Highlights from November
ChromeLoader remained at number 1 on our top 10 most prevalent threat list for the 6th month running. It’s worth noting that while it’s still our most prevalent threat, its volume has been slowly decreasing over the last several months compared to July 2024 when ChromeLoader began its current run in the top spot.
If we included techniques in this top 10 table, the ongoing popularity of paste and run would have placed it at number 1 this month. It is still proving to be extremely effective, with most of the threats we’ve observed leveraging this technique presenting it as a fake CAPTCHA. It’s hard to discern if that is because more adversaries are using the fake CAPTCHA lure style currently, or if that is the most effective use of paste and run.
We continue to see LummaC2 as the primary paste and run payload of choice. LummaC2 remained in 2nd place in November with the highest volume we’ve seen to date, high enough that it’s likely LummaC2 will place in our top 10 for all of 2024.
Raspberry Robin made a big jump back onto the list, snagging the 4th spot and returning to the top 5 for the first time since April 2024. More specifically, we saw a significant increase in the use of Raspberry Robin-infected USB drives connected to user endpoints this November.
Our newcomer to the list this month is HijackLoader in spot 3, which is directly related to LummaC2. HijackLoader was not the only loader adversaries included in their LummaC2 delivery configurations in November, but it was a popular choice this month. You can read more about HijackLoader below.
This month’s top 10 threats
To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months.
Here’s how the numbers shook out for November 2024:
| Month's rank | Threat name | Threat description |
|---|---|---|
| ➡ 1 | ChromeLoader | Malware that modifies victims’ browser settings and redirects user traffic to advertisement websites |
| ➡ 2 | LummaC2 | Information stealer sold on underground forums and used by a variety of adversaries; may also be used as a loader for additional payloads |
| ⬆ 3 | | Collection of Python classes to construct/manipulate network protocols |
| ⬆ 4* | HijackLoader | Malware loader that uses DLL sideloading to deliver additional payloads through process injection |
| ⬆ 5 | Raspberry Robin | Activity cluster using a worm spread by external drives that leverages Windows Installer to download malicious files |
| ⬇ 6* | | Red Canary's name for a cluster of activity that starts from an adware program and progresses through several stages to a pyInstaller EXE with stealer capabilities |
| ⬆ 6* | | Penetration testing tool that integrates functionality from multiple offensive security projects and has the ability to extend its functionality with a native scripting language |
| ⬇ 6* | NetSupport Manager | Legitimate remote access tool (RAT) that can be used as a trojan by adversaries to remotely control victim endpoints for unauthorized access |
| ⬆ 6* | | Activity cluster that uses a distribution scheme similar to SocGholish and uses JScript files to drop NetSupport Manager onto victim systems |
| ➡ 6 | SocGholish | Dropper/downloader that uses compromised WordPress sites to redirect users to adversary infrastructure posing as necessary browser updates to trick users into running malicious code |
⬆ = trending up from previous month
⬇ = trending down from previous month
➡ = no change in rank from previous month
*Denotes a tie
HijackLoader hijinks
If you’ve been following our last several Intelligence Insights, you’ll know that LummaC2 has been a favorite and frequent payload for adversaries during the latter half of 2024. The malware-as-a-service (MaaS) stealer offers a range of customization options, enabling evildoers to package LummaC2 in a number of different ways. In November we saw an exponential increase in LummaC2 delivered with HijackLoader, leading to its debut on our top 10 list.
HijackLoader is not a new loader. Also known as IDAT Loader, SHADOWLADDER, and GHOSTPULSE, HijackLoader has been in use since at least July 2023. It has been used to deliver threats other than LummaC2, including Carbanak and Vidar. It is also not new to Red Canary; we first saw HijackLoader paired with LummaC2 back in August 2024 and have seen them together consistently since, albeit not in the numbers we observed this November.
HijackLoader is typically delivered as a ZIP archive—sometimes password-protected—containing:
- a legitimate executable vulnerable to DLL sideloading
- a malicious DLL containing the HijackLoader malware
- often, additional legitimate DLLs as well, which makes identifying the malicious DLL more difficult
In some cases the legitimate DLLs are signed while the HijackLoader DLL is not; however, this is not a foolproof way to identify the malicious DLL.
HijackLoader executes by DLL sideloading the malicious HijackLoader DLL into the legitimate process delivered along with it. DLL sideloading is similar to search order hijacking, but is not exactly the same. Search order hijacking involves adversaries placing a malicious DLL into a legitimate process’s execution chain so their evil DLL runs before the not-evil version. DLL sideloading puts an evil payload and legitimate binary next to each other, as we see in HijackLoader’s ZIP file, and when the legitimate binary executes it runs the evil DLL paired with it.
To oversimplify a whole lot, if the endpoint is an exclusive event:
- Search order hijacking is like jumping the line and pretending you’re someone on the guest list before they’ve arrived.
- Sideloading is like convincing a guest you’re also on the list and letting you walk in with them while saying “I’m totally with them, it’s cool.”
In the case of HijackLoader, the legitimate process frequently keeps its original EXE filename, though in some cases the EXE has been renamed. For example, in November we commonly observed Setup.exe being used in place of the legitimate EXE’s filename.
Once the HijackLoader DLL is running within the sideloaded process, it spawns a legitimate child process in a suspended state and injects a payload into the memory space of that child process. Injection target processes vary, but Red Canary and other researchers have observed legitimate Windows binaries including choice.exe, cmd.exe, explorer.exe, and more.com. For example, recently we’ve seen HijackLoader inject into more.com, which led to the download and execution of a renamed AutoIT3 binary; that binary in turn performed credential access, maintained a persistent network connection to a C2 server, and would eventually have led to LummaC2 execution.
Here is an example of a recent behavior chain that we’ve observed. For those interested in more information, the malicious URL, malicious ZIP file, and HijackLoader binary referenced below were previously uploaded to VirusTotal by third parties.
HijackLoader attack chain
As mentioned in last month’s Insight, the long execution chain of HijackLoader and LummaC2 gives us a lot of observable behavior. For example, since HijackLoader is fond of renaming executables, that gives us a detection opportunity.
Detection opportunity: Renamed instances of AutoIT
This pseudo detection analytic identifies renamed instances of AutoIT. Adversaries—like those behind HijackLoader—use this tool to execute scripts with goals including C2 communication and additional payload delivery. The renamed binary may be located in a suspicious location like TEMP or APPDATA, or at a path that includes seemingly randomly generated names. Here at Red Canary we have profiled System32 binaries, collected and stored their expected metadata, and used the information to build detection analytics, and we published a blog sharing how you can do the same.
process_is_renamed == (autoit)*
* See the blog for more details on how to create these types of detection analytics
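To make the pseudo analytic above concrete, here is an added example (not Red Canary's code) that applies the same logic to constructed process-start telemetry: it compares the on-disk filename against the PE version-info fields a profile of the AutoIt3 interpreter would record, and enriches a hit with the suspicious-path signals the text describes. The profile values, the event shape, and the random-name heuristic are all assumptions for this example.

```python
from __future__ import annotations
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed profile of the AutoIt3 interpreter's PE version-info fields.
# A real profile is built from known-good copies of the binary, as the text describes.
AUTOIT_ORIGINAL_FILENAMES = {"autoit3.exe", "autoit3_x64.exe"}
AUTOIT_INTERNAL_NAMES = {"autoit3"}
SUSPICIOUS_DIRS = {"temp", "appdata"}

@dataclass
class ProcessEvent:
    """One process-start event as EDR telemetry might report it (constructed shape)."""
    image_path: str
    original_filename: str   # PE VERSIONINFO OriginalFilename
    internal_name: str       # PE VERSIONINFO InternalName

def is_autoit(ev: ProcessEvent) -> bool:
    """The binary identifies itself as AutoIt regardless of its on-disk name."""
    return (ev.original_filename.lower() in AUTOIT_ORIGINAL_FILENAMES
            or ev.internal_name.lower() in AUTOIT_INTERNAL_NAMES)

def is_renamed(ev: ProcessEvent) -> bool:
    """The on-disk filename no longer matches what the binary says it is."""
    return PureWindowsPath(ev.image_path).name.lower() != ev.original_filename.lower()

def looks_random(segment: str) -> bool:
    """Crude heuristic (assumption): long alphanumeric names with several digits."""
    return len(segment) >= 8 and segment.isalnum() and sum(c.isdigit() for c in segment) >= 3

def path_reasons(ev: ProcessEvent) -> list[str]:
    """Collect the suspicious-location signals from the parent directories."""
    dirs = PureWindowsPath(ev.image_path).parts[:-1]
    reasons = [f"under {d}" for d in dirs if d.lower() in SUSPICIOUS_DIRS]
    reasons += [f"random-looking directory {d}" for d in dirs if looks_random(d)]
    return reasons

def evaluate(ev: ProcessEvent) -> list[str]:
    """Reasons the event matches the analytic; an empty list means no match."""
    if not (is_autoit(ev) and is_renamed(ev)):
        return []
    return ["renamed AutoIt"] + path_reasons(ev)

def detect(events: list[ProcessEvent]) -> dict[str, list[str]]:
    """Map each matching image path to its reasons, preserving event order."""
    return {ev.image_path: evaluate(ev) for ev in events if evaluate(ev)}

SAMPLE_EVENTS = [  # constructed telemetry, not observed data
    ProcessEvent(r"C:\Program Files (x86)\AutoIt3\AutoIt3.exe", "AutoIt3.exe", "AutoIt3"),
    ProcessEvent(r"C:\Users\victim\AppData\Local\Temp\Rk7d2x9q\update.exe", "AutoIt3.exe", "AutoIt3"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", "Cmd.Exe", "cmd"),
    ProcessEvent(r"C:\Users\victim\Documents\AutoIt3.exe", "AutoIt3.exe", "AutoIt3"),
]
```

Only the renamed copy under a temp directory fires; an AutoIt3.exe that keeps its real name is left alone even in a user-writable location, which is the point of keying on metadata rather than on path alone.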
In case you missed it: Storm-1811 exploits RMM tools to drop Black Basta ransomware
Red Canary detected likely Storm-1811 activity in multiple customers in November. Storm-1811 is Microsoft’s name for a financially motivated threat actor that uses social engineering to impersonate help desk employees or other IT admins to gain initial access to environments via remote monitoring and management (RMM) tools—in this case Microsoft Quick Assist—on victim endpoints. Without prompt response, this activity can lead to Black Basta ransomware in your environment.
On December 2 we published a blog sharing more details, including a video from Intelligence Analyst Jeff Felling explaining what we’ve seen.