Relevant threats of 2021

Latent threats

Threats come and go, but some—like USB stowaways and network worms—like to stick around.


USB stowaways

In this section we characterize “USB stowaways” as threats that leverage USB thumb drives to find their victims.

Floxif (ranked #75 in 2021)

Floxif, short for “FloodFix,” is a type of file-infecting malware that researchers have observed spreading to some of the farthest reaches of organizations’ networks since 2012. In the detections that we’ve observed, Floxif most commonly arrived on endpoints via USB thumb drive. Floxif self-replicates by identifying processes running in memory that are eligible for infection and replaces them with new, Floxif-compromised binaries. Many variants of Floxif malware rely on writing the accompanying DLL symsrv.dll to a unique location, so detecting this threat can be done with relatively high confidence.

Floxif DLL file modification

This detection analytic identifies file modifications that are consistent with Floxif malware execution.

file_modification_includes ('Common Files\System\symsrv.dll')

Gamarue (ranked #12 in 2021)

Gamarue is a malware family that was first observed by researchers in 2011 and rendered inactive after a joint takedown operation in 2017. While many variants of Gamarue exist, the variant we observed most frequently in 2021 was an Autorun worm that spread primarily via infected USB drives. This is no different from what we saw in 2020, and we expect to continue seeing it for as long as users keep deploying infected USB drives to ferry files from one endpoint to another.

Explorer launching Rundll32 without any DLL in the command line

process == rundll32.exe
parent_process == explorer.exe
command_line_does_not_include ('.dll')

Conficker (ranked #28 in 2021)

Bridging the gap between USB worms and network worms, Conficker is a worm that feverishly spread across the internet in late 2008, leveraging the NetBIOS vulnerability MS08-067. As more sophisticated variants were developed, USB Autorun worming functionality was soon baked into Conficker as well, helping to further spread this worm via sneakernet. Fourteen years later, Red Canary still detects artifacts related to Conficker, most of which are leftover persistence mechanisms from incomplete remediation. While antivirus products may be doing most of the heavy lifting in terms of remediating active instances of Conficker, those errant scheduled tasks may still be out there trying to launch Conficker DLLs of bygone days.

Rundll32 executing with command lines consistent with Conficker

This detection analytic will identify unusual activity originating from the rundll32.exe process. Werfault typically spawns with command-line parameters when a process crashes, providing the program with input to create an error report. If you are having trouble getting this detection opportunity to work in your environment, you may find additional success by focusing only on processes where taskeng.exe or svchost.exe are the parents of Rundll32.

process_name == rundll32.exe
command_line == 'rundll32\.exe [a-z]{5,8}\.[a-z]{1,3},[a-z]{5,8}'
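The two Rundll32 analytics above (the Gamarue rule and the Conficker pattern) run over constructed process events, as an added example that is not code from the original page or from Red Canary. The event field names (`process`, `parent`, `cmdline`) and the sample command lines are assumptions made up for illustration; the `parents` argument implements the suggestion to narrow to taskeng.exe or svchost.exe parents.

```python
import re

# Constructed sample process events (not real telemetry). Field names mirror
# the pseudo-analytics above: process, parent_process, command_line.
EVENTS = [
    {"process": "rundll32.exe", "parent": "explorer.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"process": "rundll32.exe", "parent": "explorer.exe",
     "cmdline": r"rundll32.exe \\.\E:\constructed.pif,Entry"},  # no .dll named
    {"process": "rundll32.exe", "parent": "svchost.exe",
     "cmdline": "rundll32.exe fkxyd.hjm,zyxwvut"},             # Conficker shape
    {"process": "rundll32.exe", "parent": "taskeng.exe",
     "cmdline": "rundll32.exe qwertyuiop.dll,Start"},          # name too long
    {"process": "rundll32.exe", "parent": "explorer.exe",
     "cmdline": "rundll32.exe abcdef.gh,ijklmn"},              # fits both rules
    {"process": "notepad.exe", "parent": "explorer.exe", "cmdline": "notepad.exe"},
]

# The page's pattern, unanchored like a command_line search; IGNORECASE because
# Windows command lines are not consistently lower-case in telemetry.
CONFICKER_RE = re.compile(
    r"rundll32\.exe [a-z]{5,8}\.[a-z]{1,3},[a-z]{5,8}", re.IGNORECASE)

def gamarue_rundll32_no_dll(ev):
    """Explorer launching Rundll32 without any DLL named on the command line."""
    return (ev["process"].lower() == "rundll32.exe"
            and ev["parent"].lower() == "explorer.exe"
            and ".dll" not in ev["cmdline"].lower())

def conficker_rundll32(ev, parents=None):
    """Rundll32 command line in the short random-name shape. `parents`, if given,
    narrows to the scheduled-task/service parents suggested for noisy environments."""
    if ev["process"].lower() != "rundll32.exe":
        return False
    if parents is not None and ev["parent"].lower() not in parents:
        return False
    return CONFICKER_RE.search(ev["cmdline"]) is not None

def run(events, parents=None):
    """Return (event index, rule name) for every event a rule fires on."""
    hits = []
    for i, ev in enumerate(events):
        if gamarue_rundll32_no_dll(ev):
            hits.append((i, "gamarue"))
        if conficker_rundll32(ev, parents):
            hits.append((i, "conficker"))
    return hits
```

Call `run(EVENTS)` and `run(EVENTS, parents={"taskeng.exe", "svchost.exe"})` to see how the parent narrowing drops the explorer.exe-spawned match while keeping the svchost.exe one.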

Network worms

In this section we characterize “network worms” as threats that exploit vulnerabilities in software to infect and establish control over an endpoint. Following initial access, adversaries leverage the infected endpoints’ network connections to identify additional assets to infect and repeat the cycle.

WannaCry ransomware (ranked #31 in 2021)

WannaCry, often shortened to “WCry,” is a ransomware variant that spreads as an SMB worm leveraging the ETERNALBLUE vulnerability, MS17-010. WannaCry was first observed in May 2017, indiscriminately spreading across many organizations. Early variations of WannaCry had code built in to discontinue ransomware operations, but later versions did not include this functionality. Half a decade later, some might laugh that we’re including WannaCry in a report released now, and we must admit that seeing WannaCry so high in our rankings was a bit of a shock for us too, but here we are. Simply put, there’s a reason why the vulnerability WannaCry targets, MS17-010, is known as ETERNALBLUE. Just like MS08-067 is to Conficker, MS17-010 is so reliable that we are likely to continue seeing WannaCry for quite some time. If you are concerned that your endpoints might be afflicted by WannaCry, Microsoft provides guidance on how to identify endpoints that may be susceptible to SMBv1 exploitation, as well as mitigation techniques that are still applicable today.

Process names that are consistent with WannaCry binaries

This detection analytic will identify processes that are executing with process names that are consistently observed in use by WannaCry binaries.

process_name == mssecsvc.exe
process_name == tasksche.exe

LSASS spawning processes

This detection analytic will identify instances of the Local Security Authority Subsystem Service (lsass.exe) spawning processes that are not typically observed being launched by lsass.exe. LSASS is an injection target for WannaCry, as detailed by Microsoft.

parent_process == lsass.exe
process_name != 'werfault.exe' || 'lsass.exe'
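Both WannaCry analytics (the process-name list and the LSASS child check) over constructed events, as an added example that is not code from the original page or from Red Canary. It reads the pseudo-analytic's `!= 'werfault.exe' || 'lsass.exe'` as an allowlist of expected children, and normalizes names with `ntpath.basename` because some telemetry sources report a full image path; the event field names and sample values are assumptions.

```python
import ntpath

# Process names the page lists as consistently used by WannaCry binaries.
WANNACRY_NAMES = {"mssecsvc.exe", "tasksche.exe"}
# Children lsass.exe is expected to launch. The pseudo-analytic's
# `!= 'werfault.exe' || 'lsass.exe'` reads as this allowlist: any other child fires.
LSASS_EXPECTED_CHILDREN = {"werfault.exe", "lsass.exe"}

# Constructed sample events (not real telemetry). Some sources report a full
# image path rather than a bare name, so every check normalizes with basename.
EVENTS = [
    {"process": r"C:\Windows\mssecsvc.exe", "parent": "services.exe"},
    {"process": "TaskSche.exe", "parent": "mssecsvc.exe"},              # case differs
    {"process": r"C:\Windows\System32\WerFault.exe", "parent": "lsass.exe"},
    {"process": "cmd.exe", "parent": r"C:\Windows\System32\lsass.exe"},
    {"process": "svchost.exe", "parent": "services.exe"},
]

def _name(image):
    """Lower-case file name of a process, whether given as a name or a path."""
    return ntpath.basename(image).lower()

def wannacry_process_name(ev):
    """Process name consistent with WannaCry binaries."""
    return _name(ev["process"]) in WANNACRY_NAMES

def lsass_spawning(ev):
    """lsass.exe launching a child that is not on its expected-children list."""
    return (_name(ev["parent"]) == "lsass.exe"
            and _name(ev["process"]) not in LSASS_EXPECTED_CHILDREN)

def run(events):
    """Return (event index, rule name) for every event a rule fires on."""
    hits = []
    for i, ev in enumerate(events):
        if wannacry_process_name(ev):
            hits.append((i, "wannacry_name"))
        if lsass_spawning(ev):
            hits.append((i, "lsass_spawn"))
    return hits
```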

WannaMine cryptominer (ranked #57 in 2021)

WannaMine, a portmanteau of WannaCry and Mine, is a malware family that focuses on deploying coinmining payloads. The “Wanna” part of the name of this threat comes from the use of the same ETERNALBLUE vulnerability that WannaCry leveraged. While WannaMine may be old news to some, Red Canary observed new infections throughout the course of 2021. There’s a reason why vendors are still producing articles providing guidance around WannaMine cleanup and remediation.

PowerShell executing with NoProfile and NonInteractive CLI parameters

This detection analytic identifies instances of powershell.exe executing with the strings -nop and -noni in the command line, which are shortenings for the PowerShell parameters NoProfile and NonInteractive. These command-line parameters are rarely observed together legitimately, making for another analytic that can be used to identify a multitude of threats, not just WannaMine.

process == powershell.exe
command_line_includes ('-nop' && '-noni')

Honorable mention

Zloader is neither a “USB stowaway” nor a “network worm,” and though it never causes enough of a stir to breach our top rankings, it still deserves an honorable mention as a latent threat. The adversaries behind Zloader typically devise innovative ways to reach their victims before making the news with their next campaign, yet even with the latest passing headline, they often still rely on less novel TTPs that can give their presence away.

Zloader (ranked #53 in 2021)

Zloader is a banking trojan that has targeted victims through a variety of avenues since 2016. Though its TTPs have changed over the years, the driving force behind Zloader continues to appear to be financial motivation. In mid 2020, Zloader’s operators began delving into delivering ransomware alongside their more typical banking trojan payloads, elevating our concern whenever we detect a threat that is consistent with Zloader activity. Zloader makes this list because it is another threat that you may not hear much from for a few months but is always likely to creep its way back.

PowerShell modifying Windows Defender exclusions

This detection analytic identifies instances of PowerShell issuing commands to modify Windows Defender exclusion policies. This activity is consistent with Zloader activity that occurs prior to the execution of follow-on payloads. Additional threats, such as Purple Fox, leverage this TTP as well.

process == powershell.exe
command_line_includes('Add-MpPreference' || 'Set-MpPreference')
command_line_includes('ExclusionExtension' || 'ExclusionPath' || 'ExclusionProcess')
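The two PowerShell command-line analytics (the WannaMine `-nop`/`-noni` rule and the Zloader Defender-exclusion rule) over constructed events, as an added example that is not code from the original page or from Red Canary. Matching is done on a lower-cased command line because PowerShell parameters and cmdlet names are case-insensitive; the event field names and sample command lines are assumptions.

```python
import ntpath

DEFENDER_CMDLETS = ("add-mppreference", "set-mppreference")
EXCLUSION_PARAMS = ("exclusionextension", "exclusionpath", "exclusionprocess")

# Constructed sample events (not real telemetry).
EVENTS = [
    {"process": "powershell.exe",
     "cmdline": 'powershell.exe -NoP -NonI -W Hidden -c "constructed"'},
    {"process": "powershell.exe",
     "cmdline": "powershell.exe -nop -c Get-MpPreference"},           # -nop only
    {"process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Add-MpPreference -ExclusionPath C:\Constructed"},
    {"process": "powershell.exe",                                     # no exclusion parameter
     "cmdline": "powershell.exe Set-MpPreference -CheckForSignaturesBeforeRunningScan $true"},
    {"process": "cmd.exe",                     # fires on the child powershell.exe event instead
     "cmdline": "cmd.exe /c powershell -nop -noni"},
]

def _is_powershell(ev):
    """True when the process image is powershell.exe, given as a name or a path."""
    return ntpath.basename(ev["process"]).lower() == "powershell.exe"

def wannamine_nop_noni(ev):
    """powershell.exe with both -nop and -noni. Parameters are case-insensitive
    and may be spelled out, so match on a lower-cased command line; the
    substrings also cover -NoProfile and -NonInteractive."""
    cl = ev["cmdline"].lower()
    return _is_powershell(ev) and "-nop" in cl and "-noni" in cl

def zloader_defender_exclusion(ev):
    """PowerShell invoking a Defender preference cmdlet with an exclusion parameter."""
    cl = ev["cmdline"].lower()
    return (_is_powershell(ev)
            and any(c in cl for c in DEFENDER_CMDLETS)
            and any(p in cl for p in EXCLUSION_PARAMS))

def run(events):
    """Return (event index, rule name) for every event a rule fires on."""
    hits = []
    for i, ev in enumerate(events):
        if wannamine_nop_noni(ev):
            hits.append((i, "wannamine"))
        if zloader_defender_exclusion(ev):
            hits.append((i, "zloader"))
    return hits
```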

Even if you’re not seeing them in headlines, it is important to evaluate threats that have been known to be problems in the past. If your least favorite adversary has gone dormant, there’s a chance that they may come back using many of the same TTPs. Make sure your endpoints are up to date with the latest patches, and if you find yourself to be afflicted by the many threats that we have outlined today that abuse Autorun functionality, you may want to consider disabling Autorun across the organization.