⬆ = trending up from previous month
⬇ = trending down from previous month
➡ = no change in rank from previous month
*Denotes a tie
Observations on trending threats
July brought several newcomers to the month's top 10 most prevalent threats; one of them, AdSearch, rocketed straight to the top of the list. RedLine made a big move, from the top 30 to a tie for eighth place with Raspberry Robin. Shlayer reclaimed fourth place after being out of the top 10 since April. Yellow Cockatoo activity increased as SocGholish's decreased, continuing a seesaw pattern we have seen before (though we aren't aware of any causal relationship between the two threats). SocGholish has become less prominent relative to other threats as we move further into 2022, after hitting number 1 in both January and March. Qbot, last month's number 1 threat, declined steeply. Qbot historically cycles between periods of intense activity and quiet near-dormancy.
Searching for AdSearch
While AdSearch is new to the top 10, it is not new to Red Canary. We began seeing this cluster of activity a few months ago, and started documenting it. AdSearch entered our official threat rankings in July, claiming the top spot.
AdSearch is an executable payload spread via malvertising: enticing ads trick unsuspecting Windows users into downloading an ISO file. The AdSearch payload, often delivered as Your File Is Ready To Download.iso, is an NW.js application bundling HTML, Node.js, and a Chromium browser instance that runs persistently on the infected host. Public posts by infected users describe the AdSearch browser redirecting them to sites they did not intend to visit. We have also observed ChromeLoader delivered using similar methods, though we track it as a different payload from AdSearch. Recent reporting by Palo Alto's Unit 42 suggests that AdSearch may be related to what they track as "Variant 2" of ChromeLoader; however, Red Canary currently tracks these threats separately because of significant differences in behavior following the initial ISO delivery. At this time, the objective behind AdSearch remains unclear.
cmd.exe opening a batch script (BAT) file from the root of an external drive
The following pseudo-detection analytic looks for execution of a BAT file stored in the AdSearch ISO. When the ISO is mounted, the file appears in the root of an external drive that takes the next logical drive letter on that host. The BAT file can go on to launch tar.exe and reg.exe as child processes: tar.exe to extract payloads, and reg.exe to add a registry Run key for persistence. Since legitimate BAT files may also execute from external drives, additional review may be needed to determine whether the behavior is malicious.
child_process == (

Note: The drive letter could be any drive letter; [A-Z] is a placeholder for the next logical drive letter.
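To show how the analytic above behaves on actual telemetry, here is an added Python example (not Red Canary's detection logic, and not code from the original post) that runs the same idea over a handful of constructed process-creation events. It flags cmd.exe launching a .bat from the root of any non-system drive (assuming C: is the system drive), then raises severity only when that cmd.exe has tar.exe or Run-key-adding reg.exe children, so the external-drive hit alone surfaces as a lead for review rather than a verdict. The event shape, process IDs, file names such as E:\Install.bat, and paths are all hypothetical.

```python
import re

# Assumption: C: is the system drive, so any other drive letter is treated as a
# candidate external drive (the analytic's [A-Z] placeholder for the next logical letter).
SYSTEM_DRIVE = "C"

# Matches a .bat directly under a drive root, e.g. E:\setup.bat or "E:\My File.bat".
# A path with a subdirectory (E:\tools\x.bat) does not match because no backslash
# is allowed between the drive root and the file name.
ROOT_BAT_RE = re.compile(
    r'(?<![A-Za-z])([A-Za-z]):\\([^\\/:*?"<>|]+?\.bat)(?=["\s]|$)', re.IGNORECASE
)


def basename(path):
    """Last path component, lower-cased, for Windows-style paths."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def bat_from_external_root(event):
    """Return 'X:\\name.bat' when cmd.exe references a .bat in the root of a non-system drive, else None."""
    if basename(event["image"]) != "cmd.exe":
        return None
    for drive, name in ROOT_BAT_RE.findall(event["command_line"]):
        if drive.upper() != SYSTEM_DRIVE:
            return f"{drive.upper()}:\\{name}"
    return None


def child_indicators(parent_pid, events):
    """Follow-on behaviour described on the page: tar.exe extraction and a reg.exe Run key."""
    reasons = []
    for ev in events:
        if ev["ppid"] != parent_pid:
            continue
        name = basename(ev["image"])
        cl = ev["command_line"].lower()
        if name == "tar.exe":
            reasons.append("tar.exe child extracting an archive")
        elif name == "reg.exe" and "add" in cl.split() and r"currentversion\run" in cl:
            reasons.append("reg.exe child adding a Run key for persistence")
    return reasons


def detect(events):
    """Apply the analytic to a list of process events; returns one finding per matching cmd.exe."""
    findings = []
    for ev in events:
        bat = bat_from_external_root(ev)
        if not bat:
            continue
        reasons = [f"cmd.exe launched {bat} from the root of an external drive"]
        reasons += child_indicators(ev["pid"], events)
        # Without tar.exe/reg.exe follow-on activity this is only a lead that needs review.
        severity = "high" if len(reasons) > 1 else "review"
        findings.append({"pid": ev["pid"], "bat": bat, "severity": severity, "reasons": reasons})
    return findings


# Constructed events in a Sysmon/EDR-like shape (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    # AdSearch-style chain: ISO mounted as E:, BAT run from its root, then tar.exe and reg.exe.
    {"pid": 4120, "ppid": 3001, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c "E:\Install.bat"'},
    {"pid": 4131, "ppid": 4120, "image": r"C:\Windows\System32\tar.exe",
     "command_line": r"tar.exe -xf E:\app.zip -C C:\Users\user\AppData\Local\app"},
    {"pid": 4144, "ppid": 4120, "image": r"C:\Windows\System32\reg.exe",
     "command_line": r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v app /t REG_SZ /d "C:\Users\user\AppData\Local\app\app.exe"'},
    # Benign: BAT in a subdirectory of a USB drive, not the root.
    {"pid": 5200, "ppid": 3001, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c D:\tools\backup.bat"},
    # Benign: BAT in the root of the system drive.
    {"pid": 5300, "ppid": 3001, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c C:\build.bat"},
    # Root of an external drive but no tar/reg children: flagged for review only.
    {"pid": 5400, "ppid": 3001, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c F:\deploy.bat"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding["severity"], finding["pid"], finding["bat"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

The two-tier result is the point: the pid 4120 chain scores high because the root-of-drive BAT is followed by the tar.exe and reg.exe behaviour the page describes, while pid 5400 matches only the analytic itself and stays a review item, which is the "additional review may be needed" caveat expressed in code.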