Highlights from July
ChromeLoader remained at the top of our most prevalent threat list for the second month in a row. We have no newcomers to the top 10 this month, as familiar faces shift positions and return to the list. dllFake (one of last month’s newcomers) and LummaC2 fell off the list, while Mimikatz, PlugX, and Raspberry Robin each reclaimed a spot.
A major theme this month, indeed one of the major themes for the year to date, is something we like to call “browser skulduggery.” This kind of activity—including fake browser updates, browser hijacking, and infostealers targeting browser data—encompasses nearly half of the threats on our top 10 list. The end game varies from threat-to-threat; redirecting web traffic to ads, accessing browser information and cookies, and malicious payload delivery are all potential outcomes. You can read more about different kinds of browser threats below.
This month’s Top 10 threats
To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months.
Here’s how the numbers shook out for July 2024:
| Month's rank | Threat name | Threat description |
|---|---|---|
| Month's rank: ➡ 1 | Threat name: | Threat description : Malware that modifies victims’ browser settings and redirects user traffic to advertisement websites |
| Month's rank: ⬆ 2* | Threat name: | Threat description : Red Canary-named cluster of activity that starts from an adware program and progresses through several stages to a pyInstaller EXE with stealer capabilities |
| Month's rank: ⬆ 2* | Threat name: | Threat description : Dropper/downloader that uses compromised WordPress sites to redirect users to adversary infrastructure posing as necessary browser updates to trick users into running malicious code |
| Month's rank: ⬆ 4 | Threat name: | Threat description : Activity cluster that uses a distribution scheme similar to SocGholish and uses JScript files to drop NetSupport Manager onto victim systems |
| Month's rank: ⬆ 5* | Threat name: Atomic Stealer | Threat description : Information stealer designed to target data within web browsers and locally stored files on macOS systems, with the goal of accessing sensitive information including credentials, payment card data, keychain details, and cryptocurrency wallets |
| Month's rank: ⬆ 5* | Threat name: | Threat description : Open source tool that dumps credentials using various techniques |
| Month's rank: ➡ 5* | Threat name: | Threat description : Legitimate remote access tool (RAT) that can be used as a trojan by adversaries to remotely control victim endpoints for unauthorized access |
| Month's rank: ⬇ 8* | Threat name: Adload | Threat description : macOS malware that attempts to hijack and redirect user web browsing traffic |
| Month's rank: ⬇ 8* | Threat name: | Threat description : Penetration testing tool that integrates functionality from multiple offensive security projects and has the ability to extend its functionality with a native scripting language |
| Month's rank: ⬇ 8* | Threat name: | Threat description : Malware family used as part of a botnet. Some variants are worms and frequently spread via infected USB drive |
| Month's rank: ⬇ 8* | Threat name: | Threat description : Collection of Python classes to construct/manipulate network protocols |
| Month's rank: ⬇ 8* | Threat name: | Threat description : Malware family capable of a range of behaviors, including DLL side-loading, capturing the screen, and keylogging |
| Month's rank: ⬇ 8* | Threat name: | Threat description : Activity cluster using a worm spread by external drives that leverages Windows Installer to download malicious files |
⬆ = trending up from previous month
⬇= trending down from previous month
➡ = no change in rank from previous month
*Denotes a tie
Digging into “browser skulduggery”
As we live, work, and play in our browsers, they have become both an initial access vector and a trove of potentially useful information for adversaries to take advantage of. Adversary goals range from relatively benign adware to pre-ransomware activity to credential theft. This month, five threats on our list—ChromeLoader, SocGholish, Scarlet Goldfinch, Atomic Stealer, and Adload—all fall under this classification.
Let’s take a look at the categories these threats fall into, with some additional examples and detection opportunities.
Fake updates
Threats leveraging fake browser updates as an initial access vector, while not at all new, seem to have increased in scope and frequency over the past couple of years. Like fake software updates, fake browser updates abuse user trust by tricking victims into downloading malicious executables posing as important browser updates. Chromium-based browsers are frequently targeted, but Firefox and other browser types are also taken advantage of.
This technique is currently employed by a number of threats, including SocGholish, Scarlet Goldfinch, FakeSG/Rogue Raticate, and ClearFake. Other threats have also used this technique (albeit less commonly), including Yellow Cockatoo and Fakebat, among others.
Mitigation strategies for this kind of threat can be challenging. We want users to keep their software and browsers updated for security purposes, so discouraging them from doing so altogether is not ideal. Most browsers automatically update or have a very specific way they will prompt the user for an update. Ensure users are aware of the legitimate update procedures for their browser of choice. Most popular browsers will not prompt with a pop-up ad that reroutes the user to an unfamiliar URL location.
Another strategy, which we have shared before, is to update group policy object (GPO) settings for users to make scripts open in Notepad, which stops the execution chain for script-using threats like SocGholish and Scarlet Goldfinch in its tracks.
The use of malicious scripts by these kinds of threats gives us a detection opportunity.
Detection opportunity: Scripts executed from the Explorer.exe zip function
This pseudo detection analytic identifies scripts executed from the built-in Explorer.exe zip folder function. Threats like SocGholish and Scarlet Goldfinch sometimes use malicious scripts compressed via a zip file as a form of packing in order to evade network-based security. This kind of analytic may be too noisy if your environment commonly uses scripts to compress and share reports.
process == (wscript)
&&
command_line_includes == (users, temp)
&&
command_line_includes == (.zip, .js )
&&
has_external_netconn
Redirects & hijackers
Another way adversaries use browsers to meet their goals is via browser redirects and browser hijacking. Browser redirecting/hijacking, as the name suggests, forces browsers to navigate to sites the user did not intend to browse to.
One way to do this is search engine optimization (SEO) poisoning, wherein adversaries attempt to make their malicious sites more prominent than legitimate sites when search results are returned by Google and other search engines. The malicious sites may present whatever lure the adversary wants to use, frequently appearing as a fake installer or a document download, or even one of the fake browser updates mentioned above. Threats using this technique include Gootloader and ChromeLoader.
Another is by directly affecting a browser’s settings, usually achieved via a separate download like bundled software, potentially unwanted program (PUP), malicious browser extension, or other downloads. This is typically done for financial gain by redirecting users to specific pages for ad revenue, Adload being one example.
Many of the more malicious browser hijackers aren’t installed from official extension stores or legitimate software download sites. If organizations can prevent unapproved extensions from being installed outside of the extension manager, that would mitigate risk from malicious extensions. As always, user education regarding approved software download and installation is advised.
Adload in particular uses macOS cron jobs to execute binaries as a form of persistence, which gives us a detection opportunity.
Detection opportunity: macOS cron jobs executing binaries and scripts within an Application Support folder
This pseudo detection analytic identifies macOS cron jobs executing binaries and scripts within an Application Support folder. This is used by threats like Adload as a form of malicious persistence. Some legitimate applications use cron jobs on macOS, and their execution will include their names in their file path or filenames. Child processes of non-legitimate uses of this behavior will likely reach out to malicious domains.
operating_system_is == (osx)
&&
parent_process == (cron)
&&
command_line_includes == (application\ support)
&&
command_line_includes == (.zip, .js )
&&
command_line_does_not_include == (*)
Note: * is a placeholder for strings associated with legitimate use of cron jobs in your environment
Stealers
Information stealers, also called infostealers or just stealers, are malware designed to target sensitive information on an endpoint. Stealers frequently make an appearance on our monthly top 10 list, with an increasingly diverse array of options available on the market for adversaries to use. Stealers have developed along with the threat landscape that now encompasses valuable browser data like credentials and cookies. Prolific stealers like RedLine and Vidar have added capabilities to target browser data. Others like LummaC2, Atomic Stealer, and Ducktail are designed with browser data theft as a primary goal. With new stealers regularly being developed and released, it seems plausible that more of them will target browser data as part of their design.
For more information on stealers, check out Principal Malware Analyst Tony Lambert’s webinar from earlier this year: Grand Theft Creds.
Stealer mitigation and detection is similar to detecting other types of malware on an endpoint. Fortunately there are a number of opportunities to detect stealers during their delivery, installation, execution, or data theft stages. For example, LummaC2 reaches out to remote resources via encoded PowerShell commands relatively early in its execution, and that gives us a detection opportunity.
Detection opportunity: A shortened -EncodedCommand flag in PowerShell commands
The following pseudo detection analytic identifies powershell.exe commands that include a shortened version of the -EncodedCommand flag. Stealers like LummaC2 can use PowerShell’s ability to recognize shortened flags to obfuscate malicious encoded commands. Note that legitimate processes such as Chocolatey may use shortened -EncodedCommand flags.
process == powershell.exe
&&
Deobfuscated_command_line_includes == (-e , -ec , -en, -enc, -enco, -encod, -encode, -encoded, -encodedc, -encodedco, -encodedcom, -encodedcomm, -encodedcomma, -encodedcomman)
Dive into the 2024 Threat Detection Report
Related Articles
Recent dllFake activity shares code with SecondEye
Scarlet Goldfinch: Taking flight with NetSupport Manager