⬆ = trending up from previous month
⬇ = trending down from previous month
➡ = no change in rank from previous month
*Denotes a tie
Observations on trending threats
AdSearch, last month’s newcomer to our top 10 trending threat rankings, remained in the number 1 spot. Gootloader activity increased, jumping from 10th in July to a tie for 3rd in August. SocGholish, after several months of reduced activity, shot back up to 5th place, its highest ranking since April 2022. Emotet and Yellow Cockatoo both fell out of the top 10 after previously sharing 5th place. Vidar, an information stealer, makes its first appearance in the top 10 this year.
CrackMapExec would have made the list in a tie for 10th place, but we removed it from the top 10 due to customer-confirmed testing activity. A post-exploitation tool commonly used for credential access, enumeration, and lateral movement, CrackMapExec leverages Impacket and PowerSploit.
Operators increasingly adopt ISO files for malware delivery
Over the past few months, Red Canary and other security researchers have observed adversaries increasingly embedding malware in disk images like ISO files. Disk images allow operators to hide documents weaponized with malicious macros and circumvent protections associated with Microsoft’s decision to block VBA macros from the internet by default. In many cases, victim systems are configured to automatically mount and run ISO files. Operators have used ISOs to deliver several malware families, including Bumblebee, Emotet, and Qbot.
Most recently, Red Canary observed this tradecraft in campaigns delivering IcedID, a known ransomware precursor. In August 2022, we saw an IcedID infection result from the delivery of an ISO file inside a ZIP archive that masqueraded as someone’s curriculum vitae. The ISO file contained a Windows shortcut (LNK) file and a DLL. When opened, the LNK file executed the DLL, initiating the IcedID infection chain.
Preventing these files from executing can be an effective way to avert damaging intrusions. If your users do not have a business need to mount container files, we recommend taking these steps to prevent Windows from auto-mounting container files.
While IcedID operators have shifted TTPs over time, detection analytics designed to look for behaviors associated with IcedID continue to identify potential IcedID activity.
regsvr32.exe registering a file without a DLL extension
The following pseudo-detection analytic identifies attempts by regsvr32.exe to register a file that does not have a DLL extension. While this technique shows up with a number of suspicious and malicious binaries, it also has legitimate uses, such as registering certain codecs or Internet Explorer controls. Check whether the command line and/or the file in question are unique in your environment.
command_line_does_not_include == (
Note: * is a placeholder for file extensions or strings associated with legitimate regsvr32 use in your specific environment.