⬆ = trending up from previous month
⬇ = trending down from previous month
➡ = no change in rank from previous month
*Denotes a tie
Observations on trending threats
In this month’s top 10 most prevalent threats, Impacket and Mimikatz held on to their spots at number 1 and 2 respectively. Several of our other usual suspects carried over from last month to make an appearance, including Yellow Cockatoo, which moved up from 4th to tie for 3rd with our newcomer Denim Drongo. Charcoal Stork and Scarlet Goldfinch increased in placement, both jumping from a shared tie for 9th to tie each other for 5th.
We have two newcomers to the top 10: Denim Drongo—a Red Canary cluster making its public debut—and FIN7, a prolific financially motivated threat group.
Introducing Denim Drongo
Denim Drongo is Red Canary’s name for an activity cluster we first saw in late 2022 and have been tracking since. This is the first time it has made our top 10 threat list. This cluster delivers a modified version of legitimate accounting software and attempts to extort users into paying fees to “fix” errors in the illegitimate installation.
Denim Drongo’s initial access occurs via an ad masquerading as a legitimate QuickBooks installer. The first stage of the installer typically has a name like QuickBooks Setup.msi. The exact filename may vary, but Denim Drongo has consistently used Intuit QuickBooks as a theme. After the MSI executes, additional binaries are dropped, often with a name like QuickBooksDownloder.exe—note the missing a from the word Downloader in the filename—and IntuitDownloadManager.exe. The legitimate installation path for QuickBooks is C:\Users\Public\Public Documents\Intuit\QuickBooks\. Denim Drongo will sometimes use that directory, but has also been seen using subfolders of either C:\Users\Public\Documents\ or C:\Users\Public\Libraries. The Denim Drongo binaries may make network connections to domain names masquerading as an Intuit domain, for example lntuitquickbooks[.]com—the first letter of this domain is an l, not an
When executed, the malware mimics legitimate installation steps, including a prompt requesting user contact information like their name, email, and phone number. Once installed, the malware allows victims to use the illegitimate version of QuickBooks for a period of time, but then will execute a command to kill all running QuickBooks processes, after which it pops up an error message prompting the user to call a fake Intuit Technical Support number. According to a thread on Reddit, if you call the number, the scammers demand $800-$2,000 to fix the error.
FIN7 MSIXs it up
FIN7 is a financially motivated threat group that has been active since at least 2015. Some teams use the name FIN7 interchangeably with Carbanak Group, since both use Carbanak malware, but here at Red Canary we track them separately. FIN7 has used a number of TTPs and tools over the years, including Carbanak malware, Cobalt Strike, and more. FIN7 activity has been observed prior to the deployment of ransomware as well as data theft and extortion attacks, though researchers have not definitively linked the group to these activities.
The Red Canary Intelligence and Threat Hunting teams recently did a deep dive into threats leveraging MSIX files to deliver malware, and one of those threats is FIN7. The cluster of activity we’ve observed uses the MSIX-PackageSupportFramework tool to create malicious MSIX files with embedded PowerShell scripts. The scripts are designed to execute malware such as POWERTRASH, Carbanak, and NetSupport Manager via process injection. NetSupport Manager, not coincidentally, made our top 10 list this month, both as part of this activity cluster and as a payload delivered by Scarlet Goldfinch.
Red Canary published a blog post on January 12, 2024 sharing our MSIX investigation findings, including details on FIN7’s use of MSIX files and the other clusters we observed. We share a number of detection opportunities and IOCs, including the one below that looks for NetSupport running in unexpected locations.
Detection opportunity: NetSupport running from unexpected directory
Under normal circumstances, you should expect NetSupport Manager to run from the program files directory. If you find NetSupport Manager—often identifiable as client32.exe—running outside the program files directory, particularly from the programdata directory, then it’s worth investigating. In instances where an adversary like FIN7 delivered NetSupport Manager as a follow-on payload, it is frequently observed running from a suspicious location like programdata or a user’s directory.
process == (
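The detection opportunity above as an added worked example, not Red Canary’s own detection logic: a Python check over constructed process-start events that flags client32.exe running outside Program Files and labels hits that come from ProgramData or a user profile directory. The event fields and sample paths are assumptions for illustration.

```python
import ntpath
import re

# Constructed sample process-start telemetry (not from the original post).
SAMPLE_EVENTS = [
    {"process": r"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe", "user": "CORP\\jdoe"},
    {"process": r"C:\ProgramData\Office Update\client32.exe", "user": "CORP\\jdoe"},
    {"process": r"C:\Users\jdoe\AppData\Roaming\Intuit\client32.exe", "user": "CORP\\jdoe"},
    {"process": r"C:\Windows\System32\svchost.exe", "user": "NT AUTHORITY\\SYSTEM"},
    {"process": r"c:\program files\netsupport manager\CLIENT32.EXE", "user": "CORP\\admin"},
]

# NetSupport Manager's client binary, as named in the post.
NETSUPPORT_BINARIES = {"client32.exe"}

# Expected install location: Program Files or Program Files (x86) on any drive.
EXPECTED_DIR_RE = re.compile(r"^[a-z]:\\program files( \(x86\))?\\")

# Locations the post calls out as suspicious for a follow-on NetSupport payload.
SUSPICIOUS_DIR_RES = [
    (re.compile(r"^[a-z]:\\programdata\\"), "programdata"),
    (re.compile(r"^[a-z]:\\users\\"), "user directory"),
]


def normalize(path):
    """Lower-case and use backslashes so prefix matching is case/separator-insensitive."""
    return path.replace("/", "\\").lower()


def classify_netsupport_event(event):
    """Return None for a benign event, or a dict explaining why it is suspicious."""
    path = normalize(event["process"])
    if ntpath.basename(path) not in NETSUPPORT_BINARIES:
        return None  # not NetSupport at all
    if EXPECTED_DIR_RE.match(path):
        return None  # running from Program Files, as expected
    reason = "outside program files"  # generic finding if no known-bad prefix matches
    for pattern, label in SUSPICIOUS_DIR_RES:
        if pattern.match(path):
            reason = f"running from {label}"
            break
    return {"process": event["process"], "user": event["user"], "reason": reason}


def find_suspicious_netsupport(events):
    """Apply the check to a batch of events and keep only the hits."""
    return [hit for hit in map(classify_netsupport_event, events) if hit]
```

Feed it process-start events from your EDR export in the same shape; the Program Files allow-list intentionally does not cover the installer's own staging directories, so tune the expected-directory pattern to what your environment deploys.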