
Intelligence Insights: February 2023

New year, old foes: SocGholish surges, IcedID returns from holiday hiatus, and affiliates leverage OneNote.

The Red Canary Team

Each month, the Intel team provides Red Canary customers with an analysis of trending, emerging, or otherwise important threats that we’ve encountered in confirmed threat detections, intelligence reporting, and elsewhere over the preceding month. We call this report our “Intelligence Insights” and share a public version of it with the broader infosec community.

Highlights

To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months.

Here’s how the numbers shook out for January 2023:

Last month's rank | Threat name | Threat description
1 | SocGholish | Dropper/downloader that uses compromised WordPress sites to redirect users to adversary infrastructure posing as necessary browser updates to trick users into running malicious code
2* | Raspberry Robin | Activity cluster using a worm spread by external drives that leverages Windows Installer to download a malicious DLL
2* | IcedID | Modular banking trojan that evolved into a malware dropper used to gain initial access, conduct host discovery, steal sensitive information, and deliver additional malicious payloads
2* | [threat name not captured] | Collection of Python classes to construct/manipulate network protocols
5* | [threat name not captured] | Open source tool that dumps credentials using various techniques
5* | [threat name not captured] | Dropper/downloader, often distributed through search engine redirects
7* | [threat name not captured] | Open source tool used to identify attack paths and relationships in Active Directory
7* | CrackMapExec | Post-exploitation tool used to audit and assess security in Active Directory environments; leverages Impacket and PowerSploit
7* | [threat name not captured] | Malware family used as part of a botnet. Some variants are worms and frequently spread via infected USB drives
7* | Metasploit framework | Penetration testing framework used to probe systematic vulnerabilities on networks and servers and conduct post-exploitation activity on compromised hosts
7* | NetSupport Manager | Legitimate remote access tool (RAT) that can be used as a trojan by adversaries to remotely control victim endpoints for unauthorized access

⬆ = trending up from previous month
⬇ = trending down from previous month
➡ = no change in rank from previous month

*Denotes a tie

Observations on trending threats

SocGholish kicks off 2023 in the top spot of our trending threat list, its first time at number 1 since March 2022. SocGholish is no stranger to our top 10, but this jump represents a significant increase in SocGholish activity compared to the latter half of 2022. Other researchers also reported seeing a January spike in SocGholish activity. This is likely due to several factors, including expanding SocGholish infrastructure and large-scale campaigns taking place at the end of 2022 and carrying into 2023.
While SocGholish was more active, the overall threat volume we observed was down in January 2023 compared to other months, which is not unexpected. January is often a quieter month for malware due to various factors, including the holiday season. The reduced threat volume may explain why several threats that are not often in our top 10, including CrackMapExec and NetSupport Manager, made the list in January.

IcedID back in the top 10 for the first time since 2021

IcedID tied with Raspberry Robin for the number 2 spot in January 2023, which is the first time IcedID has cracked Red Canary’s top 10 since April 2021. IcedID is a trojan used to steal sensitive information by creating a proxy that intercepts the victim’s browsing traffic. It has been leveraged by adversaries as a primary payload, as well as a secondary payload dropped by other malware families like Emotet and Qbot. This means we sometimes see and detect IcedID directly, and sometimes we see and detect the IcedID delivery vehicles chosen by adversaries. For example, in November 2022 Emotet ranked fifth in our top 10 list due to a large-scale Emotet campaign that was dropping IcedID as a secondary payload. Since Red Canary detected Emotet before it could deploy IcedID, IcedID appeared to be less common than it actually was at the time.

Some additional observations on recent IcedID activity:

  • IcedID distributors made a significant change in their methodology at the end of 2022, shifting from more traditional phishing emails to search engine optimization (SEO) poisoning and malvertising.
  • In mid-January a new wave of IcedID activity began after a holiday season hiatus.
  • IcedID is currently being leveraged as a primary payload as opposed to a secondary payload.

IcedID can deliver additional malicious payloads, including ransomware. If IcedID is in your environment, it may be helpful to isolate the victim endpoint while you investigate. As you investigate the infected system, take care to delete not only malicious files but any scheduled tasks IcedID may have created to maintain persistence.

Detection opportunity: Scheduled task persistence from the roaming folder with no command-line arguments

The following pseudo-detection analytic looks for scheduled tasks executing from the Users folder. Tasks executing with no command-line arguments are more likely to be malicious. To reduce noise, you will likely need to create exceptions for any approved applications in your environment that have this behavior.

process == (taskeng, svchost)

&&

process_path_includes == (users, appdata\roaming)

&&

has_empty_command_line
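The pseudo-analytic above rendered as runnable detection logic over constructed sample process events. This is an added example, not Red Canary's own code; it reads the first clause as the task-launching parent (taskeng.exe or the Schedule service in svchost.exe), requires both Users and AppData\Roaming in the image path, treats a command line that carries nothing beyond the image path as empty, and includes the approved-application exceptions the text recommends (the application names and paths are constructed).

```python
import re
from pathlib import PureWindowsPath

# Task Scheduler launches tasks through taskeng.exe (older Windows) or the
# Schedule service in svchost.exe; the analytic's first clause is read as
# that parent (an assumption about the pseudo-analytic's intent).
TASK_PARENTS = {"taskeng.exe", "svchost.exe"}
ROAMING_MARKERS = ("\\users\\", "\\appdata\\roaming\\")
# Exceptions for approved applications that legitimately run this way
# (constructed name; tune to your environment).
APPROVED_IMAGES = {"approvedsync.exe"}

def has_empty_command_line(cmdline: str, path: str) -> bool:
    """True when the command line is empty or is only the image path (no arguments)."""
    cmd = cmdline.strip()
    if not cmd:
        return True
    # Peel off the (possibly quoted) executable token and keep whatever follows.
    m = re.match(r'^"([^"]+)"\s*(.*)$', cmd) or re.match(r'^(\S+)\s*(.*)$', cmd)
    image, rest = m.group(1).lower(), m.group(2)
    return rest == "" and image in (path.lower(), PureWindowsPath(path).name.lower())

def matches_roaming_task(event: dict) -> bool:
    """Apply the pseudo-analytic, then the approved-application exceptions."""
    parent, path = event["parent"].lower(), event["path"].lower()
    if parent not in TASK_PARENTS:
        return False
    if not all(marker in path for marker in ROAMING_MARKERS):
        return False
    if PureWindowsPath(path).name in APPROVED_IMAGES:
        return False
    return has_empty_command_line(event["cmdline"], event["path"])

def detect(events: list) -> list:
    """Return the image paths of the events the analytic would alert on."""
    return [e["path"] for e in events if matches_roaming_task(e)]

# Constructed sample events (not real telemetry): parent, image path, command line.
SAMPLE_EVENTS = [
    {"parent": "svchost.exe", "path": r"C:\Users\alice\AppData\Roaming\Wqmnlz\updater.exe",
     "cmdline": r'"C:\Users\alice\AppData\Roaming\Wqmnlz\updater.exe"'},         # bare task: alert
    {"parent": "taskeng.exe", "path": r"C:\Users\alice\AppData\Roaming\Wqmnlz\updater.exe",
     "cmdline": r'"C:\Users\alice\AppData\Roaming\Wqmnlz\updater.exe" --check'},  # has arguments
    {"parent": "svchost.exe", "path": r"C:\Users\bob\AppData\Roaming\ApprovedSync\ApprovedSync.exe",
     "cmdline": "ApprovedSync.exe"},                                               # approved app
    {"parent": "explorer.exe", "path": r"C:\Users\bob\AppData\Roaming\Tools\helper.exe",
     "cmdline": "helper.exe"},                                                      # not a task launch
]
```

Only the first sample event fires; the others show the three ways the analytic stays quiet (arguments present, approved application, parent is not the Task Scheduler).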

OneNote used to deliver malicious attachments

In January 2023, Red Canary and other security researchers began to see adversaries leveraging OneNote attachments to deliver several different malware families, including AsyncRAT, Quasar RAT, RedLine, and Qbot.

Last year, after Microsoft started blocking macros by default, threat actors began using container files like disk images (.iso) and compressed archives like .zip files to deliver their malicious payloads. In late 2022, Microsoft and 7-Zip issued security updates making those file types harder for adversaries to use successfully. The recent migration to OneNote as a delivery vehicle may be related to those security updates.

In January 2023 we directly observed RedLine and an ongoing Qbot campaign using OneNote attachments in their phishing emails. A frequent intrusion flow we have observed is as follows:

  • The threat actor sends an email, sometimes with a theme related to business, such as invoices or taxes.
  • The phishing email has a malicious .one file attached; when opened, the OneNote document prompts the user to interact again to view/open the file.
  • User interaction opens and executes an HTML Application file (.hta), a Batch script file (.bat), or PowerShell script file (.ps1).
  • These scripts execute commands that download additional malicious payloads.

OneNote continues to be leveraged by adversaries in February to deliver Qbot, IcedID, and more.

There are a number of detection opportunities in this attack path, including analytics that detect malicious script activity and analytics for the delivered payloads, but it’s ideal to detect the initial suspicious OneNote activity before the scripts or payloads execute.

Detection opportunity: OneNote spawning suspicious child processes

The following pseudo-detection analytic identifies OneNote as the parent process of suspicious child processes. This is not a new type of analytic; analytics of this kind have historically been useful for detecting suspicious Excel child processes, and the same logic can be leveraged to detect suspicious OneNote activity. This pseudo-analytic would need to be updated as adversaries change which processes they start from OneNote, so an alternative option is to detect any child process spawned from Office applications.

parent_process == (onenote.exe)

&&

process == (cmd)
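Both variants described above, the strict OneNote-to-cmd analytic and the broader any-child-of-Office option, as an added example that is not Red Canary's code. It goes slightly beyond the page's rule by also treating the interpreters for the .hta, .bat and .ps1 files described earlier (mshta, cmd, powershell) and the script hosts as suspicious children; the Office parent list, expected-child exception list and sample events are constructed assumptions.

```python
from pathlib import PureWindowsPath

# Strict mode: the page's analytic (onenote.exe parent, cmd child), widened to
# the interpreters for the .hta/.bat/.ps1 files the post describes OneNote
# launching, plus the Windows script hosts.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                       "wscript.exe", "cscript.exe"}
# Broad mode: any child of an Office application, minus children Office is
# expected to spawn (constructed exception list; tune it to your telemetry).
OFFICE_PARENTS = {"onenote.exe", "excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
EXPECTED_CHILDREN = {"splwow64.exe", "werfault.exe"}

def image_name(path: str) -> str:
    """Normalise a full image path to its lower-case file name."""
    return PureWindowsPath(path).name.lower()

def matches(event: dict, broad: bool = False) -> bool:
    """Strict mode mirrors the pseudo-analytic; broad mode alerts on any
    unexpected child of an Office parent."""
    parent, child = image_name(event["parent_path"]), image_name(event["path"])
    if broad:
        return parent in OFFICE_PARENTS and child not in EXPECTED_CHILDREN
    return parent == "onenote.exe" and child in SUSPICIOUS_CHILDREN

def detect(events: list, broad: bool = False) -> list:
    """Return (parent, child) image-name pairs the analytic would alert on."""
    return [(image_name(e["parent_path"]), image_name(e["path"]))
            for e in events if matches(e, broad)]

# Constructed sample process-creation events (not real telemetry).
OFFICE16 = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [
    {"parent_path": OFFICE16 + r"\ONENOTE.EXE", "path": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\invoice.bat"'},
    {"parent_path": OFFICE16 + r"\ONENOTE.EXE", "path": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\alice\AppData\Local\Temp\open.hta"'},
    {"parent_path": OFFICE16 + r"\EXCEL.EXE",
     "path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Users\alice\AppData\Local\Temp\run.ps1"},
    {"parent_path": OFFICE16 + r"\ONENOTE.EXE", "path": r"C:\Windows\splwow64.exe",
     "cmdline": "splwow64.exe 12288"},                       # printing helper: expected
    {"parent_path": r"C:\Windows\explorer.exe", "path": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},                                   # not an Office parent
]
```

Strict mode flags the two OneNote events; broad mode additionally catches the Excel-to-PowerShell event while still ignoring the expected print helper.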
