An enigmatic activity cluster has taken flight, casting its shadow across industries far and wide. Principal Malware Analyst Christina Johns takes a look at Red Canary’s most prevalent threat of 2023, Charcoal Stork, and what organizations need to look out for in their environments.
What is Charcoal Stork?
Charcoal Stork is a suspected pay-per-install (PPI) content provider that’s responsible for the malvertising or the search engine optimization (SEO) that gets the user (otherwise known as the victim) to download its affiliate’s malware.
Why does it matter?
There are multiple ways in which Charcoal Stork serves as a delivery mechanism for a variety of malware families, one of which is via browser hijacker. While initially a browser hijacker might not seem very glamorous, the volume of these downloads that we saw just made it impossible to ignore. We weren’t always sure if the payload would be ChromeLoader or if it were to evolve into something different or more insidious. So, we tracked it to make sure we kept an eye on what Charcoal Stork was delivering.
How is it different from ChromeLoader and SmashJacker?
Charcoal Stork is responsible for the delivery and installation of ChromeLoader and other payloads. While the payload filenames vary according to the advertised lure—which include wallpapers, cracked games or software—we often see a default filename of install or your file is ready to download. A single Charcoal Stork EXE hash may have dozens of different filenames all pointing back to the same installer. A lot of times with reporting, we saw this all listed as ChromeLoader because for a long time the installers always led to ChromeLoader. But, in 2023, we started seeing additional payloads, like SmashJacker. And in August, we also saw Charcoal Stork delivering VileRAT, which is a Python remote access trojan (RAT).
Are we observing a target industry?
We see it in a wide range of industries, from professional, scientific, and technical services, to manufacturing and healthcare.
What can defenders do about this threat?
For Charcoal Stork specifically—because we define it as a suspected PPI provider—there’s not much defenders can do to prevent delivery via SEO except for ad blocking (for malvertising protection) and doubling-down on user education. These adversaries are very good at social engineering, so there’s always going to be somebody that clicks. So beyond that, I’d recommend defenders pay attention to what payloads Charcoal Stork is delivering (i.e., ChromeLoader, SmashJacker, and VileRAT) and study their associated TTPs. This will help your team better identify related activity once it’s run in your environment.