Highlights from December
Paste and run remains an extremely popular initial access technique. If we tracked paste and run as a threat rather than a technique, it would be number 1 on our top 10 most prevalent threat list for the third month running. In December we observed multiple adversaries using it to deliver several different payloads, including Vidar, LummaC2, and NetSupport Manager. Most of the LummaC2 and Vidar activity we saw occurred prior to payload execution, which we consider precursor activity. Had the payloads not been detected and remediated, LummaC2 would have toppled ChromeLoader from 1st place and Vidar would be in the top 10 for the month.
That said, ChromeLoader did maintain first place, making this its 7th consecutive month in the top spot. Following a trend we noted last month, the overall volume of ChromeLoader we observe continues to decline. In 2nd we have Amber Albatross, which made a big jump from tying for 6th place in November.
DarkGate returned to the list for the first time since October 2023. In December, DarkGate emerged as a follow-on payload for adversaries leveraging remote monitoring and management (RMM) tools like AnyDesk, TeamViewer, and ConnectWise following successful social engineering tactics used to gain initial access. This kind of activity was also observed outside of Red Canary.
Making its debut is Tangerine Turkey, sharing in a tie for 8th. Tangerine Turkey is Red Canary’s name for a VBS worm delivering a cryptomining payload that we started observing in November 2024. You can read more about Tangerine Turkey below and in this blog.
This month’s top 10 threats
To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months.
Here’s how the numbers shook out for December 2024:
| Month's rank | Threat name | Threat description |
|---|---|---|
| ➡ 1 | ChromeLoader | Malware that modifies victims' browser settings and redirects user traffic to advertisement websites |
| ⬆ 2* | Amber Albatross | Red Canary's name for a cluster of activity that starts from an adware program and progresses through several stages to a PyInstaller EXE with stealer capabilities |
| ⬆ 2* |  | Collection of Python classes to construct/manipulate network protocols |
| ⬆ 2* |  | Legitimate remote access tool (RAT) that can be used as a trojan by adversaries to remotely control victim endpoints for unauthorized access |
| ⬆ 5 |  | Penetration testing framework used to probe systematic vulnerabilities on networks and servers to conduct post-exploitation activity on compromised hosts |
| ➡ 6* |  | Activity cluster that uses a distribution scheme similar to SocGholish and uses JScript files to drop NetSupport Manager onto victim systems |
| ➡ 6* |  | Dropper/downloader that uses compromised WordPress sites to redirect users to adversary infrastructure posing as necessary browser updates to trick users into running malicious code |
| ⬆ 8* |  | Loader offered as malware-as-a-service, delivered via phishing campaigns by multiple adversaries |
| ⬆ 8* |  | Malware family used as part of a botnet. Some variants are worms and frequently spread via infected USB drives |
| ⬇ 8* |  | Information stealer sold on underground forums and used by a variety of adversaries; may also be used as a loader for additional payloads |
| ⬆ 8* |  | Open source tool that dumps credentials using various techniques |
| ⬆ 8* |  | Malware family capable of a range of behaviors, including DLL side-loading, capturing the screen, and keylogging |
| ⬆ 8* | Tangerine Turkey | Red Canary's name for a VBS worm that is delivered via an infected USB and uses a printui DLL hijack to deliver a cryptomining payload |

⬆ = trending up from previous month
⬇ = trending down from previous month
➡ = no change in rank from previous month
* Denotes a tie
Meet Tangerine Turkey
Tangerine Turkey is a newcomer to our top 10 list. We first observed it and started tracking it in November 2024, and it generated enough activity in December to make the list and this month's Intelligence Insights. Tangerine Turkey is Red Canary's name for a Visual Basic Script (VBS) worm that delivers a cryptomining payload.
Here is a quick rundown of some of Tangerine Turkey's behaviors after it starts executing on a system:

- A VBS file executed from a folder named `rootdir` on a USB drive; the filename begins with an `x` followed by six random digits, for example: `WScript.exe "D:\rootdir\x644291.vbs"`
- A BAT file with a naming convention similar to the VBS file, executed via a CMD child process of `wscript`, for example: `cmd.exe /c "D:\rootdir\x138621.bat"`
- Creation of a folder named `C:\Windows \System32` (note the trailing space after `\Windows`)
- Use of `xcopy` to copy the legitimate `printui.exe` binary from the legitimate `C:\Windows\System32` into the newly created malicious `C:\Windows \System32` directory
- DAT and `printui.dll` files created in `C:\Windows \System32`, to be used for DLL side-loading

That is as far into the execution chain as we have directly observed, but see our blog for more details on this activity cluster and its TTPs.
We were first alerted to Tangerine Turkey's activity by its use of `printui.exe` in a suspicious location, which gives us a detection opportunity.
Detection opportunity: printui.exe relocated to a suspicious location

This pseudo detection analytic identifies instances of `printui.exe` executing from a location other than `Windows\System32`. Relocation of this binary outside of System32 is highly unusual, although third-party system administration tools may occasionally use a relocated and/or renamed copy of it, so expect to tune for those. Note that Tangerine Turkey's `C:\Windows \System32` differs from the real directory only by a trailing space, so the path comparison needs to be exact rather than a loose substring or whitespace-tolerant match. Vulnerable DLLs like `printui.dll` can be abused by threats like Tangerine Turkey for DLL search order hijacking and side-loading. Here at Red Canary we have profiled System32 binaries, collected and stored their expected metadata, and used that information to build detection analytics. We published a blog sharing how you can do the same.

```
process_path_is_unexpected == (printui)
```

* See this blog for more details on how to create these types of detection analytics
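The following is an added Python example, not Red Canary's code and not an implementation of their `process_path_is_unexpected` analytic. It turns the Tangerine Turkey behaviors listed above and the `printui.exe` detection opportunity into concrete checks and runs them over a handful of constructed process events. The event field names (`process_path`, `command_line`, `parent_name`), the `xcopy` command line, and the allow-listing of `SysWOW64` as a second legitimate home for `printui.exe` are assumptions made for the example.

```python
"""Detection checks for the Tangerine Turkey behaviors described above.

Example code, not Red Canary's. The events below are constructed; the field
names and the xcopy command line are assumptions, not any EDR's real schema.
"""
import re

# Directories from which printui.exe is expected to run (SysWOW64 is an
# assumption). Comparison is exact after normalization, so the lookalike
# "C:\Windows \System32" (trailing space) does NOT match.
EXPECTED_PRINTUI_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# x followed by six digits, .vbs or .bat, under a folder named rootdir.
ROOTDIR_SCRIPT = re.compile(r"^[a-z]:\\rootdir\\x\d{6}\.(vbs|bat)$", re.IGNORECASE)


def normalize_path(path):
    """Lowercase and unify separators. Whitespace inside path segments is kept
    on purpose: the space in "Windows " is the signal we want to preserve."""
    return path.replace("/", "\\").lower()


def quoted_args(command_line):
    """Return the double-quoted arguments of a command line."""
    return re.findall(r'"([^"]+)"', command_line)


def printui_relocated(event):
    """True when the image is printui.exe running outside its expected dirs."""
    directory, _, name = normalize_path(event["process_path"]).rpartition("\\")
    return name == "printui.exe" and directory not in EXPECTED_PRINTUI_DIRS


def rootdir_script_execution(event):
    """True when wscript/cmd launches an x######.vbs/.bat from \rootdir."""
    name = normalize_path(event["process_path"]).rpartition("\\")[2]
    if name not in ("wscript.exe", "cmd.exe"):
        return False
    cmd = event["command_line"]
    candidates = quoted_args(cmd) + cmd.replace('"', " ").split()
    return any(ROOTDIR_SCRIPT.match(c) for c in candidates)


def system32_lookalike(path):
    """True when a path equals C:\Windows\System32... only after removing
    whitespace, i.e. the trailing-space directory trick."""
    norm = normalize_path(path)
    squeezed = re.sub(r"\s+", "", norm)
    return squeezed.startswith(r"c:\windows\system32") and norm != squeezed


def references_system32_lookalike(event):
    """Check the image path and every quoted argument for the lookalike dir."""
    paths = [event["process_path"]] + quoted_args(event["command_line"])
    return any(system32_lookalike(p) for p in paths)


def classify(events):
    """Return, per event, the list of detection names that fired."""
    results = []
    for ev in events:
        hits = []
        if printui_relocated(ev):
            hits.append("printui_relocated")
        if rootdir_script_execution(ev):
            hits.append("rootdir_script")
        if references_system32_lookalike(ev):
            hits.append("system32_lookalike_path")
        results.append(hits)
    return results


# Constructed sample telemetry following the behaviors listed above.
SAMPLE_EVENTS = [
    {"process_path": r"C:\Windows\System32\wscript.exe",
     "command_line": r'WScript.exe "D:\rootdir\x644291.vbs"',
     "parent_name": "explorer.exe"},
    {"process_path": r"C:\Windows\System32\cmd.exe",
     "command_line": r'cmd.exe /c "D:\rootdir\x138621.bat"',
     "parent_name": "wscript.exe"},
    # xcopy into the lookalike directory (command line is an assumption).
    {"process_path": r"C:\Windows\System32\xcopy.exe",
     "command_line": r'xcopy "C:\Windows\System32\printui.exe" "C:\Windows \System32\" /y',
     "parent_name": "cmd.exe"},
    {"process_path": r"C:\Windows \System32\printui.exe",
     "command_line": r'"C:\Windows \System32\printui.exe"',
     "parent_name": "cmd.exe"},
    # Benign: printui.exe from its real location.
    {"process_path": r"C:\Windows\System32\printui.exe",
     "command_line": "printui.exe /s",
     "parent_name": "explorer.exe"},
    # Benign: an unrelated logon script.
    {"process_path": r"C:\Windows\System32\wscript.exe",
     "command_line": r'WScript.exe "C:\Scripts\logon.vbs"',
     "parent_name": "explorer.exe"},
]

if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, classify(SAMPLE_EVENTS)):
        print(f"{ev['command_line']!r:70} -> {hits or 'no detection'}")
```

The two benign events fall through every check, the relocated `printui.exe` fires both the relocation and lookalike-path checks, and the `xcopy` event is caught only because the lookalike check is applied to command-line arguments as well as image paths. In production, the `EXPECTED_PRINTUI_DIRS` set is where you would add the relocated or renamed copies that legitimate administration tools in your environment are known to use.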