Skip Navigation
Get a Demo
 
 
 
 
 
 
 
 
 
Resources Blog Threat intelligence

Intelligence Insights: June 2022

Red Canary detected an increase of overall threat volume, with Impacket and Mimikatz appearing in customer environments most often.

The Red Canary Team
Originally published . Last modified .

Each month, the Intel team provides Red Canary customers with an analysis of trending, emerging, or otherwise important threats that we’ve encountered in confirmed threat detections, intelligence reporting, and elsewhere over the preceding month. We call this report our “Intelligence Insights” and share a public version of it with the broader infosec community.

Highlights

To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months. Here’s how the numbers shook out for May 2022:

May rankThreat nameThreat Description
May rank:

1*

Threat name:Threat Description :

Collection of Python classes to construct/manipulate network protocols

May rank:

1*

Threat name:Threat Description :

Open source tool that dumps credentials using various techniques

May rank:

3

Threat name:Threat Description :

Dropper/downloader, often distributed through search engine redirects

May rank:

4

Threat name:Threat Description :

Malware family used as part of a botnet. Some variants are worms and frequently spread via infected USB drives

May rank:

5*

Threat name:Threat Description :

Open source tool used to identify attack paths and relationships in Active Directory

May rank:

5*

Threat name:Threat Description :

Penetration testing tool that integrates functionality from multiple offensive security projects and leverages a native scripting language

May rank:

5*

Threat name:Threat Description :

Activity cluster using a worm spread by external drives that leverages Windows Installer to download a malicious DLL

May rank:

8

Threat name:

Metasploit

Threat Description :

Penetration testing framework with a robust set of tools for exploiting vulnerabilities and executing code on a remote target machine

May rank:

9*

Threat name:Threat Description :

Banking trojan focused on stealing user data and banking credentials; delivered through phishing, existing Emotet infections, and malicious Windows Installer (MSI) packages

May rank:

9*

Threat name:Threat Description :

Malware family associated with ad fraud activity through the distribution of adware applications

May rank:

9*

Threat name:Threat Description :

Activity cluster characterized by the delivery of an information stealer and .NET RAT via search engine redirects

= trending up from previous month
= trending down from previous month
➡ = no change in rank from previous month

*Denotes a tie

Observations on trending threats

Overall threat volume increased slightly in May, with 13.3 percent of Red Canary customers encountering at least one named threat (up from 12.7% in April, but still below March’s 14.3% mark). Despite some typical shuffling, the prevalent threats this month were all within a few spots of last month’s top 10. Notably, after diving a little deeper into the differences between Gootkit and Gootloader, we’ve started to distinguish the more commonly observed Gootloader activity from the less common Gootkit payload. We previously tracked all of this activity under Gootkit, and the historical numbers for Gootloader referenced above reflect both Gootloader and Gootkit activity.

Blog posts published this month 

In May, Red Canary published research on two threats: Raspberry Robin and ChromeLoader. In case you missed them, we’ve provided summaries here as well as links to the full articles.

Raspberry Robin

Raspberry Robin is Red Canary’s name for a cluster of USB worm activity that we’ve been tracking since September 2021. If that name sounds familiar, it might be because we’ve shared information about Raspberry Robin with you in previous Intelligence Insights as it climbed the charts. In early May, we also published a blog on Raspberry Robin with our research on this threat.

Raspberry Robin appears to spread via infected USB drives. When the infected drive is plugged into a system, a shortcut (LNK file) masquerading as a legitimate folder is executed. In its first phase of activity, Raspberry Robin uses msiexec.exe to reach out to a malicious IP address for command and control (C2) communication.


Detection opportunity: msiexec.exe downloading and executing packages

To detect suspicious use of msiexec.exe by Raspberry Robin or other threats, it’s essential to take a look at the command line and the URL. Detecting msiexec.exe making outbound network connections to download and install packages in the command line interface will give you the opportunity to examine the activity and determine if it’s malicious or not.

process == (msiexec)
&&
process_command_line_includes == (http:, https:)
&&
process_command_line_includes == (/q, -q)


Over the past few weeks, we’ve heard from a number of security professionals who have spotted Raspberry Robin in their environments. We continue to monitor, track, and research Raspberry Robin activity and incorporate new information as necessary.

ChromeLoader

ChromeLoader is a pervasive and persistent browser hijacker that modifies its victims’ browser settings and redirects user traffic to advertisement websites. This malware is introduced via an ISO file that baits users into executing it by posing as a cracked video game or pirated movie or TV show. It eventually manifests as a browser extension.

Like most suspicious browser extensions, ChromeLoader is a relatively benign threat that hijacks user search queries and redirects traffic to an advertising site. However, ChromeLoader uses PowerShell to inject itself into the browser and add a malicious extension to it, a technique we don’t see very often (and one that often goes undetected by other security tools). If applied to a higher-impact threat—such as a credential harvester or spyware—this PowerShell behavior could help malware gain an initial foothold and go undetected before performing more overtly malicious activity, like exfiltrating data from a user’s browser session.


Detection opportunity: PowerShell spawning chrome.exe containing load-extension and AppData\Local within the command line

The detection analytic looks for instances of the Chrome browser executable spawning from PowerShell with a corresponding command line that includes appdata\local as a parameter.
parent_process_name == powershell.exe
&&
process_name == chrome.exe
&&
command_line_includes (AppData\Local,load-extension)


For more details and additional opportunities to detect this pushy malvertiser, check out our May blog post.

 

Intelligence Insights: March 2024

 

The rise of Charcoal Stork

 

Intelligence Insights: February 2024

 

Intelligence Insights: January 2024

Subscribe to our blog

 
 
Back to Top