Each month, the Intel team provides Red Canary customers with an analysis of trending, emerging, or otherwise important threats that we’ve encountered in confirmed threat detections, intelligence reporting, and elsewhere over the preceding month. We call this report our “Intelligence Insights” and share a public version of it with the broader infosec community.
Highlights
To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months.
Here’s how the numbers shook out for December 2023:
| Last month's rank | Threat name | Threat description |
|---|---|---|
| Last month's rank: ➡ 1 | Threat name: | Threat description: Collection of Python classes to construct/manipulate network protocols |
| Last month's rank: ➡ 2 | Threat name: | Threat description: Open source tool that dumps credentials using various techniques |
| Last month's rank: ⬆ 3* | Threat name: Denim Drongo | Threat description: Group that leverages installers masquerading as QuickBooks in a scam that attempts to defraud users via fake technical support |
| Last month's rank: ⬆ 3* | Threat name: | Threat description: Activity cluster characterized by the delivery of an information stealer and .NET RAT via search engine redirects |
| Last month's rank: ⬆ 5* | Threat name: | Threat description: Suspected pay-per-install (PPI) provider that uses malvertising to deliver installers, often disguised as cracked games, fonts, or desktop wallpaper |
| Last month's rank: ⬆ 5* | Threat name: | Threat description: Activity cluster that uses a distribution scheme similar to SocGholish and uses JScript files to drop NetSupport Manager onto victim systems |
| Last month's rank: ⬆ 7* | Threat name: | Threat description: Malware family used as part of a botnet. Some variants are worms and frequently spread via infected USB drives |
| Last month's rank: ⬇ 7* | Threat name: | Threat description: Dropper/downloader that uses compromised WordPress sites to redirect users to adversary infrastructure posing as necessary browser updates to trick users into running malicious code |
| Last month's rank: ⬆ 9* | Threat name: FIN7 | Threat description: Financially motivated threat group whose activity has been observed prior to the deployment of ransomware |
| Last month's rank: ⬇ 9* | Threat name: NetSupport Manager | Threat description: Legitimate remote access tool (RAT) that can be used as a trojan by adversaries to remotely control victim endpoints for unauthorized access |
| Last month's rank: ➡ 9* | Threat name: | Threat description: Activity cluster using a worm spread by external drives that leverages Windows Installer to download malicious files |
⬆ = trending up from previous month
⬇= trending down from previous month
➡ = no change in rank from previous month
*Denotes a tie
Observations on trending threats
In this month’s top 10 most prevalent threats, Impacket and Mimikatz held on to their spots at number 1 and 2 respectively. Several of our other usual suspects carried over from last month to make an appearance, including Yellow Cockatoo, which moved up from 4th to tie for 3rd with our newcomer Denim Drongo. Charcoal Stork and Scarlet Goldfinch increased in placement, both jumping from a shared tie for 9th to tie each other for 5th.
We have two newcomers to the top 10: Denim Drongo—a Red Canary cluster making its public debut—and FIN7, a prolific financially motivated threat group.
Introducing Denim Drongo
Denim Drongo is Red Canary’s name for an activity cluster we first saw in late 2022 and have been tracking since. This is the first time it has made our top 10 threat list. This cluster delivers a modified version of legitimate accounting software and attempts to extort users into paying fees to “fix” errors in the illegitimate installation.
Denim Drongo’s initial access occurs via an ad masquerading as a legitimate QuickBooks installer. The first stage of the installer typically has a name like QuickBooks Setup.msi. The exact filename may vary, but Denim Drongo has consistently used Intuit QuickBooks as a theme. After the MSI executes additional binaries are dropped, often with a name like QuickBooksDownloder.exe—note the missing a from the word Downloader in the filename—and IntuitDownloadManager.exe. The legitimate installation path for QuickBooks is C:\Users\Public\Public Documents\Intuit\QuickBooks\. Denim Drongo will sometimes use that directory, but has also been seen using subfolders of either C:\Users\Public\Documents\ or C:\Users\Public\Libraries. The Denim Drongo binaries may make network connections to domain names masquerading as an Intuit domain, for example lntuitquickbooks[.]com—the first letter of this domain is an l, not an i.
When executed, the malware mimics legitimate installation steps, including a prompt requesting user contact information like their name, email, and phone number. Once installed, the malware allows victims to use the illegitimate version of QuickBooks for a period of time, but then will execute a command to kill all running QuickBooks processes, after which it pops up an error message prompting the user to call a fake Intuit Technical Support number. According to a thread on Reddit, if you call the number, the scammers demand $800-$2,000 to fix the error.
FIN7 MSIXs it up
FIN7 is a financially motivated threat group that has been active since at least 2015. Some teams use the name FIN7 interchangeably with Carbanak Group, since both use Carbanak malware, but here at Red Canary we track them separately. FIN7 has used a number of TTPs and tools over the years, including Carbanak malware, Cobalt Strike, and more. FIN7 activity has been observed prior to the deployment of ransomware as well as data theft and extortion attacks, though researchers have not definitively linked the group to these activities.
The Red Canary Intelligence and Threat Hunting teams recently did a deep dive into threats leveraging MSIX files to deliver malware, and one of those threats is FIN7. The cluster of activity we’ve observed uses the MSIX-PackageSupportFramework tool to create malicious MSIX files with embedded PowerShell scripts. The scripts are designed to execute malware via process injection, malware such as POWERTRASH, Carbanak, and NetSupport Manager—which not coincidentally, made our top 10 list this month, both as part of this activity cluster and as a payload delivered by Scarlet Goldfinch.
Red Canary published a blog post on January 12, 2024 sharing our MSIX investigation findings, including details on FIN7’s use of MSIX files and the other clusters we observed. We share a number of detection opportunities and IOCs, including the one below that looks for NetSupport running in unexpected locations.
Detection opportunity: NetSupport running from unexpected directory
Under normal circumstances, you should expect NetSupport Manager to run from the program files directory. If you find NetSupport Manager—often identifiable as client32.exe—running outside the program files directory, particularly from the programdata directory, then it’s worth investigating. In instances where an adversary like FIN7 delivered NetSupport Manager as a follow-on payload, it is frequently observed running from a suspicious location like programdata or a user’s directory.
process == (client32.exe)
&&
path_includes (programdata)