Each month, the Intel team provides Red Canary customers with an analysis of trending, emerging, or otherwise important threats that we’ve encountered in confirmed threat detections, intelligence reporting, and elsewhere over the preceding month. We call this report our “Intelligence Insights” and share a public version of it with the broader infosec community.
Highlights
To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months.
Here’s how the numbers shook out for November 2022:
| Last month's rank | Threat name | Threat description |
|---|---|---|
| Last month's rank: ⬆ 1 | Threat name: | Threat description : Collection of Python classes to construct/manipulate network protocols |
| Last month's rank: ⬆ 2 | Threat name: | Threat description : Activity cluster using a worm spread by external drives that leverages Windows Installer to download a malicious DLL |
| Last month's rank: ⬆ 3 | Threat name: | Threat description : Malware family used as part of a botnet. Some variants are worms and frequently spread via infected USB drives |
| Last month's rank: ⬆ 4 | Threat name: Zloader | Threat description : Banking trojan with many variants that originally focused on credential theft but in more recent years has delivered pre-ransomware payloads for a number of different ransomware families |
| Last month's rank: ⬆ 5 | Threat name: | Threat description : Modular banking trojan that primarily functions as a downloader or dropper of other malware and is focused on stealing user data and banking credentials; typically distributed through email |
| Last month's rank: ⬆ 6* | Threat name: Remote Utilities | Threat description : Remote administration tool that has been distributed through malicious email attachments that allows remote control, desktop sharing, and file transfers |
| Last month's rank: ⬆ 6* | Threat name: | Threat description : Dropper/downloader, often distributed through search engine redirects |
| Last month's rank: ⬇ 6* | Threat name: | Threat description : Open source tool that dumps credentials using various techniques |
| Last month's rank: ⬇ 6* | Threat name: | Threat description : Open source tool used to identify attack paths and relationships in Active Directory |
| Last month's rank: ⬇ 10* | Threat name: | Threat description : Banking trojan focused on stealing user data and banking credentials; delivered through phishing, existing Emotet infections, and malicious Windows Installer (MSI) packages |
| Last month's rank: ➡ 10* | Threat name: | Threat description : Dropper/downloader that uses compromised WordPress sites to redirect users to adversary infrastructure posing as necessary browser updates to trick users into running malicious code |
⬆ = trending up from previous month
⬇= trending down from previous month
➡ = no change in rank from previous month
*Denotes a tie
Observations on trending threats
November’s top 10 includes both previously seen threats and previously seen patterns. Qbot saw a steep decline in activity, falling from a two-month stay in the top spot to tie for 10th place with SocGholish. Emotet returned with a burst of intense activity during the first 10 days of November, enough for it to land at number 5 for the month. Remote Utilities cracks the top 10 for the first time since March 2022. It typically lurks just outside the top 10, and its appearance here has more to do with a slight decrease in other threat volume than a sudden increase in Remote Utilities activity.
Yellow Cockatoo returns from hiatus
After a stretch of inactivity beginning in July 2022, we saw Yellow Cockatoo reappear in early November 2022. Yellow Cockatoo—also tracked under the names Jupyter and Solarmarker—has historically paused activity after the release of public information, only to resume activity months later using an updated version of their malware. We assess that the adversary may be experimenting with different distribution methods based on recently observed initial access techniques.
One new Yellow Cockatoo malware variant disguised the malicious download as a legitimate browser update, similar to SocGholish’s distribution techniques. A researcher known as Squiblydoo observed this activity in October 2022. Additionally, researchers have seen a new variant of the malware being distributed using Yellow Cockatoo’s traditional search engine redirect methodology. This technique redirects a user from a legitimate search engine to a site that downloads a malicious binary masquerading as their search term. For example, if you searched for “this is my query,” the malicious binary would be named this-is-my-query.exe.
While the most recent malware version is slightly different from earlier versions, the execution tactics, techniques, and procedures (TTP) are similar. This means that execution-based analytics that have detected Yellow Cockatoo in the past may still catch it now.
Detection opportunity: PowerShell creating LNK files within a startup directory
The following pseudo-detection analytic identifies PowerShell creating LNK files in a startup directory. Malware like Yellow Cockatoo can be introduced as a fake installer binary, resulting in malicious PowerShell script execution. Some benign homegrown utilities or installers may create .lnk files in startup locations, so additional investigation of the activity may be necessary.
process == (powershell)
&&
filetype == (.lnk)
&&
filepath_includes == (start menu\programs\startup)
&&
command_line_does_not_include == (*)
Note: * is a placeholder for approved utilities or installers in your environment that also create .lnk files in startup locations
Gootloader malware changes TTPs for evasion
In November 2022, Red Canary observed changes in the TTPs associated with the execution of Gootloader malware. Gootloader is a malicious downloader that is often followed by hands-on-keyboard activity in enterprise environments. The new tradecraft, observed during the first two weeks of November, included changes to persistence mechanisms and changes in the way Gootloader uses PowerShell to execute commands. We’ve updated our Gootloader blog to reflect the new TTPs, which we have also briefly summarized below.
In the newest iteration, the first stage unpacks a second stage to disk without making network connections to remote hosts as it did previously. It writes the second-stage JScript under a legitimate folder in APPDATA\Roaming. The first stage also creates a scheduled task for persistence using COM or similar functionality; previous versions used PowerShell commands to create the task. The first stage ends by appending around 40MB of extraneous text to the script to hinder malware analysis.
The second stage executes with cscript.exe, spawning PowerShell while passing a script in for execution. PowerShell conducts host discovery, gathering details to report for command and control (C2) purposes. PowerShell then downloads and executes additional payloads. At this point, Gootloader resumes its traditional execution flow, deobfuscating follow-on payloads from the Windows Registry and loading them using System.Reflection classes in PowerShell.
These new TTPs can make it more challenging for defenders to quickly detect Gootloader, potentially allowing the adversary to remain undetected for longer periods of time. However, there are still detection opportunities available.
Detection opportunity: wscript launching cscript which executes PowerShell
The following pseudo-detection analytic identifies wscript launching cscript which executes PowerShell. The malicious parent wscript process will typically be spawned from a scheduled task. This sequence has been observed when malware, including Gootloader, uses wscript to execute files such as malicious .js files. Legitimate applications can use this chain of processes as well, so additional investigation may be needed.
parent_process == (wscript.exe)
&&
process == (cscript)
&&
child_process == (powershell)