Gurucul Threat Research Labs
Engineering Threat Detections from Every Perspective

Gurucul’s Threat Research team proactively develops countermeasures for a constantly evolving threat landscape. Our multidisciplinary approach, leveraging diverse expertise, ensures comprehensive detection coverage.

A powerful alliance of seasoned threat researchers and data scientists drives our innovation. By fusing external intelligence, internal expertise, and community insights, we develop cutting-edge detections to combat the most elusive threats.

How We Engineer Threat Detections

Multiple Teams, Sources and Disciplines

External Intelligence

The Gurucul Threat Research team uses diverse public threat intelligence sources to gain insight into threat actor tactics and attack patterns.

This intelligence, when combined with commercial data and anonymized customer information, empowers our threat hunters, researchers, and data scientists to proactively identify and mitigate emerging threats.

Platforms like MISP, NIST, MITRE, and SIGMA serve as rich repositories to aid in the creation of new detection models and stay ahead of the adversary.

Internal Expertise

Gurucul maintains a dedicated team of threat researchers, data scientists, and threat hunters who meticulously analyze a vast array of threat intelligence, encompassing open-source, commercial, and proprietary data.

Our threat hunting and research teams leverage this intelligence to investigate emerging threats, uncovering their origins, scope, and potential impact. By meticulously cataloging Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs), our experts develop robust countermeasures and mitigation strategies.

This comprehensive threat intelligence is shared with our data science team, who employ advanced analytics to build predictive models and algorithms.

Detection Output

Our detection engineering team is the culmination point for the collective efforts of our threat research, threat hunting, and data science teams. This fusion of intelligence, coupled with advanced models and algorithms, results in a robust Threat Content-as-a-Service offering, updated weekly. We share these insights with the broader community through the Gurucul Community and platforms like MITRE to bolster collective defense against evolving threats.

Beyond threat indicators, we provide pre-built threat hunting queries to accelerate investigations. Our detection engineering team meticulously crafts comprehensive threat content, including detections, classifications, pre-built reports, automated response actions, investigation tools, and alerts.

Latest Threat Research

Intel Name: A new Android banking trojan masquerades as utility and banking apps in India

Date of Scan: 12/13/24

Impact: Medium

Summary:
“A New Android Banking Trojan Masquerades as Utility and Banking Apps in India” discusses the discovery of a new Android banking trojan targeting Indian users, identified by the McAfee Mobile Research Team. This malware disguises itself as utility or banking apps, such as gas or electricity services, to steal sensitive information. The trojan exploits the urgency of utility-related messages, like warnings about service disconnections, to trick users into acting quickly. So far, it has infected 419 devices, intercepted nearly 5,000 SMS messages, and stolen over 600 pieces of bank-related personal information. McAfee Mobile Security detects the threat as Android/Banker, with numbers expected to rise as campaigns continue.

Intel Name: Network abuses leveraging high-profile events: suspicious domain registrations and other scams

Date of Scan: 12/13/24

Impact: High

Summary:
Threat actors often capitalize on trending events, such as global sporting championships, to execute attacks like phishing and scams. As a result, proactive monitoring of event-related domain abuse is vital for cybersecurity teams. Our investigations into network abuse frequently identify suspicious domain registration campaigns, especially those incorporating event-specific keywords or phrases. These campaigns typically spike around major events.

Intel Name: The stealthy stalker: Remcos RAT

Date of Scan: 12/12/24

Impact: Medium

Summary:
“The Stealthy Stalker: Remcos RAT” highlights the rising threat of the Remcos Remote Access Trojan (RAT), identified by McAfee Labs in Q3 2024. This malware, commonly delivered via phishing emails and malicious attachments, allows cybercriminals to remotely control infected systems. Remcos RAT is increasingly used for espionage, data theft, and system manipulation, making it a significant concern in cybersecurity. As cyberattacks evolve in sophistication, understanding how Remcos RAT operates and implementing robust security measures is vital to safeguarding sensitive data and systems from this growing threat. The blog offers a technical analysis of two key Remcos RAT variants.

Intel Name: Inside Zloader’s latest trick: DNS tunneling

Date of Scan: 12/12/24

Impact: High

Summary:
Zloader (also known as Terdot, DELoader, or Silent Night) is a modular Trojan derived from the leaked Zeus source code, first appearing in 2015. Initially designed for banking fraud through Automated Clearing House (ACH) and wire transfers, Zloader has since been repurposed for initial access, enabling ransomware deployment in corporate environments, similar to Qakbot and Trickbot. After a nearly two-year hiatus, Zloader resurfaced a year ago with a new version featuring enhanced obfuscation techniques, a refined domain generation algorithm (DGA), advanced anti-analysis measures, and updated network communication protocols.

Intel Name: Anatomy of Celestial Stealer: malware-as-a-service revealed

Date of Scan: 12/11/24

Impact: High

Summary:
During proactive threat hunting, Trellix Advanced Research Center identified samples of Celestial Stealer, a JavaScript-based infostealer packaged as either an Electron application or a Node.js single application for Windows 10 and 11. Offered as Malware-as-a-Service (MaaS) on Telegram, it allows users to purchase subscriptions—weekly, monthly, or lifetime—for access to its malicious features. The stealer targets Chromium and Gecko-based browsers, as well as applications like Steam, Telegram, and cryptocurrency wallets such as Atomic and Exodus.

Intel Name: Event log query requests by built-in utilities

Date of Scan: 12/10/24

Impact: Medium

Summary:
Detects attempts to query event log contents using command-line utilities. Attackers often use this technique to search logs for sensitive information such as passwords, usernames, or IP addresses.

Intel Name: SmokeLoader attack targets companies in Taiwan

Date of Scan: 12/09/24

Impact: High

Summary:
In September 2024, an attack was observed leveraging the notorious SmokeLoader malware to target companies in Taiwan across sectors such as manufacturing, healthcare, and IT. Known for its versatility and advanced evasion techniques, SmokeLoader’s modular design enables a variety of attacks. While it typically serves as a downloader for other malware, in this case it executed the attack directly by retrieving plugins from its command-and-control (C2) server.

Intel Name: MOONSHINE exploit kit and DarkNimbus backdoor enabling Earth Minotaur’s multi-platform attacks

Date of Scan: 12/06/24

Impact: High

Summary:
Since 2019, we have been monitoring the activity of the MOONSHINE exploit kit. During our research, we uncovered a server with poor operational security, exposing its toolkits, operation logs, potential victim data, and the tactics of the threat actor Earth Minotaur. Initially targeting the Tibetan and Uyghur communities, MOONSHINE exploits vulnerabilities in Android instant messaging apps to implant backdoors. By 2024, at least 55 MOONSHINE exploit kit servers were identified, featuring updated vulnerabilities and enhanced protection against analysis, and it remains actively used by threat actors.

Intel Name: Gafgyt malware broadens its scope in recent attacks

Date of Scan: 12/05/24

Impact: High

Summary:
The Gafgyt malware (also known as Bashlite or Lizkebab) has recently been observed targeting publicly exposed Docker Remote API servers. Traditionally focused on IoT devices, Gafgyt is now expanding its scope. Attackers exploit misconfigured Docker APIs to deploy the malware by creating containers using legitimate “alpine” Docker images. Once deployed, the malware enables attackers to infect victims and launch DDoS attacks against targeted servers.

Intel Name: Unveiling RevC2 and Venom Loader

Date of Scan: 12/04/24

Impact: High

Summary:
Between August and October 2024, ThreatLabz identified campaigns deploying two new malware families: RevC2 and Venom Loader. These were distributed via Venom Spider’s malware-as-a-service (MaaS) tools. RevC2 utilizes WebSockets for command-and-control (C2) communication and is capable of stealing cookies and passwords, proxying network traffic, and enabling remote code execution (RCE). Venom Loader, a custom malware loader, encodes its payload using the victim’s computer name for a tailored attack.

Powering REVEAL: The Dynamic Security Analytics Platform

REVEAL is the visionary security platform that delivers radical clarity into your cyber risk and drastically reduces data costs. It’s a unified suite of capabilities and tools that uncover true threats and quantify risks in real-time—regardless of the data source, across the entire IT estate.

REVEAL gives security teams the visibility, focus, and perspective they need to outpace threats and focus on what matters most.