Each month, the Intel team provides Red Canary customers with an analysis of trending, emerging, or otherwise important threats that we’ve encountered in confirmed threat detections, intelligence reporting, and elsewhere over the preceding month. We call this report our “Intelligence Insights” and share a public version of it with the broader infosec community.
Highlights
To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months.
Here’s how the numbers shook out for February 2024:
| Last month's rank | Threat name | Threat description |
|---|---|---|
| Last month's rank: ➡ 1 | Threat name: | Threat description : Collection of Python classes to construct/manipulate network protocols |
| Last month's rank: ⬆ 2 | Threat name: | Threat description : Open source tool that dumps credentials using various techniques |
| Last month's rank: ⬇ 3 | Threat name: | Threat description : Dropper/downloader that uses compromised WordPress sites to redirect users to adversary infrastructure posing as necessary browser updates to trick users into running malicious code |
| Last month's rank: ⬆ 4* | Threat name: | Threat description : Information stealer designed to target data within web browsers and locally stored files on macOS systems, with the goal of accessing sensitive information including credentials, payment card data, keychain details, and cryptocurrency wallets |
| Last month's rank: ⬆ 4* | Threat name: AsyncRAT | Threat description : Open source remote access tool with multiple functions including keylogging and remote desktop control |
| Last month's rank: ⬆ 6* | Threat name: | Threat description : Suspected pay-per-install (PPI) provider that uses malvertising to deliver installers, often disguised as cracked games, fonts, or desktop wallpaper |
| Last month's rank: ⬇ 6* | Threat name: | Threat description : Malware family used as part of a botnet. Some variants are worms and frequently spread via infected USB drives |
| Last month's rank: ⬇ 6* | Threat name: | Threat description : JScript dropper/downloader that typically poses as a document containing an "agreement,” often distributed through search engine redirects |
| Last month's rank: ⬆ 6* | Threat name: | Threat description : Malware family capable of a range of behaviors, including DLL side-loading, capturing the screen, and keylogging |
| Last month's rank: ⬆ 6* | Threat name: | Threat description : Activity cluster using a worm spread by external drives that leverages Windows Installer to download malicious files |
| Last month's rank: ⬆ 6* | Threat name: Scarlet Goldfinch | Threat description : Activity cluster that uses a distribution scheme similar to SocGholish and uses JScript files to drop NetSupport Manager onto victim systems |
⬆ = trending up from previous month
⬇= trending down from previous month
➡ = no change in rank from previous month
*Denotes a tie
Observations on trending threats
Impacket remained at number 1 on our top 10 most prevalent threat list for the fourth month in a row. Atomic Stealer made its second-ever appearance in our top 10, tying for 4th with AsyncRAT. PlugX landed in a 6-way tie for 6th place, its first time in the top 10 since May 2023. Yellow Cockatoo, after an active last half of 2023, entered a period of low activity and fell out of the rankings. It’s worth noting, however, that Red Canary and other researchers saw it resume activity in early March.
President’s Day special: 2 for 1 ScreenConnect vulnerabilities
On February 19, ConnectWise released an advisory regarding two critical vulnerabilities in its ScreenConnect remote monitoring and management software. The vulnerabilities—CVE-2024-1709 & CVE-2024-1708—affect only self-hosted or on-premises ScreenConnect servers prior to and including version 23.9.7. Vulnerability announcements can be stressful for organizations braced for a wave of sudden malicious activity. That said, follow-on activity typically follows well-trod post-exploitation behavioral paths, and what we saw in February is a good example.
Red Canary observed active exploitation of unpatched ScreenConnect servers in multiple customer environments in the early morning hours of February 21. We saw ScreenConnect exploitation leveraged to gain initial access, followed by adversaries deploying Cobalt Strike or legitimate remote management and monitoring (RMM) tools for lateral movement. Other researchers saw similar post-exploitation activity, with use of Cobalt Strike a recurring theme.
If not already done, organizations leveraging ScreenConnect need to update to version 23.9.8 as soon as possible. Additionally, organizations that allow third-party vendors, such as a managed service provider (MSP), should reach out to ensure upstream organizations have patched their servers.
Although stopping adversaries at the perimeter is ideal, defense-in-depth and rapid detection of frequently used post-exploitation TTPs are key to discovering successful vulnerability exploitation as quickly as possible. One example of enduring TTP use is adversaries using certutil.exe to download payloads during exploitation. We first shared this detection opportunity in our 2022 TDR, and the same behavior was also observed in the recent ScreenConnect vulnerability exploitation activity.
Detection opportunity: certutil.exe downloading payloads
This pseudo-detection analytic identifies certutil.exe downloading payloads from remote resources. Adversaries, like those involved in the recent ScreenConnect vulnerability exploitation, often use certutil.exe to bypass security controls to download payloads, since it is included with all Windows systems by default. Under normal circumstances, certutil should not download files from the internet.
process == (certutil.exe)
&&
command_line_includes == (urlcache, -f, /f)
A taxing season for phishing targets
Tax season is upon us, which means it’s also the season for tax-themed phishing lures. In late winter and early spring, adversaries take advantage of users sending and receiving atypical tax and finance-related email attachments. Already this year we’ve seen tax-themed phishing attachments; for example, one named MyFdTx2023.zip (sha256: df4c4fcee261cb2822a27aa6cd78f07e63ace68206eb9515ac4b75a387bc11b6) delivered GuLoader followed by Remcos, the same combination we observed in late February 2023.
Adversaries don’t confine this seasonal activity to just the United States. Users in Mexico, whose tax season ends on April 30, are also targets of malicious tax-themed phishing activity. In one case we saw a malicious attachment named citatoriosat_.zip\sat.url spawn wscript.exe with the command line "\\45.61.136[.]32\x0d\SAT.jse" followed by a TCP connection to 149.248.77[.]62 (zlvsiexj6d.d3vilsgg[.]xyz). This chain of activity led to Fenix, a botnet with the ultimate goal of credential and information theft. The “SAT” in the filename likely refers to Servicio de Administración Tributaria, Mexico’s equivalent to the IRS.
Additionally we’ve seen more Denim Drongo, which masquerades as a legitimate QuickBooks installation, recently downloaded by users for tax purposes. Other researchers have noted an increase in tax-themed phishing lures since the beginning of 2024, delivering payloads like BumbleBee and TimbreStealer.
Users should be wary of unexpected tax-related emails with attachments and monitor the IRS Newsroom for details on current campaigns. Organizations may find it particularly useful to educate users on the specific risk of malware delivery via fake tax and financial documents this time of year.