Rose Flamingo relies on search engine optimization (SEO) poisoning to trick victims into infecting themselves.
Editors’ note: While the analysis and detection opportunities remain applicable, this page has not been updated since 2022.
Rose Flamingo is an activity cluster named by Red Canary that focuses on opportunistic, financially motivated malware as an initial access broker. Rose Flamingo targets victims who are looking to download licensed software without having to pay for it. Payloads related to Rose Flamingo typically arrive as archive files that are distributed via phony file-sharing websites purporting to provide users with “free” cracked software packages. To lure potential victims, the adversaries behind Rose Flamingo use search engine optimization (SEO) poisoning to elevate a malicious site’s search ranking.
Rose Flamingo victims will typically download a ZIP archive file containing two files at a minimum. Archives related to Rose Flamingo may contain words like ​​free
, key
, download
, license
, latest
, ISO
, and crack
. While these archives usually appear as ZIP files, they infrequently appear as other compressed archive formats as well. The files in a typical Rose Flamingo archive are a “password” text file and one password-protected archive. Some iterations of these “password” files contain the password and some classic ASCII art, as shown below, though the purpose behind the art is unknown. This type of delivery method conceals the malicious payloads that are contained within the password-protected archive from any prying security software.
While we created the Rose Flamingo naming convention to help us track activity we consider to be related, there’s a growing body of external research documenting components that partially overlap with what we define as Rose Flamingo. Much of this emerging research dropped in 2021, and it’s worth reviewing for anyone who is interested in learning more about related activity:
Because none of us have perfect visibility, we appreciate that other teams share their perspective and how they track these threats.
As seen in our Intelligence Insights rankings from month to month, Rose Flamingo made our top 10 list for the first time in July 2021, climbing to eighth place for most prevalent threats that month. It also made our top 10 in September and October 2021. Red Canary has observed Rose Flamingo delivering various stealers such as Cryptbot, RedLine, and Raccoon, in addition to more concerning payloads such as STOP ransomware. We will continue birdwatching as we look for new opportunities to observe and take action when threats like Rose Flamingo find a new place to roost.
password
This detection analytic will identify processes making file modifications for ZIP archive files and TXT files with the string password
in them, which we commonly observe in Rose Flamingo activity. The password files may contain different naming variations, such as p@ssword
or passw0rd
. Detecting TXT files with these strings may generate fewer false positives. If you have trouble getting this detection opportunity to work, you may find further success focusing on application processes that are responsible for handling archives in your organization, such as 7zip.
filemod_includes ('zip')
&&
filemod_includes ('password' && 'txt')
This detection analytic will identify unusual processes that contain naming schemas that have been observed in use by loaders related to Rose Flamingo archives.
process_name_includes ('main-' || 'installer-v' || 'main_setup_x86x64' || 'x86_x64_setup' || 'setup_x86_x64')
This detection analytic will identify files and file paths that contain strings commonly observed in archives delivered by Rose Flamingo.
filepath_includes ('-free' || '-crack' || '-download' || '-key' || '-license' || '-iso' || '-lnstall')
||
filename_includes ('-free' || '-crack' || '-download' || '-key' || '-license' || '-iso' || '-lnstall')
&&
filename_includes ('zip' || '7z' || 'rar')
Get curated insights on managed detection and response (MDR) services, threat intelligence, and security operations—delivered straight to your inbox every month.