
Intelligence Insights: November 2023

LummaC2 and FakeBat flutter in, Yellow Cockatoo ascends, and Qbot lingers in this month’s edition of Intelligence Insights

The Red Canary Team

Each month, the Intel team provides Red Canary customers with an analysis of trending, emerging, or otherwise important threats that we’ve encountered in confirmed threat detections, intelligence reporting, and elsewhere over the preceding month. We call this report our “Intelligence Insights” and share a public version of it with the broader infosec community.

Highlights

To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months. 

Here’s how the numbers shook out for October 2023:

Last month's rank | Threat name | Threat description
--- | --- | ---
1 | Yellow Cockatoo | Activity cluster characterized by the delivery of an information stealer and .NET RAT via search engine redirects
2* |  | Collection of Python classes to construct/manipulate network protocols
2* |  | Open source tool that dumps credentials using various techniques
4* | Gamarue | Malware family used as part of a botnet. Some variants are worms and frequently spread via infected USB drives
4* | LummaC2 | Information stealer sold on underground forums and used by a variety of adversaries; may also be used as a loader for additional payloads
➡ 4* | Raspberry Robin | Activity cluster using a worm spread by external drives that leverages Windows Installer to download malicious files
7 |  | Penetration testing framework used to probe systematic vulnerabilities on networks and servers and conduct post-exploitation activity on compromised hosts
8* | Ducktail | Stealer designed to steal browser data from Brave, Edge, Chrome, and Firefox, specifically targeting active authentic Facebook sessions with the goal of hijacking Facebook business accounts if the victim has access
8* | FakeBat | Malware-as-a-Service loader delivered via malvertising lures that masquerade as legitimate popular software to download and install one or more payloads, such as a stealer or banking trojan
8* | Qbot | Banking trojan focused on stealing user data and banking credentials; delivered through phishing, existing Emotet infections, and malicious Windows Installer (MSI) packages

⬆ = trending up from previous month
⬇ = trending down from previous month
➡ = no change in rank from previous month

*Denotes a tie

Observations on trending threats

Yellow Cockatoo continued its resurgence this month, climbing from #8 in September to claim the top spot in October. Along with many of our usual suspects like Raspberry Robin and Gamarue, this month’s rankings saw an old nemesis reappear and a couple of newcomers joining in. Two threats we have been tracking for most of the year made significant strides and cracked the top 10 for the first time: LummaC2 (tied for #4) and FakeBat (tied for #8).

LummaC2 is a stealer available for purchase on underground forums that has gained popularity among multiple adversaries. Initial access varies according to the delivery method and loader chosen by the adversary, so early detection telemetry varies from case to case. One increasingly popular delivery option for LummaC2 and other stealers is FakeBat. First reported in the wild late last year, FakeBat relies on search engine optimization (SEO) to promote malvertising lures. The lures masquerade as installers of legitimate popular software like WinRAR, KeePass, and Wireshark. Once downloaded, FakeBat leverages MSIX files and encoded PowerShell to drop one or more payloads like RedLine or Ursnif.

Rounding out the top 10 is our old nemesis Qbot. But don’t worry! Despite reappearing in the rankings for the first time since its takedown in late August 2023, Qbot has not suddenly returned to the threat landscape. As they say in the Iron Islands, “what is dead may never die,” and this is the case with Qbot. Prevalent threats often leave behind persistent artifacts long after their power has waned. We sometimes see activity that has had ongoing persistence in a system or environment for months or even years. That was the case with Qbot in October; we had multiple new customers with old Qbot persistence mechanisms still attempting to execute. Despite its status as a latent threat, we chose to include Qbot in this month’s top 10 to highlight the importance of thorough remediation even when an old foe appears to be defeated. While the persistent code no longer connects back to active adversary infrastructure, it still draws system resources. Lingering malicious code also represents a potential future avenue of attack for new adversaries who might drop a new payload where the old one persists.


One way that Qbot can establish persistence is by installing a malicious DLL on the victim system, often in a directory like AppData\Roaming. Instances of regsvr32.exe silently executing a DLL in such a location could be an indication of persistence, which gives us a detection opportunity.

Detection opportunity: regsvr32.exe silently executing code stored in the AppData\Roaming directory

The following pseudo-detection analytic identifies regsvr32.exe silently executing code from the AppData\Roaming directory, behavior seen for threats like Qbot that install malicious DLLs for persistence. Some legitimate applications may store DLLs in the AppData\Roaming folder, but they are typically in application-related subdirectories. The parent process will also be related to the legitimate application.

process == (regsvr32.exe)
&&
command_includes (/s, -s)
&&
command_includes (appdata\roaming)
&&
parent_process_does_not_include (*)
&&
command_line_does_not_include (*)

Note: * is a placeholder for approved applications in your environment that silently execute code from AppData\Roaming
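As an added illustration (not Red Canary's analytic or code), here is the pseudo-analytic above expressed as a Python check run over constructed process events. APPROVED_PARENTS and APPROVED_CMDLINE_FRAGMENTS are hypothetical stand-ins for the * placeholders, and the sample telemetry is made up, not real Qbot artifacts.

```python
import re
from dataclasses import dataclass

# Hypothetical allowlists standing in for the "*" placeholders in the pseudo-analytic:
# parent images and command-line fragments of applications approved to load DLLs silently
# from AppData\Roaming. Both values are constructed for this example.
APPROVED_PARENTS = {"legitapp.exe"}
APPROVED_CMDLINE_FRAGMENTS = {r"\appdata\roaming\legitapp"}

@dataclass
class ProcessEvent:
    image: str          # file name of the process being started
    command_line: str
    parent_image: str

def has_silent_switch(cmd: str) -> bool:
    # regsvr32 treats /s or -s (any letter case) as its silent switch
    return re.search(r"(?:^|\s)[/-]s(?:\s|$)", cmd, re.IGNORECASE) is not None

def is_suspicious_regsvr32(ev: ProcessEvent) -> bool:
    cmd = ev.command_line.lower()
    if ev.image.lower() != "regsvr32.exe" or not has_silent_switch(cmd):
        return False
    if r"\appdata\roaming" not in cmd:
        return False
    if ev.parent_image.lower() in APPROVED_PARENTS:
        return False          # parent_process_does_not_include (*)
    if any(frag in cmd for frag in APPROVED_CMDLINE_FRAGMENTS):
        return False          # command_line_does_not_include (*)
    return True

def flagged(events):
    return [ev for ev in events if is_suspicious_regsvr32(ev)]

# Constructed sample telemetry (not real Qbot artifacts)
SAMPLE_EVENTS = [
    ProcessEvent("regsvr32.exe",
                 r'regsvr32.exe /s "C:\Users\alice\AppData\Roaming\Microsoft\abcd.dll"',
                 "explorer.exe"),                       # should fire
    ProcessEvent("regsvr32.exe",
                 r"regsvr32.exe -s C:\Users\bob\AppData\Roaming\LegitApp\helper.dll",
                 "svchost.exe"),                        # approved path fragment
    ProcessEvent("regsvr32.exe",
                 r"regsvr32.exe /S C:\Users\bob\AppData\Roaming\other.dll",
                 "LegitApp.exe"),                       # approved parent
    ProcessEvent("regsvr32.exe",
                 r'regsvr32.exe "C:\Users\bob\AppData\Roaming\x.dll"',
                 "explorer.exe"),                       # no silent switch
]
```

Only the first event survives all four conditions; tune the allowlists to your own environment before relying on the result.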
