⬆ = trending up from previous month
⬇ = trending down from previous month
➡ = no change in rank from previous month
*Denotes a tie
Observations on trending threats
SocGholish kicks off 2023 in the top spot of our trending threat list, its first time at number 1 since March 2022. SocGholish is no stranger to our top 10, but this jump represents a significant increase in SocGholish activity compared to the latter half of 2022. Other researchers also reported seeing a January spike in SocGholish activity. This is likely due to several factors, including expanding SocGholish infrastructure and large-scale campaigns taking place at the end of 2022 and carrying into 2023.
While SocGholish was more active, the overall threat volume we observed was down in January 2023 compared to other months, which is not unexpected. January is often a quieter month for malware due to various factors, including the holiday season. The reduced threat volume may explain why several threats that are not often in our top 10, including CrackMapExec and NetSupport Manager, made the list in January.
IcedID back in the top 10 for the first time since 2021
IcedID tied with Raspberry Robin for the number 2 spot in January 2023, which is the first time IcedID has cracked Red Canary’s top 10 since April 2021. IcedID is a trojan used to steal sensitive information by creating a proxy that intercepts the victim’s browsing traffic. It has been leveraged by adversaries as a primary payload, as well as a secondary payload dropped by other malware families like Emotet and Qbot. This means we sometimes see and detect IcedID directly, and sometimes we see and detect the IcedID delivery vehicles chosen by adversaries. For example, in November 2022 Emotet ranked fifth in our top 10 list due to a large-scale Emotet campaign that was dropping IcedID as a secondary payload. Since Red Canary detected Emotet before it could deploy IcedID, IcedID appeared to be less common than it actually was at the time.
Some additional observations on recent IcedID activity:
- IcedID distributors made a significant change in their methodology at the end of 2022, shifting from more traditional phishing emails to search engine optimization (SEO) poisoning and malvertising.
- In mid-January a new wave of IcedID activity began after a holiday season hiatus.
- IcedID is currently being leveraged as a primary payload as opposed to a secondary payload.
IcedID can deliver additional malicious payloads, including ransomware. If IcedID is in your environment, it may be helpful to isolate the victim endpoint while you investigate. As you investigate the infected system, take care to remove not only the malicious files but also any scheduled tasks IcedID may have created to maintain persistence; otherwise the task will simply relaunch the payload.
Detection opportunity: Scheduled task persistence from the roaming folder with no command-line arguments
The following pseudo-detection analytic looks for scheduled tasks executing from the Users folder. A task whose command line is just the binary path, with no command-line arguments, is more likely to be malicious. To reduce noise, you will likely need to create exceptions for any approved applications in your environment that have this behavior.
process == (
process_path_includes == (
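The analytic above, as an added example that is not Red Canary's own code: a small Python implementation run over constructed process-start events. The field names, the check that the parent is the Task Scheduler service (svchost.exe hosting the Schedule service, or taskeng.exe on older Windows), the Roaming-folder path pattern and the exception list entry are all assumptions made for illustration.

```python
# Added example (not Red Canary's analytic): scheduled-task persistence launched
# from a user's Roaming folder with no command-line arguments, run over constructed
# process-start events. Field names, the Schedule-service parent check and the
# allowlist entry are assumptions made for illustration.
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent_process: str        # parent image name, e.g. "svchost.exe"
    parent_command_line: str   # parent's command line as logged
    process_path: str          # full image path of the started process
    command_line: str          # the started process's raw command line


# Matches \Users\<name>\AppData\Roaming\ anywhere in a path (case-insensitive)
ROAMING_RE = re.compile(r"\\users\\[^\\]+\\appdata\\roaming\\", re.IGNORECASE)

# Hypothetical exception list: approved apps that legitimately run this way
APPROVED_SUFFIXES = (
    r"\appdata\roaming\examplecorp\agent.exe",
)


def launched_by_task_scheduler(ev: ProcessEvent) -> bool:
    """Assumption: the Task Scheduler service runs inside svchost.exe (-s Schedule)
    on current Windows and as taskeng.exe on older builds."""
    parent = ev.parent_process.lower()
    if parent == "taskeng.exe":
        return True
    return parent == "svchost.exe" and "schedule" in ev.parent_command_line.lower()


def has_no_arguments(ev: ProcessEvent) -> bool:
    """True when the command line is only the image path, quoted or not."""
    cl = ev.command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        if end == -1:
            return False
        image, rest = cl[1:end], cl[end + 1:]
    else:
        parts = cl.split(None, 1)
        image = parts[0] if parts else ""
        rest = parts[1] if len(parts) > 1 else ""
    return rest.strip() == "" and image.lower() == ev.process_path.lower()


def is_approved(ev: ProcessEvent) -> bool:
    """Exception handling for approved applications (hypothetical entries)."""
    return ev.process_path.lower().endswith(APPROVED_SUFFIXES)


def detect_roaming_task_persistence(events):
    """Return the events that satisfy every condition of the analytic."""
    return [
        ev for ev in events
        if launched_by_task_scheduler(ev)
        and ROAMING_RE.search(ev.process_path)
        and has_no_arguments(ev)
        and not is_approved(ev)
    ]


# Constructed sample telemetry (not real detections)
SCHEDULE_SVC = r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"
SAMPLE_EVENTS = [
    # task running an unknown binary out of Roaming, no arguments: should fire
    ProcessEvent("svchost.exe", SCHEDULE_SVC,
                 r"C:\Users\alice\AppData\Roaming\Xqzv\loader.exe",
                 r'"C:\Users\alice\AppData\Roaming\Xqzv\loader.exe"'),
    # same location but with arguments: outside this analytic's scope
    ProcessEvent("svchost.exe", SCHEDULE_SVC,
                 r"C:\Users\alice\AppData\Roaming\Xqzv\loader.exe",
                 r'"C:\Users\alice\AppData\Roaming\Xqzv\loader.exe" --update'),
    # approved application, excluded by the exception list
    ProcessEvent("svchost.exe", SCHEDULE_SVC,
                 r"C:\Users\alice\AppData\Roaming\ExampleCorp\agent.exe",
                 r"C:\Users\alice\AppData\Roaming\ExampleCorp\agent.exe"),
    # launched by the user from Explorer, not by a scheduled task
    ProcessEvent("explorer.exe", r"C:\Windows\explorer.exe",
                 r"C:\Users\alice\AppData\Roaming\Xqzv\loader.exe",
                 r"C:\Users\alice\AppData\Roaming\Xqzv\loader.exe"),
    # scheduled task from Program Files: not the Users folder
    ProcessEvent("svchost.exe", SCHEDULE_SVC,
                 r"C:\Program Files\Vendor\sync.exe",
                 r'"C:\Program Files\Vendor\sync.exe"'),
    # older Windows, taskeng.exe parent, unquoted image path: should fire
    ProcessEvent("taskeng.exe", r"taskeng.exe {guid}",
                 r"C:\Users\bob\AppData\Roaming\Update\svc.exe",
                 r"C:\Users\bob\AppData\Roaming\Update\svc.exe"),
]

if __name__ == "__main__":
    for hit in detect_roaming_task_persistence(SAMPLE_EVENTS):
        print("suspicious scheduled task:", hit.process_path)
```

The "no arguments" test compares the command line against the logged image path rather than counting tokens, so a quoted path containing spaces is still treated as argument-free, while a trailing switch is enough to drop the event out of scope (that case would need a separate analytic).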
OneNote used to deliver malicious attachments
In January 2023, Red Canary and other security researchers began to see adversaries leveraging OneNote attachments to deliver several different malware families, including AsyncRAT, Quasar RAT, RedLine, and Qbot.
Last year, after Microsoft started blocking macros by default, threat actors began using container files like disk images (.iso) and compressed archives like .zip files to deliver their malicious payloads. In late 2022, Microsoft and 7-Zip issued security updates to Mark-of-the-Web handling that made those file types harder for adversaries to use successfully. The recent migration to OneNote as a delivery vehicle may be related to those security updates.
In January 2023 we directly observed RedLine and an ongoing Qbot campaign using OneNote attachments in their phishing emails. A frequent intrusion flow we have observed is as follows:
- The threat actor sends an email, sometimes with a theme related to business, such as invoices or taxes.
- The phishing email has a malicious .one file attached; when opened, the OneNote document prompts the user to interact again to view/open the file.
- User interaction opens and executes an HTML Application file (.hta), a Batch script file (.bat), or a PowerShell script file (.ps1).
- These scripts execute commands that download additional malicious payloads.
OneNote continues to be leveraged by adversaries in February to deliver Qbot, IcedID, and more.
There are a number of detection opportunities in this attack path, including analytics that detect malicious script activity and analytics for the delivered payloads, but it’s ideal to detect the initial suspicious OneNote activity before the scripts or payloads execute.
Detection opportunity: OneNote spawning suspicious child processes
The following pseudo-detection analytic identifies OneNote as a parent process for suspicious child processes. This is not a new type of analytic; historically, the same logic has been useful for detecting suspicious Excel child processes, and it applies equally to OneNote. This pseudo-analytic would need to be updated as adversaries change which processes they start with OneNote, so an alternative option would be to detect any child processes spawned from Office applications.
parent_process == (
process == (
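Both variants of the analytic above, as an added example that is not Red Canary's own code: the narrow OneNote-parent form and the broader any-Office-child form, run over constructed process-start events. The page supports cmd.exe, mshta.exe and powershell.exe as children (for .bat, .hta and .ps1 scripts); the rest of the child list, the Office parent list, the benign-child exception and the Temp\OneNote\...\Exported path in the sample data are assumptions made for illustration.

```python
# Added example (not Red Canary's analytic): OneNote spawning suspicious child
# processes, run over constructed process-start events. Field names, the child
# list beyond cmd/mshta/powershell, the Office parent list and the benign-child
# allowlist are assumptions made for illustration.
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent_process: str   # parent image name, e.g. "onenote.exe"
    process: str          # child image name, e.g. "mshta.exe"
    command_line: str     # child's command line as logged


# Interpreters the page's intrusion flow uses (cmd for .bat, mshta for .hta,
# powershell for .ps1) plus commonly abused neighbours (assumed additions)
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
    "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
    "curl.exe", "bitsadmin.exe", "msiexec.exe",
}

# The broader variant: any child of an Office application, minus known-benign
OFFICE_PARENTS = {"onenote.exe", "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
BENIGN_OFFICE_CHILDREN = {"splwow64.exe"}   # hypothetical exception (print spooler helper)


def onenote_suspicious_children(events):
    """Narrow analytic: parent is OneNote and child is on the suspicious list."""
    return [
        ev for ev in events
        if ev.parent_process.lower() == "onenote.exe"
        and ev.process.lower() in SUSPICIOUS_CHILDREN
    ]


def office_any_children(events):
    """Broader alternative: any child of an Office app not explicitly allowed.
    Noisier, but it needs no update when adversaries switch binaries."""
    return [
        ev for ev in events
        if ev.parent_process.lower() in OFFICE_PARENTS
        and ev.process.lower() not in BENIGN_OFFICE_CHILDREN
    ]


def triage_summary(ev):
    """One line for an analyst: which script type the Office app handed off."""
    cl = ev.command_line.lower()
    for ext in (".hta", ".bat", ".cmd", ".ps1", ".vbs", ".js"):
        if ext in cl:
            return f"{ev.parent_process} -> {ev.process} ({ext} payload)"
    return f"{ev.parent_process} -> {ev.process}"


# Constructed sample telemetry (not real detections). The Temp\OneNote\16.0\Exported
# location is assumed to be where OneNote writes an embedded file before opening it.
SAMPLE_EVENTS = [
    ProcessEvent("onenote.exe", "mshta.exe",
                 r'mshta.exe "C:\Users\alice\AppData\Local\Temp\OneNote\16.0\Exported\{X}\NT\0\Open.hta"'),
    ProcessEvent("onenote.exe", "cmd.exe",
                 r'cmd.exe /c "C:\Users\alice\AppData\Local\Temp\OneNote\16.0\Exported\{Y}\NT\0\invoice.bat"'),
    ProcessEvent("onenote.exe", "powershell.exe",
                 r"powershell.exe -w hidden -ep bypass -f C:\Users\alice\AppData\Local\Temp\note.ps1"),
    ProcessEvent("onenote.exe", "splwow64.exe", r"C:\Windows\splwow64.exe 8192"),
    ProcessEvent("winword.exe", "powershell.exe", r"powershell.exe -enc AAAA"),
    ProcessEvent("explorer.exe", "cmd.exe", r"cmd.exe /c dir"),
]

if __name__ == "__main__":
    for hit in onenote_suspicious_children(SAMPLE_EVENTS):
        print(triage_summary(hit))
```

Running the narrow form flags the three OneNote-launched interpreters and ignores the printing helper; the broad form additionally catches the Word-launched PowerShell, which is the trade-off the text describes: fewer rule updates in exchange for more tuning of exceptions.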