Gurucul’s Threat Research team proactively develops countermeasures for a constantly evolving threat landscape. Our multidisciplinary approach, leveraging diverse expertise, ensures comprehensive detection coverage.
The Gurucul Threat Research team uses diverse public threat intelligence sources to gain insight into threat actor tactics and attack patterns.
This intelligence, when combined with commercial data and anonymized customer information, empowers our threat hunters, researchers, and data scientists to proactively identify and mitigate emerging threats.
Platforms like MISP, NIST, MITRE, and SIGMA serve as rich repositories to aid in the creation of new detection models and stay ahead of the adversary.
Gurucul maintains a dedicated team of threat researchers, data scientists, and threat hunters who meticulously analyze a vast array of threat intelligence, encompassing open-source, commercial, and proprietary data.
Our threat hunting and research teams leverage this intelligence to investigate emerging threats, uncovering their origins, scope, and potential impact. By meticulously cataloging Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs), our experts develop robust countermeasures and mitigation strategies.
This comprehensive threat intelligence is shared with our data science team, who employ advanced analytics to build predictive models and algorithms.
Our detection engineering team is the culmination point for the collective efforts of our threat research, threat hunting, and data science teams. This fusion of intelligence, coupled with advanced models and algorithms, results in a robust Threat Content-as-a-Service offering, updated weekly. We share these insights with the broader community through the Gurucul Community and platforms like MITRE to bolster collective defense against evolving threats.
Beyond threat indicators, we provide pre-built threat hunting queries to accelerate investigations. Our detection engineering team meticulously crafts comprehensive threat content, including detections, classifications, pre-built reports, automated response actions, investigation tools, and alerts.
Intel Name: A New Android Banking Trojan Masquerades as Utility and Banking Apps in India
Date of Scan: 12/13/24
Impact: Medium
Summary: “A New Android Banking Trojan Masquerades as Utility and Banking Apps in India” discusses the discovery of a new Android banking trojan targeting Indian users, identified by McAfee Mobile Research Team. This malware disguises itself as utility or banking apps, such as gas or electricity services, to steal sensitive information. The trojan exploits the urgency of utility-related messages, like warnings about service disconnections, to trick users into acting quickly. So far, it has infected 419 devices, intercepted nearly 5,000 SMS messages, and stolen over 600 pieces of bank-related personal information. McAfee Mobile Security detects the threat as Android/Banker, with numbers expected to rise as campaigns continue.
Intel Name: Network abuses leveraging high-profile events: suspicious domain registrations and other scams
Date of Scan: 12/13/24
Impact: High
Summary: Threat actors often capitalize on trending events, such as global sporting championships, to execute attacks like phishing and scams. As a result, proactive monitoring of event-related domain abuse is vital for cybersecurity teams. Our investigations into network abuse frequently identify suspicious domain registration campaigns, especially those incorporating event-specific keywords or phrases. These campaigns typically spike around major events.
Intel Name: The Stealthy Stalker: Remcos RAT
Date of Scan: 12/12/24
Impact: Medium
Summary: “The Stealthy Stalker: Remcos RAT” highlights the rising threat of the Remcos Remote Access Trojan (RAT), identified by McAfee Labs in Q3 2024. This malware, commonly delivered via phishing emails and malicious attachments, allows cybercriminals to remotely control infected systems. Remcos RAT is increasingly used for espionage, data theft, and system manipulation, making it a significant concern in cybersecurity. As cyberattacks evolve in sophistication, understanding how Remcos RAT operates and implementing robust security measures is vital to safeguarding sensitive data and systems from this growing threat. The blog offers a technical analysis of two key Remcos RAT variants.
Intel Name: Inside Zloader’s latest trick: DNS tunneling
Date of Scan: 12/12/24
Impact: High
Summary: Zloader (also known as Terdot, DELoader, or Silent Night) is a modular Trojan derived from the leaked Zeus source code, first appearing in 2015. Initially designed for banking fraud through Automated Clearing House (ACH) and wire transfers, Zloader has since been repurposed for initial access, enabling ransomware deployment in corporate environments, similar to Qakbot and Trickbot. After a nearly two-year hiatus, Zloader resurfaced a year ago with a new version featuring enhanced obfuscation techniques, a refined domain generation algorithm (DGA), advanced anti-analysis measures, and updated network communication protocols.
Intel Name: Anatomy of Celestial Stealer: Malware-as-a-Service revealed
Date of Scan: 12/11/24
Impact: High
Summary: During proactive threat hunting, Trellix Advanced Research Center identified samples of Celestial Stealer, a JavaScript-based infostealer packaged as either an Electron application or a Node.js single application for Windows 10 and 11. Offered as Malware-as-a-Service (MaaS) on Telegram, it allows users to purchase subscriptions—weekly, monthly, or lifetime—for access to its malicious features. The stealer targets Chromium and Gecko-based browsers, as well as applications like Steam, Telegram, and cryptocurrency wallets such as Atomic and Exodus.
Intel Name: Eventlog query requests by built-in utilities
Date of Scan: 12/10/24
Impact: Medium
Summary: Detects attempts to query event log contents using command-line utilities. Attackers often use this technique to search logs for sensitive information, such as passwords, usernames, or IP addresses.
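Detection logic for the behaviour this entry describes, run over constructed process-creation events (Sysmon Event ID 1 style field names). This is an added example, not Gurucul's detection content; the sample events and the list of query verbs are assumptions made for the illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample process-creation events; not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": r'wevtutil.exe qe Security /q:"*[System[(EventID=4624)]]" /f:text'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -NoP -C "Get-WinEvent -LogName Security -MaxEvents 500"'},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic ntevent where \"LogFile='Security'\" get Message"},
    {"Image": r"C:\Windows\System32\wevtutil.exe",
     "CommandLine": "wevtutil.exe el"},   # lists log names only, not their contents
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
]

# Verbs/cmdlets that actually read log contents. Other wevtutil subcommands
# (e.g. "el" to enumerate logs) are administrative noise and are not flagged.
WEVTUTIL_QUERY = {"qe", "query-events"}
POWERSHELL_CMDLETS = re.compile(r"\bGet-(WinEvent|EventLog)\b", re.IGNORECASE)
WMIC_CLASSES = re.compile(r"\b(ntevent|win32_ntlogevent)\b", re.IGNORECASE)


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a short reason if the event is an event-log content query, else None."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "")
    args = cmd.split()
    if image == "wevtutil.exe":
        if len(args) > 1 and args[1].lower() in WEVTUTIL_QUERY:
            return "wevtutil query-events"
    elif image in {"powershell.exe", "pwsh.exe"} and POWERSHELL_CMDLETS.search(cmd):
        return "PowerShell event-log cmdlet"
    elif image == "wmic.exe" and WMIC_CLASSES.search(cmd):
        return "WMIC ntevent query"
    return None


def find_eventlog_queries(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (reason, command line) pairs for every event that queries log contents."""
    hits = []
    for event in events:
        reason = classify(event)
        if reason:
            hits.append((reason, event["CommandLine"]))
    return hits
```

In production the alert would also carry the parent process and user, since the same commands are routine from an administrator's console.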
Intel Name: SmokeLoader attack targets companies in Taiwan
Date of Scan: 12/09/24
Impact: High
Summary: In September 2024, an attack was observed leveraging the notorious SmokeLoader malware to target companies in Taiwan across sectors like manufacturing, healthcare, and IT. Known for its versatility and advanced evasion techniques, SmokeLoader’s modular design enables a variety of attacks. While it typically serves as a downloader for other malware, in this case it executed the attack directly by retrieving plugins from its command-and-control (C2) server.
Intel Name: MOONSHINE exploit kit and DarkNimbus backdoor enabling Earth Minotaur’s multi-platform attacks
Date of Scan: 12/06/24
Impact: High
Summary: Since 2019, we have been monitoring the activity of the MOONSHINE exploit kit. During our research, we uncovered a server with poor operational security, exposing its toolkits, operation logs, potential victim data, and the tactics of the threat actor Earth Minotaur. Initially targeting the Tibetan and Uyghur communities, MOONSHINE exploits vulnerabilities in Android instant messaging apps to implant backdoors. By 2024, at least 55 MOONSHINE exploit kit servers were identified, featuring updated vulnerabilities and enhanced protection against analysis, and it remains actively used by threat actors.
Intel Name: Gafgyt malware broadens its scope in recent attacks
Date of Scan: 12/05/24
Impact: High
Summary: The Gafgyt malware (also known as Bashlite or Lizkebab) has recently been observed targeting publicly exposed Docker Remote API servers. Traditionally focused on IoT devices, Gafgyt is now expanding its scope. Attackers exploit misconfigured Docker APIs to deploy the malware by creating containers using legitimate “alpine” Docker images. Once deployed, the malware enables attackers to infect victims and launch DDoS attacks against targeted servers.
Intel Name: Unveiling RevC2 and Venom Loader
Date of Scan: 12/04/24
Impact: High
Summary: Between August and October 2024, ThreatLabz identified campaigns deploying two new malware families: RevC2 and Venom Loader. These were distributed via Venom Spider’s malware-as-a-service (MaaS) tools. RevC2 utilizes WebSockets for command-and-control (C2) communication and is capable of stealing cookies and passwords, proxying network traffic, and enabling remote code execution (RCE). Venom Loader, a custom malware loader, encodes its payload using the victim’s computer name for a tailored attack.
REVEAL is the visionary security platform that delivers radical clarity into your cyber risk and drastically reduces data costs. It’s a unified suite of capabilities and tools that uncover true threats and quantify risks in real-time—regardless of the data source, across the entire IT estate.
REVEAL gives security teams the visibility, focus, and perspective they need to outpace threats and focus on what matters most.
The DisGoMoji malware operates under the control of its creators through the popular messaging platform Discord. To maintain secrecy, the attackers have ingeniously devised a system of using emojis within Discord messages to transmit commands to the malware.
Lockkey is a ransomware variant written in the Go programming language, making it potentially more cross-platform and resilient than ransomware traditionally written in languages like C++. While the specifics of its technical mechanisms are unavailable due to the restricted source.