Skip Navigation
Get a Demo
 
 
 
 
 
 
 
 
 
Resources Blog Threat intelligence

Intelligence Insights: October 2023

Charcoal Stork sticks around and DarkGate crashes in, in this month’s edition of Intelligence Insights

The Red Canary Team
Originally published . Last modified .

Each month, the Intel team provides Red Canary customers with an analysis of trending, emerging, or otherwise important threats that we’ve encountered in confirmed threat detections, intelligence reporting, and elsewhere over the preceding month. We call this report our “Intelligence Insights” and share a public version of it with the broader infosec community.

Highlights

To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months. 

Here’s how the numbers shook out for September 2023:

Last month's rankThreat nameThreat description
Last month's rank:

➡ 1

Threat name:

Charcoal Stork

Threat description:

Suspected pay-per-install (PPI) provider that uses malvertising to deliver installers, often disguised as cracked games, fonts, or desktop wallpaper

Last month's rank:

➡ 2

Threat name:Threat description:

Malware family used as part of a botnet. Some variants are worms and frequently spread via infected USB drives

Last month's rank:

3

Threat name:Threat description:

Malware that modifies victims’ browser settings and redirects user traffic to advertisement websites

Last month's rank:

4*

Threat name:Threat description:

Collection of Python classes to construct/manipulate network protocols

Last month's rank:

4*

Threat name:Threat description:

Activity cluster using a worm spread by external drives that leverages Windows Installer to download malicious files

Last month's rank:

6

Threat name:

DarkGate

Threat description:

Loader offered as malware-as-a-service delivered via phishing campaigns by multiple adversaries

Last month's rank:

7

Threat name:Threat description:

Open source tool that dumps credentials using various techniques

Last month's rank:

8

Threat name:Threat description:

Activity cluster characterized by the delivery of an information stealer and .NET RAT via search engine redirects

Last month's rank:

9*

Threat name:Threat description:

Open-source tool used to identify attack paths and relationships in Active Directory

Last month's rank:

➡ 9*

Threat name:Threat description:

Penetration testing tool that integrates functionality from multiple offensive security projects and has the ability to extend its functionality with a native scripting language

= trending up from previous month
= trending down from previous month
➡ = no change in rank from previous month

*Denotes a tie

Observations on trending threats

In this month’s top 10, Charcoal Stork and Gamarue retained their respective places at 1 and 2 from last month, followed by several of our usual suspects. Raspberry Robin climbed to 4, the highest it’s been in the rankings since May 2023. Yellow Cockatoo, which reappeared in June 2023 after an almost year-long hiatus, decreased enough in activity to land at 8. BloodHound made it to the top 10 for the first time since April 2023, tied for 9 with Cobalt Strike.

DarkGate crashes the party

We have one newcomer to the top 10 this month. DarkGate, a loader offered on cybercrime forums as Malware-as-a-Service (MaaS) and typically distributed via phishing, makes its first appearance at spot 6. 

DarkGate has been around as a malware family since 2018. Its developers began offering it as MaaS in June 2023, which increased its use exponentially. Red Canary’s first known observation of DarkGate was in late August 2023, with its use increasing over the course of September. In late September, TA577 began distributing DarkGate as one of their phishing payloads – along with IcedID and Pikabot – to replace Qbot post-takedown. This is only one example of the multiple adversaries currently distributing DarkGate as a payload. Red Canary has directly observed multiple distinct delivery methods, further evidence of its use by multiple groups.

DarkGate’s popularity is likely due to a number of built-in features, including defense evasion, command & control (C2), and persistence capabilities. It also has the ability to download and execute additional payloads. DarkGate has reportedly been seen as part of pre-ransomware activity, making it a significantly higher risk if detected in your environment. 

One way we have seen DarkGate delivered is through a .zip archive containing a Visual Basic Script (.vbs) loader. The file is often located in the AppData\Local directory and contains the victim username, like in this example:

C:\Users\username\AppData\Local\Temp\Temp1_username_k77268j.zip\username_k77268j.vbs

This file location, plus the use of wscript.exe or cscript.exe to execute the .vbs file, gives us a detection opportunity.

 


Detection opportunity: wscript.exe or cscript.exe executing .vbs files that originate from a .zip file, from the %APPDATA% directory

The following pseudo-detection analytic identifies wscript.exe or cscript.exe executing .vbs files from the %APPDATA% directory, specifically files that originate from a .zip file. Typically the .vbs file is a dropper that reaches out to external resources to download additional payloads like DarkGate. If the .vbs executes successfully, there will be follow-on file modifications, network connections, and/or child processes.

 

process == (wscript.exe, cscript.exe)

&&

command_includes (appdata, .zip, .vbs)

&&

has filemod OR childproc OR netconn
 

Intelligence Insights: May 2024

 

Intelligence Insights: April 2024

 

Holding down the Fortinet vulnerability

 

Intelligence Insights: March 2024

Subscribe to our blog

 
 
Back to Top