Securonix Threat Labs

Get up-to-date threat content from the experts at Securonix Threat Labs.

Uncover the threats of tomorrow, today.

Securonix Threat Labs helps your team fend off rising threats by bringing the industry’s brightest minds together to equip you with the latest countermeasures and best practices.


Powered by Threat Labs

Autonomous Threat Sweeper

Acting as your own dedicated Cyber Rapid Response Team, Securonix Autonomous Threat Sweeper (ATS) automatically and retroactively hunts for new and emerging threats based on the latest threat intelligence from our Threat Labs Team.

Latest ATS Entries

All indicators of compromise (IOC) and Spotter queries are available on our GitHub repository.

Intel Source:
STR
Intel Name:
Potential_C2_Seeder_Queries_11192024
Date of Scan:
2024-11-20
Impact:
MEDIUM
Summary:
This research is part of the Securonix Threat Labs Threat Research Team's work.
Source: https://github.com/str-int-repo/str-seeder-behavior-queries

Intel Source:
CERT-AGID
Intel Name:
GitHub_Hosted_Phishing_Campaign
Date of Scan:
2024-11-20
Impact:
LOW
Summary:
CERT-AGID researchers have uncovered a phishing campaign targeting users of WeTransfer, a popular file-sharing service, and cPanel, a web hosting control panel. The attackers send fake file-share notification emails whose links redirect victims to a page that closely mimics the cPanel Webmail login. The fake page is hosted on GitHub, which gives the lure a trusted domain. When a victim enters credentials, the page silently sends the login details, the email provider's mail server details (MX records), and the victim's IP-based geolocation to a Telegram bot controlled by the attackers.
Source: https://cert-agid.gov.it/news/phishing-ospitato-su-github-ruba-credenziali-utilizzando-telegram/

Intel Source:
NTT
Intel Name:
DarkPlum_Targeting_Japan_Through_AsyncRAT
Date of Scan:
2024-11-20
Impact:
MEDIUM
Summary:
NTT researchers have found that the threat group DarkPlum, also known as Kimsuky or APT43, has been targeting Japan since March 2024 using a customized variant of AsyncRAT, an open-source RAT available on GitHub. AsyncRAT infects devices, gathers information, and executes malicious plugins pushed from a command-and-control (C&C) server. The actor's variants use several plugins, including RemoteDesktop, FileManager, and RemoteShell. RemoteDesktop provides screen capture, mouse control, and keyboard input. FileManager steals folder and drive information, manipulates files, and downloads tools such as 7zip. RemoteShell lets DarkPlum open command prompts, execute commands, and terminate processes to explore and manipulate the victim's environment.
Source: https://polite-sea-077fba000.1.azurestaticapps.net/tech_blog/darkplum-asyncrat

Intel Source:
SCILabs
Intel Name:
New_Silver_Shifting_Yak_Banking_Trojan
Date of Scan:
2024-11-20
Impact:
LOW
Summary:
SCILabs researchers have identified a new banking trojan, Silver Shifting Yak, and documented its tactics, techniques, and procedures (TTPs). The trojan primarily targets customers of financial institutions and Microsoft services in Latin America, stealing sensitive data such as login credentials. Notably, it changes its command-and-control (C2) URLs dynamically and rotates domain names to evade detection. The distribution method is not confirmed, but it is likely spread via malicious email attachments disguised as invoices or documents, as other threats in the region are.
Source: https://blog.scilabs.mx/en/new-silver-shifting-yak-banking-trojan/

Intel Source:
Trellix
Intel Name:
When_Guardians_Become_Predators
Date of Scan:
2024-11-20
Impact:
LOW
Summary:
Trellix's Advanced Research Center has documented a malware campaign that abuses a legitimate, signed Avast Anti-Rootkit driver to disable security software, a bring-your-own-vulnerable-driver (BYOVD) technique. The malware drops the kernel-mode driver "aswArPot.sys" onto the system and installs it as a service; because the driver runs in the kernel, the malware can use it to act on processes that user-mode code cannot touch. It then uses that access to terminate antivirus and endpoint detection and response (EDR) processes, leaving the host undefended and allowing the malware to operate undetected. A practical detection angle is the driver itself: aswArPot.sys being loaded on a host where Avast is not installed, or from a path outside Avast's installation directory, is a strong signal.
Source: https://www.trellix.com/blogs/research/when-guardians-become-predators-how-malware-corrupts-the-protectors/

Intel Source:
Palo Alto
Intel Name:
ApateWeb_Campaign_Updates
Date of Scan:
2024-11-20
Impact:
LOW
Summary:
Palo Alto Networks Unit 42 has published new indicators for the entry-point infrastructure of the ApateWeb campaign, first reported in its January 2024 article.
Source: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-11-19-IOC-updates-for-ApateWeb-campaign.txt

Intel Source:
ClearSky
Intel Name:
Zero_Day_Vulnerability_in_Windows
Date of Scan:
2024-11-20
Impact:
MEDIUM
Summary:
ClearSky has reported a zero-day vulnerability (CVE-2024-43451) in Windows that is triggered through malicious Internet Shortcut (.url) files. The flaw is an NTLM hash disclosure: minimal interaction with the file causes Windows to authenticate to an attacker-controlled server, leaking the user's NTLMv2 hash. It can be triggered by right-clicking the file or deleting it on Windows 10/11, or by dragging it to another folder on Windows 10/11 and some versions of Windows 7/8/8.1. The malicious files were served from an official Ukrainian government website where users download academic certificates. The vulnerability is being exploited by the threat actor UAC-0194, suspected to be Russian, in a campaign targeting Ukrainian entities. The issue was reported to CERT-UA and Microsoft, which released a patch on November 12, 2024. Because the hash leaves the host over an outbound SMB connection, blocking outbound TCP 445 at the perimeter limits exposure on hosts that are not yet patched.
Source: https://www.clearskysec.com/wp-content/uploads/2024/11/Zero-day-cve-2024-4351-report.pdf

Intel Source:
Cyfirma
Intel Name:
New_Variant_of_MIMIC_Ransomware
Date of Scan:
2024-11-20
Impact:
MEDIUM
Summary:
Cyfirma researchers have analyzed a dropper binary that deploys ELPACO-team ransomware, a new variant of the MIMIC ransomware family. On execution it uses a mix of malicious tools and legitimate utilities to disable system defenses, encrypt a wide range of file types, and establish persistence. It targets files on both local and network drives and leaves a ransom note for the victim. It encrypts a list of target extensions while excluding others so that it does not damage files the system needs to keep running. The combination of defense evasion and broad encryption makes it a significant threat to individuals and enterprises and complicates recovery.
Source: https://www.cyfirma.com/research/elpaco-team-ransomware-a-new-variant-of-the-mimic-ransomware-family/

Intel Source:
Palo Alto
Intel Name:
FrostyGoop_Closer_Look
Date of Scan:
2024-11-19
Impact:
MEDIUM
Summary:
Unit 42 has detailed the FrostyGoop malware, also known as BUSTLEBERM, which emerged in 2024 as a significant threat to operational technology (OT) infrastructure. In its best-known attack it disrupted heating for over 600 buildings in Ukraine during sub-zero temperatures by sending Modbus TCP commands directly to ICS/OT devices. Modbus TCP carries no authentication, so no software vulnerability needs to be exploited: any host that can reach the device can read and write its registers. FrostyGoop is the ninth known OT-centric malware and the first to disrupt critical infrastructure at this scale. Its capabilities include reading and modifying data on industrial control devices, with targets and values supplied through JSON configuration files. Analysis revealed its use of open-source libraries, debugger evasion techniques, and associated tools such as go-encrypt.exe, suspected of being used to conceal configuration data.
Source: https://unit42.paloaltonetworks.com/frostygoop-malware-analysis/
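The summary above rests on one property of Modbus TCP: the protocol has no authentication or integrity field, so a write request from the malware looks exactly like one from the legitimate HMI. The C program below is an added example written for this page, not Unit 42's code or FrostyGoop's; it decodes Modbus TCP request frames and picks out register writes, which is the operation a defender monitoring OT traffic wants to alert on when it comes from an unexpected source. The three frames, the unit ID, register addresses and values are constructed for illustration.

```c
/* Added example, not Unit 42's code: decode Modbus TCP request frames and
 * pick out register writes, the operations FrostyGoop issues to OT devices.
 * Modbus TCP has no authentication or integrity field: whoever can reach
 * TCP/502 can send these frames. Build: cc -Wall -O2 -o mbparse mbparse.c
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MBAP_LEN 7   /* transaction id(2) + protocol id(2) + length(2) + unit id(1) */

struct modbus_req {
    uint16_t transaction_id;
    uint8_t  unit_id;
    uint8_t  function;   /* 0x03 read holding regs, 0x06 write single, 0x10 write multiple */
    uint16_t address;    /* starting register address */
    uint16_t count;      /* register quantity, or the value written for 0x06 */
    int      is_write;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Function codes that change device state (coil and register writes). */
int modbus_is_write_function(uint8_t fc)
{
    switch (fc) {
    case 0x05: case 0x06: case 0x0F: case 0x10: case 0x16: case 0x17:
        return 1;
    default:
        return 0;
    }
}

/* Parse exactly one request ADU. Returns 0 on success, -1 if the bytes are
 * truncated, internally inconsistent, or not Modbus (protocol id must be 0). */
int modbus_parse_request(const uint8_t *buf, size_t len, struct modbus_req *out)
{
    if (len < MBAP_LEN + 1 || be16(buf + 2) != 0)
        return -1;
    uint16_t following = be16(buf + 4);        /* bytes after the length field */
    if (following < 2 || (size_t)following + 6 != len)
        return -1;
    out->transaction_id = be16(buf);
    out->unit_id  = buf[6];
    out->function = buf[7];
    out->is_write = modbus_is_write_function(out->function);
    out->address  = 0;
    out->count    = 0;
    switch (out->function) {
    case 0x03: case 0x06: case 0x10:
        if (following < 6)                     /* unit + fc + addr(2) + count/value(2) */
            return -1;
        out->address = be16(buf + 8);
        out->count   = be16(buf + 10);
        if (out->function == 0x10 &&           /* byte count must agree with both */
            (following < 7 || buf[12] != out->count * 2 || following != 7 + buf[12]))
            return -1;
        break;
    default:
        break;                                 /* other codes: header fields only */
    }
    return 0;
}

/* Detection helper: returns the target register of a write request,
 * -1 for a read or other non-write request, -2 for a malformed frame. */
int modbus_write_target(const uint8_t *buf, size_t len)
{
    struct modbus_req r;
    if (modbus_parse_request(buf, len, &r) != 0)
        return -2;
    return r.is_write ? (int)r.address : -1;
}

/* Constructed sample frames (unit id, addresses and values are made up). */
const uint8_t SAMPLE_READ_HOLDING[] = {0x00,0x01, 0x00,0x00, 0x00,0x06, 0x01, 0x03, 0x00,0x00, 0x00,0x0A};
const uint8_t SAMPLE_WRITE_SINGLE[] = {0x00,0x02, 0x00,0x00, 0x00,0x06, 0x01, 0x06, 0x00,0x10, 0x00,0x2A};
const uint8_t SAMPLE_WRITE_MULTI[]  = {0x00,0x03, 0x00,0x00, 0x00,0x0B, 0x01, 0x10, 0x00,0x10, 0x00,0x02, 0x04, 0x00,0x01, 0x00,0x02};

int main(void)
{
    const uint8_t *frames[] = {SAMPLE_READ_HOLDING, SAMPLE_WRITE_SINGLE, SAMPLE_WRITE_MULTI};
    const size_t   sizes[]  = {sizeof SAMPLE_READ_HOLDING, sizeof SAMPLE_WRITE_SINGLE, sizeof SAMPLE_WRITE_MULTI};
    for (size_t i = 0; i < 3; i++) {
        struct modbus_req r;
        if (modbus_parse_request(frames[i], sizes[i], &r) != 0) {
            printf("frame %zu: malformed\n", i);
            continue;
        }
        printf("frame %zu: unit %u fc 0x%02X addr %u count/value %u -> %s\n",
               i, (unsigned)r.unit_id, (unsigned)r.function, (unsigned)r.address,
               (unsigned)r.count, r.is_write ? "WRITE (alert if source is not the HMI)" : "read");
    }
    return 0;
}
```

The parser is deliberately strict (the MBAP length must match the bytes actually received), which is the right default for a detector: a frame that disagrees with its own length field is either corruption or something probing the device. In a real sensor the `modbus_write_target` result would be joined with the source IP, since the only thing distinguishing an attacker's write from an operator's is where it came from.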

Intel Source:
ISC.SANS
Intel Name:
Detecting_Debugger_Presence_on_Linux_Systems
Date of Scan:
2024-11-19
Impact:
LOW
Summary:
The SANS Internet Storm Center has discussed methods for detecting the presence of a debugger on a Linux system, techniques that malware uses to evade analysis and that reverse engineers need to recognize. The diary covers checks such as reading the TracerPid field of `/proc/[pid]/status`, which is non-zero while a tracer is attached, and calling the ptrace system call with PTRACE_TRACEME, which fails when the process is already being traced because a process can have only one tracer. It also covers countermeasures analysts use to hide the debugger, such as intercepting the system calls these checks rely on and manipulating environment variables.
Source: https://isc.sans.edu/diary/Detecting+the+Presence+of+a+Debugger+in+Linux/31450/
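To make the two checks concrete, here is an added C example written for this page (not the diary's own code) that implements both: the TracerPid read from /proc/self/status and the PTRACE_TRACEME probe. The parsing is factored out so it can be exercised on constructed status-file text; the program itself reads the real /proc on a Linux host.

```c
/* Added example, not the ISC diary's code: two classic Linux anti-debugging
 * checks, with the parsing factored out so it can be tested on sample text.
 * Build on Linux: cc -Wall -O2 -o dbgcheck dbgcheck.c
 * Try: ./dbgcheck  (no tracer)   versus   strace -o /dev/null ./dbgcheck
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>

/* Extract the TracerPid value from the text of /proc/<pid>/status.
 * Returns the tracer's PID (0 means nobody is tracing), or -1 if the field
 * is absent. Constructed sample input: "Name:\tdbgcheck\nTracerPid:\t4242\n" */
int tracer_pid_from_status_text(const char *text)
{
    const char *p = strstr(text, "TracerPid:");
    if (p == NULL)
        return -1;
    return atoi(p + strlen("TracerPid:"));   /* atoi skips the tab */
}

/* Check 1: read our own status file. Any attached tracer, gdb or strace,
 * shows up here as a non-zero PID. Returns -1 if /proc is unavailable. */
int tracer_pid_self(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status_text(buf);
}

/* Check 2: a process can have only one tracer, so PTRACE_TRACEME fails with
 * EPERM when a debugger is already attached. Side effect to keep in mind: if
 * the call succeeds, the calling process is now traced by its parent and
 * TracerPid will report the parent's PID from here on, so run check 1 first.
 * Returns 1 = debugger detected, 0 = not detected, -1 = ptrace failed for
 * another reason. Caveat: a seccomp policy that denies ptrace with EPERM is
 * indistinguishable from a real tracer here. */
int ptrace_traceme_check(void)
{
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
        return errno == EPERM ? 1 : -1;
    return 0;
}

/* Combine both checks the way malware usually does: any positive hit wins.
 * Calls check 1 before check 2 because of the side effect described above. */
int debugger_present(void)
{
    if (tracer_pid_self() > 0)
        return 1;
    return ptrace_traceme_check() == 1;
}

int main(void)
{
    int tp = tracer_pid_self();          /* must run before the ptrace probe */
    int pt = ptrace_traceme_check();
    printf("TracerPid            : %d\n", tp);
    printf("PTRACE_TRACEME probe : %d\n", pt);
    printf("debugger present     : %s\n", (tp > 0 || pt == 1) ? "yes" : "no");
    return 0;
}
```

The two checks fail independently, which is why malware pairs them: a preloaded library (LD_PRELOAD) that exports its own ptrace() returning 0 silences the probe but not the TracerPid read, while a tracer that detaches before the status file is read does the reverse. Note also that a successful PTRACE_TRACEME permanently changes the process's relationship with its parent, so a sample that runs this check once early and then execs or receives signals will behave differently under a harness than on a bare host.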

Threat Content

Shared Security Content on Sigma

Securonix Threat Labs publishes up-to-date IOCs and threat hunting queries on Sigma, allowing you to tap into a vast community of collective defense and stay ahead of emerging threat research.


Why Security Content Matters

Learn how Securonix is paving the way to make precise, and actionable security content a reality for our customers.