⬆ = trending up from previous month
⬇ = trending down from previous month
➡ = no change in rank from previous month
*Denotes a tie
Observations on trending threats
June saw some big changes in our top ten prevalent threats for the month. Qbot jumped to the number one spot after a major resurgence in activity. Another big mover this month was Emotet, which climbed from one of our top 20 threats in May to a tie for 5th place in June. SocGholish also moved up a few spots for a place in the top ten, while Yellow Cockatoo slipped off the list, continuing the seesaw pattern between SocGholish and Yellow Cockatoo that we’ve seen before (though we aren’t aware of any causal relationship between these two threats).
Red Canary Chatter on the Intel Team
We spend a lot of time talking to each other on this team. Here are some of our hot topics on Slack this June!
As you can see in the trends table, Qbot returned in a big way. Qbot operators were making small changes to their malicious loaders almost every day during the first half of June. Our detection analytics quickly catch Qbot behavior, but Red Canary's goal is still to detect threats like Qbot before they have an opportunity to execute at all. There was a ton of great work across teams this month to make sure Qbot was seen and stopped as quickly as possible in spite of the many changes. The Red Canary Intel team uses both internal detections and OSINT from researchers to help us stay up to date on rapidly changing threats.
BumbleBee is all the buzz
On June 28, Red Canary tweeted about BumbleBee. BumbleBee is a loader used by adversaries to deliver one of several payloads, including Cobalt Strike, Meterpreter (a component of Metasploit), or Sliver, an adversary emulation tool that adversaries started leveraging in October 2021.
BumbleBee is known for rapidly changing its TTPs, and in June we observed BumbleBee DLLs being delivered via IMG attachments. An LNK file within the IMG leveraged odbcconf.exe (the Windows Open Database Connectivity utility) instead of rundll32.exe to execute the BumbleBee DLL. While odbcconf.exe is a known “living off the land” binary that can execute DLL files, it’s not commonly seen in the wild. Prior to this, Red Canary has only seen this tradecraft used by red teams and Raspberry Robin.
odbcconf.exe loading DLLs
The following pseudo-detection analytic looks for odbcconf.exe loading a configuration file or DLL. The /A flag specifies an action, /F uses a response file, and /S runs in silent mode. regsvr actions in silent mode could indicate misuse.
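As an added example (not Red Canary's own analytic), here is a minimal Python implementation of that logic run over constructed process command lines: it flags odbcconf.exe invocations whose /A action is regsvr or that supply an /F response file, and records whether /S was also present. The regexes, the Finding structure and the sample paths are assumptions made for this illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Added example, not Red Canary's analytic: flag odbcconf.exe command lines that
# load a DLL (/A {REGSVR ...}) or a response file (/F), and note whether /S
# (silent mode) was also used. Regexes and sample command lines are constructed.

# odbcconf(.exe) as the image name, bare or at the end of a (possibly quoted) path
ODBCCONF_RE = re.compile(r'(^|[\\/"\s])odbcconf(\.exe)?"?(?=\s|$)', re.IGNORECASE)
# /X switches; an argument may be a {...} block, a quoted string or a bare token,
# but never another switch (so "/S /A {...}" leaves /S without an argument)
SWITCH_RE = re.compile(r'/([A-Za-z])(?:\s*(\{[^}]*\}|"[^"]*"|(?!/)\S+))?')


@dataclass
class Finding:
    cmdline: str
    silent: bool
    reasons: List[str] = field(default_factory=list)


def detect_odbcconf(cmdline: str) -> Optional[Finding]:
    """Return a Finding if the command line matches the analytic, else None."""
    if not ODBCCONF_RE.search(cmdline):
        return None
    switches = {m.group(1).upper(): (m.group(2) or "") for m in SWITCH_RE.finditer(cmdline)}
    reasons = []
    action = switches.get("A", "").strip("{}").strip()
    if action.upper().startswith("REGSVR"):
        reasons.append(f"regsvr action loads a DLL: {action}")
    if "F" in switches:
        rsp = switches["F"].strip('"')
        reasons.append(f"response file supplied: {rsp}")
    if not reasons:
        return None  # e.g. DSN configuration actions are routine administration
    return Finding(cmdline, silent="S" in switches, reasons=reasons)


def triage(cmdlines: List[str]) -> List[Finding]:
    return [f for f in map(detect_odbcconf, cmdlines) if f is not None]


# Constructed sample telemetry (paths and file names are made up)
SAMPLE_CMDLINES = [
    r'C:\Windows\System32\odbcconf.exe /S /A {REGSVR C:\Users\Public\Pictures\setup.dll}',
    r'odbcconf.exe /F C:\Users\Public\update.rsp /S',
    r'odbcconf.exe /A {CONFIGSYSDSN "SQL Server" "DSN=Sales"}',
    r'rundll32.exe C:\Users\Public\Pictures\setup.dll,DllRegisterServer',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        print(("SILENT " if f.silent else "") + f.cmdline, "->", "; ".join(f.reasons))
```

Only the first two sample lines are flagged; the DSN configuration call and the rundll32.exe line are left alone, which is the baseline a real analytic would then tune against an environment's own odbcconf.exe usage.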