Each month, the Intel team provides Red Canary customers with an analysis of trending, emerging, or otherwise important threats that we’ve encountered in confirmed threat detections, intelligence reporting, and elsewhere over the preceding month. We call this report our “Intelligence Insights” and share a public version of it with the broader infosec community.
Highlights
To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months.
Here’s how the numbers shook out for October 2023:
| Last month's rank | Threat name | Threat description |
|---|---|---|
| Last month's rank: ⬆ 1 | Threat name: | Threat description: Activity cluster characterized by the delivery of an information stealer and .NET RAT via search engine redirects |
| Last month's rank: ⬆ 2* | Threat name: | Threat description: Collection of Python classes to construct/manipulate network protocols |
| Last month's rank: ⬆ 2* | Threat name: | Threat description: Open source tool that dumps credentials using various techniques |
| Last month's rank: ⬇ 4* | Threat name: | Threat description: Malware family used as part of a botnet. Some variants are worms and frequently spread via infected USB drives |
| Last month's rank: ⬆ 4* | Threat name: LummaC2 | Threat description: Information stealer sold on underground forums and used by a variety of adversaries; may also be used as a loader for additional payloads |
| Last month's rank: ➡ 4* | Threat name: | Threat description: Activity cluster using a worm spread by external drives that leverages Windows Installer to download malicious files |
| Last month's rank: ⬆ 7 | Threat name: | Threat description: Penetration testing framework used to probe systematic vulnerabilities on networks and servers and conduct post-exploitation activity on compromised hosts |
| Last month's rank: ⬆ 8* | Threat name: Ducktail | Threat description: Stealer designed to steal browser data from Brave, Edge, Chrome, and Firefox, specifically targeting active authentic Facebook sessions with the goal of hijacking Facebook business accounts if the victim has access |
| Last month's rank: ⬆ 8* | Threat name: FakeBat | Threat description: Malware-as-a-Service loader delivered via malvertising lures that masquerade as legitimate popular software to download and install one or more payloads, such as a stealer or banking trojan |
| Last month's rank: ⬆ 8* | Threat name: | Threat description: Banking trojan focused on stealing user data and banking credentials; delivered through phishing, existing Emotet infections, and malicious Windows Installer (MSI) packages |
⬆ = trending up from previous month
⬇= trending down from previous month
➡ = no change in rank from previous month
*Denotes a tie
Observations on trending threats
Yellow Cockatoo continued its resurgence this month, climbing from #8 in September to claim the top spot in October. Along with many of our usual suspects like Raspberry Robin and Gamarue, this month’s rankings saw an old nemesis reappear and a couple of newcomers joining in. Two threats we have been tracking for most of the year made significant strides and cracked the top 10 for the first time: LummaC2 (tied for #4) and FakeBat (tied for #8).
LummaC2 is a stealer available for purchase on underground forums that has gained popularity among multiple adversaries. Initial access varies according to the delivery method and loader chosen by the adversary, so early detection telemetry varies from case to case. One increasingly popular delivery option for LummaC2 and other stealers is FakeBat. First reported in the wild late last year, FakeBat relies on search engine optimization (SEO) to promote malvertising lures. The lures masquerade as installers of legitimate popular software like WinRAR, KeePass, and Wireshark. Once downloaded, FakeBat leverages MSIX files and encoded PowerShell to drop one or more payloads like RedLine or Ursnif.
Rounding out the top 10 is our old nemesis Qbot. But don’t worry! Despite reappearing in the rankings for the first time since its takedown in late August 2023, Qbot has not suddenly returned to the threat landscape. As they say in the Iron Islands, “what is dead may never die,” and this is the case with Qbot. Prevalent threats often leave behind persistent artifacts long after their power has waned. We sometimes see activity that has had ongoing persistence in a system or environment for months or even years. That was the case with Qbot in October; we had multiple new customers with old Qbot persistence mechanisms still attempting to execute. Despite its status as a latent threat, we chose to include Qbot in this month’s top 10 to highlight the importance of thorough remediation even when an old foe appears to be defeated. While the persistent code no longer connects back to active adversary infrastructure, it still draws system resources. Lingering malicious code also represents a potential future avenue of attack for new adversaries who might drop a new payload where the old one persists.
Prevalent threats often leave behind persistent artifacts long after their power has waned.
One way that Qbot can establish persistence is by installing a malicious DLL on the victim system, often in a directory like AppData\Roaming. Instances of regsvr32.exe silently executing a DLL in such a location could be an indication of persistence, which gives us a detection opportunity.
Detection opportunity: regsvr32.exe silently executing code stored in the AppData\Roaming directory
The following pseudo-detection analytic identifies regsvr32.exe silently executing code from the AppData\Roaming directory, behavior seen for threats like Qbot that install malicious DLLs for persistence. Some legitimate applications may store DLLs in the AppData\Roaming folder, but they are typically in application-related subdirectories. The parent process will also be related to the legitimate application.
process == (regsvr32.exe)
&&
command_includes (/s, -s)
&&
command_includes (appdata\roaming)
&&
parent_process_does_not_include (*)
&&
command_line_does_not_include (*)
Note: * is a placeholder for approved applications in your environment that silently execute code from AppData/Roaming