
Intelligence Insights: August 2023

Cracking More_eggs, tracking ChromeLoader, and hunting for BlackLotus in this month’s edition of Intelligence Insights

The Red Canary Team

Each month, the Intel team provides Red Canary customers with an analysis of trending, emerging, or otherwise important threats that we’ve encountered in confirmed threat detections, intelligence reporting, and elsewhere over the preceding month. We call this report our “Intelligence Insights” and share a public version of it with the broader infosec community.

Highlights

To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months. 

Here’s how the numbers shook out for July 2023:

| Last month's rank | Threat name | Threat description |
|---|---|---|
| 1 | ChromeLoader | Malware that modifies victims’ browser settings and redirects user traffic to advertisement websites |
| 2 | | Malware family used as part of a botnet. Some variants are worms and frequently spread via infected USB drives |
| 3 | | Open source tool that dumps credentials using various techniques |
| 4 | | Activity cluster characterized by the delivery of an information stealer and .NET RAT via search engine redirects |
| ➡ 5 | | Collection of Python classes to construct/manipulate network protocols |
| 6 | | Dropper/downloader that uses compromised WordPress sites to redirect users to adversary infrastructure posing as necessary browser updates to trick users into running malicious code |
| 7* | Adload | macOS malware that attempts to hijack and redirect user web browsing traffic |
| 7* | Conficker | Ancient NetBIOS and USB worm that has plagued the internet since 2008. What is dead may never die. |
| 7* | Dock2Master | macOS ad fraud activity that has led to downloads of other macOS malware, such as Shlayer |
| 7* | | Dropper/downloader, often distributed through search engine redirects |
| 7* | | Penetration testing framework used to probe systematic vulnerabilities on networks and servers and conduct post-exploitation activity on compromised hosts |
| 7* | More_eggs | JScript backdoor sold by a malware-as-a-service (MaaS) provider |

↑ = trending up from previous month
↓ = trending down from previous month
➡ = no change in rank from previous month

*Denotes a tie

Observations on trending threats

Our overall threat volume dipped a bit in July and contributed to a reshuffling of the top 10. Several of our usual suspects, like Gamarue, moved up in the rankings despite a slight downtick in the number of environments affected. The lower overall numbers allowed threats that maintain a constant low level of noise just outside the top 10, like Conficker and Adload, to creep into the bottom of the rankings.

Another newcomer to this month’s top 10 is More_eggs, a backdoor sold as a service and reportedly favored by the group FIN6. While we encounter More_eggs every few months, July saw a wave of activity at levels we haven’t seen since late 2020. Adversaries leveraging More_eggs have also historically used ransomware, so early detection of initial access and dropped backdoors is crucial to avoiding a more serious incident. There are a number of opportunities to detect More_eggs activity, including the one below.

Detection opportunity: wmiprvse.exe spawning child processes from a user’s AppData\roaming directory

The following pseudo-detection analytic identifies the Windows Management Instrumentation (WMI) Provider Host (wmiprvse.exe) spawning child processes from a user’s AppData\roaming directory. Threats such as More_eggs use directories like AppData\roaming to download and store binaries. It is highly unusual for WMI to spawn legitimate processes from a user’s roaming directory.

process == (wmiprvse.exe)
&&
command_line_includes == (appdata\roaming)
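The pseudo-analytic above expressed as runnable detection logic, as an added example that is not part of the original post or of Red Canary’s detection engineering. It assumes process-creation telemetry that carries the parent image path, the child image path and the child command line (the `ProcessEvent` fields are assumptions), reads `process == (wmiprvse.exe)` as the parent process, and runs over a few constructed sample events: one WMI Provider Host launch from a roaming profile that should fire, and two that should not.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent_image: str   # full path of the parent process image (assumed field)
    image: str          # full path of the child process image (assumed field)
    command_line: str   # command line of the child process (assumed field)


# Constructed sample process-creation events, not real telemetry.
SAMPLE_EVENTS = [
    # WMI Provider Host launching a binary staged under the user's roaming profile: should fire.
    ProcessEvent(
        parent_image=r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        image=r"C:\Users\alice\AppData\Roaming\Updater\update.exe",
        command_line=r'"C:\Users\alice\AppData\Roaming\Updater\update.exe" /silent',
    ),
    # Explorer launching the same path: an interactive user action, outside this analytic.
    ProcessEvent(
        parent_image=r"C:\Windows\explorer.exe",
        image=r"C:\Users\alice\AppData\Roaming\Updater\update.exe",
        command_line=r'"C:\Users\alice\AppData\Roaming\Updater\update.exe"',
    ),
    # WMI Provider Host launching a system binary: ordinary WMI provider behaviour.
    ProcessEvent(
        parent_image=r"C:\Windows\System32\wbem\WmiPrvSE.exe",
        image=r"C:\Windows\System32\wbem\WMIC.exe",
        command_line=r"wmic.exe process list brief",
    ),
]

# Case-insensitive match on the roaming profile directory, accepting either separator.
ROAMING = re.compile(r"appdata[\\/]roaming", re.IGNORECASE)


def is_wmiprvse(path):
    """True if the image path names the WMI Provider Host, regardless of case or separator."""
    return path.replace("/", "\\").lower().endswith("\\wmiprvse.exe")


def is_suspicious(event):
    """The analytic: parent is wmiprvse.exe AND the child command line references AppData\\Roaming."""
    return is_wmiprvse(event.parent_image) and ROAMING.search(event.command_line) is not None


def hunt(events):
    """Return the events that satisfy the analytic, in input order."""
    return [e for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for e in hunt(SAMPLE_EVENTS):
        print("ALERT: %s -> %s" % (e.parent_image, e.command_line))
```

Matching on the command line rather than only on the image path mirrors the pseudo-analytic and also catches a roaming-profile payload passed as an argument to a system binary.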

ChromeLoader and AdSearch: Together at last

Despite the summer swoon by many of our frequent foes, one vaulted right to the top. ChromeLoader’s rise is not solely due to a surge in adversary activity; it also gained a boost from changes in how Red Canary tracks it.

When ChromeLoader first appeared on the scene in early 2022, we observed different variants of the malware manifesting via distinct TTP clusters in EDR telemetry. For that reason, we initially tracked the clusters separately and chose to distinguish the persistent PowerShell loader for the malicious browser extension—what we originally called ChromeLoader—separately from the persistent NodeJS runtime application that acts similarly to a backdoored ad server—what we originally called AdSearch.

Since most other researchers tracked all of this activity as ChromeLoader, we’ve repeatedly considered the merits of merging the threats into one profile. Additional malware analysis accompanied by directly observed evidence has convinced us to track AdSearch and ChromeLoader together as different aspects of the same threat.

Intelligence-driven hunting for BlackLotus

In June 2023, the NSA published an advisory and mitigation guide about BlackLotus, a Unified Extensible Firmware Interface (UEFI) bootkit. UEFI is a specification that defines a platform’s boot firmware and its interface for interacting with the system. BlackLotus places an older Windows boot loader firmware binary into the boot partition. This binary is designed to bypass UEFI Secure Boot controls and persist at the earliest boot stage of a Windows system.

Red Canary’s Threat Hunting and Intelligence teams assessed BlackLotus as a significant threat and prioritized further investigation. Key investigative questions included “what does the initial infection vector look like?” and “how does the adversary mount an EFI system partition in order to write malicious EFI files to it?” Our Intelligence team conducted OSINT research and malware analysis to answer these questions and create a new BlackLotus Intelligence Profile. Our Threat Hunting team then used that intelligence to drive hunts across customer environments.

Since “threat hunting” is a nebulous term, we want to share more about what the process looks like at Red Canary and how threat intelligence can help in a hunt. We started this hunt with the following goals—some of which we achieved, and some that we didn’t—a normal and expected outcome when hunting:

  • Actively hunt in customer environments for suspicious behavior and BlackLotus indicators.
    • We didn’t find evidence of BlackLotus in any environments.
  • Identify additional detection opportunities for BlackLotus activity.
    • We identified multiple detection opportunities that we shared with the Detection Engineering team to turn into detection analytics.
  • Create repeatable and high-fidelity hunting queries for BlackLotus.
    • We crafted several hunting queries that we’re sharing below.
  • Note and share with customers any misconfigurations or vulnerabilities found while looking for BlackLotus.
    • We did not find any during this hunt.

Here are a few of the high-fidelity BlackLotus queries written by our Threat Hunting team. The queries are written in Carbon Black Cloud syntax but can be modified to suit your platform as needed.

EFI files known to be abused by BlackLotus: winload.efi, bootmgr.efi, bootmgfw.efi, grubx64.efi

(filemod_name:efi\/microsoft\/boot\/winload.efi OR filemod_name:efi\/microsoft\/boot\/bootmgr.efi OR filemod_name:efi\/microsoft\/boot\/bootmgfw.efi OR filemod_name:efi\/microsoft\/boot\/grubx64.efi)

Directories abused by BlackLotus: ESP:/EFI/Microsoft/Boot/ and ESP:/system32/

These queries look for those directories on drives other than C:\:

  • filemod_name:\/\/\?\/volume\{*\}\/System32\/*
  • filemod_name:\/\/\?\/volume\{*\}\/efi\/microsoft\/boot\/*.efi AND NOT process_name:tiworker.exe
  • filemod_name:/([d-zD-Z]*\:\/system32\/.*)|([d-zD-Z]*\:\/efi\/microsoft\/boot\/.*\.efi)/

A signer associated with the Higurashi “When They Cry” anime series

process_product_name:"When They Cry*" OR process_company_name:"When They Cry*" OR process_product_name:"Higurashi*" OR process_company_name:"Higurashi*"
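The hunting queries above (the EFI file-name query, the two volume-GUID and drive-letter directory queries, and the signer query) re-implemented as plain Python over file-modification and process metadata, as an added example that is not part of the original post or of Red Canary’s hunting tooling. It assumes events that expose the written path, the writing process name, and the process product/company name (constructed sample events below, including one volume GUID that is made up); path normalisation and rule names are this example’s own.

```python
import re

# Query 1: the EFI file names the hunt singles out, wherever they are written.
KNOWN_EFI = re.compile(r"efi/microsoft/boot/(winload|bootmgr|bootmgfw|grubx64)\.efi$")
# Query 2: writes addressed through a volume GUID path (an ESP mounted without a drive letter).
VOLUME_GUID = re.compile(r"^//\?/volume\{[^}]*\}/(system32/|efi/microsoft/boot/[^/]*\.efi$)")
# Query 3: writes to system32 or the boot directory on a drive letter other than C:.
NON_C_DRIVE = re.compile(r"^[d-z]:/(system32/|efi/microsoft/boot/.*\.efi$)")
# The volume-GUID query excludes the Windows servicing worker, as in the original query.
SERVICING_EXCLUSION = "tiworker.exe"
# Signer query: product or company name starting with either string.
SIGNER_PREFIXES = ("when they cry", "higurashi")

# Constructed sample file-modification events; the volume GUID is invented.
SAMPLE_FILEMODS = [
    {"path": r"\\?\Volume{a1b2c3d4-0000-1111-2222-333344445555}\EFI\Microsoft\Boot\grubx64.efi",
     "process": "esp-writer.exe"},
    {"path": r"\\?\Volume{a1b2c3d4-0000-1111-2222-333344445555}\EFI\Microsoft\Boot\bootmgfw.efi",
     "process": "TiWorker.exe"},
    {"path": r"S:\System32\winload.efi", "process": "cmd.exe"},
    {"path": r"C:\Windows\System32\drivers\etc\hosts", "process": "notepad.exe"},
    {"path": r"C:\Windows\Boot\EFI\bootmgfw.efi", "process": "TiWorker.exe"},
]


def normalize(path):
    """Lower-case the path and use forward slashes, matching the query syntax's escaped form."""
    return path.replace("\\", "/").lower()


def matching_rules(path, process_name):
    """Return the names of every hunting query the event satisfies (empty list if none)."""
    p = normalize(path)
    proc = process_name.lower()
    rules = []
    if KNOWN_EFI.search(p):
        rules.append("known-efi-filename")
    if VOLUME_GUID.search(p) and proc != SERVICING_EXCLUSION:
        rules.append("volume-guid-esp-write")
    if NON_C_DRIVE.search(p):
        rules.append("non-c-drive-boot-write")
    return rules


def is_suspicious_signer(product_name, company_name):
    """The signer query: product or company name beginning with the anime-series strings."""
    return any((v or "").lower().startswith(SIGNER_PREFIXES) for v in (product_name, company_name))


def hunt(events):
    """Return (path, process, rules) for every event that matches at least one query."""
    hits = []
    for ev in events:
        rules = matching_rules(ev["path"], ev["process"])
        if rules:
            hits.append((ev["path"], ev["process"], rules))
    return hits


if __name__ == "__main__":
    for path, proc, rules in hunt(SAMPLE_FILEMODS):
        print("%s wrote %s -> %s" % (proc, path, ", ".join(rules)))
```

Running the three queries side by side makes one property of the originals visible: the tiworker.exe exclusion belongs only to the volume-GUID query, so a servicing write to bootmgfw.efi on the ESP is suppressed there but still surfaces through the file-name query, which is why the sample TiWorker.exe event returns exactly one rule.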
