Trend
Initial access tradecraft
Adversaries employed tried-and-true initial access methods in 2023, with a few new variations on perennial themes.
Pairs with this song: Threat Sounds
Like certain types of multi-factor authentication (MFA), the editors of this report are known to be Phish-resistant. But this year we relented after discovering a Phish song under five minutes long.
In 2023 we saw continued use of perennial favorite techniques. Phishing remains an evergreen issue, and this year adversaries continued to leverage a variety of file types in their phishing emails to deliver malicious payloads. SEO poisoning and malvertising continued to be popular, with new threats taking inspiration from established malware families. We saw a steady stream of new vulnerabilities exploited by adversaries from ransomware operators to state-sponsored threats, emphasizing the need to maintain patch levels both internally and within the supply chain.
Phishing trends: A variety of file types still in use
In 2023 adversaries continued to leverage a variety of different file types in attempts to bypass security features like Mark-of-the-Web (MOTW). Compressed archives (ZIP, RAR) and container files (ISO, VHD) are types of files that may not have the MOTW, meaning they won’t be restricted, blocked, or generate warning prompts in the same way as files that do contain the mark. In November 2022, Microsoft released a security update that propagated MOTW identifiers to some ZIP and ISO files, and subsequently adversaries pivoted to new options.
- One example at the beginning of 2023 was the abuse of OneNote files to deliver payloads like Qbot. In one campaign in February, phishing emails delivered malicious OneNote attachments. User interaction opened and executed an embedded HTML Application file (.hta), a batch script file (.bat), or PowerShell script file (.ps1), which then pulled down the next-stage payload. In May 2023, OneNote was updated to block embedded files with commonly abused extensions by default.
- Beginning in July and continuing through December 2023, Red Canary observed adversaries using MSIX files to deliver malware. MSIX is a Windows application package installation format that IT teams and developers increasingly use to deliver Windows applications within enterprises. The initial access vector appeared to be malicious advertising or SEO poisoning to trick victims into believing they were downloading legitimate software like Grammarly, Microsoft Teams, Notion, and Zoom. For more technical details, refer to our Installer Packages technique page.
Other security researchers reported adversaries using non-email delivery vehicles for their malicious links in 2023. While it’s not a new technique, the inclusion of a QR code in phishing attempts is becoming more common; open-source intelligence suggested an increase in QR code phishing, or “quishing,” activity beginning in September 2023 and continuing through October. Additionally, Microsoft shared details of multiple campaigns using a combination of targeted social engineering and Teams chats to deliver phishing lures in 2023.
SEO poisoning
Search engine optimization (SEO) poisoning continued to be an effective technique for gaining initial access in 2023. Threats already leveraging SEO poisoning—including SocGholish, Yellow Cockatoo, and various stealers—maintained their prevalence using this technique. Several newcomers to the threat landscape, likely noting the success of threats like SocGholish, adopted similar fake browser update lures delivered via SEO poisoning. Adversaries create malicious websites that use SEO techniques like placing strategic search keywords in the body or title of a webpage. They attempt to make their malicious sites more prominent than legitimate sites when search results are returned by Google and other search engines. As an example, Zloader has used keywords like “free software development tools” to encourage victims to navigate to their site and download malicious installers. As another example, Gootloader has used websites claiming to offer information on contracts and other legal or financial documents.
Malvertising
SEO poisoning is not the only way adversaries use search engines to their advantage. Malicious advertising, also called “malvertising,” persisted in 2023, as seen with our most prevalent threat of the year, Charcoal Stork, and related malware ChromeLoader and SmashJacker. Malvertising is the use of fake ads on search engine pages that masquerade as legitimate websites to download software like Zoom, TeamViewer, or various software updates.
Vulnerability exploitation
Vulnerability exploitation is nothing new, and 2023 saw its fair share of new CVEs being exploited in the wild. In November 2023 we saw adversaries exploiting a Confluence vulnerability to ultimately deploy ransomware. In addition to ransomware, notable large-scale incidents—like the 3CX compromise in May of 2023 and MOVEit in late May and early April—show how vulnerabilities up the supply chain can have significant downstream consequences for organizations. For more on vulnerability exploitation and what organizations can do to address it, check out the Vulnerabilities trend page.
Take action
Preventing container files from executing can be an effective way to avert damaging intrusions that attempt to evade MOTW controls. If your users do not have a business need to mount container files, we recommend taking steps to prevent Windows from auto-mounting container files.
One way to mitigate the effects of SEO poisoning is to prevent the malicious files from being able to execute. For example, Gootloader uses JScript (.js) files. If your users do not have a need to execute .js files, associating .js files to open with notepad.exe instead of wscript.exe can prevent automatic execution of their malicious content.
Some of the best ways to minimize the risk of vulnerability exploitation in your environment include:
- patching regularly
- maintaining an up-to-date asset inventory to let you know if the affected product is present in your environment
- being aware of your surface area and what is exposed to the internet
Detection opportunities
Detect suspicious ISOs named using common phishing themes
It is common for phishing attacks to have a theme, especially financial or business themes using words like “invoice” or “contract.” There is no reason that a contract or invoice should be formatted as an ISO. This detection analytic helps identify an ISO saved to a suspicious location that includes words common to current phishing campaigns.
filemod_includes (.iso)
&&
file_path_includes ('Users' || 'Downloads' || 'AppData')
&&
filename_includes ('contract' || 'invoice' || 'document')
Identify malicious Windows Script Host commands attempting to load ZIP and JS files
Malicious scripts and malware are often compressed using ZIP files in order to evade security controls. Adversaries frequently use wscript.exe to execute the initial commands in this infection chain and to download other malware, run other malicious code, or create persistence via a registry key.
process == (wscript)
&&
command_includes ('users' || 'temp')
&&
command_includes ('.zip' || '.js')
&&
has_external_netconn
Identify cmd.exe executing a Windows shortcut (LNK) file
The following pseudo-detector looks for the execution of cmd.exe along with a command line containing .lnk and suspicious child processes. Adversaries have leveraged this behavior in malware and post-exploitation frameworks. Child processes should be investigated for malicious activity.
process == (cmd.exe)
&&
command_includes (.lnk)
&&
child_process == ('powershell' || 'cmd' || 'wmic' || 'mshta')
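The three pseudo-detectors above, expressed as Python predicates and run over constructed sample telemetry. This is an added example, not Red Canary's detection code; the Event field names (kind, path, cmdline, children, external_netconn) are assumed and would map to whatever your EDR exposes.

```python
from dataclasses import dataclass

USER_DIRS = ("users", "downloads", "appdata")
PHISH_WORDS = ("contract", "invoice", "document")
LNK_CHILDREN = ("powershell", "cmd", "wmic", "mshta")

@dataclass
class Event:
    kind: str                    # "filemod" or "process" (assumed field names)
    path: str = ""               # file written (filemod) or process image (process)
    cmdline: str = ""
    children: tuple = ()         # image names of spawned child processes
    external_netconn: bool = False

def suspicious_iso(ev: Event) -> bool:
    """ISO written to a user-writable path with a phishing-themed file name."""
    p = ev.path.lower()
    name = p.rsplit("\\", 1)[-1]
    return (ev.kind == "filemod" and name.endswith(".iso")
            and any(d in p for d in USER_DIRS)
            and any(w in name for w in PHISH_WORDS))

def wscript_zip_js(ev: Event) -> bool:
    """wscript.exe referencing .zip/.js under users or temp, with egress."""
    c = ev.cmdline.lower()
    return (ev.kind == "process" and ev.path.lower().endswith("wscript.exe")
            and any(d in c for d in ("users", "temp"))
            and any(x in c for x in (".zip", ".js"))
            and ev.external_netconn)

def cmd_lnk_child(ev: Event) -> bool:
    """cmd.exe with .lnk on its command line spawning a scripting child."""
    kids = (ch.lower().removesuffix(".exe") for ch in ev.children)
    return (ev.kind == "process" and ev.path.lower().endswith("cmd.exe")
            and ".lnk" in ev.cmdline.lower()
            and any(k in LNK_CHILDREN for k in kids))

RULES = {"suspicious_iso": suspicious_iso, "wscript_zip_js": wscript_zip_js,
         "cmd_lnk_child": cmd_lnk_child}

def evaluate(events):
    """Return (rule_name, event) pairs for every rule each event matches."""
    return [(n, ev) for ev in events for n, r in RULES.items() if r(ev)]

# Constructed sample telemetry, not real incident data
SAMPLE = [
    Event("filemod", r"C:\Users\alice\Downloads\Invoice_2023.iso"),
    Event("filemod", r"C:\Program Files\Vendor\install.iso"),  # benign location
    Event("process", r"C:\Windows\System32\wscript.exe",
          r"wscript.exe C:\Users\alice\AppData\Local\Temp\doc.zip\doc.js", external_netconn=True),
    Event("process", r"C:\Windows\System32\cmd.exe",
          r"cmd.exe /c start C:\Users\alice\readme.lnk", children=("powershell.exe",)),
]
```

Substring matches such as ".js" will also hit ".json"; tune the token lists against your own baseline before alerting on them.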
Testing
Start testing your defenses against initial access tradecraft using Atomic Red Team—an open source testing framework of small, highly portable detection tests mapped to MITRE ATT&CK.
Getting started
Atomic Red Team boasts many different ways of emulating initial access activity across many different ATT&CK techniques. The following techniques are a good starting point for most security teams seeking to validate their detective controls:
Review and repeat
Now that you have executed one or several common tests and checked for the expected results, it’s useful to answer some immediate questions:
- Were any of your actions detected?
- Were any of your actions blocked or prevented?
- Were your actions visible in logs or other defensive telemetry?
Repeat this process, performing additional tests related to this technique. You can also create and contribute tests of your own.