Each month, the Intel team provides Red Canary customers with an analysis of trending, emerging, or otherwise important threats that we’ve encountered in confirmed threat detections, intelligence reporting, and elsewhere over the preceding month. We call this report our “Intelligence Insights” and share a public version of it with the broader infosec community.
Highlights
To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months.
Here’s how the numbers shook out for March 2024:
| Last month's rank | Threat name | Threat description |
|---|---|---|
| ⬆ 1 | SocGholish | Dropper/downloader that uses compromised WordPress sites to redirect users to adversary infrastructure posing as necessary browser updates to trick users into running malicious code |
| ➡ 2 |  | Open source tool that dumps credentials using various techniques |
| ⬇ 3 |  | Collection of Python classes to construct/manipulate network protocols |
| ⬆ 4* | Danabot | Modular trojan used by multiple adversaries that is distributed via phishing campaigns, pirated software, and the Fallout exploit kit |
| ⬆ 4* |  | Activity cluster using a worm spread by external drives that leverages Windows Installer to download malicious files |
| ⬆ 4* |  | Activity cluster that uses a distribution scheme similar to SocGholish and uses JScript files to drop NetSupport Manager onto victim systems |
| ⬇ 7* |  | Malware family used as part of a botnet. Some variants are worms and frequently spread via infected USB drives |
| ⬇ 7* |  | JScript dropper/downloader that typically poses as a document containing an "agreement," often distributed through search engine redirects |
| ⬆ 7* |  | Penetration testing framework used to probe systematic vulnerabilities on networks and servers to conduct post-exploitation activity on compromised hosts |
| ⬇ 10* | AsyncRAT | Open source remote access tool with multiple functions including keylogging and remote desktop control |
| ⬇ 10* | Atomic Stealer | Information stealer designed to target data within web browsers and locally stored files on macOS systems, with the goal of accessing sensitive information including credentials, payment card data, keychain details, and cryptocurrency wallets |
| ⬆ 10* | Grandoreiro | Banking trojan written in the Delphi programming language that primarily targets users in Latin America and other Spanish-speaking countries |
| ⬆ 10* | More_eggs | JScript backdoor sold by a malware-as-a-service (MaaS) provider |
| ⬇ 10* | PlugX | Malware family capable of a range of behaviors, including DLL side-loading, capturing the screen, and keylogging |
⬆ = trending up from previous month
⬇ = trending down from previous month
➡ = no change in rank from previous month
*Denotes a tie
Observations on trending threats
SocGholish moved to the top spot on this month’s most prevalent threat list, the first time it’s reached number 1 since February 2023. Many of the top threats were present on last month’s list, but not all of this month’s threats are carryovers. For instance, Danabot saw a wave of activity that landed it in a three-way tie for 4th, the first time the trojan has made the list since September 2023. AsyncRAT, Atomic Stealer, and PlugX all dropped to share a tie for 10th alongside More_eggs, which hasn’t appeared in the top 10 since its debut in August 2023. Also in a tie for 10th is the Grandoreiro banking trojan, another newcomer to the list that you can read more about below.
Hola, Grandoreiro
Grandoreiro is part of a family of banking trojans that primarily targets users in Latin America and Spanish-speaking countries. Grandoreiro malware has been active since at least 2016, and we’ve been tracking it since we first saw it in customer environments in November 2022. Like the other trojans in this malware family, it is written in Delphi and utilizes techniques to evade sandbox analysis.
Grandoreiro is typically distributed via phishing emails containing links that download malicious ZIP files, often with government or financial themes. In one example we observed, the malicious ZIP file presented itself as INFONAVIT-related legal action—INFONAVIT, the Instituto del Fondo Nacional de la Vivienda para los Trabajadores, is the largest mortgage lender in Latin America.
The ZIP contained a malicious binary that initiated outbound network communications and installed follow-on executables. One of those executables, installed in C:\ProgramData, frequently had a filename like ypkwfDriverDetectMastertvDriverRepairPro.exe, as seen in this similar sample. The driver-themed executable proceeded to make external network connections, write additional files to disk, and leverage PowerShell to establish persistence via registry run keys.
Interpol recently announced a successful takedown initiative against Grandoreiro operators in early 2024, but given the many variants in the malware family, activity will likely continue.
Holding down the Fortinet vulnerability
On April 8, Red Canary published a blog post sharing details of Fortinet FortiClient EMS vulnerability exploitation that we observed in late March 2024. We detected adversaries exploiting CVE-2023-48788 in order to install unauthorized remote monitoring and management (RMM) tools and PowerShell backdoors on target systems. This activity followed a pattern, beginning with inbound external network connections to the FCMdaemon process and ending with attempts to download and execute RMM tools or PowerShell-based backdoors.
Adversaries like to abuse RMM tools to remotely execute a wide variety of actions on a victim’s endpoint. Since organizations use RMM tools in regular business operations, adversaries can attempt to evade detection for as long as possible by maintaining a veneer of legitimacy.
Updating vulnerable FortiClient EMS installations is the most expedient way to remediate exploitation risk. For organizations that are unable to immediately patch CVE-2023-48788, the post-exploitation activity we’ve observed is detectable via process lineage, network connections, and the presence of unauthorized RMM tools. One example of detectable post-exploitation activity we saw involved PowerShell processes spawning via cmd.exe with sqlservr.exe as the parent process. These PowerShell processes made outbound network connections to unknown IP addresses or domains to download additional tools, which gives us a detection opportunity.
Detection opportunity: PowerShell spawned by suspicious parent processes and making outbound network communications
This pseudo detection analytic identifies PowerShell processes with suspicious process lineage, similar to activity observed following CVE-2023-48788 exploitation. This logic would detect cmd.exe spawning with sqlservr.exe as the parent process and PowerShell as the child process, an atypical combination.
```
parent_process == (sqlservr.exe)
&&
process == (cmd.exe)
&&
child_process == (powershell.exe)
&&
has_network_connection
```
Note: This detector may require tuning depending on your environment.
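As an added illustration (not Red Canary's own detector code), the following Python applies the lineage analytic above to process-event records: it walks parent links to require sqlservr.exe → cmd.exe → powershell.exe and only flags the PowerShell process when it made a network connection. The record layout, field names, and sample events are constructed assumptions; real EDR telemetry will log full image paths in varying case, which is why image names are normalized before comparison.

```python
"""Apply the sqlservr.exe -> cmd.exe -> powershell.exe lineage analytic to process events.

Added example with constructed sample records; field names are assumed, not a real EDR schema.
"""
from dataclasses import dataclass
import ntpath


@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    image: str                          # full image path as an EDR would log it
    has_network_connection: bool = False


def image_name(path: str) -> str:
    """Normalize a Windows image path to a lowercase basename so paths and case do not break matching."""
    return ntpath.basename(path).lower()


def find_suspicious_powershell(events: list[ProcessEvent]) -> list[int]:
    """Return PIDs of powershell.exe processes whose parent is cmd.exe, whose grandparent is
    sqlservr.exe, and which made an outbound network connection (the analytic's four clauses)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if image_name(e.image) != "powershell.exe" or not e.has_network_connection:
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or image_name(parent.image) != "cmd.exe":
            continue
        grandparent = by_pid.get(parent.ppid)
        if grandparent is None or image_name(grandparent.image) != "sqlservr.exe":
            continue
        hits.append(e.pid)
    return hits


# Constructed sample telemetry: a benign explorer.exe -> cmd.exe -> powershell.exe chain,
# the suspicious SQL Server chain, and a same-lineage PowerShell with no network connection.
SAMPLE_EVENTS = [
    ProcessEvent(100, 4, r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\SQLSERVR.EXE"),
    ProcessEvent(200, 100, r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", True),
    ProcessEvent(400, 1, r"C:\Windows\explorer.exe"),
    ProcessEvent(500, 400, r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(600, 500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", True),
    ProcessEvent(700, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
]

if __name__ == "__main__":
    print(find_suspicious_powershell(SAMPLE_EVENTS))  # prints [300]
```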
Additionally, organizations should consider how they can mitigate and detect the use of unauthorized RMM tools and backdoors. Application controls like allowlisting and blocklisting are the best way to ensure that adversaries aren’t able to use unauthorized RMM tools in your environment. To learn more about the CVE-2023-48788 exploitation we observed, and for additional detection and mitigation opportunities, see our blog post.