Skip Navigation
Get a Demo
 
 
 
 
 
 
 
 
 
Resources Blog Threat intelligence

Intelligence Insights: April 2024

SocGholish soars and we greet Grandoreiro in this month’s edition of Intelligence Insights.

The Red Canary Team
Originally published . Last modified .

Each month, the Intel team provides Red Canary customers with an analysis of trending, emerging, or otherwise important threats that we’ve encountered in confirmed threat detections, intelligence reporting, and elsewhere over the preceding month. We call this report our “Intelligence Insights” and share a public version of it with the broader infosec community.

 

Highlights

To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months. 

Here’s how the numbers shook out for March 2024:

Last month's rankThreat nameThreat description
Last month's rank:

1

Threat name:Threat description :

Dropper/downloader that uses compromised WordPress sites to redirect users to adversary infrastructure posing as necessary browser updates to trick users into running malicious code

Last month's rank:

➡ 2

Threat name:Threat description :

Open source tool that dumps credentials using various techniques

Last month's rank:

3

Threat name:Threat description :

Collection of Python classes to construct/manipulate network protocols

Last month's rank:

4*

Threat name:

Danabot

Threat description :

Modular trojan used by multiple adversaries that is distributed via phishing campaigns, pirated software, and the Fallout exploit kit

Last month's rank:

4*

Threat name:Threat description :

Activity cluster using a worm spread by external drives that leverages Windows Installer to download malicious files

Last month's rank:

4*

Threat name:Threat description :

Activity cluster that uses a distribution scheme similar to SocGholish and uses JScript files to drop NetSupport Manager onto victim systems

Last month's rank:

7*

Threat name:Threat description :

Malware family used as part of a botnet. Some variants are worms and frequently spread via infected USB drives

Last month's rank:

7*

Threat name:Threat description :

JScript dropper/downloader that typically poses as a document containing an "agreement,” often distributed through search engine redirects

Last month's rank:

7*

Threat name:Threat description :

Penetration testing framework used to probe systematic vulnerabilities on networks and servers to conduct post-exploitation activity on compromised hosts

Last month's rank:

10*

Threat name:

AsyncRAT

Threat description :

Open source remote access tool with multiple functions including keylogging and remote desktop control

Last month's rank:

10*

Threat name:Threat description :

Information stealer designed to target data within web browsers and locally stored files on macOS systems, with the goal of accessing sensitive information including credentials, payment card data, keychain details, and cryptocurrency wallets

Last month's rank:

10*

Threat name:

Grandoreiro

Threat description :

Banking trojan written in the Delphi programming language that primarily targets users in Latin America and other Spanish-speaking countries

Last month's rank:

10*

Threat name:

More_eggs

Threat description :

JScript backdoor sold by a malware-as-a-service (MaaS) provider

Last month's rank:

10*

Threat name:Threat description :

Malware family capable of a range of behaviors, including DLL side-loading, capturing the screen, and keylogging

= trending up from previous month
= trending down from previous month
➡ = no change in rank from previous month

*Denotes a tie

Observations on trending threats

SocGholish moved to the top spot on this month’s most prevalent threat list, the first time it’s reached number 1 since February 2023. Many of the top threats were present on last month’s list, but not all of this month’s threats are carryovers. For instance, Danabot saw a wave of activity that landed it in a three way tie for 4th, the first time the trojan has made the list since September 2023. AsyncRAT, Atomic Stealer, and PlugX all dropped to share a tie for 10th alongside More_eggs, which hasn’t appeared in the top 10 since its debut in August 2023. Also in a tie for 10th is the Grandoreiro banking trojan, another newcomer to the list that you can read more about below.

Hola, Grandoreiro

Grandoreiro is part of a family of banking trojans that primarily targets users in Latin America and Spanish-speaking countries. Grandoreiro malware has been active since at least 2016, and we’ve been tracking it since we first saw it in customer environments in November 2022. Like the other trojans in this malware family, it is written in Delphi and utilizes techniques to evade sandbox analysis.

Grandoreiro is typically distributed via phishing emails containing links that download malicious ZIP files, often with government or financial themes. In one example we observed, the malicious ZIP file presented itself as INFONAVIT-related legal action—INFONAVIT, the Instituto del Fondo Nacional de la Vivienda para los Trabajadores, is the largest mortgage lender in Latin America.

The ZIP contained a malicious binary that initiated outbound network communications and installed follow-on executables. One of those executables, installed in C:\ProgramData, frequently had a filename like ypkwfDriverDetectMastertvDriverRepairPro.exe as seen in this similar sample. The driver-themed executable proceeded to make external network connections, write additional files to disk, and leverage PowerShell to establish persistence via registry run keys.

Interpol recently announced a successful takedown initiative against Grandoreiro operators in early 2024, but given the many variants in the malware family, activity will likely continue.

Holding down the Fortinet vulnerability

On April 8, Red Canary published a blog post sharing details of Fortinet FortiClient EMS vulnerability exploitation that we observed in late March 2024. We detected adversaries exploiting CVE-2023-48788 in order to install unauthorized remote monitoring and management (RMM) tools and PowerShell backdoors on target systems. This activity followed a pattern, beginning with inbound external network connections to the FCMdaemon process and ending with attempts to download and execute RMM tools or PowerShell-based backdoors.

Adversaries like to abuse RMM tools to remotely execute a wide variety of actions on a victim’s endpoint. Since organizations use RMM tools in regular business operations, adversaries can attempt to evade detection for as long as possible by maintaining a veneer of legitimacy.

Updating vulnerable Forticlient EMS installations is the most expedient way to remediate exploitation risk. For organizations that are unable to immediately patch CVE-2023-48788, the post-exploitation activity we’ve observed is detectable via process lineage, network connections, and the presence of unauthorized RMM tools. One example of detectable post-exploitation activity we saw involved PowerShell processes spawning via cmd.exe with sqlservr.exe as a parent process. These PowerShell processes made outbound network connections to unknown IP addresses or domains to download additional tools, which gives us a detection opportunity.

 


Detection opportunity: PowerShell spawned by suspicious parent processes and making outbound network communications

This pseudo detection analytic identifies PowerShell processes with suspicious process lineage, similar to activity observed following CVE-2023-48788 exploitation. This logic would detect cmd.exe spawning with sqlservr.exe as the parent process and PowerShell as the child process, an atypical combination.

 

parent_process == (sqlservr.exe)

&&

process == (cmd.exe)

&&

child_process == (powershell.exe)

&&

has_network_connection

 

Note: This detector may require tuning depending on your environment.

 


 

Additionally, organizations should consider how they can mitigate and detect the use of unauthorized RMM tools and backdoors. Application controls like allowlisting and blocklisting are the best way to ensure that adversaries aren’t able to use unauthorized RMM tools in your environment. To learn more about the CVE-2023-48788 exploitation we observed, and for additional detection and mitigation opportunities, see our blog post.

 

Intelligence Insights: September 2024

 

Recent dllFake activity shares code with SecondEye

 

Intelligence Insights: August 2024

 

Intelligence Insights: July 2024

Subscribe to our blog

 
 
Back to Top