Each month, the Intel team provides Red Canary customers with an analysis of trending, emerging, or otherwise important threats that we’ve encountered in confirmed threat detections, intelligence reporting, and elsewhere over the preceding month. We call this report our “Intelligence Insights” and share a public version of it with the broader infosec community.
To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months.
Banking trojan focused on stealing user data and banking credentials; delivered through phishing, existing Emotet infections, and malicious Windows Installer (MSI) packages
⬆ = trending up from previous month ⬇= trending down from previous month ➡ = no change in rank from previous month
*Denotes a tie
Observations on trending threats
This month’s most prevalent threat was AdSearch, its first appearance in the top 10 since September 2022. AdSearch’s recent increase in activity is due to a new campaign in April that included an updated version of the binary that delivers the malware. In some cases, AdSearch activity led directly to ChromeLoader persistence, bringing ChromeLoader to the top 10 in a tie for sixth. Red Canary is still researching the malicious advertising delivery vector behind these two related threats. Raspberry Robin activity increased, landing it in a tie for the number 2 spot for the month and highlighting that USB drives remain a common initial access vector. Red Canary saw reduced threat volume in April, pushing threats like CrackMapExec and Ippedo that often fall just outside the top 10 onto this month’s list.
Metasploit Framework would have made the list in a tie for eighth place, but we removed it from the top 10 due to its frequent use in customer-confirmed testing and approved activity. Metasploit is a penetration testing framework used to probe systematic vulnerabilities on networks and servers and conduct post-exploitation activity on compromised hosts.
Qbot activity wanes in some countries as affiliates target global markets
Qbot activity waxes and wanes in cycles, a pattern we’ve previously noted. The decline in Qbot activity, from number 1 in February 2023 to a tie for number 8 this month, suggests we are currently in a lower-activity phase. The security community has a few well-informed theories surrounding what Qbot distributors like TA570 and TA577 do during these quieter phases. For example, one theory is that adversaries test new delivery methodology in preparation for the next major campaign.
Factors like global visibility can be useful to consider when tracking threat trends and patterns, which is why we look at reports from other teams to supplement our own visibility. Taking note of them can offer interesting insights into adversary activity, and help intelligence analysts like those on our team track threats more accurately.
A recent report from Kaspersky offers evidence that Qbot distributors sometimes target specific global markets, a trend that can make the malware appear more or less active depending on an enterprise’s presence in those targeted markets. Kaspersky reported seeing significant waves of Qbot phishing emails on April 4, April 6, and April 12, 2023, with upwards of 1,000 emails distributed on each of these days.
Over 47 percent of phishing emails during this time frame affected users in either Germany , Argentina, or Italy. Only 3 percent of the emails were sent to users in the United States, making the threat artificially appear nearly inactive if only looking at that one country’s activity.
Lilac Lyrebird uses SEO poisoning and malvertising in their tech support scam
In April 2023, Red Canary began tracking a tech support scam activity cluster we named “Lilac Lyrebird,” which leverages search engine optimization (SEO) and malicious advertising. We have not seen activity from this cluster since mid-April, potentially due to infrastructure takedown. Even though this specific cluster may no longer be active, we assess the techniques it used could be relevant in future campaigns and wanted to share the details.
Tech support scams are not a newtype of threat. Adversaries historically used malware, social engineering, or a combination of the two to lure victims into downloading remote access software onto their endpoints. Lilac Lyrebird used slightly different tradecraft than previous tech support scams to gain initial access to victim systems. When users searched for “LogMeIn Rescue” or “LogMeIn123,” Lilac Lyrebird used SEO techniques to make their malicious sites as prominent as authentic sites for the legitimate remote access tool LogMeIn. On April 12, 2023, Lilac Lyrebird’s malicious site was the third result returned when searching for “LogMeIn123,” as seen below:
Top three search results for “LogMeIn123” on April 12, 2023, including Lilac Lyrebird’s malicious site
Lilac Lyrebird may also have used ads displayed on search engine pages masquerading as legitimate software download sites, a technique known as malicious advertising, or malvertising. SEO and malvertising were two of the most popular initial access trendsin 2022, used by a number of other threats, including Gootloader and IcedID.
After being tricked into navigating to Lilac Lyrebird’s fake LogMeIn websites, victims were redirected to a site that downloaded a file named support-logmeinrescue.exe.zip. After the ZIP was downloaded, observed follow-on behaviors included:
Executing a process named Support-LogMeInRescue.EXE.cmd
Opening a browser directing the victim to the legitimate URL https[:]//secure.logmeinrescue[.]com/customer/code.aspx to facilitate social engineering of a victim to trick them into entering a code in the URL
PowerShell connecting to an external domain such as support.onli-ne[.]com to download a .bat file
Creating a scheduled task to execute the downloaded .bat file
Sometimes malicious Lilac Lyrebird downloads caused a message box to appear on a victim’s screen asking them to call a phone number. During the phone call, the adversary likely instructed the victim to visit a legitimate website for LogMeIn and enter a code. Not all Lilac Lyrebird infections appeared to result in a message box with a phone number.
Giving adversaries remote access to endpoints in an environment opens up the possibility of information theft, credential theft, or additional malware installations, making the risk of successful Lilac Lyrebird or similar activity potentially significant. Organizations may find it useful to make users aware of the potential for tech support scams, and reiterate the proper channels through which users should communicate with approved tech support solutions. SEO and malicious advertising can be challenging to mitigate completely. To mitigate malicious ads, organizations should consider deploying ad-blocking software across the enterprise.
If victims are tricked into giving tech support scammers access to their endpoints, detecting suspicious follow-on activity will help you respond rapidly and reduce impact to your organization. For example, Lilac Lyrebird used PowerShell to download .bat files from external domains, presenting the detection opportunity below.
Detection opportunity: PowerShell using iex(New-Object Net.WebClient).DownloadString to download remotely hosted files
The following pseudo-detection analytic looks for instances of PowerShell using iex(New-Object Net.WebClient).DownloadString to download files hosted remotely. Adversaries can leverage this function to download malicious scripts or other code onto victim systems. This function can also have legitimate uses, for example by Chocolatey or Chef for updates, so additional tuning will likely be needed depending on your environment.
process == (powershell)
command_line_includes == (downloadstring)
command_line_does_not_include == (*)
Note: * is a placeholder for command line strings and processes associated with approved use of this function by PowerShell in your environment
Privacy & Cookies Policy
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.