Each month, the Intel team provides Red Canary customers with an analysis of trending, emerging, or otherwise important threats that we’ve encountered in confirmed threat detections, intelligence reporting, and elsewhere over the preceding month. We call this report our “Intelligence Insights” and share a public version of it with the broader infosec community.
Highlights
To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months. Here’s how the numbers shook out for June 2022:
June rank | Threat name | Threat description
---|---|---
⬆ 1 | Qbot | Banking trojan focused on stealing user data and banking credentials; delivered through phishing, existing Emotet infections, and malicious Windows Installer (MSI) packages
⬇ 2 | | Open source tool that dumps credentials using various techniques
⬇ 3 | | Collection of Python classes to construct/manipulate network protocols
⬆ 4 | | Open source tool used to identify attack paths and relationships in Active Directory
⬆ 5* | Emotet | Modular banking trojan that primarily functions as a downloader or dropper of other malware; focused on stealing user data and banking credentials; typically distributed through email
⬇ 5* | | Dropper/downloader, often distributed through search engine redirects
⬇ 7 | | Penetration testing tool that integrates functionality from multiple offensive security projects; can extend its functionality with a native scripting language
⬆ 8* | | Malware family used as part of a botnet. Some variants are worms and frequently spread via infected USB drives
⬇ 8* | | Activity cluster using a worm spread by external drives that leverages Windows Installer to download a malicious DLL
⬆ 8* | SocGholish | Dropper/downloader that uses compromised WordPress sites to redirect users to adversary infrastructure posing as necessary browser updates to trick users into running malicious code

⬆ = trending up from previous month
⬇ = trending down from previous month
➡ = no change in rank from previous month
* Denotes a tie
Observations on trending threats
June saw some big changes in our top ten prevalent threats for the month. Qbot jumped to the number one spot after a major resurgence in activity. Another big mover this month was Emotet, which climbed from one of our top 20 threats in May to a tie for 5th place in June. SocGholish also moved up a few spots for a place in the top ten, while Yellow Cockatoo slipped off the list, continuing the seesaw pattern between SocGholish and Yellow Cockatoo that we’ve seen before (though we aren’t aware of any causal relationship between these two threats).
Red Canary Chatter on the Intel Team
We spend a lot of time talking to each other on this team. Here are some of our hot topics on Slack this June!
As you can see in the trends table, Qbot returned in a big way. Qbot operators were making small changes to their malicious loaders almost every day during the first half of June. Our detection analytics quickly catch Qbot behavior, but ideally Red Canary wants to detect threats like Qbot before they have any opportunity to execute at all. There was a ton of great work across teams this month to make sure Qbot was seen and stopped as quickly as possible in spite of the many changes. The Red Canary Intel team uses both internal detections and OSINT from researchers to stay up to date on rapidly changing threats.
BumbleBee is all the buzz
On June 28, Red Canary tweeted about BumbleBee. BumbleBee is a loader used by adversaries to deliver one of several payloads, including Cobalt Strike, Meterpreter (a component of Metasploit), or Sliver, an adversary emulation tool that adversaries started leveraging in October 2021.
BumbleBee is known for rapidly changing its TTPs, and in June we observed BumbleBee DLLs being delivered via IMG attachments. An LNK file within the IMG leveraged odbcconf.exe (the Windows Open Database Connectivity utility) instead of rundll32.exe to execute the BumbleBee DLL. While odbcconf.exe is a known “living off the land” binary that can execute DLL files, it’s not commonly seen in the wild. Prior to this, Red Canary had only seen this tradecraft used by red teams and Raspberry Robin.
Detection opportunity: odbcconf.exe loading DLLs
The following pseudo-detection analytic looks for odbcconf.exe loading a configuration file or DLL. The /A flag specifies an action, /F uses a response file, and /S runs in silent mode. odbcconf.exe running regsvr actions in silent mode could indicate misuse.
process == odbcconf.exe
&&
command_line_includes == regsvr
&&
command_line_includes (/f || -f || /a || -a || /s || -s)
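As an added example (not Red Canary's own analytic code), here is the pseudo-analytic above implemented in Python over constructed process-creation events; the event field names, hosts and paths are assumptions. It also pulls out the DLL handed to the REGSVR action so a hit arrives with something to triage.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (not Red Canary's own analytic code): the page's pseudo-analytic
# for odbcconf.exe, run over constructed process-creation events. Field names
# are assumptions; any EDR/Sysmon process event can be mapped onto them.

@dataclass
class ProcessEvent:
    host: str
    image: str          # path of the executed binary, as logged by the sensor
    command_line: str

# /f, /a, /s (or -f, -a, -s) as standalone tokens, case-insensitive
FLAG_PATTERN = re.compile(r"(?:^|\s)[/-][fas](?=\s|$)", re.IGNORECASE)
# the DLL handed to the REGSVR action, e.g. /A {REGSVR C:\path\to\file.dll}
REGSVR_TARGET = re.compile(r"\{\s*regsvr\s+([^}]+)\}", re.IGNORECASE)

def image_basename(image: str) -> str:
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()

def matches_odbcconf_analytic(event: ProcessEvent) -> bool:
    """True when process == odbcconf.exe, the command line contains 'regsvr'
    and at least one of the /f, /a, /s flags (or their '-' forms) is present."""
    if image_basename(event.image) != "odbcconf.exe":
        return False
    if "regsvr" not in event.command_line.lower():
        return False
    return FLAG_PATTERN.search(event.command_line) is not None

def regsvr_target(command_line: str) -> Optional[str]:
    """Extract the DLL path passed to REGSVR for triage; None if absent."""
    m = REGSVR_TARGET.search(command_line)
    return m.group(1).strip() if m else None

def scan(events: List[ProcessEvent]) -> List[Tuple[str, Optional[str]]]:
    """Return (host, registered DLL) for every event the analytic flags."""
    return [(e.host, regsvr_target(e.command_line))
            for e in events if matches_odbcconf_analytic(e)]

# Constructed sample telemetry; hosts and paths are made up for this example.
SAMPLE_EVENTS = [
    ProcessEvent("ws01", r"C:\Windows\System32\odbcconf.exe",
                 r"odbcconf.exe /S /A {REGSVR C:\Users\Public\example.dll}"),
    ProcessEvent("ws02", r"C:\Windows\System32\odbcconf.exe",
                 r"odbcconf.exe -f C:\Temp\settings.rsp"),     # no regsvr: not flagged
    ProcessEvent("ws03", r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Temp\example.dll,Start"),   # wrong binary: not flagged
    ProcessEvent("ws04", r"C:\Windows\SysWOW64\odbcconf.exe",
                 r"ODBCCONF.EXE /a {REGSVR sqlsrv32.dll}"),     # mixed case still flagged
]

if __name__ == "__main__":
    for host, dll in scan(SAMPLE_EVENTS):
        print(f"{host}: odbcconf.exe REGSVR of {dll}")
```

A hit is a lead rather than a verdict: ODBC driver installers can legitimately use the REGSVR action, so the extracted DLL path (for instance one under a user-writable directory) and the parent process are the usual next pivots.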