
Intelligence Insights: September 2022

SocGholish returns to the top 5 and malicious ISOs take hold as an increasingly popular delivery method

The Red Canary Team

Each month, the Intel team provides Red Canary customers with an analysis of trending, emerging, or otherwise important threats that we’ve encountered in confirmed threat detections, intelligence reporting, and elsewhere over the preceding month. We call this report our “Intelligence Insights” and share a public version of it with the broader infosec community.

Highlights

To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months. Starting this month, we’re slicing our trending threat data in a new way!

Without fully understanding an adversary’s intentions, it can be difficult to distinguish the devilish deeds from the deliberate drills—the devil is in the details. Many of our customers let us know when Red Canary detects threats that are sanctioned testing. Going forward, we will use that customer acknowledgement to filter out threats related to customer-confirmed testing from our top 10 rankings. This change helps boost our signal-to-noise ratio, increasing the visibility of potential true positive malicious activity and decreasing the influence of known-good testing on the rankings. We’ll still comment on threats that would have made the top 10 had we included testing activity, but the monthly and year-to-date rankings will no longer include this information.

Here’s how the newly organized numbers shook out for August 2022:

August rank | Threat name | Threat description
➡ 1 | Adsearch | Persistent executable payload surreptitiously installed via ISO files delivered by malvertising links, similar to ChromeLoader
2 | | Activity cluster using a worm spread by external drives that leverages Windows Installer to download a malicious DLL
3* | | Dropper/downloader, often distributed through search engine redirects
3* | | Open source tool used to identify attack paths and relationships in Active Directory
5* | | Dropper/downloader that uses compromised WordPress sites to redirect users to adversary infrastructure posing as necessary browser updates to trick users into running malicious code
5* | | Collection of Python classes to construct/manipulate network protocols
7 | | Malware family associated with ad fraud activity through the distribution of adware applications
8* | | Open source tool that dumps credentials using various techniques
8* | | Penetration testing tool that integrates functionality from multiple offensive security projects and has the ability to extend its functionality with a native scripting language
10* | | Malware family used as part of a botnet. Some variants are worms and frequently spread via infected USB drives
10* | Vidar | Information stealer forked from the Arkei malware family. In use by multiple adversaries with a variety of delivery mechanisms

Legend:
= trending up from previous month
= trending down from previous month
➡ = no change in rank from previous month
* denotes a tie

Observations on trending threats

AdSearch, last month’s newcomer to our top 10 trending threat rankings, remained in the number 1 spot. Gootloader activity increased, jumping from 10th in July to tie for 3rd in August. SocGholish, after several months of reduced activity, shot back up to 5th place for the highest ranking it’s had since April 2022. Emotet and Yellow Cockatoo both fell out of the top 10 after previously sharing 5th place. Vidar, an information stealer, makes its first appearance in the top 10 this year.

CrackMapExec would have made the list in a tie for 10th place, but we removed it from the top 10 due to customer-confirmed testing activity. A post-exploitation tool commonly used for credential access, enumeration, and lateral movement, CrackMapExec leverages Impacket and PowerSploit.

Operators increasingly adopt ISO files for malware delivery

Over the past few months, Red Canary and other security researchers have observed adversaries increasingly embedding malware in disk images like ISO files. Disk images allow operators to hide documents weaponized with malicious macros and circumvent protections associated with Microsoft’s decision to block VBA macros from the internet by default. In many cases, victim systems are configured to automatically mount and run ISO files. Operators have used ISOs to deliver several malware families, including Bumblebee, Emotet, and Qbot.

Most recently, Red Canary observed this tradecraft in campaigns delivering IcedID, a known ransomware precursor. In August 2022, we saw an IcedID infection result from the delivery of an ISO file inside a ZIP archive that masqueraded as someone’s curriculum vitae. The ISO file contained a Windows shortcut (LNK) file and a DLL. When opened, the LNK file executed the DLL, initiating the IcedID infection chain.

Preventing these files from executing can be an effective way to avert damaging intrusions. If your users do not have a business need to mount container files, we recommend following the steps to prevent Windows from auto-mounting container files.

While IcedID operators have shifted TTPs over time, detection analytics designed to look for behaviors associated with IcedID continue to identify potential IcedID activity.


Detection opportunity: regsvr32.exe registering a file without a DLL extension

The following pseudo-detection analytic identifies attempts by regsvr32.exe to register a file that does not have a DLL extension. While this technique shows up with a number of suspicious and malicious binaries, it can be legitimately used for certain codecs or Internet Explorer controls. Check to see if the command line and/or the file in question are unique in your environment.

process == regsvr32.exe
&&
command_line_does_not_include == (.dll, *)

Note: * is a placeholder for file extensions or strings associated with legitimate regsvr32 use in your specific environment
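As an added example (not Red Canary's analytic or code), here is the pseudo-analytic above written out in Python and run over a handful of constructed process events. The command line is split the way Windows does (quoted paths kept whole), regsvr32 switches such as /s, /u and /i: are skipped, and the last remaining argument is treated as the file being registered. The paths, the user name and the allowlist contents are assumptions; the allowlist is where the "*" placeholder from the note goes when you tune for legitimate codec or control registrations in your environment.

```python
"""Flag regsvr32.exe registering a file whose extension is not .dll."""
import re
from dataclasses import dataclass
from typing import Optional

# One Windows command-line argument: a double-quoted string (quotes stripped)
# or a run of non-whitespace characters.
ARG_RE = re.compile(r'"([^"]*)"|(\S+)')


@dataclass
class ProcessEvent:
    process_name: str
    command_line: str


def split_args(command_line: str) -> list:
    """Split a Windows-style command line into arguments, honouring quotes."""
    return [quoted or bare for quoted, bare in ARG_RE.findall(command_line)]


def registered_file(command_line: str) -> Optional[str]:
    """Return the file regsvr32 is asked to register, or None if there is none.

    Switches (/s, /u, /i:...) are skipped; the last non-switch argument after
    the program name is taken as the target file.
    """
    args = split_args(command_line)[1:]
    files = [a for a in args if not a.startswith(("/", "-"))]
    return files[-1] if files else None


def file_extension(path: str) -> str:
    """Lower-case extension of a Windows path, '' when the file has none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


# Extensions regsvr32 is expected to register in this hypothetical environment.
# Anything added beyond "dll" corresponds to the post's "*" placeholder.
DEFAULT_ALLOWED = frozenset({"dll"})


def is_suspicious(event: ProcessEvent, allowed=DEFAULT_ALLOWED) -> bool:
    """True when regsvr32.exe registers a file outside the allowed extensions."""
    if event.process_name.lower() != "regsvr32.exe":
        return False
    target = registered_file(event.command_line)
    if target is None:          # e.g. "regsvr32.exe /s" with no file: nothing to judge
        return False
    return file_extension(target) not in allowed


def find_suspicious(events, allowed=DEFAULT_ALLOWED):
    return [e for e in events if is_suspicious(e, allowed)]


# Constructed sample events; every path, file and user name is invented.
SAMPLE_EVENTS = [
    ProcessEvent("regsvr32.exe", r'regsvr32.exe /s "C:\Windows\System32\msxml3.dll"'),
    ProcessEvent("regsvr32.exe", r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\cv.dat"),
    ProcessEvent("regsvr32.exe", r'regsvr32.exe /u /s "C:\Program Files\Vendor App\comp.dll"'),
    ProcessEvent("regsvr32.exe", r"regsvr32.exe /s D:\setup\legacycodec.ocx"),
    ProcessEvent("regsvr32.exe", r"regsvr32.exe C:\Users\alice\Downloads\update"),
    ProcessEvent("notepad.exe", r"notepad.exe C:\Users\alice\notes.dat"),
    ProcessEvent("regsvr32.exe", r"regsvr32.exe /s"),
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("suspicious:", hit.command_line)
    # Allowing .ocx (a tuned "*" entry) drops the codec registration from the hits.
    tuned = find_suspicious(SAMPLE_EVENTS, DEFAULT_ALLOWED | {"ocx"})
    print(len(tuned), "hits after allowing .ocx")
```

With the default allowlist the .dat file, the .ocx codec and the extensionless file in Downloads are flagged, while the two .dll registrations and the bare "/s" invocation are not; adding "ocx" to the allowlist removes the codec hit, which is the tuning step the note describes. Comparing the flagged path and command line against what is normal in your own telemetry, as the post suggests, is still the deciding check.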
