Each month, the Intel team provides Red Canary customers with an analysis of trending, emerging, or otherwise important threats that we’ve encountered in confirmed threat detections, intelligence reporting, and elsewhere over the preceding month. We call this report our “Intelligence Insights” and share a public version of it with the broader infosec community.
To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months.
Last month we started calculating our trending threat data in a new way. We now filter threats related to customer-confirmed testing from our top 10 rankings. This change helps boost our signal-to-noise ratio, increasing the visibility of potential true positive malicious activity and decreasing the influence of known-good testing on the rankings. We’ll still comment on threats that would have made the top 10 had we included testing activity, but the monthly and year-to-date rankings no longer include this information.
Here’s how the numbers shook out for September 2022:
[Top 10 threats table for September 2022 not reproduced here; one surviving row description reads: Malware family used as part of a botnet. Some variants are worms and frequently spread via infected USB drives.]
⬆ = trending up from previous month, ⬇ = trending down from previous month, ➡ = no change in rank from previous month
*Denotes a tie
Observations on trending threats
Many threats from August 2022 stayed in the top 10 this September; however, we did see a few changes. September saw a major resurgence in Qbot activity, putting Qbot in the number 1 spot and back into the top 10 for the first time since July 2022. Newcomers to the trending threat list include Web Companion, Zloader, and PureCrypter. AdSearch, previously at number 1, fell out of the top 10 altogether. SocGholish activity decreased as well, falling to 12th after tying for 5th in August.
Mimikatz would have made the list in a tie for 4th place, but was removed from the top 10 due to customer-confirmed testing activity. Mimikatz is an open source tool that dumps credentials using various techniques.
New Qbot campaign
Qbot historically cycles between periods of intense activity followed by quiet, near-dormancy. A sharp increase in Qbot activity paired with changes to the malware—likely in an attempt to make it more challenging for defenders to detect—can signal the start of a new Qbot campaign. In mid-September Red Canary observed such a surge in Qbot detections with clear differences from the activity we saw during earlier campaigns.
Qbot has created randomly named directories and files for years as part of the installation process. Previously, most of these random strings were made up of alphabetical characters, and starting in June 2022, of random words. The newest wave of Qbot activity appears to use random numbers for similar purposes, for example E:\6342\6189.dat.
The current iteration of Qbot offers several detection opportunities based on unusual regsvr32.exe behavior. We have seen Qbot attempt to install renamed versions of regsvr32.exe. We have also seen regsvr32.exe attempt external network connections with no command-line arguments, which is extremely suspicious behavior. Note: It’s possible for Qbot to very rapidly change which processes it uses on any given day, so keep an eye out for similar unusual behavior from other system processes.
Detection opportunity: Network connections from the command line with no parameters
The following pseudo-detection analytic identifies outbound network connections with no command-line arguments or parameters by regsvr32.exe or rundll32.exe. It is unusual for these processes to attempt network connections with an empty command line, which can indicate malicious command and control (C2) activity.
process == (regsvr32.exe, rundll32.exe)
process_command_line_contains == ("")
*Note: double quotes ("") within the command line mean an empty (null) command line.
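The analytic above expressed as running code, as an added example that is not Red Canary's own detection logic. It walks constructed process events (the event fields, the 203.0.113.0/24 addresses and the numeric path are all assumptions made for the sample) and fires when regsvr32.exe or rundll32.exe opens a network connection with nothing on the command line beyond the executable itself. Because Qbot also installs renamed copies of regsvr32.exe, a second check compares the running file name against the PE OriginalFileName field, assuming the telemetry source records it (Sysmon's OriginalFileName is one such field):

```python
import ntpath

# Processes the analytic watches; extend this set when other system binaries
# start showing the same behaviour, as the note above suggests.
WATCHED_IMAGES = {"regsvr32.exe", "rundll32.exe"}


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def arguments_only(command_line):
    """Drop the leading program token (quoted or bare) and return what is left.

    Both an empty command line and one that is nothing but the executable
    count as 'no arguments', which is what the "" in the analytic stands for.
    """
    s = command_line.strip()
    if not s:
        return ""
    if s[0] == '"':
        closing = s.find('"', 1)
        rest = s[closing + 1:] if closing != -1 else ""
    else:
        parts = s.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return rest.strip()


def is_network_connection_without_arguments(event, watched=WATCHED_IMAGES):
    """A watched process made an outbound connection with an empty argument list."""
    if not event.get("network_connection"):
        return False
    if image_name(event["image"]) not in watched:
        return False
    return arguments_only(event.get("command_line", "")) == ""


def is_renamed_regsvr32(event):
    """The binary's PE OriginalFileName is regsvr32.exe but it runs under another name.

    Assumes the telemetry carries an original_file_name field (Sysmon's
    OriginalFileName is one source); events without it never match.
    """
    original = (event.get("original_file_name") or "").lower()
    return original == "regsvr32.exe" and image_name(event["image"]) != "regsvr32.exe"


def run_analytics(events):
    """Return (event index, analytic name) pairs for every event that fires."""
    hits = []
    for idx, event in enumerate(events):
        if is_network_connection_without_arguments(event):
            hits.append((idx, "network_connection_without_arguments"))
        if is_renamed_regsvr32(event):
            hits.append((idx, "renamed_regsvr32"))
    return hits


# Constructed sample telemetry (not real customer data); the remote addresses
# are from the 203.0.113.0/24 documentation range.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\regsvr32.exe", "command_line": "",
     "original_file_name": "regsvr32.exe", "network_connection": True,
     "remote": "203.0.113.10:443"},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r'"C:\Windows\System32\regsvr32.exe"',
     "original_file_name": "regsvr32.exe", "network_connection": True,
     "remote": "203.0.113.11:443"},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"',
     "original_file_name": "regsvr32.exe", "network_connection": True,
     "remote": "203.0.113.12:443"},
    {"image": r"C:\Windows\System32\rundll32.exe", "command_line": "",
     "original_file_name": "rundll32.exe", "network_connection": False},
    # Renamed copy under a numeric directory name, echoing the E:\6342\6189.dat
    # naming the text describes (this path is constructed for the sample).
    {"image": r"C:\Users\Public\6342\6189.exe", "command_line": "",
     "original_file_name": "regsvr32.exe", "network_connection": True,
     "remote": "203.0.113.13:443"},
    {"image": r"C:\Windows\System32\svchost.exe", "command_line": "",
     "original_file_name": "svchost.exe", "network_connection": True,
     "remote": "203.0.113.14:443"},
]

if __name__ == "__main__":
    for idx, name in run_analytics(SAMPLE_EVENTS):
        print(f"event {idx}: {name} -> {SAMPLE_EVENTS[idx]['image']}")
```

Event 4 shows why the two checks belong together: the renamed copy never matches the regsvr32.exe/rundll32.exe name filter, so only the OriginalFileName comparison surfaces it, while the svchost.exe event in the last slot stays silent until that process name is added to WATCHED_IMAGES.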
PureCrypter: A malicious loader
One newcomer to the top 10 list this month is PureCrypter. PureCrypter, first documented by Zscaler, is a malicious product sold to adversaries and used to both deploy malware and protect it from analysis. It allows adversaries to select a malicious payload of their choosing. PureCrypter leverages a combination of encryption and process injection techniques to download and execute the chosen payload, enabling the malware to evade endpoint and network security controls.
PureCrypter executes in two stages that rely on each other for execution:
Stage 1 initiates the download, decryption, and loading of the second stage
Stage 2 performs additional anti-analysis checks and loads the final chosen malware payload into memory using reflective code loading or injection
Red Canary and other organizations have seen PureCrypter used to deliver a number of information stealers and remote access tools (RATs) such as AsyncRAT, Agent Tesla, Azorult, Lokibot, NanoCore, RedLine, Remcos, and Raccoon. Note that here at Red Canary we track PureCrypter-stage behaviors as separate from the adversary-selected final payload.
PureCrypter often uses encoded PowerShell commands:
Commands can include Start-Sleep delays of varying lengths, for example powershell.exe -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAyAA==, which decodes to Start-Sleep -Seconds 12
Commands can attempt to set Windows Defender exclusions, for example powershell.exe Set-MpPreference -ExclusionPath
Since PureCrypter can use process injection in its second stage, telemetry may detect activity that suggests process injection behavior.
Detection opportunity: A shortened -EncodedCommand flag in PowerShell commands
The following pseudo-detection analytic identifies powershell.exe commands that include a shortened version of the -EncodedCommand flag. Adversaries can use PowerShell’s ability to recognize shortened flags to obfuscate malicious encoded commands. Note that legitimate processes such as Chocolatey may use shortened -EncodedCommand flags.
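One way to triage such command lines, as an added example that is not Red Canary's analytic: the code below recognises any prefix of -EncodedCommand that powershell.exe accepts (-e, -ec, -en, -enc and so on), decodes the base64/UTF-16LE payload the way powershell.exe does, and then scans both the raw command line and the decoded text for the two behaviours called out above (Start-Sleep delays and Set-MpPreference -ExclusionPath). The first sample is the page's own encoded Start-Sleep example; the other command lines, the paths in them and the indicator names are constructed for this example. Treating the typographic dashes and a leading "/" as switch prefixes mirrors powershell.exe's parser:

```python
import base64
import binascii
import re

FULL_FLAG = "encodedcommand"
# Characters powershell.exe's parser treats as a switch prefix: the ASCII
# hyphen, the typographic dashes, and a leading "/".
SWITCH_PREFIXES = ("-", "\u2013", "\u2014", "\u2015", "/")

# Patterns for the PowerShell behaviours the text calls out; checked against
# the raw command line and the decoded payload alike.
INDICATORS = {
    "start_sleep": re.compile(r"\bStart-Sleep\b", re.IGNORECASE),
    "defender_exclusion": re.compile(r"\bSet-MpPreference\b.*?-ExclusionPath",
                                     re.IGNORECASE),
}


def encoded_flag(tokens):
    """Return (index, token, is_shortened) for the first -EncodedCommand-style switch.

    powershell.exe accepts any unambiguous prefix of a parameter name, so -e,
    -ec, -en, -enc ... all mean -EncodedCommand. Any token whose name is a
    prefix of "encodedcommand" counts; only the full spelling is not shortened.
    """
    for idx, token in enumerate(tokens):
        if not token.startswith(SWITCH_PREFIXES):
            continue
        name = token[1:].lower()
        if name and FULL_FLAG.startswith(name):
            return idx, token, name != FULL_FLAG
    return None


def decode_encoded_command(blob):
    """Decode the base64 argument; powershell.exe expects UTF-16LE text.

    Returns None when the argument is not valid base64 or not valid UTF-16.
    """
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def encode_command(text):
    """Inverse of decode_encoded_command; used here only to build sample input."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def analyze_powershell_command(command_line):
    """Summarise one powershell.exe command line for triage."""
    tokens = command_line.split()
    result = {"flag": None, "shortened": False, "decoded": None, "indicators": []}
    found = encoded_flag(tokens)
    if found is not None:
        idx, token, shortened = found
        result["flag"] = token
        result["shortened"] = shortened
        if idx + 1 < len(tokens):
            result["decoded"] = decode_encoded_command(tokens[idx + 1])
    haystack = command_line + "\n" + (result["decoded"] or "")
    result["indicators"] = [name for name, pattern in INDICATORS.items()
                            if pattern.search(haystack)]
    return result


# Constructed sample command lines (the first is the page's own example).
SAMPLE_COMMANDS = [
    "powershell.exe -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAyAA==",
    "powershell.exe -EncodedCommand "
    + encode_command(r"Set-MpPreference -ExclusionPath C:\Users\Public"),
    r"powershell.exe Set-MpPreference -ExclusionPath C:\Temp",
    r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1",
]

if __name__ == "__main__":
    for command in SAMPLE_COMMANDS:
        print(analyze_powershell_command(command))
```

The shortened flag on its own is only a triage hint, as the note about Chocolatey says; in practice the result would be joined with the parent process and the decoded indicators before it becomes an alert, and the decoder returning None (invalid base64 or odd-length UTF-16) is itself worth a look because powershell.exe would also have rejected that argument.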