Ten Emerging Malware Threats to Watch Out for in December

essidsolutions

A new intelligence report records a drop in activity linked to Yellow Cockatoo and TA551, but a rise in Qbot and Gamarue.

November began with security researchers observing a rise in Qbot malware and in phishing activity used to spread the SquirrelWaffle downloader, a growing threat delivered by the affiliate Red Canary tracks as TR and sharing infrastructure with Qbot (also known as QakBot), a banking trojan, according to Red Canary's November 2021 Threat Report.

Over the same period, activity linked to Yellow Cockatoo, a remote access trojan (RAT), and to the cybercrime group TA551 fell sharply. TA551, active since 2016 and known for email-based malware distribution campaigns, affected around 1.1% of Red Canary's customers in October, down from 2.5% in September. Yellow Cockatoo likewise affected 1.1% of Red Canary's customers in October, down from 2.7% in September.

Even though much malicious activity declined between September and October, IT security teams should not underestimate the surge in Qbot and Gamarue activity.


Red Canary's intelligence team tracks the ten most prevalent threats each month. The rankings are based on the number of distinct customer environments in which each threat was detected. The October 2021 rankings are published as a chart in the report.

[Chart: top ten threats by number of customer environments, October 2021. Source: Red Canary]

Emerging threats that should be on your radar

1. NodeJS with a side of XMRig

While the consequences of the recent compromise of a popular npm package appear to have been minor, the incident is a sobering reminder of how attackers can exploit businesses' dependence on trusted development tooling.

The package, distributed through npm (the package registry and manager for JavaScript libraries), was compromised in October 2021, according to Red Canary. The tampered version deployed an XMRig cryptominer on Windows and Linux hosts and an information stealer (believed to be DanaBot) on Windows systems. GitHub promptly published an advisory warning that installing or upgrading to the affected versions, or to anything that depended on them, would run the malicious code on the host. Because the package is downloaded roughly 8 million times a week, the potential blast radius was broad.
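The practical check after an incident like this is whether a compromised version reached your dependency tree, including transitive copies nested under other packages. The script below is an added example, not tooling from GitHub, npm or the affected project: it walks a package-lock.json (the "packages" map of lockfileVersion 2 and 3, or the nested "dependencies" tree of lockfileVersion 1), flags installed versions on a denylist, and separately flags registry packages pinned without an integrity hash. The package name, versions and lockfile are constructed placeholders, not the real package or versions from the incident.

```python
"""Check a package-lock.json for known-compromised package versions.

Added example, not GitHub's or npm's tooling. The denylist and the sample
lockfile are constructed placeholders, not the real package or versions.
"""
import json

# Hypothetical denylist of (package, version) pairs taken from an advisory.
COMPROMISED_VERSIONS = {
    ("example-parser", "1.2.4"),
    ("example-parser", "2.0.1"),
}

# Constructed lockfileVersion 3 file: a direct dependency on a bad version, a
# nested copy of the same package at a clean version, and a scoped package.
SAMPLE_LOCK = json.loads(r'''{
  "name": "webapp", "version": "0.1.0", "lockfileVersion": 3,
  "packages": {
    "": {"name": "webapp", "version": "0.1.0",
         "dependencies": {"example-parser": "^2.0.0", "left-thing": "^1.4.0"}},
    "node_modules/example-parser": {"version": "2.0.1",
         "resolved": "https://registry.npmjs.org/example-parser/-/example-parser-2.0.1.tgz",
         "integrity": "sha512-AAAA"},
    "node_modules/left-thing": {"version": "1.4.0",
         "resolved": "https://registry.npmjs.org/left-thing/-/left-thing-1.4.0.tgz"},
    "node_modules/left-thing/node_modules/example-parser": {"version": "1.9.3",
         "resolved": "https://registry.npmjs.org/example-parser/-/example-parser-1.9.3.tgz",
         "integrity": "sha512-BBBB"},
    "node_modules/@scope/widget": {"version": "3.1.0",
         "resolved": "https://registry.npmjs.org/@scope/widget/-/widget-3.1.0.tgz",
         "integrity": "sha512-CCCC"}
  }
}''')


def installed_packages(lock):
    """Yield (name, version, entry) for every installed package.

    Handles the "packages" map of lockfileVersion 2 and 3 (keys are
    node_modules paths, scoped names included) and the nested
    "dependencies" tree of lockfileVersion 1.
    """
    if "packages" in lock:
        for path, entry in lock["packages"].items():
            if path == "":              # the root project itself
                continue
            name = path.rsplit("node_modules/", 1)[-1]
            yield name, entry.get("version"), entry
        return

    def walk(deps):
        for name, entry in deps.items():
            yield name, entry.get("version"), entry
            yield from walk(entry.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def find_compromised(lock, denylist=COMPROMISED_VERSIONS):
    """Installed (name, version) pairs that appear on the denylist."""
    return sorted({(n, v) for n, v, _ in installed_packages(lock) if (n, v) in denylist})


def missing_integrity(lock):
    """Registry packages recorded without an integrity hash, so npm cannot
    verify the tarball it fetches against what the lockfile expects."""
    return sorted(n for n, _, e in installed_packages(lock)
                  if e.get("resolved") and not e.get("integrity"))


if __name__ == "__main__":
    print("compromised:", find_compromised(SAMPLE_LOCK))
    print("no integrity hash:", missing_integrity(SAMPLE_LOCK))
```

Run it against a real lockfile with `json.load(open("package-lock.json"))` and the denylist from the relevant advisory; the nested copy in the sample is the case a plain `grep` of direct dependencies misses.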


2. Delivery affiliate TR observed exploiting Microsoft Exchange products

In late October, Red Canary saw an increase in detections linking TR (a delivery affiliate) to the SquirrelWaffle downloader. In some cases, additional payloads and domain reconnaissance began within minutes of TR delivering SquirrelWaffle. These detections, along with signs that TR's new tradecraft can bypass some email security controls, underline the need to detect and respond to this activity in real time, before it progresses to late-stage activity such as ransomware.

Red Canary noted that by exploiting on-premises Microsoft Exchange servers, TR can gain access to systems, take control of enterprise email servers and access corporate mailboxes. The actor can then send and receive email from a victim's account with the legitimacy of a trusted, internal sender.

3. The resurgence of Gamarue malware

Gamarue is a malware family operated as part of a botnet. Some Gamarue variants are worms that spread via infected USB devices. Gamarue has also been used to deliver additional malware, steal data and carry out other criminal activity, including click fraud. The malware had been observed for years and had evolved into several variants before its operator was arrested in 2017.

Gamarue remains a danger even though it is no longer actively developed. This underlines that defenders responsible for responding to threats should not lower their guard just because a threat is no longer current.

Identifying ransomware precursors

Researchers at Red Canary saw Conti and Lockbit affecting several customer environments in October. Fortunately, there are several ways to identify the precursor behaviour of these threats.

  • Conti precursor activity: In October, the researchers observed several additional Qbot TTPs in environments later encrypted by Conti. Qbot was seen dropping Conti DLLs and injecting them into Microsoft Synchronization Center (mobsync.exe). Qbot also injected itself into Windows Error Reporting (werfault.exe) launched without any command-line arguments. The adversary then used xcopy to copy the malicious DLLs to several locations on the system. There are several ways to identify this activity in your environment.
  • Lockbit precursor activity: During a recent Lockbit infection, the operators used PsExec to run a batch script that executed a series of commands to prepare the environment for encryption. The batch script:
    • set antivirus exclusion paths for C:\ProgramData and C:\Windows, allowing malicious binaries in those paths to run without interference
    • deleted the Windows Defender service
    • disabled Windows Defender, User Account Control (UAC) and Windows Recovery
    • turned off all firewall rules
    • cleared multiple System and Security event logs

The defense-evasion and recovery-inhibition commands run by the script offer multiple detection opportunities.
