Intelligence Insights: October 2023

Charcoal Stork sticks around and DarkGate crashes in, in this month’s edition of Intelligence Insights

The Red Canary Team

Each month, the Intel team provides Red Canary customers with an analysis of trending, emerging, or otherwise important threats that we’ve encountered in confirmed threat detections, intelligence reporting, and elsewhere over the preceding month. We call this report our “Intelligence Insights” and share a public version of it with the broader infosec community.

Highlights

To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months. 

Here’s how the numbers shook out for September 2023:

Last month's rank | Threat name | Threat description
➡ 1 | Charcoal Stork | Suspected pay-per-install (PPI) provider that uses malvertising to deliver installers, often disguised as cracked games, fonts, or desktop wallpaper
➡ 2 | Gamarue | Malware family used as part of a botnet. Some variants are worms and frequently spread via infected USB drives
3 | | Malware that modifies victims’ browser settings and redirects user traffic to advertisement websites
4* | | Collection of Python classes to construct/manipulate network protocols
4* | Raspberry Robin | Activity cluster using a worm spread by external drives that leverages Windows Installer to download malicious files
6 | DarkGate | Loader offered as malware-as-a-service delivered via phishing campaigns by multiple adversaries
7 | | Open source tool that dumps credentials using various techniques
8 | Yellow Cockatoo | Activity cluster characterized by the delivery of an information stealer and .NET RAT via search engine redirects
9* | BloodHound | Open-source tool used to identify attack paths and relationships in Active Directory
➡ 9* | Cobalt Strike | Penetration testing tool that integrates functionality from multiple offensive security projects and has the ability to extend its functionality with a native scripting language

[up arrow] = trending up from previous month
[down arrow] = trending down from previous month
➡ = no change in rank from previous month

*Denotes a tie

Observations on trending threats

In this month’s top 10, Charcoal Stork and Gamarue retained their respective places at 1 and 2 from last month, followed by several of our usual suspects. Raspberry Robin climbed to 4, the highest it’s been in the rankings since May 2023. Yellow Cockatoo, which reappeared in June 2023 after an almost year-long hiatus, decreased enough in activity to land at 8. BloodHound made it to the top 10 for the first time since April 2023, tied for 9 with Cobalt Strike.

DarkGate crashes the party

We have one newcomer to the top 10 this month. DarkGate, a loader offered on cybercrime forums as Malware-as-a-Service (MaaS) and typically distributed via phishing, makes its first appearance at spot 6. 

DarkGate has been around as a malware family since 2018. Its developers began offering it as MaaS in June 2023, which increased its use exponentially. Red Canary’s first known observation of DarkGate was in late August 2023, with its use increasing over the course of September. In late September, TA577 began distributing DarkGate as one of their phishing payloads – along with IcedID and Pikabot – to replace Qbot post-takedown. This is only one example of the multiple adversaries currently distributing DarkGate as a payload. Red Canary has directly observed multiple distinct delivery methods, further evidence of its use by multiple groups.

DarkGate’s popularity is likely due to a number of built-in features, including defense evasion, command & control (C2), and persistence capabilities. It also has the ability to download and execute additional payloads. DarkGate has reportedly been seen as part of pre-ransomware activity, making it a significantly higher risk if detected in your environment. 

One way we have seen DarkGate delivered is through a .zip archive containing a Visual Basic Script (.vbs) loader. The file is often located in the AppData\Local directory and contains the victim username, like in this example:

C:\Users\username\AppData\Local\Temp\Temp1_username_k77268j.zip\username_k77268j.vbs

This file location, plus the use of wscript.exe or cscript.exe to execute the .vbs file, gives us a detection opportunity.

 


Detection opportunity: wscript.exe or cscript.exe executing .vbs files that originate from a .zip file, from the %APPDATA% directory

The following pseudo-detection analytic identifies wscript.exe or cscript.exe executing .vbs files from the %APPDATA% directory, specifically files that originate from a .zip file. Typically the .vbs file is a dropper that reaches out to external resources to download additional payloads like DarkGate. If the .vbs executes successfully, there will be follow-on file modifications, network connections, and/or child processes.

process == (wscript.exe, cscript.exe)
&&
command_includes (appdata, .zip, .vbs)
&&
has filemod OR childproc OR netconn
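As an added illustration (not Red Canary's own code), the pseudo-analytic above expressed in Python and run over constructed sample process events; the Temp1_<name>.zip / <name>.vbs stem check is an assumed extra tuning step derived from the path shape shown earlier, not part of the analytic as published.

```python
import re

# Constructed sample endpoint telemetry (not real Red Canary data): one record
# per process launch, with counts of the follow-on activity tied to it.
SAMPLE_EVENTS = [
    {   # DarkGate-style .vbs dropper run from an archive under AppData\Local\Temp
        "process": "wscript.exe",
        "command_line": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\AppData\Local\Temp\Temp1_alice_k77268j.zip\alice_k77268j.vbs"',
        "filemod": 0, "childproc": 1, "netconn": 3,
    },
    {   # benign logon script from a network share: path clauses do not match
        "process": "cscript.exe",
        "command_line": r'cscript.exe //nologo \\fileserver\netlogon\inventory.vbs',
        "filemod": 1, "childproc": 0, "netconn": 0,
    },
    {   # right path shape, but the script produced no follow-on activity
        "process": "wscript.exe",
        "command_line": r'wscript.exe C:\Users\bob\AppData\Local\Temp\Temp1_bob_q1.zip\bob_q1.vbs',
        "filemod": 0, "childproc": 0, "netconn": 0,
    },
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
PATH_TOKENS = ("appdata", ".zip", ".vbs")
# Explorer extracts an archive to Temp1_<name>.zip\ and the .vbs shares that stem.
ZIP_STEM_RE = re.compile(r"temp1_([^\\]+)\.zip\\\1\.vbs")

def matches_analytic(event):
    """True when all three clauses of the pseudo-analytic hold for one event."""
    if event["process"].lower() not in SCRIPT_HOSTS:
        return False
    cmd = event["command_line"].lower()
    if not all(tok in cmd for tok in PATH_TOKENS):
        return False
    # Follow-on activity means the script ran far enough to do something.
    return event["filemod"] + event["childproc"] + event["netconn"] > 0

def zip_vbs_stem(command_line):
    """Assumed tuning step: return the shared <name>_<random> stem, or None."""
    m = ZIP_STEM_RE.search(command_line.lower())
    return m.group(1) if m else None

def run_analytic(events):
    return [e for e in events if matches_analytic(e)]

if __name__ == "__main__":
    for hit in run_analytic(SAMPLE_EVENTS):
        print("ALERT:", hit["command_line"], "stem:", zip_vbs_stem(hit["command_line"]))
```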