Each month, the Intel team provides Red Canary customers with an analysis of trending, emerging, or otherwise important threats that we’ve encountered in confirmed threat detections, intelligence reporting, and elsewhere over the preceding month. We call this report our “Intelligence Insights” and share a public version of it with the broader infosec community.
Highlights
To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months.
Here’s how the numbers shook out for May 2023:
| Last month's rank | Threat name | Threat description |
|---|---|---|
| Last month's rank: ⬆ 1 | Threat name: | Threat description: Collection of Python classes to construct/manipulate network protocols |
| Last month's rank: ⬆ 2 | Threat name: | Threat description: Open source tool that dumps credentials using various techniques |
| Last month's rank: ⬆ 3 | Threat name: | Threat description: Malware family used as part of a botnet. Some variants are worms and frequently spread via infected USB drives |
| Last month's rank: ⬆ 4 | Threat name: | Threat description: Banking trojan focused on stealing user data and banking credentials; delivered through phishing, existing Emotet infections, and malicious Windows Installer (MSI) packages |
| Last month's rank: ⬆ 5* | Threat name: TA570 | Threat description: Malware delivery affiliate named by Proofpoint that commonly conducts Qbot campaigns, using the names of U.S. presidents in its malware configuration campaign identifiers |
| Last month's rank: ⬆ 5* | Threat name: | Threat description: Dropper/downloader that uses compromised WordPress sites to redirect users to adversary infrastructure posing as necessary browser updates to trick users into running malicious code |
| Last month's rank: ⬇ 7* | Threat name: | Threat description: Activity cluster using a worm spread by external drives that leverages Windows Installer to download a malicious DLL |
| Last month's rank: ⬇ 7* | Threat name: TA577 | Threat description: Malware delivery affiliate named by Proofpoint that commonly conducts Qbot and IcedID campaigns, using letter pairs like "TR" and "BB" in its malware configuration campaign identifiers |
| Last month's rank: ⬆ 9* | Threat name: Ducktail | Threat description: Stealer designed to steal browser data from Brave, Edge, Chrome, and Firefox, specifically targeting active authentic Facebook sessions with the goal of hijacking Facebook business accounts if the victim has access |
| Last month's rank: ⬇ 9* | Threat name: Ippedo | Threat description: USB worm that can include a function to download and execute arbitrary binaries |
| Last month's rank: ⬆ 9* | Threat name: NetSupport Manager | Threat description: Legitimate remote access tool (RAT) that can be used as a trojan by adversaries to remotely control victim endpoints for unauthorized access |
⬆ = trending up from previous month
⬇= trending down from previous month
➡ = no change in rank from previous month
*Denotes a tie
Observations on trending threats
This month’s top two threats are Impacket at number one and Mimikatz at number two. This is likely due to malicious use combined with unconfirmed testing activity in May, which results in a higher volume than other threats we don’t see used in testing. Qbot activity increased to claim spot number four while its known delivery affiliate, TA570, jumped back into the top 10 to tie at number five with SocGholish. Raspberry Robin fell from number two to seven, a drop that is due to the increased volume of other higher-ranked threats as opposed to a dramatic decrease in Raspberry Robin activity. Ducktail, a browser data stealer, is a newcomer to our top 10 list and landed in a three-way tie for spot number nine with Ippedo and NetSupport Manager.
Ducktail and cover
Ducktail is an information stealer observed in the wild since at least early 2021. Here at Red Canary we saw increased activity in May 2023, enough for Ducktail to make its first appearance in our top 10 this month. The adversaries behind Ducktail have multiple goals; one is to hijack access to LinkedIn or Facebook business accounts, and another is to steal sensitive information from victim systems. Accordingly, the malware includes design choices and capabilities to facilitate that goal.
Ducktail operators target victims that might have Facebook business account access. Researchers reported in May that many recent targeted victims worked in HR and marketing departments. The adversaries send malicious links to potential victims via social media and messaging applications like LinkedIn and WhatsApp. They use social engineering to trick victims into interacting with the malicious links that download and execute Ducktail malware from file-sharing platforms like Dropbox or iCloud. The initial executable filename is often a string of words relevant to the targeted victim. One example we’ve seen is Calculate_Cumulative_Salary_Based_On_A_Monthly.exe. WithSecure shared another example: new project l'oréal budget business plan.exe.
Once downloaded and executed, Ducktail is designed to steal browser cookies and browsing data from Brave, Edge, Chrome, and Firefox. It can also take screenshots of the victim system. Ducktail uses Telegram to send the stolen data and information back to the operators. If Ducktail finds active Facebook session cookies, it will search for and steal additional information related to the Facebook account. If the Facebook account is associated with a business, the adversaries will attempt to give themselves administrative access in order to hijack the account.
As always, security professionals should educate users to be wary of opening links or downloading files from unknown sources. Malicious links can be shared using social media and messaging applications, not only via the better-known avenue of phishing emails. One way Ducktail gains access to browser information and cookies is by opening the victim’s browser in headless mode, meaning the browser runs in the background without a visible GUI. This parameter gives us a detection opportunity.
Detection opportunity: Chromium-based headless browsers being used to download files
The following pseudo-detection analytic looks for Chromium-based browsers opening with the headless parameter and subsequently downloading files from a remote location. While developers may use headless browsers to download files, it is an unusual way to do so. This analytic can help identify Ducktail as well as other suspicious activity.
process == (chrome.exe, msedge.exe)
&&
command_line_includes == (--headless, -–dump-dom, http)