Intelligence database: UX improvements and new telemetry columns 📺

Happy June! We have been working on some improvements to the Intelligence database page.

What's New?

  • Unified filter system: Say goodbye to scattered filters! We've introduced a centralized filter menu that works for both Objects and Observables. Click "F" and navigate with your keyboard with ease.

  • Show/Hide columns: Tired of seeing columns whose information does not matter to your specific use case? You can now choose which columns to show or enable using the show/hide columns control at the top right of the table.

  • Drag & drop reordering: Like things your way? Drag and drop columns to organize them however you like.

  • Default pagination: We've increased the default number of items shown per page to 25 for easier browsing.

And that's not IT. You can now have a quick overview of the telemetry data directly from the Intelligence table. When searching for a list of observables, quickly determine if what you're looking for has already been seen in Sekoia, either locally (in your Workspace) or globally (from all our clients).

To enable it, click on the "Columns" button and select Global and Workspace Telemetry.
We recommend you disable columns you don't use to ease navigation.

New Feature: Report Potential False Positives 🎈

We are thrilled to introduce a new feature that enhances your ability to provide valuable feedback and improve the accuracy of Sekoia's indicators!

What's New?

You can now easily report potential false positives directly within Sekoia. This feature is available in two convenient locations:

  • Alerts: When reviewing an alert triggered by an indicator, you can now directly report it as a false positive within the alert details. Keep in mind that alerts are automatically closed if the indicator is revoked.

  • Intelligence Database (Object Details): While viewing a CTI object in the Intelligence Database, you'll see a new option to flag the indicator as a potential false positive.

What happens after you request the revocation of an IOC?

Once you submit your request for revocation, a Zendesk ticket is automatically created, and both our Product Expertise and Support (PES) team and the Threat Detection and Research team are notified.

They review the request within a few days and determine whether the IOC should be revoked. If so, you will be notified.

This new feature not only helps you maintain a more accurate threat intelligence system but also contributes to the overall improvement of Sekoia’s reliability and performance.

OSINT collection playbooks updated with new threats: Latrodectus, ACR Stealer, AllaKore etc. 🦠

Each month Sekoia.io updates the configuration of its collection playbooks to automatically gather Indicators of Compromise (IoCs) of new threats. Our collection playbooks aggregate, enrich and contextualise IoCs from community threat intelligence feeds (URLhaus, ThreatFox, and others) and from analyses of the Hatching Triage sandbox. This time, we have added mostly cybercriminal threats sold on underground forums:

  • RATs and backdoors: AllaKore, Black RAT, Gh0stRAT, L3mon, LPEClient, OxtaRAT, RShell, SombRAT, Xeno RAT, XploitSpy;
  • Downloaders, droppers and loaders: BrbBot, HanaLoader, Latrodectus, LazarLoader, LetMeOut, SigLoader, SmartLoader, SSLoad;
  • Infostealers and spyware: ACR Stealer, DOSTEALER, Easy Stealer, IconicStealer, KrakenKeylogger, NimGrabber, Nova Stealer, Pegasus, PureLog, Typhon Stealer.

Sekoia.io proactively monitors new threats and invites you to read our latest blog post on Mallox affiliate leveraging PureCrypter in MS-SQL exploitation campaigns, both malware monitored by our OSINT collection playbooks.

In-depth analysis of the Tycoon 2FA Phishing-as-a-Service 🎣

Sekoia.io analysts conducted an in-depth analysis of the emerging Tycoon 2FA Attack-in-the-Middle (AiTM) Phishing-as-a-Service (PhaaS). Tycoon 2FA became widespread in the months following its release and is currently massively used in numerous phishing campaigns.

In this FLINT, we present an in-depth analysis of Tycoon 2FA and the recent developments we spotted in the phishing kit. Additionally, this report provides tracking opportunities to actively monitor the infrastructure and mitigate risks associated with Tycoon 2FA. We also share details on our investigation of the Bitcoin transactions allegedly attributed to "Saad Tycoon Group".

Analysis of Scattered Spider: evolution, TTPs and recent phishing campaigns 🕷️

Sekoia.io analysts published an overview detailing the activities of Scattered Spider, a lucrative intrusion set engaged in social engineering, ransomware, extortion campaigns, and other advanced techniques.

In this report, we provide our analysis of the progressive evolution of the intrusion set's modus operandi, motivations, victimology, and Tactics, Techniques, and Procedures (TTPs). In recent years, Scattered Spider's operational strategy shifted significantly from targeted phishing to the deployment of BlackCat ransomware, resulting in an expansion of their arsenal and adjustments to their targeting.

We actively tracked the dedicated phishing infrastructure, enabling us to monitor the recent campaigns and changes in their targeting.

OSINT collection playbooks updated with new threats: EpsilonStealer, GhostLocker, Rhysida, Socks5Systemz, etc. 🦠

Each month Sekoia.io updates the configuration of its collection playbooks to automatically gather Indicators of Compromise (IoCs) of new threats. Our collection playbooks aggregate, enrich and contextualise IoCs from community threat intelligence feeds (URLhaus, ThreatFox, and others) and from analyses of the Hatching Triage sandbox.

This time, we have mostly added cybercrime threats:

  • Android trojans: SMSAgent, TangleBot and WipeLock;
  • Infostealers and spyware: EpsilonStealer and EasyStealer;
  • Ransomware: Rhysida ransomware and GhostLocker.
OSINT collection playbooks updated with new threats: Borat RAT, Godzilla Loader, WikiLoader, BadBazaar, ChaosRat etc. 🦠

Each month Sekoia.io updates the configuration of its collection playbooks to automatically gather Indicators of Compromise (IoCs) of new threats. Our collection playbooks aggregate, enrich and contextualise IoCs from community threat intelligence feeds (URLhaus, ThreatFox, and others) and from analyses of the Hatching Triage sandbox.

This time, we have mostly added cybercrime threats:

  • RATs and backdoors: Borat RAT, ChaosRat, Gh0stRat, Octopus, More_eggs, Viper;
  • Droppers and downloaders: FakeUpdateRU, Godzilla Loader, CloudEyE;
  • Infostealers and spyware: BadBazaar, ClipBanker, CrealStealer, Hydra and Serpent Stealer.
OSINT collection playbooks updated with new threats: ClearFake, Epsilon Stealer, GoShellcode, Millenium RAT and Socks5Systemz 🦠

Each month Sekoia.io updates the configuration of its collection playbooks to automatically gather Indicators of Compromise (IoCs) of new threats. Our collection playbooks aggregate, enrich and contextualise IoCs from community threat intelligence feeds (URLhaus, ThreatFox, and others) and from analyses of the Hatching Triage sandbox. This time, it includes the following threats:

  • Remote access trojans: GoldDigger, Millenium RAT, Sakula RAT, Venom RAT, Viper RAT, Xtreme RAT, 888RAT;
  • Infostealers: Epsilon Stealer, Luna Grabber, PureLogs (aka zgRAT), Realst;
  • Other threats, including ClearFake, TA577, GoShellcode, Socks5Systemz.

Sekoia.io proactively monitors new "fake updates" threats and the malware they deliver. If you want to know more about the newcomer "fake updates" threat ClearFake, you can read our analysis in the blog post on ClearFake!

Analysis of Dadsec OTT, a new prevalent PhaaS using AiTM phishing 📧

Sekoia.io analysts conducted an in-depth analysis of the emerging Dadsec Attack-in-the-Middle (AiTM) Phishing-as-a-Service (PhaaS). The Dadsec OTT platform quickly became widespread and is used in numerous phishing campaigns, including the trendy and evasive QR code phishing attacks. Dadsec OTT phishing pages mainly aim to harvest Microsoft 365 session cookies in order to bypass the MFA process during subsequent authentication.

We published the results of our analysis in FLINT 2023-043 - Dadsec OTT: a new prevalent PhaaS using AitM phishing, which presents the context of the threat, how the Dadsec phishing kit works, and tracking and detection opportunities related to this threat.

OSINT collection playbooks updated with new threats: ClearFake, DarkGate, HijackLoader, PovertyStealer, RisePro 🦠

Each month Sekoia.io updates the configuration of its collection playbooks to automatically gather Indicators of Compromise (IoCs) of new threats. Our collection playbooks aggregate, enrich and contextualise IoCs from community threat intelligence feeds (URLhaus, ThreatFox, and others) and from analyses of the Hatching Triage sandbox. This time, it includes the following threats:

  • Infostealers: Agniane, Bandit Stealer, Blank Grabber, Creal Stealer, Mystic, PovertyStealer, RisePro, WhiteSnake Stealer;
  • Loaders: Astasia, DarkGate, DiceLoader (aka Lizar);
  • Threats directly linked to threat groups: TeamSpy, 8220 Gang, TA544;
  • Bots: ExoBot, SupremeBot, Socks5Systemz.

Sekoia.io proactively monitors new widespread malware and we invite you to read our FLINT about ClearFake, a new "fake updates" threat!

Analysis of ClearFake, a newcomer to the "fake updates" threats landscape 🕵️

Sekoia.io analysts investigated ClearFake, a new malicious JavaScript framework deployed on compromised websites to deliver further malware using the drive-by download technique. ClearFake is another “fake updates” threat that leverages social engineering to trick the user into running a fake web browser update, as SocGholish and FakeSG do.

We analysed ClearFake in depth and shared the results of our investigation in FLINT 2023-037 (ClearFake: a newcomer to the "fake updates" threats landscape). It presents a technical analysis of the ClearFake installation flow, the malware delivered by ClearFake, the C2 infrastructure and tracking opportunities.

OSINT collection playbooks updated with new threats: DarkGate, DynamicStealer, Medusa, SocGholish etc. 🦠

Each month Sekoia.io updates the configuration of its collection playbooks to automatically gather Indicators of Compromise (IoCs) of new threats. Our collection playbooks aggregate, enrich and contextualise IoCs from community threat intelligence feeds (URLhaus, ThreatFox, and others) as well as from analyses of the Hatching Triage sandbox. This time, we have added mostly cybercriminal threats sold on underground forums:

  • Infostealers: AcridRain, AllcomeClipper, DynamicStealer, Fabookie, Icarus, Loda, Meduza, RisePro;
  • Loaders or botnets: CustomerLoader, DarkGate, HoraBot, Lu0bot, SocGholish (aka FakeUpdates);
  • Ransomware: Djvu (aka STOP), TargetCompany (aka Mallox);
  • Remote access trojans: JanelaRAT, Parallax.

Sekoia.io proactively monitors new loaders, as well as the malware downloaded as next-stage payloads. If you want to know more about the newly discovered loader CustomerLoader, you can read our analysis in the blog post on CustomerLoader!

Introducing our C2 tracking methodology for the prevalent infostealer families 🕵️

Sekoia.io analysts published a FLINT which introduces our tracking methodology for the prevalent infostealer families. It also presents the number of active C2 servers detected in recent weeks and our analysis of the infostealer trends.

In the report, we shared our tracking methods based on server fingerprinting and pattern searching, for the most widespread infostealers sold as Malware-as-a-Service: Lumma, Mystic, Raccoon, Rhadamanthys, RisePro, Stealc and Vidar.

These heuristics are used to proactively collect exclusive IoCs and provide our customers with actionable intelligence. Their results can be found in the Intelligence Center under the "Sekoia.io C2 Tracker" source.

Tracking threats with Sekoia.io C2 Tracker 🕵️

When Sekoia.io analysts come across new or trendy threats (malware, threat groups, phishing, etc.), we generally try to find heuristics to track their infrastructure. This proactive hunting approach allows us to collect exclusive indicators of compromise (IoCs) on a weekly basis. In recent weeks, we have added Command & Control (C2) trackers for:

  • Newly supervised threats: KeepSpy, Bandit Stealer, Meduza Stealer, Observer Stealer, AndoryuBot;
  • Already tracked threats: Ducktail, CryptBot, Stealc, Lumma Stealer, PikaBot, SideWinder, phishing infrastructure.

IoCs collected from these trackers can be found in the Sekoia.io Intelligence Center by filtering on the source "Sekoia.io C2 Tracker". If you want to know more about the above-mentioned threats, please visit their object card and the model built by our analysts!

OSINT collection playbooks updated with new threats: DynamicRAT, HoraBot, Meduza Stealer 🦠

Each month Sekoia.io updates the configuration of its collection playbooks to automatically gather Indicators of Compromise (IoCs) of new threats. Our collection playbooks aggregate, enrich and contextualise IoCs from community threat intelligence feeds (URLhaus, ThreatFox, and others) and from analyses of the Hatching Triage sandbox. This time, we have added mostly cybercrime threats sold on underground forums:

  • Information stealers: AllcomeClipper, Bebra Stealer (aka XoCreator), Ducktail, Dynamic Stealer, Fabookie, Icarus, Invicta, Loda, Meduza, RisePro, Strela;
  • Other malware: DynamicRAT, HoraBot, Lu0bot.

Sekoia.io proactively monitors new widespread malware and we invite you to read our FLINT about CustomerLoader!

Analysis of CustomerLoader, a new widespread loader discovered by Sekoia.io 🕵️

Sekoia.io analysts identified an undocumented .NET loader aimed at downloading, decrypting and executing next-stage payloads. In early June 2023, this new loader was actively distributed by multiple threat actors using malicious phishing emails, YouTube videos and web pages impersonating legitimate websites.

We analysed CustomerLoader in depth and shared the results of our investigation in FLINT 2023-029 (CustomerLoader: a new malware distributing a wide variety of payloads). It presents a technical analysis of CustomerLoader, an overview of the more than 30 known malware families it distributes, and details on three infection chains observed distributing the loader.

OSINT collection playbooks updated with recent threats: Domino, PoshC2, Play, WhiteSnake, etc. 🦠

Each month SEKOIA.IO updates the configuration of its collection playbooks to automatically gather Indicators of Compromise (IoCs) of new threats. Our collection playbooks aggregate, enrich and contextualise IoCs from community threat intelligence feeds (URLhaus, ThreatFox, and others) and from analyses of the Hatching Triage sandbox. This time, we have added:

  • New or recent information stealers: Atomic MacOS Stealer (aka AMOS), WhiteSnake (aka Gurcu);
  • Android trojans: Chameleon, DAAM, FakeCalls, XploitSpy;
  • Remote access trojans: Lime RAT, RomCom RAT, Rok RAT, Running RAT, Spark RAT, Vanilla RAT;
  • And other malware families, including Domino backdoor, PoshC2, Play ransomware.

SEKOIA proactively monitors new malware advertised on underground forums or Telegram channels, as well as the threat groups operating them. If you want to know more about these malware families, read the associated malware object in the SEKOIA.IO Intelligence Center.

Telemetry On Objects

With Telemetry on Objects you now have valuable insights that help you make more informed decisions. With this feature, you can instantly view how many times an IoC has been spotted within your workspace or on the Sekoia.io platform. This level of visibility can be crucial in identifying potential threats and vulnerabilities, allowing you to take proactive measures to mitigate risks.

Monitoring new ransomware-related threats 🔐

Sekoia.io proactively monitors emerging ransomware, intrusion sets distributing them and threat actors launching new ransomware operations. Sekoia.io’s Intelligence Center is regularly updated with tactical, operational and strategic intelligence on these threats.

In recent months, we observed a surge in newly launched ransomware operations. Here are some of the most prominent ransomware distributed in financially motivated campaigns since early 2023:

  • Abyss Locker
  • Akira
  • BlackBit
  • Cactus
  • CrossLock
  • CryptNet
  • DarkPower
  • Dodo
  • ESXiArgs
  • Honkai Paradise
  • Masons
  • Money Message
  • MortalKombat
  • Nevada
  • RA Group
  • Rancoz
  • TZW Ransomware
  • Uniza

Of note, besides these newly launched ransomware operations, Sekoia.io also closely monitors the new variants, as well as the new distribution methods of known ransomware.

If you want to know more about these threats, read the associated malware, intrusion set and threat actor objects in the Sekoia.io Intelligence Center.

Overview of the TA505 intrusion set's recent activities by TDR analysts 🕵️

TDR analysts released a report analysing the evolution of the TA505 intrusion set activities over time. We focused on three early 2023 campaigns attributed to TA505, involving the exploitation of zero-day vulnerabilities in GoAnywhere and PaperCut software, as well as the wide distribution of the LOBSHOT malware using Google Ads.

From our observations, TA505 shows increased activity since early 2023, featuring an ever-changing set of techniques and malware arsenal.

OSINT collection playbooks updated with new threats: EvilExtractor, AresLoader, ZStealer, CopperStealer, etc. 🦠

Each month Sekoia.io updates the configuration of its collection playbooks to automatically gather Indicators of Compromise (IoCs) of new threats. Our collection playbooks aggregate, enrich and contextualise IoCs from community threat intelligence feeds (URLhaus, ThreatFox, and others) and from analyses of the Hatching Triage sandbox. This time, we have added mostly cybercriminal threats sold on underground forums:

  • Information stealers: Prynt, SectopRAT, CopperStealer, DUCKTAIL, EvilExtractor, Nemesis, ZStealer, zgRAT;
  • Some Android malware such as SpyNote or Godfather;
  • And other threats such as the TA570 group (Qbot malware affiliates);
  • Ransomware and droppers such as Royal Ransom, AresLoader and NetDooka.

Sekoia.io proactively monitors new information stealers and we invite you to read our latest blog post about the Russian-speaking infostealer ecosystem!

OSINT collection playbooks updated with recent threats: Pikabot, Nexus, Lumma, Fabookie, etc. 🦠

Each month SEKOIA.IO updates the configuration of its collection playbooks to automatically gather Indicators of Compromise (IoCs) of new threats. Our collection playbooks aggregate, enrich and contextualise IoCs from community threat intelligence feeds (URLhaus, ThreatFox, and others) and from analyses of the Hatching Triage sandbox. This time, we have added:

  • New or recent information stealers: Lumma, Fabookie, Stealc, Ginzo, PennyWise, Enigma, etc.;
  • Android banking trojans: Nexus, Godfather, SOVA, HookBOT, Alien, etc.;
  • Recent ransomware: Mimic, Hydracrypt;
  • And other malware families, including Pikabot, Sliver, Gh0st RAT.

SEKOIA proactively monitors new malware advertised on underground forums or Telegram channels, as well as the threat groups operating them. If you want to know more about these malware families, read the associated malware object in the SEKOIA.IO Intelligence Center.

OSINT collection playbooks updated with new threats: Stealc, Titan Stealer, Rshell, Akur Group etc. 🦠

Each month SEKOIA.IO updates the configuration of its collection playbooks to automatically gather Indicators of Compromise (IoCs) of new threats. Our collection playbooks aggregate, enrich and contextualise IoCs from community threat intelligence feeds (URLhaus, ThreatFox, and others) and from analyses of the Hatching Triage sandbox. This time, we added:

  • Some new or recent information stealers: Stealc, Titan Stealer, ViperSoftX, BlackCap Grabber;
  • Active intrusion sets: the Akur Group (pro-Russian hacktivists), the TA558 threat group;
  • Havoc, a post-exploitation C2 framework available on GitHub;
  • Other threats leveraged by cybercriminals or APT groups: Phonk cryptominer, Rshell RAT.

SEKOIA proactively monitors new information stealers and we invite you to read our latest blog posts about Stealc!

Analysis of Stealc, a new infostealer uncovered by SEKOIA.IO 🕵️

SEKOIA.IO analysts uncovered a new infostealer advertised by its alleged developer as Stealc since January 2023. We associated this stealer with malware samples of a new infostealer family spread in the wild.

We analysed the Stealc stealer in depth and shared the results of our investigation in FLINT 2023-012 (Stealc: a copycat of Vidar and Raccoon infostealers gaining in popularity - Part 1). SEKOIA.IO will publish a write-up focused on the reverse engineering of Stealc.

Tracking new threats with SEKOIA C2 Tracker: HookBot & new SEO poisoning infrastructure typosquatting notorious software 🌐

When SEKOIA.IO analysts come across new or trendy threats (malware, threat groups, phishing, etc.), we generally try to find heuristics to track their infrastructure. This proactive hunting approach allows us to collect exclusive indicators of compromise (IoCs) on a weekly basis. In recent weeks, we have added Command & Control (C2) trackers for:

  • Newly supervised threats: HookBot, new SEO poisoning infrastructure typosquatting notorious software;
  • Already tracked threats: FakeUpdates, Magniber, Aurora, Vidar, Lumma.

IoCs collected from these trackers can be found in the SEKOIA.IO Intelligence Center by filtering on the source "SEKOIA C2 Tracker". If you want to know more about the above-mentioned threats, please visit their card and their model made by the analysts!

OSINT collection playbooks updated with new threats: XWorm, LodaRAT, Rhadamanthys, DarkCloud etc. 🦠

Each month SEKOIA.IO updates the configuration of its collection playbooks to automatically gather Indicators of Compromise (IoCs) of new threats. Our collection playbooks aggregate, enrich and contextualise IoCs from community threat intelligence feeds (URLhaus, ThreatFox, and others) and from analyses of the Hatching Triage sandbox. This time, we have added:

  • Some new or recent information stealers: Mint Stealer, DarkCloud Stealer, Rhadamanthys, Astaroth;
  • Remote Access Trojans: XWorm, Bitter RAT, LodaRAT, Gh0stRAT, Running RAT, ReverseRAT, NetSupport RAT;
  • And other malware families: Spyder, RapperBot, Deimos, CryCryptor.

SEKOIA.IO already tracks several of these threats using internal tools such as SEKOIA C2 Tracker or SEKOIA YARA Tracker. You can find the associated exclusive IoCs by browsing the malware pages in the Intelligence Center.

Analysis of the recent evolutions within the ransomware ecosystem 🔐

SEKOIA.IO analysts highlighted the trends related to ransomware activity in the second half of 2022.

The ransomware threat remained at a very high level since mid-2022, similar to the previous year. During the last six months, ransomware groups increasingly adopted new TTPs such as callback phishing, intermittent encryption and rewriting malware code in new languages to enhance their capabilities.

From our observations, the democratisation of the ransomware threat reached an almost unprecedented level. This is reflected by ransomware operators delegating some tasks to other threat actors such as Initial Access Brokers, fraudulent call centre operators and pentesters hired on cybercrime forums.

We shared our analysis in the FLINT 2023-009 - S2 2022 Ransomware Threat Landscape.

Tracking new threats with SEKOIA C2 Tracker: RedWarden, TrueBot, Aurora, Cova, Nosu, Squarephish, ChaosRAT 🕵️

When SEKOIA.IO analysts come across new or trendy threats (malware, threat groups, phishing, etc.), we generally try to find heuristics to track their infrastructure. This proactive hunting approach allows us to collect exclusive indicators of compromise (IoCs) on a weekly basis. In recent weeks, we have added Command & Control (C2) trackers for:

  • Newly supervised threats: cryptocurrency phishing, WhiteSoftware websites and SEO poisoning infrastructure, TrueBot, Cova, Nosu, RedWarden, Squarephish, ChaosRAT, DuckLogs;
  • Already tracked threats: Aurora, BatLoader, FakeUpdates, Callisto, Evilginx2, PrivateLoader.

IoCs collected from these trackers can be found in the SEKOIA.IO Intelligence Center by filtering on the source "SEKOIA C2 Tracker". If you want to know more about the above-mentioned threats, please visit their card and their model made by the analysts!
