New SNSLocker Variant Discovered by Securonix

The Securonix Threat Research Team has identified new ransomware and credential-stealing activity tied to the Coronavirus pandemic that takes advantage of remote-workforce environments. Securonix published the research this morning on their blog.

Findings include a new weaponized Word document that delivers ransomware, a variant of SNSLocker, and is pushed to users as a malicious COVID-19 situation report. Once a user opens the document, sensitive data is immediately encrypted and payment instructions are displayed.

The Threat Research Team also discovered a new malicious credential-stealer implant that is pushed through several kinds of e-mail, including a fake COVID-19 infection notification and a COVID-19 relief e-mail. Among other malicious activities, the implant steals cryptocurrency wallets and exfiltrates the stolen information.

In the findings blog post, Securonix provides detailed recommendations on combating these advanced threats and on monitoring a remote workforce. These recommendations are useful for security operations/SOC, IT operations, insider threat teams, and human resources.

Be sure to monitor for the following common red flags:

  • Unusual-severity event on your VPN server device

  • Account authentication from a rare geolocation

  • VPN connection from an anonymous proxy

  • Connection to a domain that is rare for the user's peer group, followed by an executable download

  • Landspeed anomaly (successive logins whose locations imply implausible travel speed)

  • E-mails from a typosquatted domain

  • Abnormal number of e-mails sent to a rare external recipient

  • Abnormal amount of data sent to a rare external recipient

  • Unusual VPN session length

  • Unusual amount of data in a VPN session compared to peers

  • Unusual increase in sensitive-data access for a user
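The landspeed red flag above can be checked mechanically once VPN authentication events carry a geolocation. The following is an added illustration, not Securonix code or a rule from their blog: it pairs each user's consecutive logins, computes the great-circle distance between them, and flags any pair whose implied speed exceeds an assumed plausibility threshold. The event tuples are constructed sample data; the threshold, field layout and function names are assumptions.

```python
"""Landspeed (impossible-travel) check over constructed VPN authentication events."""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold, roughly airliner cruising speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


# Constructed sample events: (ISO-8601 UTC timestamp, user, source IP, lat, lon).
# Geolocation is assumed to have been added by an enrichment step upstream.
SAMPLE_EVENTS = [
    ("2020-04-01T08:00:00Z", "alice", "203.0.113.10", 40.71, -74.01),  # New York
    ("2020-04-01T09:30:00Z", "alice", "198.51.100.7", 51.51, -0.13),   # London, 90 min later
    ("2020-04-01T08:05:00Z", "bob", "192.0.2.44", 37.77, -122.42),     # San Francisco
    ("2020-04-01T14:05:00Z", "bob", "192.0.2.45", 34.05, -118.24),     # Los Angeles, 6 h later
]


def landspeed_anomalies(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, prev_ip, cur_ip, implied_kmh) for each consecutive login pair
    of one user whose implied travel speed exceeds max_kmh."""
    by_user = {}
    # ISO-8601 timestamps in one zone sort lexically, so sorting the tuples orders by time.
    for ts, user, ip, lat, lon in sorted(events):
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        by_user.setdefault(user, []).append((t, ip, lat, lon))
    findings = []
    for user, logins in by_user.items():
        for (t0, ip0, la0, lo0), (t1, ip1, la1, lo1) in zip(logins, logins[1:]):
            hours = (t1 - t0).total_seconds() / 3600
            dist = haversine_km(la0, lo0, la1, lo1)
            if hours <= 0:  # same-second logins from different places are also impossible travel
                speed = float("inf") if dist > 0 else 0.0
            else:
                speed = dist / hours
            if speed > max_kmh:
                findings.append((user, ip0, ip1, round(speed, 1)))
    return findings


if __name__ == "__main__":
    for finding in landspeed_anomalies(SAMPLE_EVENTS):
        print("landspeed anomaly:", finding)
```

With the sample data only alice is flagged (New York to London in 90 minutes, about 3,700 km/h); bob's San Francisco to Los Angeles hop over six hours stays under the threshold.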
