Gurucul’s Threat Research team proactively develops countermeasures for a constantly evolving threat landscape. Our multidisciplinary approach, leveraging diverse expertise, ensures comprehensive detection coverage.
The Gurucul Threat Research team uses diverse public threat intelligence sources to gain insight into threat actor tactics and attack patterns.
This intelligence, when combined with commercial data and anonymized customer information, empowers our threat hunters, researchers, and data scientists to proactively identify and mitigate emerging threats.
Platforms like MISP, NIST, MITRE, and SIGMA serve as rich repositories to aid in the creation of new detection models and stay ahead of the adversary.
Gurucul maintains a dedicated team of threat researchers, data scientists, and threat hunters who meticulously analyze a vast array of threat intelligence, encompassing open-source, commercial, and proprietary data.
Our threat hunting and research teams leverage this intelligence to investigate emerging threats, uncovering their origins, scope, and potential impact. By meticulously cataloging Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs), our experts develop robust countermeasures and mitigation strategies.
This comprehensive threat intelligence is shared with our data science team, who employ advanced analytics to build predictive models and algorithms.
Our detection engineering team is the culmination point for the collective efforts of our threat research, threat hunting, and data science teams. This fusion of intelligence, coupled with advanced models and algorithms, results in a robust Threat Content-as-a-Service offering, updated weekly. We share these insights with the broader community through the Gurucul Community and platforms like MITRE to bolster collective defense against evolving threats.
Beyond threat indicators, we provide pre-built threat hunting queries to accelerate investigations. Our detection engineering team meticulously crafts comprehensive threat content, including detections, classifications, pre-built reports, automated response actions, investigation tools, and alerts.
Intel Name: SmartLoader to Lumma Stealer
Date of Scan: 10/04/24
Impact: Medium
Summary: “SmartLoader to Lumma Stealer” refers to a transition in malware distribution techniques, where SmartLoader, a versatile malware delivery platform, is used to deploy Lumma Stealer. Lumma Stealer is designed to harvest sensitive information, such as login credentials, payment details, and personal data, from infected systems. This chain of infection highlights the evolving tactics of cybercriminals, utilizing robust loaders to facilitate the spread of more targeted and damaging malware. The combination poses significant risks to user security and data privacy.
Intel Name: Royal Mail Lures Deliver Open-Source Prince Ransomware
Date of Scan: 10/04/24
Impact: High
Summary: Proofpoint researchers discovered a campaign impersonating the British postal service, Royal Mail, to deliver Prince ransomware. This ransomware variant is available for free on GitHub, accompanied by a “disclaimer” stating it is intended solely for educational purposes. The campaign took place in mid-September, targeting individuals in the UK and the U.S. It was low-volume, affecting only a few organizations. Interestingly, most of the messages seemed to originate from contact forms on the targeted organizations’ websites, suggesting that the actor also exploits public contact forms, rather than exclusively using direct email outreach.
Intel Name: Suspicious Chromium Browser Instance Executed With Custom Extension
Date of Scan: 10/04/24
Impact: Medium
Summary: “Suspicious Chromium Browser Instance Executed With Custom Extension” typically refers to security concerns surrounding a Chromium-based browser running with a potentially malicious or unauthorized extension. This situation can indicate that the browser instance may be used for activities like data theft, phishing, or unauthorized access to user information. Analysts often investigate the extension’s behavior, origin, and permissions to determine if it poses a threat to the system or user privacy. Such findings highlight the importance of monitoring browser extensions and ensuring they come from trusted sources.
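The entry above describes the detection in words only. The following is an added example, not Gurucul's or any vendor's rule, of how a detection engineer might express it over process-creation events: it looks for Chromium-family browsers started with the `--load-extension=` or `--disable-extensions-except=` flags (both real Chromium switches that load unpacked extensions from an arbitrary directory) and raises the severity when the extension directory sits in a user-writable staging location such as Temp or Downloads. The event field names (`Image`, `CommandLine`, `ProcessId`), the browser image list and the staging-directory pattern are assumptions for the example, and the events themselves are constructed.

```python
import re
from dataclasses import dataclass

# Assumed set of Chromium-based browser executables worth inspecting.
CHROMIUM_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "chromium.exe", "opera.exe", "vivaldi.exe"}

# Real Chromium switches that load an unpacked extension from a directory on disk.
FLAG_RE = re.compile(r'(--load-extension|--disable-extensions-except)=("[^"]*"|\S+)')

# Assumed "staging" locations: an extension loaded from here is more suspicious than a
# developer's working copy, because these are where downloaded or dropped files usually land.
STAGING_DIRS = re.compile(r"\\(Temp|Downloads|ProgramData|Public)\\", re.I)


@dataclass
class Finding:
    pid: int
    image: str
    flag: str
    paths: tuple
    severity: str


def _image_name(path):
    """Return the lowercase file name of a process image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(event):
    """Return a list of Findings for one process-creation event, or None if nothing matched."""
    image = _image_name(event["Image"])
    if image not in CHROMIUM_IMAGES:
        return None  # the flags only matter when a Chromium-family browser parses them
    findings = []
    for flag, raw in FLAG_RE.findall(event["CommandLine"]):
        # Both switches accept a comma-separated list of extension directories.
        paths = tuple(p.strip() for p in raw.strip('"').split(",") if p.strip())
        severity = "high" if any(STAGING_DIRS.search(p) for p in paths) else "medium"
        findings.append(Finding(event["ProcessId"], image, flag, paths, severity))
    return findings or None


def scan(events):
    """Flatten per-event findings across a batch of events."""
    out = []
    for ev in events:
        out.extend(analyze_event(ev) or [])
    return out


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" https://example.com'},
    {"ProcessId": 4188, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --load-extension="C:\Users\alice\AppData\Local\Temp\ext" --no-first-run'},
    {"ProcessId": 5010, "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --disable-extensions-except=C:\dev\myext --load-extension=C:\dev\myext'},
    {"ProcessId": 5300, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -c Write-Host --load-extension=C:\x"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] pid={f.pid} {f.image} {f.flag} -> {', '.join(f.paths)}")
```

The developer case (the msedge event) is deliberately only medium: unpacked extensions are a normal part of extension development, so the tuning lever in practice is the staging-directory list and an allowlist of known development hosts, not suppressing the flag itself.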
Intel Name: Ukrainian-Language Malspam Pushes RMS-Based Malware
Date of Scan: 10/03/24
Impact: High
Summary: Initial phishing attempts involved Ukrainian-language emails sent on October 1, 2024, themed around “payment orders,” with a common attached PDF. Three examples were found on VirusTotal; two targeted .gov.ua recipients and one was sent to a US-based university. The spoofed PDF mimicked Ukraine’s PrivatBank and included a Bitbucket link to a now-defunct repository hosting a malicious 7-zip file. Inside, the 7-zip contained a zip file with a password-protected RAR file and a text file providing the password. The RAR file ultimately held a Windows EXE for RMS-based malware; RMS is a freely available remote desktop management tool from TektonIT.
Intel Name: Detecting Vulnerability Scanning Traffic From Underground Tools Using Machine Learning
Date of Scan: 10/03/24
Impact: Medium
Summary: Researchers at Palo Alto Networks identified an automated scanning tool called Swiss Army Suite (S.A.S) during routine telemetry monitoring. This tool was used by attackers to conduct vulnerability scans on both customer web services and various online sites. An SQL injection detection model identified unusual traffic patterns linked to this tool, which may include payloads capable of bypassing web application firewalls. Further investigation revealed similar SQL injection attempts recorded by users across the internet. Understanding the tool’s behavior is crucial for enhancing defense strategies, whether they rely on signature-based or machine-learning detection methods.
Intel Name: Invocation of Crypto-Classes From the “Cryptography” PowerShell Namespace
Date of Scan: 10/03/24
Impact: Medium
Summary: Identifies the execution of PowerShell commands that reference classes from the “System.Security.Cryptography” namespace. This namespace offers classes for real-time encryption and decryption, which can be used, for instance, to decrypt malicious payloads for evading detection. This malware continues to be one of the top ten infections we’ve detected in our clients’ networks, primarily targeting the Education and Health sectors.
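As an added example (not Gurucul's detection content), here is one way to implement the rule described above over PowerShell script-block records, such as the text carried in Event ID 4104. It matches references to `System.Security.Cryptography.<Class>` in both the fully qualified and the shortened `[Security.Cryptography.<Class>]` form that PowerShell accepts, extracts the class names for the analyst, suppresses hits from an allowlisted script directory, and raises the severity when the same block also decodes Base64 or calls `Invoke-Expression`, since the entry's stated concern is decrypting a payload in order to run it. The record field names (`RecordId`, `Path`, `ScriptBlockText`), the allowlist path and the severity heuristic are assumptions for the example; the records are constructed.

```python
import re
from dataclasses import dataclass

# Matches [System.Security.Cryptography.X], Security.Cryptography.X, New-Object System.Security.Cryptography.X, ...
CRYPTO_RE = re.compile(r"\[?(?:System\.)?Security\.Cryptography\.([A-Za-z0-9_]+)\]?", re.I)

# Assumed escalation heuristic: crypto classes next to a decode-and-execute pattern.
EXEC_RE = re.compile(r"\b(?:Invoke-Expression|IEX)\b|FromBase64String", re.I)

# Assumed allowlist of script locations known to use the namespace legitimately (hashing, backups).
ALLOWLISTED_PATHS = ("C:\\Scripts\\Backup\\",)


@dataclass
class CryptoFinding:
    record_id: int
    classes: list
    severity: str
    script_path: str


def analyze_script_block(rec):
    """Return a CryptoFinding for one script-block record, or None if it is not of interest."""
    text = rec["ScriptBlockText"]
    classes = sorted({m.group(1) for m in CRYPTO_RE.finditer(text)})
    if not classes:
        return None
    path = rec.get("Path", "")
    if any(path.lower().startswith(p.lower()) for p in ALLOWLISTED_PATHS):
        return None  # known-good script location; tune this list per environment
    severity = "high" if EXEC_RE.search(text) else "medium"
    return CryptoFinding(rec["RecordId"], classes, severity, path)


def scan(records):
    """Run the rule over a batch of records and keep only the hits."""
    return [f for f in map(analyze_script_block, records) if f]


# Constructed sample records (not real logs).
SAMPLE_RECORDS = [
    {"RecordId": 101, "Path": "",
     "ScriptBlockText": "$aes = [System.Security.Cryptography.Aes]::Create(); $aes.Key = [Convert]::FromBase64String($k); "
                        "IEX ([Text.Encoding]::UTF8.GetString($plain))"},
    {"RecordId": 102, "Path": "C:\\Scripts\\Inventory\\list.ps1",
     "ScriptBlockText": "Get-ChildItem C:\\Users | Select-Object Name"},
    {"RecordId": 103, "Path": "C:\\Scripts\\Backup\\hash.ps1",
     "ScriptBlockText": "$sha = [Security.Cryptography.SHA256]::Create(); $sha.ComputeHash($bytes)"},
    {"RecordId": 104, "Path": "C:\\Scripts\\Audit\\verify.ps1",
     "ScriptBlockText": "$h = New-Object System.Security.Cryptography.SHA256Managed"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"[{f.severity}] record={f.record_id} classes={f.classes} path={f.script_path or '<interactive>'}")
```

The hashing-only record from the allowlisted backup directory is dropped, the audit script surfaces at medium so an analyst can confirm it is expected, and only the block that creates a cipher, decodes key material and passes the result to `IEX` reaches high.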
Intel Name: Lace Tempest File Indicators
Date of Scan: 10/03/24
Impact: High
Summary: Identifies the creation of PowerShell script files with certain names or suffixes commonly used by FIN7.
Intel Name: MDR in Action: Preventing the More_eggs Backdoor From Hatching
Date of Scan: 10/01/24
Impact: Medium
Summary: A customer’s talent search resulted in their recruitment officer downloading a fraudulent resume and unintentionally running a malicious .LNK file, leading to a More_eggs infection. More_eggs is a JScript backdoor associated with the Golden Chickens malware-as-a-service (MaaS) toolkit. It is commonly exploited by financially motivated threat actors, including FIN6 and the Cobalt Group, to target financial and retail institutions. The backdoor connects to a fixed command-and-control (C&C) server to download and execute additional payloads, such as infostealers and ransomware.
Intel Name: Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware
Date of Scan: 10/01/24
Impact: High
Summary: The incident started when a user inadvertently downloaded a malicious version of Advanced IP Scanner from a counterfeit website designed to resemble the legitimate one, which used Google ads to achieve a higher search ranking. Analysis of the attack pattern and loader signature indicates that this was part of a Nitrogen campaign, aligning with earlier public reports. The compromised installer was delivered as a ZIP file, which the victim extracted before running the embedded executable, leading to the infection.
Intel Name: Capybara DNS Tunneling Campaign
Date of Scan: 09/30/24
Impact: High
Summary: We have identified a DNS tunneling campaign named Capybara that employs several techniques for encoding or obscuring data within the DNS tunnel. These techniques include tailored Base32 encoding. DNS tunneling can begin as soon as the second day following the registration of a Capybara domain. This campaign began in June 2024, and telemetry data showed a peak of 22,685,570 fully qualified domain name (FQDN) detections in a single day in August 2024. The specific purpose of this campaign remains undetermined.
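The entry above names the two observable properties a defender can work with: Base32-like subdomains and a large number of distinct FQDNs under one registered domain. The following added example (not Gurucul's or the original researchers' code) profiles DNS query logs per registered domain and flags domains whose leading labels are long, drawn almost entirely from the standard Base32 alphabet, high in entropy, and numerous. Assumptions: the log line format (`timestamp client qname qtype`), the naive "last two labels" notion of registered domain (a real deployment would use a public suffix list), the thresholds, and the standard A-Z/2-7 alphabet, since the campaign's tailored alphabet is not given on the page; the log lines and domain names are constructed.

```python
import math
import re
from collections import defaultdict

# Standard RFC 4648 Base32 alphabet, lowercased; the campaign's "tailored" variant is not on the page,
# so this is the assumed baseline a defender would start from.
BASE32_CHARS = set("abcdefghijklmnopqrstuvwxyz234567")

# Assumed log format: "<timestamp> <client ip> <query name> <query type>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+)$")


def registered_domain(qname):
    """Naive registered domain: last two labels (assumption; use a public suffix list in production)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname.lower()


def subdomain_part(qname):
    """Everything left of the registered domain, joined; this is where tunnel payload is carried."""
    return "".join(qname.rstrip(".").lower().split(".")[:-2])


def shannon_entropy(s):
    """Bits per character of the string's empirical character distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def profile_domains(lines):
    """Aggregate per-registered-domain features from raw log lines."""
    per_domain = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole batch
        per_domain[registered_domain(m["qname"])].add(m["qname"].lower())
    profiles = {}
    for dom, fqdns in per_domain.items():
        subs = [subdomain_part(f) for f in fqdns]
        chars = "".join(subs)
        profiles[dom] = {
            "unique_fqdns": len(fqdns),
            "avg_sub_len": sum(map(len, subs)) / len(subs),
            "base32_ratio": (sum(c in BASE32_CHARS for c in chars) / len(chars)) if chars else 0.0,
            "avg_entropy": sum(map(shannon_entropy, subs)) / len(subs),
        }
    return profiles


def tunnel_candidates(lines, min_fqdns=5, min_sub_len=20, min_b32=0.9, min_entropy=3.0):
    """Registered domains whose query population looks like an encoded tunnel (thresholds are assumptions)."""
    return sorted(
        dom for dom, p in profile_domains(lines).items()
        if p["unique_fqdns"] >= min_fqdns and p["avg_sub_len"] >= min_sub_len
        and p["base32_ratio"] >= min_b32 and p["avg_entropy"] >= min_entropy
    )


# Constructed sample log (not real telemetry; tunnel-example.net is a placeholder, not a campaign IoC).
SAMPLE_LOG = """\
2024-08-12T10:00:01Z 10.0.0.5 www.example.com A
2024-08-12T10:00:02Z 10.0.0.5 mail.example.com A
2024-08-12T10:00:03Z 10.0.0.6 cdn.example.com A
2024-08-12T10:00:04Z 10.0.0.6 api.example.com A
2024-08-12T10:00:05Z 10.0.0.7 static.example.com A
2024-08-12T10:00:06Z 10.0.0.7 img.example.com A
2024-08-12T10:00:07Z 10.0.0.7 www.example.com A
2024-08-12T10:01:01Z 10.0.0.9 mfrggzdfmztwq2lknnwg23tpobyxe43u.a1.tunnel-example.net TXT
2024-08-12T10:01:02Z 10.0.0.9 krugkidrovuwg2zamjzg653oefvwg4lj.a2.tunnel-example.net TXT
2024-08-12T10:01:03Z 10.0.0.9 obxw4ltrovsxg5dfmn2gc3tpmrsw4ylp.a3.tunnel-example.net TXT
2024-08-12T10:01:04Z 10.0.0.9 nfxgc43ujbsxs4tfojqw4ltqmvxgg5dm.a4.tunnel-example.net TXT
2024-08-12T10:01:05Z 10.0.0.9 ibsw4ylhmvzcc2djmfxgqzlsmn2wc2ls.a5.tunnel-example.net TXT
2024-08-12T10:01:06Z 10.0.0.9 onsw24dmmuqgc3tpor2gk4rannuwozlq.a6.tunnel-example.net TXT
this line is malformed and is skipped
""".splitlines()

if __name__ == "__main__":
    for dom, p in profile_domains(SAMPLE_LOG).items():
        print(dom, {k: round(v, 2) for k, v in p.items()})
    print("candidates:", tunnel_candidates(SAMPLE_LOG))
```

No single feature is sufficient: the benign example.com labels are 100% Base32-alphabet characters too, and a CDN can legitimately produce hash-like hostnames, so the rule only fires when length, alphabet, entropy and FQDN count agree. In production the FQDN count is the feature to scale, since the campaign's own signal was tens of millions of distinct FQDNs per day.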
REVEAL is the visionary security platform that delivers radical clarity into your cyber risk and drastically reduces data costs. It’s a unified suite of capabilities and tools that uncover true threats and quantify risks in real-time—regardless of the data source, across the entire IT estate.
REVEAL gives security teams the visibility, focus, and perspective they need to outpace threats and focus on what matters most.
The DisGoMoji malware operates under the control of its creators through the popular messaging platform Discord. To maintain secrecy, the attackers have ingeniously devised a system of using emojis within Discord messages to transmit commands to the malware.
Lockkey is a ransomware variant written in the Go programming language, making it potentially more cross-platform and resilient than ransomware traditionally written in languages like C++. While the specifics of its technical mechanisms are unavailable due to the restricted source.