Each month, the Intel team provides Red Canary customers with an analysis of trending, emerging, or otherwise important threats that we’ve encountered in confirmed threat detections, intelligence reporting, and elsewhere over the preceding month. We call this report our “Intelligence Insights” and share a public version of it with the broader infosec community.
To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months.
Top 10 threats table (ranked by the number of unique customer environments in which each threat was observed, with last month's rank shown for comparison). Only fragments of the table survive on this page: one threat description reads “Dropper/downloader, often distributed through search engine redirects,” and the 3LOSH entry reads “Crypter, typically used to package and deliver a remote access tool like AsyncRAT.”
⬆ = trending up from previous month ⬇ = trending down from previous month ➡ = no change in rank from previous month
* Denotes a tie
Observations on trending threats
Our top 10 changed a lot between last month and this month. Several prominent threats fell completely off the list, most notably Qbot, Qbot delivery affiliates TA570 and TA577, and Raspberry Robin. Yellow Cockatoo returned to the top 10 to claim the number 1 spot, its first appearance in the top 10 since August 2022. Yellow Cockatoo, which overlaps with what researchers call the Solarmarker or Jupyter infostealer, reappeared in late May following a hiatus. Its activity continued to increase over the course of June.
Stealc, our number 2 threat and a newcomer to the top 10, was first identified in early 2023. Red Canary saw a wave of Stealc activity in mid-June that affected multiple customer environments. You can read more about Stealc below.
Our two other newcomers to the top 10 this month are AsyncRAT, in a tie for 7th, and 3LOSH, in a tie for 9th. These two threats are related: 3LOSH is a crypter frequently used to package and deliver AsyncRAT, an open-source remote access tool used by a number of adversaries. In the latter half of June we observed a phishing campaign distributing 3LOSH, which dropped AsyncRAT as its payload.
Thou shall not Stealc
In the last half of June, Red Canary observed a surge of Stealc activity in our customer environments. Stealc is an information stealer with marked similarities to other stealers like RedLine, Raccoon, and Vidar. According to the researchers who identified Stealc, it is highly customizable and can target many types of sensitive information including browser data, browser extensions, cryptocurrency wallets, and details from additional applications like email clients.
We saw evidence of search engine optimization (SEO) poisoning being used as the delivery vehicle. SEO poisoning is an initial access technique that tricks users into visiting malicious websites masquerading as legitimate sites returned in search results. After navigating to the site, victims downloaded a Stealc executable with a misleading filename designed to make them think they were downloading a software update. Once running, the Stealc executable reached out to command and control (C2) IP addresses and spawned a cmd.exe clean-up command to delete its own installation files, which gives us a detection opportunity.
The Red Canary Intelligence Team uses different methodologies to conduct analysis, including the tool Synapse from the Vertex Project. As we examined a graph view of the Stealc activity, we were able to connect the disparate IP addresses and malware we observed on different victims based on overlap in one IP address, 77.105.146[.]191. We wanted to share this as an example of how link analysis can help identify connections.
One cluster of Stealc activity observed by Red Canary in June 2023; white nodes represent victim systems
Detection opportunity: cmd.exe command to delete initial installation files
The following pseudo-detection analytic looks for a cmd.exe command that deletes files after an executable completes installation, a behavior we observed from Stealc. After successfully achieving persistence on the endpoint, some types of malware, stealers included, delete their initial install files. Legitimate installers and other scripts may use the same pattern to clean up temporary files, so look for other signs of post-exploitation activity, such as the parent process connecting to C2 infrastructure, to confirm or deny malicious behavior.
process == (cmd.exe)
command_line_includes_all == (timeout, del, /c, &)
In the observed commands, timeout is followed by a number that pauses the command processor for the specified number of seconds; treat that value as a wildcard rather than matching on it.
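As an added example that is not from the original post, here is the analytic above expressed as Python and run over constructed process-creation events (the field names image, command_line and parent_image, and every path in the sample events, are assumptions for illustration). It also adds one enrichment that is not part of the Red Canary analytic: checking whether the file being deleted is the parent process's own image, which separates the self-deletion seen in stealers from ordinary installer clean-up.

```python
"""Pseudo-analytic from the post, as runnable Python (added example, not Red Canary code).

Matches: process is cmd.exe AND command line contains all of timeout, del, /c, &.
Enrichment (assumption, beyond the post's analytic): does the del target equal the
parent process image, i.e. is the parent deleting itself?
"""
import shlex
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str          # path of the launched executable (field name is an assumption)
    command_line: str   # full command line as recorded by the EDR
    parent_image: str   # path of the process that spawned it


REQUIRED_TOKENS = ("timeout", "del", "/c", "&")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def matches_cleanup_analytic(ev: ProcessEvent) -> bool:
    """process == cmd.exe and command_line_includes_all == (timeout, del, /c, &).
    Substring matching, case-insensitive, mirroring the pseudo-analytic."""
    if _basename(ev.image) != "cmd.exe":
        return False
    cl = ev.command_line.lower()
    return all(tok in cl for tok in REQUIRED_TOKENS)


def del_targets(command_line: str):
    """Return the file paths passed to del/erase in a cmd.exe command line.
    Chained commands are split on '&'; switches such as /f /q are skipped."""
    targets = []
    for segment in command_line.split("&"):
        try:
            tokens = shlex.split(segment.strip(), posix=False)  # keep Windows backslashes
        except ValueError:
            continue  # unbalanced quotes: skip this segment
        if not tokens or tokens[0].lower() not in ("del", "erase"):
            continue
        for tok in tokens[1:]:
            if not tok.startswith("/"):
                targets.append(tok.strip('"'))
    return targets


def deletes_parent(ev: ProcessEvent) -> bool:
    """Enrichment: the parent binary is deleting itself (common for stealers, rare for installers)."""
    parent = ev.parent_image.lower()
    return any(t.lower() == parent for t in del_targets(ev.command_line))


def triage(events):
    """Apply the analytic, then annotate each hit with the self-delete enrichment."""
    hits = []
    for ev in events:
        if matches_cleanup_analytic(ev):
            hits.append({
                "parent": ev.parent_image,
                "targets": del_targets(ev.command_line),
                "self_delete": deletes_parent(ev),
            })
    return hits


# Constructed sample events; paths and filenames are invented.
SAMPLE_EVENTS = [
    # Stealer-like: the dropped "update" binary spawns cmd.exe to wait, then delete itself.
    ProcessEvent(
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r'"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\alice\AppData\Local\Temp\ChromeUpdate.exe" & exit',
        parent_image=r"C:\Users\alice\AppData\Local\Temp\ChromeUpdate.exe",
    ),
    # Benign installer: same four tokens, but it removes a temp file rather than itself.
    ProcessEvent(
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r'cmd.exe /c timeout /t 2 & del /q "C:\Users\alice\AppData\Local\Temp\setup_tmp.log"',
        parent_image=r"C:\Program Files\Vendor\setup.exe",
    ),
    # Not a match: no timeout and no command chaining.
    ProcessEvent(
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r'cmd.exe /c del "C:\Users\alice\Documents\old.txt"',
        parent_image=r"C:\Windows\explorer.exe",
    ),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Both the first and second sample events trip the analytic exactly as written; only the first has a del target equal to the parent image, which is the kind of corroborating signal the paragraph above asks for before calling the activity malicious.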
“nOAuth”: an Azure AD application misconfiguration that enables account takeover
In June, researchers from security firm Descope shared their discovery that a handful of widely used applications integrated with Azure Active Directory (AD) improperly validate a user’s identity during authentication, a flaw they named “nOAuth.” The applications, which were not disclosed, identify the signed-in user by the email address claim in the token rather than by the immutable user and tenant identifiers, and the email claim can be set arbitrarily by the user’s home tenant. An adversary who controls an Azure AD tenant can therefore set their own user’s email address to match a victim’s and take over that victim’s account in any misconfigured application that accepts logins from other tenants.
When you log into an application using Azure AD, the identity provider issues a token containing claims about you. This token is like a temporary ID card that proves who you are to the application. Some of those claims, including the email address, are set by your home tenant and are not verified by Azure AD, so they can be changed at will. For example, if an application checks only the email claim to recognize Alice, then Bob, as an administrator of his own tenant, could set his email address to Alice’s, and the application would treat Bob as Alice.
Therefore, if an adversary knows a user’s email address and knows that the user has an account with one of these faulty applications, the adversary can change their own email address in Azure AD to match it. When the adversary logs in, the faulty application grants them full access to the victim user’s account. Multiple applications are affected by this vulnerability. For example, Grafana announced a CRITICAL 9.4 CVSS score for CVE-2023-3128, which tracks this issue in its Azure AD OAuth integration.
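To make the mapping flaw concrete, here is an added example (not code from the Red Canary post, Descope, or any affected application): a toy account lookup for an application that accepts Azure AD logins, with the email-keyed lookup that nOAuth exploits beside a lookup keyed on the tenant ID (tid) and object ID (oid) claims. The account names, tenant and object IDs, and token payloads are constructed for illustration, and the code assumes the token's signature has already been validated by the OIDC library, since nOAuth is a flaw in identity mapping, not in signature checking.

```python
"""Vulnerable vs hardened identity mapping for an Azure AD login (added example).

Scenario (constructed): Alice from tenant A has an account. Bob, an admin of tenant B,
sets his own user's mail attribute to Alice's address and signs in to the same app.
Signature validation of the ID token is assumed to have already succeeded.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    account_id: str
    owner: str


TENANT_A = "11111111-aaaa-4aaa-aaaa-111111111111"   # victim's tenant (constructed GUID)
TENANT_B = "22222222-bbbb-4bbb-bbbb-222222222222"   # attacker-controlled tenant
ALICE_OID = "aaaaaaaa-0001-4000-8000-000000000001"  # immutable object ID of Alice's user
BOB_OID = "bbbbbbbb-0002-4000-8000-000000000002"    # immutable object ID of Bob's user

# The application's user store after Alice signed in for the first time, keyed both ways
# so the two lookups can be compared side by side.
ACCOUNTS_BY_EMAIL = {
    "alice@victim.example": Account("acct-1001", "Alice, tenant A"),
}
ACCOUNTS_BY_TENANT_AND_OID = {
    (TENANT_A, ALICE_OID): Account("acct-1001", "Alice, tenant A"),
}

# Constructed ID-token claim sets as the app would see them after signature validation.
ALICE_CLAIMS = {"tid": TENANT_A, "oid": ALICE_OID, "email": "alice@victim.example", "name": "Alice"}
# Bob's tenant issued a perfectly valid token; only the email value was chosen by Bob.
ATTACKER_CLAIMS = {"tid": TENANT_B, "oid": BOB_OID, "email": "alice@victim.example", "name": "Bob"}


def resolve_account_vulnerable(claims):
    """nOAuth-vulnerable mapping: the email claim is mutable and unverified by Azure AD,
    yet it is treated as the unique identity key."""
    return ACCOUNTS_BY_EMAIL.get(claims.get("email", "").lower())


def resolve_account_hardened(claims):
    """Hardened mapping: key on the (tid, oid) pair, which the home tenant cannot forge
    for another tenant's user. A token missing either claim is refused outright, and an
    email collision from another tenant resolves to no existing account."""
    tid, oid = claims.get("tid"), claims.get("oid")
    if not tid or not oid:
        raise ValueError("token lacks tid/oid claims; refusing to map identity")
    return ACCOUNTS_BY_TENANT_AND_OID.get((tid, oid))


def takeover_succeeds(resolver, claims) -> bool:
    """True if the given resolver hands the attacker's token Alice's account."""
    account = resolver(claims)
    return account is not None and account.account_id == "acct-1001"


if __name__ == "__main__":
    print("email-keyed lookup grants Alice's account to Bob:",
          takeover_succeeds(resolve_account_vulnerable, ATTACKER_CLAIMS))
    print("tid+oid-keyed lookup grants Alice's account to Bob:",
          takeover_succeeds(resolve_account_hardened, ATTACKER_CLAIMS))
```

The hardened lookup resolves Bob's token to no account, so the application would either provision a fresh, empty account for the tenant B user or reject the sign-in, depending on its policy; either way Alice's data stays with (TENANT_A, ALICE_OID). The sub claim is also stable, but it is pairwise per application, so oid plus tid is the portable key when one identity must be recognized across several apps. Email should be treated as display data only unless the token also carries Microsoft's optional xms_edov claim asserting the email domain was verified.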
Red Canary recommends auditing your Azure AD environment for unusual or malicious OAuth applications as well as overly permissive applications, and revoking the access of any you identify. If you develop or operate an application that accepts Azure AD logins, identify users by the immutable oid and tid claims rather than the mutable email claim. We also recommend monitoring security products such as Azure AD Identity Protection for alerts relating to unfamiliar sign-ins or impossible travel, as these are likely to be generated during successful exploitation of this vulnerability. Note that in the cross-tenant case the adversary authenticates to their own tenant, so the relying application's own sign-in records, where an existing account suddenly presents a different tenant ID, are the more direct signal.