Over the past few months, Scarlet Goldfinch has demanded our attention as we’ve observed it increasingly luring victims into its nest with a siren song of artifice. This cunning threat first appeared on our radar last summer, demonstrating a sophisticated method of deception that has left many unsuspecting users vulnerable.
In the video below, Senior Manager of Intelligence Alex Berninger delves into the intricate workings of the Red Canary-named activity cluster, explores the implications of its use of remote monitoring and management (RMM) tools, and offers insights into how defenders can protect their organizations from this insidious threat.
What is it?
Scarlet Goldfinch is a cluster of activity that Red Canary first observed in June 2023. This threat deceives users into downloading a file masquerading as a browser update, which starts a chain of activity eventually leading to the installation of NetSupport Manager. NetSupport Manager is an RMM tool that provides the adversary remote control over a system.
How does it work?
For initial access, Scarlet Goldfinch tricks users into visiting a compromised website with a lure indicating that a browser update is needed. The lure tricks the user into downloading a .zip file which, in line with the browser update ruse, has names like updateinstaller.zip or updateinstall.zip. The zip contains the first-stage JScript (Microsoft's variant of JavaScript) malware, which is executed via wscript.exe.
This initial payload may download and write additional stages, and we have observed a change of tactics for the second stage. From June to September 2023, Scarlet Goldfinch’s second stage was uniquely implemented as batch files and VBS scripts that issued commands to the command and control infrastructure to download and install NetSupport Manager.
However, starting around October 2023, the first-stage JScript file began spawning an obfuscated PowerShell command rather than the batch script. The PowerShell command makes a network connection to the command and control infrastructure to retrieve additional components to download and install NetSupport Manager. Scarlet Goldfinch establishes persistence for the NetSupport payload using Windows Registry Run keys and scheduled tasks. Observed Run key values include:
HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OFFICE
HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DIVXX
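The chain above (wscript.exe running a .js extracted from a browser-downloaded zip, wscript.exe spawning an obfuscated PowerShell command or, in the earlier variant, batch/VBS helpers, and Run key persistence under the OFFICE and DIVXX value names) can be turned into a small detection pass over process and registry telemetry. The following is an added example, not Red Canary's detection logic: the event fields, the "user-writable directory" list, and the PowerShell obfuscation indicators are assumptions, and the sample events are constructed rather than real Scarlet Goldfinch artifacts. Only the two Run key value names come from the post.

```python
"""Toy detection pass for the Scarlet Goldfinch chain over constructed endpoint
telemetry. Field names and heuristics are assumptions made for this example."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass
class RegistryEvent:
    key: str          # registry key path
    value_name: str   # value written under that key
    data: str         # value data (a command line for Run keys)


# Run-key value names the post attributes to Scarlet Goldfinch persistence.
KNOWN_RUN_VALUES = {"OFFICE", "DIVXX"}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run$", re.IGNORECASE)
# Assumed list of locations where a zip extracted from a browser download lands.
USER_WRITABLE_RE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop)|Windows\\Temp|ProgramData)\\",
    re.IGNORECASE)
# Assumed indicators of a hidden or obfuscated PowerShell launch; the post names no flags.
PS_SUSPICIOUS_RE = re.compile(
    r"(-e(?:nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{40,}|-w(?:indowstyle)?\s+hidden|"
    r"FromBase64String|DownloadString|Net\.WebClient|Invoke-WebRequest)",
    re.IGNORECASE)
# First quoted or unquoted script path on a command line.
SCRIPT_PATH_RE = re.compile(
    r'"([^"]+\.(?:jse|js|bat|vbs))"|(\S+\.(?:jse|js|bat|vbs))(?=\s|$)', re.IGNORECASE)


def _base(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _script_arg(command_line):
    m = SCRIPT_PATH_RE.search(command_line)
    return (m.group(1) or m.group(2)) if m else None


def check_process(ev):
    """Return (rule_id, severity) findings for one process-start event."""
    out = []
    image, parent = _base(ev.image), _base(ev.parent_image)
    script = _script_arg(ev.command_line)
    # Stage 1: wscript.exe running a .js dropped somewhere a user can write.
    if image == "wscript.exe" and script and script.lower().endswith((".js", ".jse")):
        if USER_WRITABLE_RE.search(script):
            out.append(("wscript_js_user_writable", "medium"))
        if "update" in _base(script):
            out.append(("browser_update_lure_name", "low"))
    # Stage 2 (from around October 2023): wscript.exe spawning obfuscated PowerShell.
    if parent == "wscript.exe" and image in ("powershell.exe", "pwsh.exe"):
        sev = "high" if PS_SUSPICIOUS_RE.search(ev.command_line) else "medium"
        out.append(("wscript_spawns_powershell", sev))
    # Stage 2 (June to September 2023): wscript.exe spawning batch/VBS helpers.
    if parent == "wscript.exe" and image in ("cmd.exe", "cscript.exe") and script:
        out.append(("wscript_spawns_script_interpreter", "medium"))
    return out


def check_registry(ev):
    """Return findings for one registry value-set event under a Run key."""
    out = []
    if not RUN_KEY_RE.search(ev.key):
        return out
    if ev.value_name.upper() in KNOWN_RUN_VALUES:
        out.append(("run_key_known_scarlet_goldfinch_name", "high"))
    if USER_WRITABLE_RE.search(ev.data):
        out.append(("run_key_points_to_user_writable_path", "medium"))
    return out


def evaluate(events):
    findings = []
    for ev in events:
        findings.extend(check_process(ev) if isinstance(ev, ProcessEvent) else check_registry(ev))
    return findings


# Constructed sample telemetry (not real artifacts); the last two events are benign controls.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
                 r'"C:\Windows\System32\wscript.exe" "C:\Users\jdoe\AppData\Local\Temp\Temp1_updateinstaller.zip\update.js"'),
    ProcessEvent(r"C:\Windows\System32\wscript.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden -nop -enc " + "QQBBAEEA" * 7),
    RegistryEvent(r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "OFFICE",
                  r"C:\Users\jdoe\AppData\Roaming\office\office.exe"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
                 r'wscript.exe "C:\Scripts\inventory.js"'),
    RegistryEvent(r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
                  r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
]

if __name__ == "__main__":
    for rule, severity in evaluate(SAMPLE_EVENTS):
        print(f"{severity:6} {rule}")
```

The rules are deliberately layered: the wscript-to-PowerShell parent/child relationship and the known Run key names are the high-confidence signals, while the user-writable path and "update" naming are low-cost context that helps an analyst triage rather than alert on their own.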
How is it different from SocGholish?
At first, Scarlet Goldfinch looked a lot like SocGholish, also known as FakeUpdates. But we quickly started to notice key differences that led our team to track Scarlet Goldfinch as a distinct activity from SocGholish. Although they both begin with JavaScript files distributed under the facade of a web browser update, the actions taken after this initial intrusion ruse differ significantly.
While historically NetSupport Manager has been a common payload of choice for SocGholish, the group began showing a preference for other remote access tools back in 2022, and this trend continued into the present.
Why does it matter?
Scarlet Goldfinch and SocGholish are not the only two activity clusters that use the browser update ruse, so this is an initial access vector to keep an eye on. Adversary use of RMM tools is concerning because these tools can often operate with the veneer of legitimacy, and Scarlet Goldfinch's use of NetSupport Manager fits this trend. RMM tools offer a large set of remote administration features, and many organizations use them for legitimate purposes such as applying updates, managing assets, and deploying software. So, as you might imagine, these tools can help an adversary blend into the environment and evade detection.
What can defenders do about it?
To defend against this threat, strict inventory management is crucial. It's important to know which RMM tools are allowed in your network while also staying vigilant and aware of any deviations from that. If you're unsure whether an RMM tool is being used maliciously, consider what is normal for these applications. Adversaries will often change the file name, download and run the tool from a nonstandard directory, or make suspicious network connections from it.
Because this lure can be particularly tricky and convincing, user training alone may not be completely effective, and therefore mitigation or remediation measures should be implemented. For example, changing the default program that opens and executes JavaScript files to something other than wscript (e.g., Notepad) is a helpful control that stops this activity from executing automatically.
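The two defensive points above, an RMM allowlist checked against the deviations the post names (renamed binary, nonstandard directory, suspicious network destination) and a verification that .js files no longer open in wscript, can both be expressed as simple checks. The following is an added example rather than Red Canary's tooling: the allowlist entries, install directory, expected hosts, and the way the sensor reports product and original file names are all assumptions, and the sample events are constructed. The NetSupport client file name and the JSFile handler location are taken from general Windows knowledge, not from the post.

```python
"""Allowlist-driven review of RMM tool activity, plus a check that the .js file
association no longer points at a script host. Constructed data throughout."""
import re
from dataclasses import dataclass

# Approved RMM tools, keyed by the ProductName an EDR reports from the binary's
# version information. Every value below is an assumed placeholder: fill it from
# your own asset inventory.
RMM_ALLOWLIST = {
    "NetSupport Manager": {
        "install_dirs": [r"C:\Program Files (x86)\NetSupport\NetSupport Manager"],
        "hosts": {"gateway.rmm.example.com"},  # placeholder expected destinations
    },
}

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class RmmEvent:
    image: str              # full path of the running executable
    product_name: str       # ProductName from version info, as the sensor reports it
    original_filename: str  # OriginalFilename compiled into the binary
    remote_host: str        # host the process connected to, "" if none observed


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def _dirname(path):
    return path.rsplit("\\", 1)[0].lower()


def assess(ev):
    """Return the deviations from the allowlist for one RMM process event."""
    policy = RMM_ALLOWLIST.get(ev.product_name)
    if policy is None:
        return ["unapproved_rmm_tool"]
    findings = []
    # File name changed: the on-disk name no longer matches the compiled-in one.
    if _base(ev.image) != ev.original_filename.lower():
        findings.append("renamed_binary")
    # Running from somewhere other than the expected install directory.
    if not any(_dirname(ev.image).startswith(d.lower()) for d in policy["install_dirs"]):
        findings.append("nonstandard_directory")
    # Talking to a bare IP, or to a host not on the tool's expected list.
    host = ev.remote_host.lower()
    if host and (IPV4_RE.match(host) or host not in policy["hosts"]):
        findings.append("unexpected_destination")
    return findings


# The default handler for .js files (HKCR\JSFile\Shell\Open\Command) runs wscript.exe.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def js_handler_is_hardened(open_command):
    """True if the JSFile open command no longer invokes a Windows Script Host binary."""
    return not any(host in open_command.lower() for host in SCRIPT_HOSTS)


# Constructed sample telemetry: one expected installation, two deviations, one unknown tool.
SAMPLE_EVENTS = [
    RmmEvent(r"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe",
             "NetSupport Manager", "client32.exe", "gateway.rmm.example.com"),
    RmmEvent(r"C:\Users\jdoe\AppData\Roaming\office\client32.exe",
             "NetSupport Manager", "client32.exe", "203.0.113.7"),
    RmmEvent(r"C:\Users\jdoe\AppData\Roaming\office\office.exe",
             "NetSupport Manager", "client32.exe", ""),
    RmmEvent(r"C:\Users\jdoe\Downloads\remote.exe",
             "Some Other RMM", "remote.exe", "198.51.100.9"),
]
# Constructed handler strings: the stock value and a hardened one pointing at Notepad.
DEFAULT_JS_HANDLER = r'%SystemRoot%\System32\WScript.exe "%1" %*'
HARDENED_JS_HANDLER = r'%SystemRoot%\System32\notepad.exe "%1"'

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.image, "->", assess(ev) or "ok")
    print("default handler hardened:", js_handler_is_hardened(DEFAULT_JS_HANDLER))
    print("notepad handler hardened:", js_handler_is_hardened(HARDENED_JS_HANDLER))
```

Comparing the on-disk name against the OriginalFilename in version information catches the rename case without needing a hash list, and treating a bare IP destination as a deviation reflects that a legitimately deployed RMM agent normally talks to a known vendor or self-hosted gateway name.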