Threat: New activity cluster
Rose Flamingo
Rose Flamingo relies on search engine optimization (SEO) poisoning to trick victims into infecting themselves.
Pairs with this song Threat Sounds
One of several new activity clusters we identified last year, Rose Flamingo targets victims who are looking to download licensed software without having to pay for it. A “password” text file is this adversary’s power, pleasure, and pain.
Editors’ note: While the analysis and detection opportunities remain applicable, this page has not been updated since 2022.
Analysis
Rose Flamingo is an activity cluster named by Red Canary that focuses on opportunistic, financially motivated malware as an initial access broker. Rose Flamingo targets victims who are looking to download licensed software without having to pay for it. Payloads related to Rose Flamingo typically arrive as archive files that are distributed via phony file-sharing websites purporting to provide users with “free” cracked software packages. To lure potential victims, the adversaries behind Rose Flamingo use search engine optimization (SEO) poisoning to elevate a malicious site’s search ranking.
Rose Flamingo victims will typically download a ZIP archive file containing two files at a minimum. Archives related to Rose Flamingo may contain words like free, key, download, license, latest, ISO, and crack. While these archives usually appear as ZIP files, they infrequently appear as other compressed archive formats as well. The files in a typical Rose Flamingo archive are a “password” text file and one password-protected archive. Some iterations of these “password” files contain the password and some classic ASCII art, as shown below, though the purpose behind the art is unknown. This type of delivery method conceals the malicious payloads that are contained within the password-protected archive from any prying security software.
While we created the Rose Flamingo naming convention to help us track activity we consider to be related, there’s a growing body of external research documenting components that partially overlap with what we define as Rose Flamingo. Much of this emerging research dropped in 2021, and it’s worth reviewing for anyone who is interested in learning more about related activity:
- In January 2021, CSIS Security Group released research referencing infrastructure and payloads that overlap with Rose Flamingo.
- In March 2021, Fortinet detailed a threat called Netbounce, which uses a similar file-naming convention and has some overlapping infrastructure.
- Just about a week later in March 2021, Proofpoint published research about a threat they call CopperStealer (Mingloa), describing infrastructure and payload-naming conventions that are very similar to Rose Flamingo’s.
- In June 2021, an Ahnlab report described a threat called Cryptbot, detailing files used for delivery that appear to overlap with Rose Flamingo’s file-naming conventions.
- In late July 2021, BitDefender joined the party, helping corroborate many of our own observations with their MosaicLoader whitepaper, a great report that touches on much of the initial loader activity we’ve observed in Rose Flamingo-related incidents.
- Last but not least, in September 2021, SophosLabs released research that focuses on a content delivery network that has many infrastructure and payload overlaps with our analysis.
Because none of us have perfect visibility, we appreciate that other teams share their perspective and how they track these threats.
As seen in our Intelligence Insights rankings from month to month, Rose Flamingo made our top 10 list for the first time in July 2021, climbing to eighth place for most prevalent threats that month. It also made our top 10 in September and October 2021. Red Canary has observed Rose Flamingo delivering various stealers such as Cryptbot, RedLine, and Raccoon, in addition to more concerning payloads such as STOP ransomware. We will continue birdwatching as we look for new opportunities to observe and take action when threats like Rose Flamingo find a new place to roost.
Detection opportunities
Archive containing ZIP and TXT files containing password
This detection analytic will identify processes making file modifications for ZIP archive files and TXT files with the string password in them, which we commonly observe in Rose Flamingo activity. The password files may contain different naming variations, such as p@ssword or passw0rd. Detecting TXT files with these strings may generate fewer false positives. If you have trouble getting this detection opportunity to work, you may find further success focusing on application processes that are responsible for handling archives in your organization, such as 7zip.
filemod_includes ('zip')
&&
filemod_includes ('password' && 'txt')Potential Rose Flamingo loader
This detection analytic will identify unusual processes that contain naming schemas that have been observed in use by loaders related to Rose Flamingo archives.
process_name_includes ('main-' || 'installer-v' || 'main_setup_x86x64' || 'x86_x64_setup' || 'setup_x86_x64')Potential Rose Flamingo archive
This detection analytic will identify files and file paths that contain strings commonly observed in archives delivered by Rose Flamingo.
filepath_includes ('-free' || '-crack' || '-download' || '-key' || '-license' || '-iso' || '-lnstall')
||
filename_includes ('-free' || '-crack' || '-download' || '-key' || '-license' || '-iso' || '-lnstall')
&&
filename_includes ('zip' || '7z' || 'rar')