Primary threat research from Elastic Security Labs

6 May 2023

Now available: The LLM safety assessment

Check out the newest report from Elastic Security Labs, which explores how you can protect your organization from LLM threats.

Featured

Dipping into Danger: The WARMCOOKIE backdoorby Daniel Stepanic12 June 2024

Protecting your devices from information theftby Asuka Najakima30 May 2024

Globally distributed stealersby Salim Bitam, Daniel Stepanic, Terrance DeJesus, Samir Bousseaden24 May 2024

Invisible miners: unveiling GHOSTENGINE’s crypto mining operationsby Salim Bitam, Samir Bousseaden, Terrance DeJesus, Andrew Pease22 May 2024

Follow Elastic Security Labs on Twitter Subscribe to the newsletter

Security Research

View all

30 May 2024

Protecting your devices from information theft

In this article, we will introduce the keylogger and keylogging detection features added this year to Elastic Defend (starting from version 8.12), which is responsible for endpoint protection in Elastic Security.

5 April 2024

500ms to midnight: XZ / liblzma backdoor

Elastic Security Labs is releasing an initial analysis of the XZ Utility backdoor, including YARA rules, osquery, and KQL searches to identify potential compromises.

20 March 2024

Unveiling malware behavior trends

An analysis of a diverse dataset of Windows malware extracted from more than 100,000 samples revealing insights into the most prevalent tactics, techniques, and procedures.

23 February 2024

Monitoring Okta threats with Elastic Security

This article guides readers through establishing an Okta threat detection lab, emphasizing the importance of securing SaaS platforms like Okta. It details creating a lab environment with the Elastic Stack, integrating SIEM solutions, and Okta.

Malware Analysis

View all

12 June 2024

Dipping into Danger: The WARMCOOKIE backdoor

Elastic Security Labs observed threat actors masquerading as recruiting firms to deploy a new malware backdoor called WARMCOOKIE. This malware has standard backdoor capabilities, including capturing screenshots, executing additional malware, and reading/writing files.

24 May 2024

Globally distributed stealers

This article describes our analysis of the top malware stealer families, unveiling their operation methodologies, recent updates, and configurations. By understanding the modus operandi of each family, we better comprehend the magnitude of their impact and can fortify our defences accordingly.

16 May 2024

Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID

Elastic Security Labs has observed an uptick in a recent emerging loader known as LATRODECTUS. This lightweight loader packs a big punch with ties to ICEDID and may turn into a possible replacement to fill the gap in the loader market.

10 May 2024

Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part Four

In previous articles in this multipart series, malware researchers on the Elastic Security Labs team decomposed the REMCOS configuration structure and gave details about its C2 commands. In this final part, you’ll learn more about detecting and hunting REMCOS using Elastic technologies.

Campaigns

View all

24 February 2024

PIKABOT, I choose you!

Elastic Security Labs observed new PIKABOT campaigns, including an updated version. PIKABOT is a widely deployed loader malicious actors utilize to distribute additional payloads.

21 June 2023

Initial research exposing JOKERSPY

Explore JOKERSPY, a recently discovered campaign that targets financial institutions with Python backdoors. This article covers reconnaissance, attack patterns, and methods of identifying JOKERSPY in your network.

9 June 2023

Elastic charms SPECTRALVIPER

Elastic Security Labs has discovered the P8LOADER, POWERSEAL, and SPECTRALVIPER malware families targeting a national Vietnamese agribusiness. REF2754 shares malware and motivational elements of the REF4322 and APT32 activity groups.

2 March 2023

PHOREAL Malware Targets the Southeast Asian Financial Sector

Elastic Security discovered PHOREAL malware, which is targeting Southeast Asia financial organizations, particularly those in the Vietnamese financial sector.

Groups & Tactics

View all

22 May 2024

Invisible miners: unveiling GHOSTENGINE’s crypto mining operations

Elastic Security Labs has identified REF4578, an intrusion set incorporating several malicious modules and leveraging vulnerable drivers to disable known security solutions (EDRs) for crypto mining.

15 March 2024

Sinking macOS Pirate Ships with Elastic Behavior Detections

This research looks at a recently found macOS malware campaign using the macOS Endpoint Security Framework paired with the Elastic Agent to hunt and detect the behaviors this malware exhibits.

31 January 2024

Unmasking a Financial Services Intrusion: REF0657

Elastic Security Labs details an intrusion leveraging open-source tooling and different post-exploitation techniques targeting the financial services industry in South Asia.

1 November 2023

Elastic catches DPRK passing out KANDYKORN

Elastic Security Labs exposes an attempt by the DPRK to infect blockchain engineers with novel macOS malware.

Perspectives

25 August 2023

Forget vulnerable drivers - Admin is all you need

Bring Your Own Vulnerable Driver (BYOVD) is an increasingly popular attacker technique whereby a threat actor brings a known-vulnerable signed driver alongside their malware, loads it into the kernel, then exploits it to perform some action within the kernel that they would not otherwise be able to do. Employed by advanced threat actors for over a decade, BYOVD is becoming increasingly common in ransomware and commodity malware.

GenerativeAI

View all

6 May 2024

Elastic Advances LLM Security with Standardized Fields and Integrations

Discover Elastic’s latest advancements in LLM security, focusing on standardized field integrations and enhanced detection capabilities. Learn how adopting these standards can safeguard your systems.

25 April 2024

Embedding Security in LLM Workflows: Elastic's Proactive Approach

Dive into Elastic's exploration of embedding security directly within Large Language Models (LLMs). Discover our strategies for detecting and mitigating several of the top OWASP vulnerabilities in LLM applications, ensuring safer and more secure AI-driven applications.

29 September 2023

Accelerating Elastic detection tradecraft with LLMs

Learn more about how Elastic Security Labs has been focused on accelerating our detection engineering workflows by tapping into more generative AI capabilities.

19 September 2023

Using LLMs and ESRE to find similar user sessions

In our previous article, we explored using the GPT-4 Large Language Model (LLM) to condense Linux user sessions. In the context of the same experiment, we dedicated some time to examine sessions that shared similarities. These similar sessions can subsequently aid the analysts in identifying related suspicious activities.

Tools

View all

9 February 2024

STIXy Situations: ECSaping your threat data

Structured threat data is commonly formatted using STIX. To help get this data into Elasticsearch, we’re releasing a Python script that converts STIX to an ECS format to be ingested into your stack.

13 June 2023

Into The Weeds: How We Run Detonate

Explore the technical implementation of the Detonate system, including sandbox creation, the supporting technology, telemetry collection, and how to blow stuff up.

4 May 2023

Click, Click… Boom! Automating Protections Testing with Detonate

To automate this process and test our protections at scale, we built Detonate, a system that is used by security research engineers to measure the efficacy of our Elastic Security solution in an automated fashion.

4 May 2023

Unpacking ICEDID

ICEDID is known to pack its payloads using custom file formats and a custom encryption scheme. We are releasing a set of tools to automate the unpacking process and help analysts and the community respond to ICEDID.