Virtual private networks (VPN) allow adversaries to conceal the origin of their IP space, often in an attempt to make it appear as if they are logging into an account from an expected location. This allows them to circumvent network and identity-based controls that would otherwise block login attempts from unusual internet service or hosting […]
Cloud technology continues to grow. Over the last few years, most companies have moved their infrastructure and business operations to the cloud: either partially or entirely. In 2024 we have seen those numbers continue to grow. Gartner forecasts that IT spending on public cloud services will exceed $1 trillion in 2027. Gartner also claims that […]
In most years, macOS threats vary from their Windows counterparts for a variety of reasons, ranging from differences in operating system architecture, software support, relative market share, and more. In 2024, macOS experienced the same phenomenon that Windows did: an exponential increase in stealer malware. Stealers on macOS targeted cryptocurrency data, files on disk, and […]
Insider threats comprise a broad array of suspicious and malicious activity carried out by employees or people otherwise affiliated with an organization. In this section, we’re going to focus on one particular variety of insider threat that rose to prominence following a Mandiant report published in September 2024. The report detailed an initiative purportedly […]
The field guide to color bird threats: a definitive guide to “color birds,” what we call fledgling activity clusters we’ve named after tracking patterns of malicious behavior. You may have noticed some unusual names in Red Canary’s reporting; when our Intelligence team encounters a cluster of activity that does not match any known threats […]
LummaC2, also known as LummaC or Lumma Stealer, is a malware-as-a-service (MaaS) stealer that has been available for purchase on underground forums since at least mid-2022. Subscriptions start at $250 USD per month, all the way up to a one-time payment of $20,000 USD to gain access to Lumma source code. Adversaries favor the MaaS […]
A legitimate remote access tool that has been in use for over 30 years, NetSupport Manager is one of the many remote monitoring and management (RMM) tools misused by adversaries. NetSupport Manager is so commonly misused that it’s frequently referred to by security researchers as a malicious remote access trojan (RAT) instead of a benign […]
Amber Albatross is a Red Canary-named activity cluster that we have been tracking since January 2024. The activity encompasses download and installation activities that consistently lead to a Pyarmor-obfuscated PyInstaller executable with stealer-like capabilities. We have consistently observed Amber Albatross installers as a payload delivered by potentially unwanted programs (PUP), including Bit Guardian’s Bit Driver […]
Scarlet Goldfinch is Red Canary’s name for a fake browser update activity cluster, similar to SocGholish, that first emerged in June 2023. One of several emerging threats in mid-2023 that followed SocGholish’s fake update footsteps, Scarlet Goldfinch is tracked by other researchers under several different names, including SmartApeSG (due to early observations of C2 infrastructure […]
HijackLoader, also known as IDAT Loader, GHOSTPULSE, or SHADOWLADDER, is a malware loader that delivers additional payloads through process injection. In use since at least July 2023, multiple adversary groups leverage HijackLoader to deliver a wide array of payloads, including stealers and RATs. The rise of paste-and-run campaigns in 2024 propelled HijackLoader up the ranks […]
Why do adversaries hijack cloud services? Adversaries may compromise software-as-a-service (SaaS) applications to perform various malicious activities at scale against victims. This may take the form of mass spam campaigns or large-scale phishing operations by leveraging services such as AWS Simple Notification Service (SNS) or Twilio to send text messages or emails. With […]
Why do adversaries abuse email hiding rules? When an adversary compromises an email inbox and uses it to send or intercept emails, they often cover their tracks by moving, hiding, or otherwise deleting suspicious email messages, thereby concealing them from their victim. Rather than manually deleting sent emails, which runs the risk of neglecting to […]
Red Canary started tracking a cluster of worm-like activity in September 2021 that we called Raspberry Robin. We shared our observations on this cluster in a blog published in May 2022. Following our post, other security researchers shared their observations and research findings, expanding the community’s understanding of Raspberry Robin. Since our initial blog publication, Raspberry Robin […]
Why do adversaries dump credentials? Rooted in the common need for adversaries to infiltrate user accounts and other resources within target organizations, the OS Credential Dumping technique encompasses various methods employed by adversaries and professional penetration testers to acquire valid usernames and passwords. While there are alternative methods of access that do not necessitate legitimate […]
At its core, Impacket is a collection of Python classes that plug into applications like vulnerability scanners, allowing them to work with Windows network protocols. These Python classes are used in multiple tools to facilitate command execution over Server Message Block (SMB) and Windows Management Instrumentation (WMI). Oftentimes the popular Python scripts smbexec, wmiexec, or dcomexec are used directly without having been downloaded […]
Yellow Cockatoo is an activity cluster involving search engine poisoning to trick users into installing a .NET RAT with infostealer capabilities. First reported by Red Canary in 2020, Yellow Cockatoo has also garnered attention from other researchers, who track it under other names such as Jupyter and Solarmarker. After bursting onto the scene in 2020 […]
Gamarue, sometimes referred to as Andromeda or Wauchos, is a malware family used as part of a botnet. The variant of Gamarue that we observed most frequently in 2022 was a worm that spread primarily via infected USB drives. Gamarue has been used to spread other malware, steal information, and perform other activities such as […]
Mimikatz is an open source credential-dumping utility that was initially developed in 2007 by Benjamin Delpy to abuse various Windows authentication components. While the initial v0.1 release was oriented towards abusing already well established “pass the hash” attacks, after expanding its library of abuse primitives, the tool was publicly released as Mimikatz v1.0 in […]
SocGholish is a malware family that leverages drive-by downloads masquerading as software updates for initial access. Active since at least April 2018, SocGholish has been linked to the suspected Russian cybercrime group Evil Corp. As in past years, Red Canary observed SocGholish impacting a wide variety of industry verticals in 2024. Continuing trends observed in 2022 […]
Also known as “Qakbot,” the Qbot banking trojan has been active since at least 2007. Initially focused on stealing user data and banking credentials, Qbot’s functionality has expanded to incorporate features such as reconnaissance, follow-on payload delivery, command and control (C2) infrastructure, and anti-analysis capabilities. Qbot is typically delivered via an email-based distribution model. Over […]
Threats attributed to testing represented approximately 24 percent of malicious and suspicious classified threats that our team detected in 2023, nearly 6,000 in all. These threats include purple or red team activity, adversary emulation tools and platforms, and more. In this section, we’ll look closer at the types of organizations performing these tests, along with […]
A working username and password (or an access token of some kind) have long been an adversary’s best option for accessing accounts and systems. This is precisely why phishing has ranked among the most problematic adversary techniques for decades—and also why stealers are among the most prevalent categories of malware targeting businesses. The popularity of […]
Adversaries are looking for opportunities to log in rather than hack in, realizing that a good username and password combination can provide access to a company’s local systems and cloud applications, all while blending into the environment. Adversaries use stealer malware to opportunistically gather identity information and other data at scale. Stealers can extract information […]
Software vulnerabilities continually rank among the top vectors leveraged by adversaries for initial access in particular, but Red Canary has observed the use of exploits throughout the attack lifecycle. An appreciation for where and how adversaries exploit vulnerabilities is critical not only for detection and response, but to impress upon organizations the need to […]
Adversaries rename system utilities to circumvent security controls and bypass detection logic that’s dependent on process names and process paths. Renaming system utilities allows an adversary to take advantage of tools that already exist on the target system and prevents them from having to deploy as many additional payloads after initially gaining access. Renaming a […]
Why do adversaries use Ingress Tool Transfer? Note: Ingress Tool Transfer has no sub-techniques. Administrative tooling and other native operating system binaries offer adversaries a rich array of functionalities that are ripe for abuse. While an adversary can accomplish many of their objectives by living off the land, they often require non-native tooling to perform […]
Why do adversaries use Rundll32? Like other prevalent ATT&CK techniques, Rundll32 is a native Windows process and a functionally necessary component of the Windows operating system that can’t be blocked or disabled without breaking things. Adversaries typically abuse Rundll32 because it makes it hard to differentiate malicious activity from normal operations. More often than not, […]
Why do adversaries obfuscate files and information? Note: T1027 comprises multiple sub-techniques, but we largely map our detection analytics to the parent. As such, this section focuses generally on the overall technique and not on any individual sub-techniques. Adversaries employ obfuscation to evade simple, signature-based detection analytics and to impede analysis. Since software and IT […]
Why do adversaries use WMI? Like many of the threats highlighted in this report, WMI is a native Windows feature that can be used on local or remote systems. Administrators regularly use WMI to configure systems, execute processes or scripts, and automate tasks. What makes WMI useful to administrators also makes it attractive to adversaries. Note […]
PowerShell is a versatile and flexible automation and configuration management framework built on top of the .NET Common Language Runtime (CLR), which expands its capabilities beyond other common command-line and scripting languages. PowerShell is included by default in modern versions of Windows, where it’s widely and routinely used by system administrators to automate tasks, perform […]
Windows Command Shell is the native command-line interpreter (CLI) across every version of the Windows operating system. As utilitarian as it is ubiquitous, Windows Command Shell is one of the primary ways that adversaries interact with compromised systems. Unlike its more sophisticated and capable cousin, PowerShell, Windows Command Shell’s native feature set—i.e., commands that may […]
In 2024, adversaries used a wide range of methods to access and mislead unsuspecting victims. Users had to contend with malicious links and phishes presented in a multitude of ways, including via email, search engines, Microsoft Teams messages, and phone calls. “Paste and run,” a technique used to fool users into running malicious code, grew […]
Ransomware continues to surge year over year, and payout demands are only getting higher. Ransomware is holding strong as a lucrative business model for criminals. Despite early wins from law enforcement actions, this past year saw increasingly sophisticated and agile operations, with adversaries asking for higher payouts. As with last year, Red Canary’s visibility […]
What is a container? Containers are short-lived processes designed to run an application. They are typically isolated from the underlying host via mechanisms such as namespaces, cgroups, and capabilities. In combination, these mechanisms ensure containers are isolated, resource-controlled, and maintain a level of security. For example, capabilities in Linux are employed to granularly assign privileges […]
Business email compromise (BEC) and email account compromise (EAC) attacks remained prevalent in 2024. Adversaries use compromised credentials or identities to access email accounts, leveraging their legitimacy to bypass automated security controls and to trick otherwise phish-aware users who apply more scrutiny to external or unfamiliar email addresses. Adversaries will also use email forwarding rules […]
Why do adversaries abuse kernel modules and extensions? When an adversary gains access and execution on a system, they are often hamstrung by the reality that their execution exists in memory only. Thus, if the machine restarts, the program they had running on the machine goes away. Kernel Modules and Extensions allow adversaries to establish […]
Note: Installer Packages is a broadly scoped sub-technique, and so we decided to focus our analysis on emerging tradecraft related to MSIX. What is MSIX? MSIX is a packaging format for Windows that eases the packaging, installation, and update process for applications. It is intended to improve upon the limitations of the MSI format. MSIX […]
Note: Reflective Code Loading is a broad, cross-platform technique, and we’ve chosen to focus our analysis specifically on this technique in the context of macOS. Why do adversaries abuse reflective code loading? The macOS file system is carefully scrutinized by endpoint detection and response (EDR) tools, commercial antivirus (AV) products, and Apple’s baked-in XProtect […]
Why do adversaries abuse AppleScript? Gaining execution on macOS can be noisy. When binaries are dropped to disk, there is ample opportunity for defenders to respond, be it via traditional static-based detection or more modern process-centric behaviors. It’s for this reason that adversaries tend towards a “Living off the Orchard” (LOOBin) approach, which assumes the […]
Cloud account compromises are increasing in prevalence as organizations embrace software-as-a-service (SaaS) for critical productivity applications like email, file storage, and messaging, resulting in a substantial volume of data now being stored in the cloud. This shift is mirrored by adversaries too, who are finding just as much value in compromising cloud identities as they […]
ChromeLoader is a browser hijacker capable of redirecting searches for popular search engines such as Google, Bing, and Yahoo, sending search data to its C2, and adding a malicious browser extension and preventing users from uninstalling it. Our evolving understanding of an evolving threat: we began 2023 with a narrower view of ChromeLoader than most other […]
Is an organization’s industry an important factor in determining the types of threats they face, the techniques that adversaries use against them, or the general level of risk they’re exposed to? We looked at our detection data set to answer this question and shed light on the relative risks—or the different kinds of risk—faced by […]
In 2023 we all witnessed a new era in the use of generative AI (GenAI) to aid in solving or automating many of the rote tasks we take on as defenders. Technologies like ChatGPT, Bard, and GitHub Copilot showed how GenAI—backed by powerful foundational models like GPT-4—can reduce the cognitive load and stresses that come […]
SmashJacker is a browser search engine hijacker first documented by ConnectWise in June 2023. Distributed through sites advertising “the download of wallpapers, software, games, and movies,” often via a pay-per-installer that Red Canary tracks as Charcoal Stork, SmashJacker installs a browser extension designed to redirect search engine queries and serve additional advertisements that provide income […]
The birth of Charcoal Stork: Charcoal Stork is a suspected pay-per-install (PPI) provider that first drew our attention in 2022 when it began delivering ChromeLoader. In the months since, we have observed this initial access threat deliver multiple payloads, including SmashJacker and VileRAT, and research from other vendors suggests several other payloads have been observed […]
Adversaries have abused RMM tools for years, and they continued to do so in 2023. RMM tools are an attractive option for adversaries because they offer robust sets of remote administration features and they do so with the veneer of legitimacy. Many organizations use one or another of these tools to apply updates, manage assets, […]
As businesses across the world have moved to cloud services and built infrastructure on top of cloud providers, adversaries have followed them. Moving to the cloud has huge benefits, such as scalability, security, and developer-friendly application programming interfaces (API). It has also brought new tools in the form of identity and access management (IAM) services, […]
Adversaries abuse MFA requests to log into valuable systems that are protected by second factors of authentication. To the surprise of many, some MFA implementations are susceptible to relatively unsophisticated social engineering attacks that could allow an adversary to impersonate victims and bypass security controls. Highly privileged identities are particularly juicy targets for adversaries seeking […]
Windows Admin Shares are enabled by default to allow administrators and software to remotely manage hosts on an internal network using the SMB protocol. These shares give adversaries the ability to stage payloads for execution, move laterally throughout a network, and elevate their privilege level. As is often the case with legitimate operating system utilities, […]
Windows uses the Mark-of-the-Web (MotW) to indicate that a file originated from the Internet, which gives Microsoft Defender SmartScreen an opportunity to perform additional inspection of the content. MotW also supplies the basis for presenting a user with an additional prompt when high-risk extensions are opened. MotW is applied to a file by appending a […]
Once an adversary gains access to a machine, they need to make sure they have enough permissions to persist, evade defensive controls, steal credentials, and more. Adversaries abuse setuid and setgid bits to elevate their privilege levels on macOS and Linux, potentially accessing both cloud-hosted and physical on-premise machines. With elevated privileges, adversaries can modify […]
Adversaries attempt to bypass Apple’s Gatekeeper security checks in order to gain execution on a host. Since Gatekeeper’s introduction, the security control has hampered adversaries’ ability to execute untrusted code (i.e., code that does not conform to the system’s security policy). Adversaries may also circumvent the older File Quarantine feature and some of the high-level […]
The registry being a generic database used by Windows for myriad purposes means that an adversary can use it for myriad purposes too. However, modification of the registry is a means to an end for executing other techniques. The following, non-exhaustive list comprises the various techniques that registry modification facilitates: Boot or Logon Autostart Execution […]
Adversaries commonly abuse the Local Security Authority Subsystem Service (LSASS) to dump credentials for privilege escalation, data theft, and lateral movement. The process is a fruitful target for adversaries because of the sheer amount of sensitive information it stores in memory. Upon starting up, LSASS contains valuable authentication data such as encrypted passwords, NT hashes, […]
Why do adversaries abuse Service Execution? All production operating systems have one thing in common: a mechanism to run a program or service continuously. On Windows, such a program is referred to as a “service,” and in the Unix/Linux world, such a program is often referred to as a “daemon.” Regardless of what operating system […]
Why do adversaries use Process Injection? Note: Process Injection comprises multiple sub-techniques, but we largely map our detection analytics to the parent. As such, this section focuses generally on the overall technique and not on any individual sub-techniques. Process Injection is a versatile technique that adversaries leverage to perform a wide range of malicious activity. […]
PlugX is a malware family observed in intrusions attributed to multiple operators at least as far back as 2008. Although researchers largely attribute compromises involving PlugX to espionage operators with ties to Chinese interests, notably Mustang Panda (which overlaps with TA416 and RedDelta), there is speculation that PlugX source code has been circulated online […]
Gootloader is a JScript-based malware family that typically leverages SEO poisoning and compromised websites to lure victims into downloading a ZIP archive that poses as a document that the user has searched for. While we observed Gootloader detections in customer environments across multiple sectors in 2022, they almost always happened after victims accessed compromised websites […]
Emotet is an advanced, modular trojan that primarily functions as a downloader or dropper of other malware. It’s disseminated through malicious email links or attachments that use branding familiar to the recipient. Emotet focuses on stealing user data and banking credentials, and opportunistically deploys itself to victims. Emotet is polymorphic, meaning it often evades typical […]
BloodHound is an open source tool that can be used to identify attack paths and relationships in an Active Directory (AD) environment. BloodHound made it into our top 10 threat rankings thanks to both testing activity and adversary use. It is popular among adversaries and testers because having information about an AD environment can enable […]
Cobalt Strike continues to be a favorite post-exploitation tool for adversaries. At #8, it is the only post-exploitation framework to make the top 10. Ransomware operators in particular rely substantially on Cobalt Strike’s core functionalities as they seek to deepen their foothold in their victims’ environments. Its speed, flexibility, and advanced features are likely contributing […]
Spearphishing, Business Email Compromise (BEC), and Email Account Compromise (EAC) attacks continue to silently menace businesses across the globe, steadily outpacing damages inflicted by other attacks such as ransomware. Adversaries traditionally rely on social engineering schemes that allow them to trick unsuspecting users into facilitating payment fraud, disclosing sensitive information, or installing malware. Social engineering […]
Commercial and open source post-exploitation frameworks save red teamers time on custom development and allow them to quickly change TTPs in their engagements. Not surprisingly, adversaries also find them attractive due to their ease of use and flexibility. Adversaries have long used open source and leaked versions of commercial frameworks, most notably Metasploit and Cobalt […]
Why do adversaries use Mshta? mshta.exe is a Windows-native binary designed to execute Microsoft HTML Application (HTA) script code. As its full name implies, Mshta can execute Windows Script Host code (VBScript and JScript) embedded within HTML in a network proxy-aware fashion. These capabilities make Mshta an appealing vehicle for adversaries to proxy execution of […]