Liner notes
Threat sounds vol. 3: The 2023 Threat Detection Report playlist
We’re excited to press play on Threat sounds vol. 3, a playlist to accompany the 2023 Threat Detection Report. Like we did in 2021 and 2022, we picked a song for each of the most prevalent threats, trends, and ATT&CK techniques Red Canary observed in 2023. Read our liner notes below, and listen to the whole songs on Spotify!
Side 1: Threats
1. Qbot
“Ain’t No Rest for the Wicked” by Cage the Elephant
There was no rest for our number one threat last year. While Qbot’s operators appeared to take vacations in both 2021 and 2022, they reemerged with a vengeance in the fall. After all, money don’t grow on trees.
2. Impacket
“This is Not a Test” by She and Him
While about half of the Impacket behavior we run into comes from customer-confirmed testing, ransomware operators and other adversaries use the library of Python scripts for post-exploitation activity.
3. AdSearch
“False Advertising” by Bright Eyes
It can be heartbreaking when you click on an online ad for a miracle product and end up with malware instead. That tummy-flattening tea is in fact too good to be true.
4. Gootloader
“Little Drop of Poison” by Tom Waits
Gootloader’s operators use a little drop of SEO poison to lure victims into downloading a malicious ZIP archive. Symptoms of a Gootloader infection might include Tom Waits-levels of rasp in your voice.
5. Mimikatz
“Pass the Dutchie” by Musical Youth
This open source password-dumping utility is the secret sauce behind “Pass the Hash” attacks.
6. SocGholish
“Ghosts ‘n’ Stuff” by Deadmau5
This malware family leverages drive-by downloads to trick users into executing malicious JavaScript ‘n’ stuff.
7. Raspberry Robin
“Raspberry Robin” by Christopher Treitsch
We’re just stunned this song exists at all. Call us, Christopher.
8. Cobalt Strike
“If You Can’t be Good, be Gone” by the Steeldrivers
Despite good-faith efforts from Cobalt Strike’s developers to prevent adversaries from cracking this post-exploitation tool, ransomware operators are still abusing older versions of the software.
9. BloodHound
“Hound Dog” by Big Mama Thornton
Adversaries use the BloodHound open source tool to sniff around Active Directory environments, making them no friend of ours.
10. Gamarue
“I Will Survive” by Cake
More than five years after an attempted takedown, Gamarue has survived, often spreading via infected USB drives, an initial access vector that also won’t seem to die.
Featured: Yellow Cockatoo
“Old Yellow Bricks” by Arctic Monkeys
Love’s a risk, and so are search engine redirects. We recommend blocking newly registered and low-reputation domains to avoid the .NET remote access trojan (RAT) associated with Yellow Cockatoo.
Featured: Emotet
“It’s Been a While” by Staind
After a largely dormant 2021, it had been a while since we’d seen Emotet in customer environments, almost as long as it had been since we thought about the band Staind.
Featured: PlugX
“X Gon’ Give it To Ya” by DMX
In 2022, Red Canary observed the PlugX remote access trojan (RAT) giving it to customers in manufacturing, construction, insurance, and international nonprofits.
Side 2: Techniques
1. Windows Command Shell (T1059.003)
“The Shell” by Lucy Dacus
Windows Command Shell overtook its cousin PowerShell as the number one adversary technique Red Canary observed in 2022. Hopefully things won’t be awkward at Thanksgiving.
2. PowerShell (T1059.001)
“Seven Nation Army” The White Stripes
PowerShell commands are like the power chords of the Windows operating system: simple building blocks that add up to something bigger. The question is: Which is more annoying—a destructive computer worm or an incessant earworm?
2. Windows Management Instrumentation (T1047)
“Bust Your Windows” by Jazmine Sullivan
Because Windows Management Instrumentation (WMI) is a native feature, malicious activity often blends in with legitimate activity, enabling attacks that could ultimately bust your Windows.
4. Obfuscated Files or Information (T1027)
“Invisible String” by Taylor Swift
Adversaries can make key strings of malicious code invisible to the naked eye (and even some detection tools) by using obfuscation techniques such as Base64 encoding, string concatenation, substrings, and escape characters
5. Rundll32 (T1218.011)
“We Run This” by Missy Elliot
While there are plenty of legitimate reasons to run this native Windows process, we’ve seen adversaries run it to commit misdemeanors…and worse.
6. Ingress Tool Transfer (T1105)
“Drop it Like it’s Hot” by Snoop Dogg
After gaining initial access to a victim system, adversaries often leverage native Windows binaries to drop their own hot tools into an environment.
7. Process Injection (T1055)
“Run Run Run” by the Velvet Underground featuring Nico
Code can inherit the privilege level of the process it’s injected into, so adversaries often run run run seemingly benign processes as proxies to have a little fun.
8. Service Execution (T1569.002)
“Wherever, Whenever” by Shakira
Here’s the deal, my dear: Services like services.exe and svchost.exe enable adversaries to execute malicious code wherever, whenever, often at a high privilege level.
9. Rename System Utilities (T1036.003)
“My Name is Jonas” by Weezer
By renaming system utilities to something inconspicuous (like Jonas, for example), adversaries can bypass detection controls that flag certain process names and paths.
10. LSASS Memory (T1003.001)
“Ghost in the Machine” by SZA featuring Phoebe Bridgers
When SZA asks “Can I get into the app, what’s the password?” Phoebe Bridgers should tell her to look for the hashes stored in LSASS memory!
Featured: Modify Registry (T1112)
“Love on Top” by Beyonce
In a nod to how adversaries modify registry keys like HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, we picked the Queen Bey song with the most key changes (four!).
Featured: Gatekeeper Bypass (T1553.001)
“Gatekeeper” by Feist
Gatekeeper, Mac users wait for your nod. Adversaries have found ways to circumvent the additional security checks performed by Apple’s Gatekeeper feature.
Featured: Setuid and Setgid (T1548.001)
“Svefn-g-englar” by Sigur Ros
Out of context, the bits you modify to set permissions based on user ID (Setuid) and group ID (Setgid) could pass for Sigur Ros lyrics.
Featured: Mark-of-the-Web Bypass (T1553.005)
“See No Evil” by Television
Adversaries can bypass Windows’s Mark-of-the-Web security check by embedding their payloads in stealthy file format, such as .iso, to make it so defenders see no evil.
Featured: SMB/Admin Shares (T1021.002)
“We R Who We R” by Ke$ha
Although Ke$ha dropped hers, Windows still uses the $ sign to mark a shared drive or folder, e.g., ADMIN$
Featured: Multi-Factor Authentication Request Generation (T1621)
“Let me in” by R.E.M.
Adversaries flood users with MFA requests, asking to be let in over and over until the user relents out of annoyance. Maybe that’s how R.E.M. managed to get inducted into the Rock ‘n’ Roll Hall of Fame before their fellow Athenians, the B-52s.
Bonus tracks: Trends
Ransomware
“Ransom” by blink-182
The original blink-182 lineup got back together in 2022, and so did several former Conti ransomware operators, operating under new names such as Black Blasta and Quantum.
Initial access tradecraft
“Everything Old is New Again” by Peter Allen
Cybercriminals or hipsters? Adversaries resurfaced some vintage initial access tradecraft in 2022, including exploiting unusual file types such as LNK and MSI.
Command and control (C2) frameworks
“Under Control” by The Strokes
While Cobalt Strike and Metasploit remain the most popular command and control (C2) frameworks, in 2022 we saw some adversaries keeping things under control via alternatives such as Brute Ratel, Silver, and Mythic.
Stealers
“Been Caught Stealing” by Jane’s Addiction
We caught malware like RedLine, Raccoon, and Vidar stealing credentials and other sensitive information from customers in multiple industries in 2022.
Identity
“Same OI’ Mistakes” by Rihanna
Adversaries have multiple avenues of circumventing authentication mechanisms to impersonate users, kind of like when Rihanna covered this Tame Impala song and everyone thought it was an original.
Email threats
“New Rules” by Dua Lipa
After successfully compromising a user’s email account, adversaries can create custom inbox rules so that any unauthorized messages sent or received are automatically deleted or forwarded to an obscure folder. We observed this tactic firsthand when we thwarted an attempted payroll diversion scam.
Adversary emulation and testing
“Fight Test” by The Flaming Lips
In total, known tests accounted for 40 percent of threats that Red Canary detected in 2022, a year-over-year increase of roughly 20 percent. This is great news! It makes us want to crowd surf in a giant hamster ball!