Each month, the Intel team provides Red Canary customers with an analysis of trending, emerging, or otherwise important threats that we’ve encountered in confirmed threat detections, intelligence reporting, and elsewhere over the preceding month. We call this report our “Intelligence Insights” and share a public version of it with the broader infosec community.
Highlights
To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months. Here’s how the numbers shook out for July 2022:
| July rank | Threat name | Threat description |
|---|---|---|
| July rank: ⬆ 1 | Threat name: Adsearch | Threat description : Persistent executable payload surreptitiously installed via ISO files delivered by malvertising links, similar to ChromeLoader |
| July rank: ➡ 2 | Threat name: | Threat description : Open source tool that dumps credentials using various techniques |
| July rank: ➡ 3 | Threat name: | Threat description : Collection of Python classes to construct/manipulate network protocols |
| July rank: ⬆ 4 | Threat name: | Threat description : A macOS malware family associated with ad fraud activity through the distribution of adware applications |
| July rank: ➡ 5* | Threat name: | Threat description : Modular banking trojan that primarily functions as a downloader or dropper of other malware; focused on stealing user data and banking credentials; typically distributed through email |
| July rank: ⬆ 5* | Threat name: Metasploit | Threat description : Penetration testing framework with a robust set of tools for exploiting vulnerabilities and executing code on a remote target machine |
| July rank: ⬆ 5* | Threat name: | Threat description : Activity cluster characterized by the delivery of an information stealer and .NET RAT via search engine redirects |
| July rank: ➡ 8* | Threat name: | Threat description : Activity cluster using a worm spread by external drives that leverages Windows Installer to download a malicious DLL |
| July rank: ⬆ 8* | Threat name: RedLine | Threat description : Information stealer sold on underground forums and used by a variety of adversaries |
| July rank: ⬇10* | Threat name: | Threat description : Open source tool used to identify attack paths and relationships in Active Directory |
| July rank: ⬇ 10* | Threat name: | Threat description : Malware family used as part of a botnet. Some variants are worms and frequently spread via infected USB drives |
⬆ = trending up from previous month
⬇= trending down from previous month
➡ = no change in rank from previous month
*Denotes a tie
Observations on trending threats
July gave us some newcomers to the top 10 prevalent threats for the month. One of which, AdSearch, rocketed to the top of the list. RedLine made a big move, from top 30 to tie for eighth place with Raspberry Robin. Shlayer reclaimed fourth place after being out of the top 10 since April. Yellow Cockatoo activity increased as SocGholish’s decreased, continuing a previously seen seesaw pattern (though we aren’t aware of any causal relationship between these two threats). SocGholish has become less prominent than other threats as we move farther into 2022, after hitting number 1 in both January and March earlier this year. Qbot activity, last month’s number 1 threat, steeply declined. Qbot historically cycles between periods of intense activity followed by quiet near-dormancy.
Searching for AdSearch
While AdSearch is new to the top 10, it is not new to Red Canary. We began seeing this cluster of activity a few months ago, and started documenting it. AdSearch entered our official threat rankings in July, claiming the top spot.
AdSearch is an executable payload spread via malvertising links with enticing ads that trick unsuspecting Windows users into downloading an ISO file. The AdSearch binary, often called Your File Is Ready To Download.iso, is a NW.js app that contains HTML, NodeJS, and a Chromium browser instance that persistently executes on an infected host. Public posts by infected users discuss how the AdSearch browser redirects them to sites they did not intend to visit. We have also observed ChromeLoader delivered using similar methods, though we track that as a different payload than AdSearch. Recent reporting by Palo Alto’s Unit 42 suggests that AdSearch may be related to what they track as “Variant 2” of ChromeLoader, however at Red Canary we currently track these threats separately due to significant differences in behavior following the initial ISO delivery. At this time, the objective behind AdSearch remains unclear.
Detection opportunity: cmd.exe opening a batch script (BAT) file from the root of an external drive
The following pseudo-detection analytic looks for execution of a BAT file stored in the AdSearch ISO. The file is created in the root of an external drive using the next logical drive letter for that host. The BAT file can go on to launch tar.exe and reg.exe as child processes; tar.exe to unzip payloads, and reg.exe to add a registry run key for persistence. Since legitimate BAT files may also execute from external drives, additional review may be needed to determine if this is malicious behavior.
process == cmd.exe
&&
command_line_includes == [A-Z]:\*.bat
&&
child_process == (reg.exe || tar.exe)
Note: The drive letter could be any drive letter, [A-Z] is a placeholder for the next logical drive letter.