Gurucul Threat Research Labs
Engineering Threat Detections from Every Perspective

Gurucul’s Threat Research team proactively develops countermeasures for a constantly evolving threat landscape. Our multidisciplinary approach, leveraging diverse expertise, ensures comprehensive detection coverage.

A powerful alliance of seasoned threat researchers and data scientists drives our innovation. By fusing external intelligence, internal expertise, and community insights, we develop cutting-edge detections to combat the most elusive threats.

How We Engineer Threat Detections

Multiple Teams, Sources and Disciplines

External Intelligence

The Gurucul Threat Research team uses diverse public threat intelligence sources to gain insight into threat actor tactics and attack patterns.

This intelligence, when combined with commercial data and anonymized customer information, empowers our threat hunters, researchers, and data scientists to proactively identify and mitigate emerging threats.

Platforms like MISP, NIST, MITRE, and SIGMA serve as rich repositories that aid in the creation of new detection models and help us stay ahead of the adversary.

Internal Expertise

Gurucul maintains a dedicated team of threat researchers, data scientists, and threat hunters who meticulously analyze a vast array of threat intelligence, encompassing open-source, commercial, and proprietary data.

Our threat hunting and research teams leverage this intelligence to investigate emerging threats, uncovering their origins, scope, and potential impact. By meticulously cataloging Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs), our experts develop robust countermeasures and mitigation strategies.

This comprehensive threat intelligence is shared with our data science team, who employ advanced analytics to build predictive models and algorithms.

Detection Output

Our detection engineering team is the culmination point for the collective efforts of our threat research, threat hunting, and data science teams. This fusion of intelligence, coupled with advanced models and algorithms, results in a robust Threat Content-as-a-Service offering, updated weekly. We share these insights with the broader community through the Gurucul Community and platforms like MITRE to bolster collective defense against evolving threats.

Beyond threat indicators, we provide pre-built threat hunting queries to accelerate investigations. Our detection engineering team meticulously crafts comprehensive threat content, including detections, classifications, pre-built reports, automated response actions, investigation tools, and alerts.

Latest Threat Research

10/04/24
Smartloader to lumma stealer
Medium

Intel Name: Smartloader to lumma stealer

Date of Scan: 10/04/24

Impact: Medium

Summary:
“SmartLoader to Lumma Stealer” refers to a transition in malware distribution techniques, where SmartLoader, a versatile malware delivery platform, is used to deploy Lumma Stealer. Lumma Stealer is designed to harvest sensitive information, such as login credentials, payment details, and personal data, from infected systems. This chain of infection highlights the evolving tactics of cybercriminals, utilizing robust loaders to facilitate the spread of more targeted and damaging malware. The combination poses significant risks to user security and data privacy.

More Details

10/04/24
Royal mail lures deliver open source prince ransomware
High

Intel Name: Royal mail lures deliver open source prince ransomware

Date of Scan: 10/04/24

Impact: High

Summary:
Proofpoint researchers discovered a campaign impersonating the British postal service, Royal Mail, to deliver Prince ransomware. This ransomware variant is available for free on GitHub, accompanied by a “disclaimer” stating it is intended solely for educational purposes. The campaign took place in mid-September, targeting individuals in the UK and the U.S. It was low-volume, affecting only a few organizations. Interestingly, most of the messages seemed to originate from contact forms on the targeted organizations’ websites, suggesting that the actor also exploits public contact forms, rather than exclusively using direct email outreach.

More Details

10/04/24
Suspicious chromium browser instance executed with custom extension
Medium

Intel Name: Suspicious chromium browser instance executed with custom extension

Date of Scan: 10/04/24

Impact: Medium

Summary:
“Suspicious Chromium Browser Instance Executed With Custom Extension” typically refers to security concerns surrounding a Chromium-based browser running with a potentially malicious or unauthorized extension. This situation can indicate that the browser instance may be used for activities like data theft, phishing, or unauthorized access to user information. Analysts often investigate the extension’s behavior, origin, and permissions to determine if it poses a threat to the system or user privacy. Such findings highlight the importance of monitoring browser extensions and ensuring they come from trusted sources.

More Details

10/03/24
Ukrainian language malspam pushes rms-based malware
High

Intel Name: Ukrainian language malspam pushes rms-based malware

Date of Scan: 10/03/24

Impact: High

Summary:
Initial phishing attempts involved Ukrainian-language emails sent on October 1, 2024, themed around “payment orders,” with a common attached PDF. Three examples were found on VirusTotal; two targeted .gov.ua recipients and one was sent to a US-based university. The spoofed PDF mimicked Ukraine’s PrivatBank and included a Bitbucket link to a now-defunct repository hosting a malicious 7-zip file. Inside, the 7-zip contained a zip file with a password-protected RAR file and a text file providing the password. The RAR file ultimately held a Windows EXE for RMS-based malware; RMS is a freely available remote desktop management tool from TektonIT.

More Details

10/03/24
Detecting vulnerability scanning traffic from underground tools using machine learning
Medium

Intel Name: Detecting vulnerability scanning traffic from underground tools using machine learning

Date of Scan: 10/03/24

Impact: Medium

Summary:
Researchers at Palo Alto Networks identified an automated scanning tool called Swiss Army Suite (S.A.S) during routine telemetry monitoring. This tool was used by attackers to conduct vulnerability scans on both customer web services and various online sites. An SQL injection detection model identified unusual traffic patterns linked to this tool, which may include payloads capable of bypassing web application firewalls. Further investigation revealed similar SQL injection attempts recorded by users across the internet. Understanding the tool’s behavior is crucial for enhancing defense strategies, whether they rely on signature-based or machine-learning detection methods.

More Details

10/03/24
Invocation of crypto-classes from the “cryptography” powershell namespace
Medium

Intel Name: Invocation of crypto-classes from the “cryptography” powershell namespace

Date of Scan: 10/03/24

Impact: Medium

Summary:
Identifies the execution of PowerShell commands that reference classes from the “System.Security.Cryptography” namespace. This namespace offers classes for real-time encryption and decryption, which can be used, for instance, to decrypt malicious payloads to evade detection. This malware continues to be one of the top ten infections we’ve detected in our clients’ networks, primarily targeting the Education and Health sectors.

More Details

10/03/24
Lace tempest file indicators
High

Intel Name: Lace tempest file indicators

Date of Scan: 10/03/24

Impact: High

Summary:
Identifies the creation of PowerShell script files with certain names or suffixes commonly used by FIN7.

More Details

10/01/24
Mdr in action: preventing the more_eggs backdoor from hatching
Medium

Intel Name: Mdr in action: preventing the more_eggs backdoor from hatching

Date of Scan: 10/01/24

Impact: Medium

Summary:
A customer’s talent search resulted in their recruitment officer downloading a fraudulent resume and unintentionally running a malicious .LNK file, leading to a More_eggs infection. More_eggs is a JScript backdoor associated with the Golden Chickens malware-as-a-service (MaaS) toolkit. It is commonly exploited by financially motivated threat actors, including FIN6 and the Cobalt Group, to target financial and retail institutions. The backdoor connects to a fixed command-and-control (C&C) server to download and execute additional payloads, such as infostealers and ransomware.

More Details

10/01/24
Nitrogen campaign drops sliver and ends with blackcat ransomware
High

Intel Name: Nitrogen campaign drops sliver and ends with blackcat ransomware

Date of Scan: 10/01/24

Impact: High

Summary:
The incident started when a user inadvertently downloaded a malicious version of Advanced IP Scanner from a counterfeit website designed to resemble the legitimate one, using Google ads to achieve a higher search ranking. Analysis of the attack pattern and loader signature indicates that this was part of a Nitrogen campaign, aligning with earlier public reports. The compromised installer was delivered as a ZIP file, which the victim extracted and subsequently ran the embedded executable, leading to the infection.

More Details

09/30/24
Capybara dns tunneling campaign
High

Intel Name: Capybara dns tunneling campaign

Date of Scan: 09/30/24

Impact: High

Summary:
We have identified a DNS tunneling campaign named Capybara that employs several techniques for encoding or obscuring data within the DNS tunnel. These techniques include tailored Base32 encoding. DNS tunneling can begin as soon as the second day following the registration of a Capybara domain. This campaign initiated in June 2024, and telemetry data showed a peak of 22,685,570 fully qualified domain name (FQDN) detections in a single day in August 2024. The specific purpose of this campaign remains undetermined.

More Details

Powering REVEAL: The Dynamic Security Analytics Platform

REVEAL is the visionary security platform that delivers radical clarity into your cyber risk and drastically reduces data costs. It’s a unified suite of capabilities and tools that uncover true threats and quantify risks in real-time—regardless of the data source, across the entire IT estate.

REVEAL gives security teams the visibility, focus, and perspective they need to outpace threats and focus on what matters most.

Learn More