Skip Navigation
Get a Demo
 
 
 
 
 
 
 
 
 
Resources Blog Threat intelligence

Intelligence Insights: December 2023

SocGholish, XMRig, and Cobalt Strike make their way up the chimney in this month’s edition of Intelligence Insights

The Red Canary Team
Originally published . Last modified .

Each month, the Intel team provides Red Canary customers with an analysis of trending, emerging, or otherwise important threats that we’ve encountered in confirmed threat detections, intelligence reporting, and elsewhere over the preceding month. We call this report our “Intelligence Insights” and share a public version of it with the broader infosec community.

Highlights

To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months. 

Here’s how the numbers shook out for November 2023:

Last month's rankThreat nameThreat description
Last month's rank:

1

Threat name:Threat description:

Collection of Python classes to construct/manipulate network protocols

Last month's rank:

➡ 2

Threat name:Threat description:

Open source tool that dumps credentials using various techniques

Last month's rank:

3

Threat name:Threat description:

Dropper/downloader that uses compromised WordPress sites to redirect users to adversary infrastructure posing as necessary browser updates to trick users into running malicious code

Last month's rank:

4

Threat name:Threat description:

Activity cluster characterized by the delivery of an information stealer and .NET RAT via search engine redirects

Last month's rank:

5*

Threat name:Threat description:

Penetration testing tool that integrates functionality from multiple offensive security projects and has the ability to extend its functionality with a native scripting language

Last month's rank:

5*

Threat name:Threat description:

Malware family used as part of a botnet. Some variants are worms and frequently spread via infected USB drives

Last month's rank:

5*

Threat name:

LummaC2

Threat description:

Information stealer sold on underground forums and used by a variety of adversaries; may also be used as a loader for additional payloads

Last month's rank:

5*

Threat name:

NetSupport Manager

Threat description:

Legitimate remote access tool (RAT) that can be used as a trojan by adversaries to remotely control victim endpoints for unauthorized access

Last month's rank:

9*

Threat name:Threat description:

Open source tool used to identify attack paths and relationships in Active Directory

Last month's rank:

9*

Threat name:

Charcoal Stork

Threat description:

Suspected pay-per-install (PPI) provider that uses malvertising to deliver installers, often disguised as cracked games, fonts, or desktop wallpaper

Last month's rank:

9*

Threat name:Threat description:

Penetration testing framework used to probe systematic vulnerabilities on networks and servers and conduct post-exploitation activity on compromised hosts

Last month's rank:

9*

Threat name:Threat description:

Activity cluster using a worm spread by external drives that leverages Windows Installer to download malicious files

Last month's rank:

9*

Threat name:

RedLine

Threat description:

Information stealer sold on underground forums and used by a variety of adversaries

Last month's rank:

9*

Threat name:Threat description:

Activity cluster that uses a distribution scheme similar to SocGholish and uses JScript files to drop NetSupport Manager onto victim systems

Last month's rank:

9*

Threat name:

XMRig

Threat description:

Monero cryptocurrency miner that is often deployed as a secondary payload

= trending up from previous month
= trending down from previous month
➡ = no change in rank from previous month

*Denotes a tie

Observations on trending threats

Our top 10 threats this month ended up being a top 16, with an atypical 7-way tie for 9th place. SocGholish was more active this month, moving up to 3rd after placing just off the list at no. 11 last month. This is the highest SocGholish has been in the top 10 since April 2023. Cobalt Strike also saw an increase in activity that landed it in a 4-way tie for the 5th spot. Major U.S. holidays are often an active time for adversaries, and we saw a jump in both attempted Cobalt Strike use and BloodHound use during the week of Thanksgiving this year.

The reindeer games are XMRigged

One of our 9th place ties is XMRig, a Monero cryptocurrency miner, making its first appearance in our top 10. We typically see a few instances of XMRig every month, and saw enough in November for it to squeak into the top 10 list. XMRig by itself is a fairly benign open source miner available on GitHub. While, like all cryptominers, it uses system resources for its mining activity, it does not contain any additional malicious code.

Sometimes deploying XMRig is the adversary’s primary goal, but frequently XMRig is deployed as a secondary payload in an attempt to monetize threat actors’ access to victim systems. In November 2023 alone, researchers reported campaigns deploying XMRig alongside other malware families like Rhadamanthys and Cobalt Strike.

Here at Red Canary we saw XMRig delivered multiple ways last month. One example was very similar to activity reported by the DFIR Report in 2022. We assess the adversary likely brute forced access to a public-facing MySQL server then uploaded malicious DLLs and a custom loadable function to execute the DLLs. The adversary wrote a number of additional files to disk, including a renamed instance of cscript.exe, the XMRig binary, and additional scripts used to install and execute XMRig. They also created a scheduled task for persistence.

Detecting XMRig depends on how it is delivered. In the above example we saw at Red Canary, unusual cscript.exe activity gives us a detection opportunity.

 


Detection opportunity: Windows Script Host wscript.exe or cscript.exe making network connections to a suspicious top-level domain (TLD)

The following pseudo-detection analytic identifies wscript.exe or cscript.exe making network connections to a suspicious top-level domain (TLD). Malicious scripts, like those used in the example above to install XMRig, may connect to infrastructure hosted on unusual TLDs. This is atypical behavior, although custom admin scripts may reach out to personal domains. The analytic below leverages a custom-made suspicious domain list, based on observations and research on abused TLDs shared by teams like Unit 42.

process == (wscript, cscript)

&&

has_netconn

&&

command_includes (domain strings matching *suspicious_tlds)

Note: You can create a list of suspicious TLDs to reference in *suspicious_tlds based on in-house observations and industry research. The Red Canary list includes: .date, .cf, .ga, .casa, .cyou, among others.

 

 

Storm-1811 exploits RMM tools to drop Black Basta ransomware

 

Intelligence Insights: November 2024

 

Stealers evolve to bypass Google Chrome’s new app-bound encryption

 

Intelligence Insights: October 2024

Subscribe to our blog

 
 
Back to Top