Skip Navigation
Get a Demo
 
 
 
 
 
 
 
 
 
Resources Blog Threat intelligence

Intelligence Insights: August 2024

Keep tabs on ChromeLoader and other browser-related threats in this month’s edition of Intelligence Insights

The Red Canary Team
Originally published . Last modified .

Highlights from July

ChromeLoader remained at the top of our most prevalent threat list for the second month in a row. We have no newcomers to the top 10 this month, as familiar faces shift positions and return to the list. dllFake (one of last month’s newcomers) and LummaC2 fell off the list, while Mimikatz, PlugX, and Raspberry Robin each reclaimed a spot.

A major theme this month, indeed one of the major themes for the year to date, is something we like to call “browser skulduggery.” This kind of activity—including fake browser updates, browser hijacking, and infostealers targeting browser data—encompasses nearly half of the threats on our top 10 list. The end game varies from threat-to-threat; redirecting web traffic to ads, accessing browser information and cookies, and malicious payload delivery are all potential outcomes. You can read more about different kinds of browser threats below.

This month’s Top 10 threats

To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months.

Here’s how the numbers shook out for July 2024:

Month's rankThreat nameThreat description
Month's rank:

➡ 1

Threat name:Threat description :

Malware that modifies victims’ browser settings and redirects user traffic to advertisement websites

Month's rank:

2*

Threat name:Threat description :

Red Canary-named cluster of activity that starts from an adware program and progresses through several stages to a pyInstaller EXE with stealer capabilities

Month's rank:

2*

Threat name:Threat description :

Dropper/downloader that uses compromised WordPress sites to redirect users to adversary infrastructure posing as necessary browser updates to trick users into running malicious code

Month's rank:

4

Threat name:Threat description :

Activity cluster that uses a distribution scheme similar to SocGholish and uses JScript files to drop NetSupport Manager onto victim systems

Month's rank:

5*

Threat name:

Atomic Stealer

Threat description :

Information stealer designed to target data within web browsers and locally stored files on macOS systems, with the goal of accessing sensitive information including credentials, payment card data, keychain details, and cryptocurrency wallets

Month's rank:

5*

Threat name:Threat description :

Open source tool that dumps credentials using various techniques

Month's rank:

➡ 5*

Threat name:Threat description :

Legitimate remote access tool (RAT) that can be used as a trojan by adversaries to remotely control victim endpoints for unauthorized access

Month's rank:

8*

Threat name:

Adload

Threat description :

macOS malware that attempts to hijack and redirect user web browsing traffic

Month's rank:

8*

Threat name:Threat description :

Penetration testing tool that integrates functionality from multiple offensive security projects and has the ability to extend its functionality with a native scripting language

Month's rank:

8*

Threat name:Threat description :

Malware family used as part of a botnet. Some variants are worms and frequently spread via infected USB drive

Month's rank:

8*

Threat name:Threat description :

Collection of Python classes to construct/manipulate network protocols

Month's rank:

8*

Threat name:Threat description :

Malware family capable of a range of behaviors, including DLL side-loading, capturing the screen, and keylogging

Month's rank:

8*

Threat name:Threat description :

Activity cluster using a worm spread by external drives that leverages Windows Installer to download malicious files

= trending up from previous month
= trending down from previous month
➡ = no change in rank from previous month

*Denotes a tie

 

Digging into “browser skulduggery”

As we live, work, and play in our browsers, they have become both an initial access vector and a trove of potentially useful information for adversaries to take advantage of. Adversary goals range from relatively benign adware to pre-ransomware activity to credential theft. This month, five threats on our list—ChromeLoader, SocGholish, Scarlet Goldfinch, Atomic Stealer, and Adload—all fall under this classification.

Let’s take a look at the categories these threats fall into, with some additional examples and detection opportunities.

Fake updates

Threats leveraging fake browser updates as an initial access vector, while not at all new, seem to have increased in scope and frequency over the past couple of years. Like fake software updates, fake browser updates abuse user trust by tricking victims into downloading malicious executables posing as important browser updates. Chromium-based browsers are frequently targeted, but Firefox and other browser types are also taken advantage of.

This technique is currently employed by a number of threats, including SocGholish, Scarlet Goldfinch, FakeSG/Rogue Raticate, and ClearFake. Other threats have also used this technique (albeit less commonly), including Yellow Cockatoo and Fakebat, among others.

Mitigation strategies for this kind of threat can be challenging. We want users to keep their software and browsers updated for security purposes, so discouraging them from doing so altogether is not ideal. Most browsers automatically update or have a very specific way they will prompt the user for an update. Ensure users are aware of the legitimate update procedures for their browser of choice. Most popular browsers will not prompt with a pop-up ad that reroutes the user to an unfamiliar URL location.

Another strategy, which we have shared before, is to update group policy object (GPO) settings for users to make scripts open in Notepad, which stops the execution chain for script-using threats like SocGholish and Scarlet Goldfinch in its tracks.

 

 

The use of malicious scripts by these kinds of threats gives us a detection opportunity.

 


Detection opportunity: Scripts executed from the Explorer.exe zip function

This pseudo detection analytic identifies scripts executed from the built-in Explorer.exe zip folder function. Threats like SocGholish and Scarlet Goldfinch sometimes use malicious scripts compressed via a zip file as a form of packing in order to evade network-based security. This kind of analytic may be too noisy if your environment commonly uses scripts to compress and share reports.

 

process == (wscript)

&&

command_line_includes == (users, temp)

&&

command_line_includes == (.zip, .js )

&&

has_external_netconn

 


Redirects & hijackers

Another way adversaries use browsers to meet their goals is via browser redirects and browser hijacking. Browser redirecting/hijacking, as the name suggests, forces browsers to navigate to sites the user did not intend to browse to.

One way to do this is search engine optimization (SEO) poisoning, wherein adversaries attempt to make their malicious sites more prominent than legitimate sites when search results are returned by Google and other search engines. The malicious sites may present whatever lure the adversary wants to use, frequently appearing as a fake installer or a document download, or even one of the fake browser updates mentioned above. Threats using this technique include Gootloader and ChromeLoader.

Another is by directly affecting a browser’s settings, usually achieved via a separate download like bundled software, potentially unwanted program (PUP), malicious browser extension, or other downloads. This is typically done for financial gain by redirecting users to specific pages for ad revenue, Adload being one example.

Many of the more malicious browser hijackers aren’t installed from official extension stores or legitimate software download sites. If organizations can prevent unapproved extensions from being installed outside of the extension manager, that would mitigate risk from malicious extensions. As always, user education regarding approved software download and installation is advised.

Adload in particular uses macOS cron jobs to execute binaries as a form of persistence, which gives us a detection opportunity.

 


Detection opportunity: macOS cron jobs executing binaries and scripts within an Application Support folder

This pseudo detection analytic identifies macOS cron jobs executing binaries and scripts within an Application Support folder. This is used by threats like Adload as a form of malicious persistence. Some legitimate applications use cron jobs on macOS, and their execution will include their names in their file path or filenames. Child processes of non-legitimate uses of this behavior will likely reach out to malicious domains.

 

operating_system_is == (osx)

&&

parent_process == (cron)

&&

command_line_includes == (application\ support)

&&

command_line_includes == (.zip, .js )

&&

command_line_does_not_include == (*)

 

Note: * is a placeholder for strings associated with legitimate use of cron jobs in your environment

 


Stealers

Information stealers, also called infostealers or just stealers, are malware designed to target sensitive information on an endpoint. Stealers frequently make an appearance on our monthly top 10 list, with an increasingly diverse array of options available on the market for adversaries to use. Stealers have developed along with the threat landscape that now encompasses valuable browser data like credentials and cookies. Prolific stealers like RedLine and Vidar have added capabilities to target browser data. Others like LummaC2, Atomic Stealer, and Ducktail are designed with browser data theft as a primary goal. With new stealers regularly being developed and released, it seems plausible that more of them will target browser data as part of their design.

For more information on stealers, check out Principal Malware Analyst Tony Lambert’s webinar from earlier this year: Grand Theft Creds.

Stealer mitigation and detection is similar to detecting other types of malware on an endpoint. Fortunately there are a number of opportunities to detect stealers during their delivery, installation, execution, or data theft stages. For example, LummaC2 reaches out to remote resources via encoded PowerShell commands relatively early in its execution, and that gives us a detection opportunity.

 


Detection opportunity: A shortened -EncodedCommand flag in PowerShell commands

The following pseudo detection analytic identifies powershell.exe commands that include a shortened version of the -EncodedCommand flag. Stealers like LummaC2 can use PowerShell’s ability to recognize shortened flags to obfuscate malicious encoded commands. Note that legitimate processes such as Chocolatey may use shortened -EncodedCommand flags.

 

process == powershell.exe

&&

Deobfuscated_command_line_includes == (-e , -ec , -en, -enc, -enco, -encod, -encode, -encoded, -encodedc, -encodedco, -encodedcom, -encodedcomm, -encodedcomma, -encodedcomman)

 


 

 

 

Intelligence Insights: October 2024

 

Intelligence Insights: September 2024

 

Recent dllFake activity shares code with SecondEye

 

Intelligence Insights: July 2024

Subscribe to our blog

 
 
Back to Top