Each month, the Intel team provides Red Canary customers with an analysis of trending, emerging, or otherwise important threats that we’ve encountered in confirmed threat detections, intelligence reporting, and elsewhere over the preceding month. We call this report our “Intelligence Insights” and share a public version of it with the broader infosec community.
Highlights
To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months. Starting this month, we’re slicing our trending threat data in a new way!
Without fully understanding an adversary’s intentions, it can be difficult to distinguish the devilish deeds from the deliberate drills—the devil is in the details. Many of our customers let us know when Red Canary detects threats that are sanctioned testing. Going forward, we will use that customer acknowledgement to filter out threats related to customer-confirmed testing from our top 10 rankings. This change helps boost our signal-to-noise ratio, increasing the visibility of potential true positive malicious activity and decreasing the influence of known-good testing on the rankings. We’ll still comment on threats that would have made the top 10 had we included testing activity, but the monthly and year-to-date rankings will no longer include this information.
Here’s how the newly organized numbers shook out for August 2022:
| August rank | Threat name | Threat description |
|---|---|---|
| August rank: ➡ 1 | Threat name: Adsearch | Threat description : Persistent executable payload surreptitiously installed via ISO files delivered by malvertising links, similar to ChromeLoader |
| August rank: ⬆ 2 | Threat name: | Threat description : Activity cluster using a worm spread by external drives that leverages Windows Installer to download a malicious DLL |
| August rank: ⬆ 3* | Threat name: | Threat description : Dropper/downloader, often distributed through search engine redirects |
| August rank: ⬆ 3* | Threat name: | Threat description : Open source tool used to identify attack paths and relationships in Active Directory |
| August rank: ⬆ 5* | Threat name: | Threat description : Dropper/downloader that uses compromised WordPress sites to redirect users to adversary infrastructure posing as necessary browser updates to trick users into running malicious code |
| August rank: ⬆ 5* | Threat name: | Threat description : Collection of Python classes to construct/manipulate network protocols |
| August rank: ⬇7 | Threat name: | Threat description : Malware family associated with ad fraud activity through the distribution of adware applications |
| August rank: ⬇8* | Threat name: | Threat description : Open source tool that dumps credentials using various techniques |
| August rank: ⬆ 8* | Threat name: | Threat description : Penetration testing tool that integrates functionality from multiple offensive security projects and has the ability to extend its functionality with a native scripting language |
| August rank: ⬇10* | Threat name: | Threat description : Malware family used as part of a botnet. Some variants are worms and frequently spread via infected USB drives |
| August rank: ⬆ 10* | Threat name: Vidar | Threat description : Information stealer forked from the Arkei malware family. In use by multiple adversaries with a variety of delivery mechanisms |
⬆ = trending up from previous month
⬇= trending down from previous month
➡ = no change in rank from previous month
*Denotes a tie
Observations on trending threats
AdSearch, last month’s newcomer to our top 10 trending threat rankings, remained in the number 1 spot. Gootloader activity increased, jumping from 10th in July to tie for 3rd in August. SocGholish, after several months of reduced activity, shot back up to 5th place for the highest ranking it’s had since April 2022. Emotet and Yellow Cockatoo both fell out of the top 10 after previously sharing 5th place. Vidar, an information stealer, makes its first appearance in the top 10 this year.
CrackMapExec would have made the list in a tie for 10th place, but we removed it from the top 10 due to customer-confirmed testing activity. A post-exploitation tool commonly used for credential access, enumeration, and lateral movement, CrackMapExec leverages Impacket and PowerSploit.
Operators increasingly adopt ISO files for malware delivery
Over the past few months, Red Canary and other security researchers have observed adversaries increasingly embedding malware in disk images like ISO files. Disk images allow operators to hide documents weaponized with malicious macros and circumvent protections associated with Microsoft’s decision to block VBA macros from the internet by default. In many cases, victim systems are configured to automatically mount and run ISO files. Operators have used ISOs to deliver several malware families, including Bumblebee, Emotet, and Qbot.
Most recently, Red Canary observed this tradecraft in campaigns delivering IcedID, a known ransomware precursor. In August 2022, we saw an IcedID infection result from the delivery of an ISO file inside a ZIP archive that masqueraded as someone’s curriculum vitae. The ISO file contained a Windows shortcut (LNK) file and a DLL. When opened, the LNK file executed the DLL, initiating the IcedID infection chain.
Preventing these files from executing can be an effective way to avert damaging intrusions. If your users do not have a business need to mount container files, we recommend taking these steps to prevent Windows from auto mounting container files.
While IcedID operators have shifted TTPs over time, detection analytics designed to look for behaviors associated with IcedID continue to identify potential IcedID activity.
Detection opportunity: regsvr32.exe registering a file without a DLL extension
The following pseudo-detection analytic identifies attempts by regsvr32.exe to register a file that does not have a DLL extension. While this technique shows up with a number of suspicious and malicious binaries, it can be legitimately used for certain codecs or Internet Explorer controls. Check to see if the command line and/or the file in question are unique in your environment.
process == regsvr32.exe
&&
command_line_does_not_include == (.dll, *)
Note: * is a placeholder for file extensions or strings associated with legitimate regsvr32 use in your specific environment