impact:
MEDIUM
Summary:
The Volt Typhoon investigation by the National Computer Virus Emergency Response Center of China accuses U.S. government agencies of fabricating a story to obtain funding and retain surveillance powers. It states that mainstream US media outlets have kept quiet about evidence that disinformation was used to secure increased appropriations and to legitimize far-reaching FISA Section 702 surveillance. The disclosure further claims that the campaign was devised to eliminate foreign competition and thereby sustain an American monopoly over cyberspace.
Source: https://www.cverc.org.cn/head/zhaiyao/futetaifengerEN.pdf
2024-07-15
VCRuntime_Campaign_via_Malspam_Revenue_Agency
LOW
Intel Source:
CERT-AGID
Intel Name:
VCRuntime_Campaign_via_Malspam_Revenue_Agency
Date of Scan:
2024-07-15
Impact:
LOW
Summary:
CERT-AGID researchers have identified an Italian campaign themed around the "Agenzia delle Entrate" (the Italian revenue agency). Victims receive a PEC (certified email) message with a link to a ZIP file called "Skype". The ZIP contains an MSI file which, when executed, launches a JAR file. The JAR is packaged with a key (KEY) and a file containing a large list of UUIDs; these UUIDs carry the encrypted data needed to recover the shellcode that is then run on the machine.
Source: https://x.com/agidcert/status/1809182289072447665?s=12&t=8PuF3QXqo9azqMLbBfcyeA
2024-07-15
New_Bugsleep_Backdoor_by_Muddywater
MEDIUM
Intel Source:
Checkpoint
Intel Name:
New_Bugsleep_Backdoor_by_Muddywater
Date of Scan:
2024-07-15
Impact:
MEDIUM
Summary:
Checkpoint researchers have discovered phishing campaigns conducted by Muddywater, an Iranian threat group active since at least 2017. The attackers use a custom backdoor called Bugsleep and abuse Egnyte, a legitimate file-sharing platform used for easy file transfer via web browsers. Muddywater entices its targets with invitations to webinars and online courses, and in its recent campaigns uses English more often than the local language. Targeted sectors include municipalities, airlines, travel agencies, and media. Many emails are sent to companies in Israel, with others aimed at entities in Turkey, Saudi Arabia, India, and Portugal.
Source: https://research.checkpoint.com/2024/new-bugsleep-backdoor-deployed-in-recent-muddywater-campaigns/
2024-07-15
Private_HTS_program_is_using_for_attacks
LOW
Intel Source:
ASEC
Intel Name:
Private_HTS_program_is_using_for_attacks
Date of Scan:
2024-07-15
Impact:
LOW
Summary:
ASEC researchers have identified new malware distributed through a private HTS (home trading system) program called HPlus, similar to the previously reported Quasar RAT case. The main difference is that HPlus uses an MSI installer instead of an NSIS installer. The attacker has also added remote-support functionality via AnyDesk: when a user clicks the Remote Support button, AnyDesk is executed. After installation, users run a desktop shortcut that launches the updater program, which reads the configuration file, connects to the server and uses an FTP server to perform updates. The attacker manipulates the configuration file so that the FTP server points to where the actual malware is hosted, causing the malware to be downloaded and installed as a compressed file.
Source: https://asec.ahnlab.com/ko/67881/
2024-07-15
OceanLotus_APT_Attack_Using_Social_Security_Topics
LOW
Intel Source:
Knownsec 404 Lab
Intel Name:
OceanLotus_APT_Attack_Using_Social_Security_Topics
Date of Scan:
2024-07-15
Impact:
LOW
Summary:
Knownsec 404 Lab has found an attack sample attributed to the OceanLotus organization. The sample uses phrases such as "social security" and "provident fund adjustment" to entice victims to click. The sample is also highly consistent with the findings of the 2023 investigation into OceanLotus APT activity that imitated APT29 attack techniques.
Source: https://mp.weixin.qq.com/s?__biz=MzAxNDY2MTQ2OQ==&mid=2650979391&idx=1&sn=d40b3efc4c0686f73aabbb47f7f61c15&chksm=8079fe0db70e771b503d98cb8bc757a71f78805e6b90483f217c9fa673996245314606c28d3d&scene=178&cur_album_id=1833896270264844290#rd
2024-07-12
Unmasking_FIN7_Campaigns
LOW
Intel Source:
Silent Push
Intel Name:
Unmasking_FIN7_Campaigns
Date of Scan:
2024-07-12
Impact:
LOW
Summary:
Researchers from Silent Push have discovered the largest collection of FIN7 domains to date, including over 4000 IOFA domains and IP addresses. Prominent global brands such as the Louvre, Meta, Reuters, and Microsoft have been targeted in these large-scale phishing and malware attacks. FIN7 mainly targets industries in the US such as retail, hospitality, tech, consulting, and financial services. The research indicates either the resurfacing of FIN7 or the repurposing of its tactics to launch new campaigns.
Source: https://www.silentpush.com/blog/fin7/#h-iofas
2024-07-12
PurpleFox_Malware_Activities
LOW
Intel Source:
X (Twitter)
Intel Name:
PurpleFox_Malware_Activities
Date of Scan:
2024-07-12
Impact:
LOW
Summary:
Security researcher vm001cn reported on X (Twitter) a PurpleFox malware sample carrying a valid signature. Purple Fox downloads and runs its payload using the MsiInstallProductA function from msi.dll. The payload is a .msi file containing 32- and 64-bit encrypted shellcode. After it has run, the system restarts and renames its components using the 'PendingFileRenameOperations' registry value.
Source: https://x.com/vm001cn/status/1809909869883072703?s=12&t=8PuF3QXqo9azqMLbBfcyeA
2024-07-12
PDF_files_embedded_with_QRcodes
LOW
Intel Source:
SonicWall
Intel Name:
PDF_files_embedded_with_QRcodes
Date of Scan:
2024-07-12
Impact:
LOW
Summary:
SonicWall researchers have observed malware authors using PDF files with embedded QR codes to lure users, because QR codes are very popular and used in every sector. The QR codes arrive in emails asking users to scan them for security updates or document signing. Once a user scans the QR code, it redirects to a phishing page that mimics the official Microsoft login page. Once users enter their Microsoft account username and password, attackers use the credentials to access their email, personal information, and sensitive company data without permission.
Source: https://blog.sonicwall.com/en-us/2024/07/the-hidden-danger-of-pdf-files-with-embedded-qr-codes/

Threat Content

Shared Security Content on Sigma

Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.

Why Security Content Matters

Learn how Securonix is paving the way to make precise and actionable security content a reality for our customers.