Securonix Threat Labs

Get up-to-date threat content from the experts at Securonix Threat Labs.

Uncover the threats of tomorrow, today.

Securonix Threat Labs helps your team fend off rising threats by bringing the industry’s brightest minds together to equip you with the latest countermeasures and best practices.


Powered by Threat Labs

Autonomous Threat Sweeper

Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.

Latest ATS Entries

All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.

Intel Source:
Palo Alto
Intel Name:
North_Korean_IT_Cluster_Phishing_Campaign
Date of Scan:
2024-11-15
Impact:
LOW
Summary:
Researchers from Palo Alto have observed that the North Korean IT worker cluster CL-STA-0237 is active in scams using malware-infected video apps and is most likely operating from Laos. In 2022, this group hacked a US SMB to gain a tech role, thereby assisting North Korea's illegal projects. Organizations could strengthen hiring practices, detect insider threats, and enforce corporate device policies.
Source: https://unit42.paloaltonetworks.com/fake-north-korean-it-worker-activity-cluster/
Intel Source:
eSentire
Intel Name:
BeaverTail_and_InvisibleFerret_Malware
Date of Scan:
2024-11-15
Impact:
MEDIUM
Summary:
Researchers at eSentire have identified an attack in which a JavaScript project was compromised with BeaverTail malware and then downloaded by a software developer. When the developer installed the project, it triggered the execution of malicious files that downloaded and ran a second malware called InvisibleFerret. InvisibleFerret saves itself on the victim's computer as a hidden file named "sysinfo" and is executed using Python. These malware families steal saved login credentials, collect system information, and target cryptocurrency wallets such as Exodus and Solana to extract sensitive data.
Source: https://www.esentire.com/blog/bored-beavertail-invisibleferret-yacht-club-a-lazarus-lure-pt-2
Intel Source:
ASEC
Intel Name:
XLoader_Malware
Date of Scan:
2024-11-15
Impact:
LOW
Summary:
ASEC researchers have identified a malware called XLoader that is being distributed through a technique called DLL side-loading. This technique places a legitimate application and a malicious DLL in the same folder so that the malicious file runs when the application starts. The malware is delivered in a compressed file containing the legitimate application along with two malicious DLL files named jli.dll and concrt140e.dll. When the legitimate application runs, it unknowingly loads the malicious DLLs.
Source: https://asec.ahnlab.com/ko/84431/
Intel Source:
Palo Alto
Intel Name:
Raspberry_Robin_Infection_Chain_Uses_WebDAV_Server
Date of Scan:
2024-11-15
Impact:
LOW
Summary:
A new infection chain for Raspberry Robin, traced back to late October 2024, appears to be distributed through third-party ads on various websites. The campaign involves zip archives (e.g., access.zip, bootstrap.zip) that contain HTA files (e.g., access.hta, bootstrap.hta), each designed to run an obfuscated script hosted on publicly accessible URLs. These scripts retrieve and execute a Raspberry Robin DLL hosted on a WebDAV server. The WebDAV servers rotate DLL files every 50 minutes, each with a unique size and hash. Testing reveals that the DLLs generate Tor-based command-and-control traffic, a known characteristic of Raspberry Robin.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-11-14-IOCs-for-Raspberry-Robin-activity.txt
Intel Source:
Volexity
Intel Name:
BrazenBamboo_Threat_Actor
Date of Scan:
2024-11-15
Impact:
MEDIUM
Summary:
Volexity has uncovered a critical zero-day vulnerability in Fortinet's FortiClient VPN software, which BrazenBamboo, a Chinese state-affiliated cyber espionage group, has exploited through their DEEPDATA malware to steal VPN credentials. The vulnerability allows credentials to be extracted from FortiClient’s process memory after user authentication. DEEPDATA, a modular post-exploitation tool, supports a variety of plugins to collect sensitive data, including passwords, chat logs, and WiFi credentials. Volexity also discovered a new Windows variant of the LIGHTSPY malware family, known for targeting multiple platforms including mobile and desktop systems. BrazenBamboo’s operations, which include sophisticated C2 infrastructure, evidence of continued development, and a focus on domestic surveillance, suggest the group provides custom malware capabilities for government clients.
Source: https://www.volexity.com/blog/2024/11/15/brazenbamboo-weaponizes-forticlient-vulnerability-to-steal-vpn-credentials-via-deepdata/
Intel Source:
Gen Digital
Intel Name:
Glove_Stealer_NET_Malware
Date of Scan:
2024-11-15
Impact:
MEDIUM
Summary:
Glove Stealer is a sophisticated information-stealing malware observed in phishing campaigns, primarily spread through deceptive emails resembling troubleshooting tools like "ClickFix." Once executed, Glove Stealer targets sensitive data from a wide range of browsers, including Chrome, Firefox, and Edge, as well as over 280 browser extensions and 80 locally installed applications, including cryptocurrency wallets, password managers, 2FA authenticators, and email clients. The malware uses advanced techniques, such as bypassing the App-Bound encryption introduced by Google in Chrome 127, by leveraging a supporting module that utilizes the IElevator service. After infecting the victim's system, it exfiltrates data, including cookies, autofill, wallets, and device information, encrypts it using 3DES, and sends it to a remote command-and-control server.
Source: https://www.gendigital.com/blog/news/innovation/glove-stealer
Intel Source:
Cyble
Intel Name:
DONOT_APT_Targets_Maritime_and_Defense_Manufacture
Date of Scan:
2024-11-15
Impact:
LOW
Summary:
Cyble researchers have uncovered a campaign operated by the DoNot APT group, also known as APT-C-35, targeting Pakistan's manufacturing sector, including the maritime and defense sectors. This group has been active since 2016 and is known for targeting government, military, and diplomatic organizations across South Asia. In this campaign, attackers use a malicious .LNK file disguised as an RTF document, delivered via spam emails in RAR archives. When the victim clicks the file, it executes malicious commands through cmd.exe and PowerShell. It then connects to a C2 server, sending a unique device ID via POST and receiving commands for actions such as self-destruction, downloading encrypted payloads, or performing additional malicious tasks.
Source: https://cyble.com/blog/donots-attack-on-maritime-defense-manufacturing/
Intel Source:
EclecticIQ
Intel Name:
SilkSpecter_Group_Targeting_Black_Friday_Shoppers
Date of Scan:
2024-11-15
Impact:
LOW
Summary:
EclecticIQ researchers have uncovered a phishing campaign targeting e-commerce shoppers in Europe and the USA during the Black Friday shopping season. The campaign, attributed with high confidence to the Chinese financially motivated threat actor SilkSpecter, uses fake discounted products to trick victims into providing sensitive data such as Cardholder Data (CHD), Sensitive Authentication Data (SAD), and Personally Identifiable Information (PII). SilkSpecter exploits the legitimate payment processor Stripe to facilitate covert data exfiltration. The attackers enhance the phishing site's credibility by using Google Translate to adapt the site’s language based on the victim's location. Previous campaigns linked to a Chinese SaaS platform, oemapps, suggest it helps SilkSpecter quickly create convincing phishing sites. The domains involved often use .top, .shop, .store, and .vip TLDs and engage in typosquatting of legitimate e-commerce brands.
Source: https://blog.eclecticiq.com/inside-intelligence-center-financially-motivated-chinese-threat-actor-silkspecter-targeting-black-friday-shoppers
Intel Source:
ASEC
Intel Name:
DDoSia_Attacks_on_Korean_Institutions
Date of Scan:
2024-11-14
Impact:
LOW
Summary:
Researchers from ASEC have discovered that the Russian hacktivist group NoName057(16), along with pro-Russian supporters, initiated DDoS attacks on South Korean institutions in November 2024, targeting officials who supported Ukraine. Using DDoSia software, they organized volunteers via Telegram, compensating them with cryptocurrency and regularly changing C&C server addresses to avoid detection.
Source: https://asec.ahnlab.com/ko/84426/
Intel Source:
Cisco Talos
Intel Name:
New_PXA_Stealer_targets_Europe_and_Asia
Date of Scan:
2024-11-14
Impact:
LOW
Summary:
Cisco Talos researchers have uncovered a new information-stealing campaign operated by a Vietnamese-speaking threat actor targeting the education sector in India and government organizations in European countries, including Sweden and Denmark. The attacker leverages Python-based malware called PXA Stealer to exfiltrate sensitive information from victims, including credentials for various online accounts, VPN and FTP clients, financial information, browser cookies, and data from gaming software. This stealer is capable of decrypting the master passwords stored in victims' browsers to access and steal their stored credentials. The attacker also operates the Telegram channel “Mua Bán Scan MINI”, where they sell Facebook accounts, Zalo accounts, SIM cards, credentials, and money laundering data.
Source: https://blog.talosintelligence.com/new-pxa-stealer/

Threat Content

Shared Security Content on Sigma

Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.


Why Security Content Matters

Learn how Securonix is paving the way to make precise and actionable security content a reality for our customers.