Each month, the Intel team provides Red Canary customers with an analysis of trending, emerging, or otherwise important threats that we’ve encountered in confirmed threat detections, intelligence reporting, and elsewhere over the preceding month. We call this report our “Intelligence Insights” and share a public version of it with the broader infosec community.
Highlights
To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months.
Here’s how the numbers shook out for February 2023:
| Last month's rank | Threat name | Threat description |
|---|---|---|
| Last month's rank: ⬆ 1 | Threat name: | Threat description: Banking trojan focused on stealing user data and banking credentials; delivered through phishing, existing Emotet infections, and malicious Windows Installer (MSI) packages |
| Last month's rank: ⬆ 2 | Threat name: | Threat description: Open source tool that dumps credentials using various techniques |
| Last month's rank: ⬆ 3 | Threat name: TA577 | Threat description: Malware delivery affiliate named by Proofpoint that commonly conducts Qbot and IcedID campaigns, using letter pairs like "TR" and "BB" in its malware configuration campaign identifiers |
| Last month's rank: ⬆ 4 | Threat name: Dock2Master | Threat description: macOS ad fraud activity that has led to downloads of other macOS malware such as Shlayer |
| Last month's rank: ⬇ 5 | Threat name: | Threat description: Activity cluster using a worm spread by external drives that leverages Windows Installer to download a malicious DLL |
| Last month's rank: ⬆ 6* | Threat name: TA570 | Threat description: Malware delivery affiliate named by Proofpoint that commonly conducts Qbot campaigns, using the names of U.S. presidents in its malware configuration campaign identifiers |
| Last month's rank: ⬇ 6* | Threat name: | Threat description: Collection of Python classes to construct/manipulate network protocols |
| Last month's rank: ⬆ 6* | Threat name: | Threat description: Malware family used as part of a botnet. Some variants are worms and frequently spread via infected USB drives |
| Last month's rank: ⬆ 9 | Threat name: Danabot | Threat description: Modular trojan used by multiple adversaries and distributed via phishing campaigns, pirated software, and Fallout Exploit Kit |
| Last month's rank: ⬇ 10* | Threat name: | Threat description: Dropper/downloader that uses compromised WordPress sites to redirect users to adversary infrastructure posing as necessary browser updates to trick users into running malicious code |
| Last month's rank: ⬇ 10* | Threat name: | Threat description: Penetration testing tool that integrates functionality from multiple offensive security projects and has the ability to extend its functionality with a native scripting language |
⬆ = trending up from previous month
⬇= trending down from previous month
➡ = no change in rank from previous month
*Denotes a tie
Observations on trending threats
Qbot—ranked as last year’s number 1 threat in our newly released Threat Detection Report—also takes the number 1 spot in this month’s top 10 after a very active February. We observed Qbot being delivered by multiple affiliate groups that act as initial access brokers, TA577 and TA570 in particular. You’ll see both these threats on our top 10 list this month, with TA577 at number 3 and TA570 tied for 6 with Impacket and Gamarue.
A change in our threat tracking led to a newcomer in the top 10. Coming in at number 4, Dock2Master is a threat that we track as a precursor to Shlayer. In the past, we included it in Shlayer activity, but now we are tracking it separately since we frequently see only Dock2Master with no progression to Shlayer. Dock2Master is macOS fraud activity with a primary goal of showing ads to users or redirecting users to the Dock2Master site.
Our other newcomer to the top 10 list, coming in at number 9, is Danabot. Danabot is a modular banking trojan that saw increased use in February 2023.
Tax-themed phishing emails delivering GuLoader
On February 28, we published an insight detailing the ways adversaries take advantage of tax season to make their phishing campaigns more effective. We saw a specific example last month, with tax-themed phishing emails delivering GuLoader. GuLoader is a malicious downloader that adversaries use to distribute shellcode and deliver follow-on payloads.
In February, we saw Remcos delivered as the payload following GuLoader. Remcos is a remote access tool (RAT) that adversaries use to gain persistent remote access to a victim’s endpoint. After Remcos is successfully installed, adversaries can choose from a number of options, including surveilling the victim system, downloading additional malware, and sending host data back to a command and control (C2) server.
We encourage organizations to make users aware of the specific risk of malware delivery via fake tax and financial documents. Users should be wary of unexpected tax-related emails with attachments, especially those purporting to be from the IRS. If a user opens the phishing attachment, one way to mitigate malicious scripts is to create a Group Policy Object (GPO) to change the default behavior of commonly misused script extensions, making them behave like benign text files that open in Notepad and do not automatically execute.
For more information on this activity, including detailed guidance to create a GPO to change script behavior, see the Intelligence Insight.
Detection opportunity: wscript.exe launching PowerShell
The following detection analytic will identify a script—wscript.exe in this case—launching PowerShell to download and execute a payload. Malicious phishing attachments, including GuLoader attachments, can leverage wscript.exe to load and execute malicious PowerShell commands, ultimately downloading and executing staged payloads if not detected.
parent_process == (wscript.exe)
&&
process == (powershell.exe)
&&
command_includes (“invoke-webrequest” || “iwr”)