Red Canary: October 2022 Intelligence Insights
Category: Malware Campaigns | Industry: Global | Level: Tactical | Source: Red Canary
Red Canary has published its intelligence insights for October 2022. Comparing its telemetry between September and October 2022, Qakbot retained the top spot among the most prevalent threats, followed by the Impacket Python classes at number two. The most substantial change was the rise of Mimikatz: it did not appear in Red Canary's September top ten, but in October the credential harvesting tool jumped to third place. BloodHound and Raspberry Robin round out October's top five. Red Canary took a closer look at the trending Qakbot threat, observing that the malware's activity comes in waves: "Qbot historically cycles from very high levels of activity to quiet near-dormancy." When the malware is used more frequently, its operators also change its indicators more frequently, whereas in previous campaigns Qakbot indicators were fairly stable. Some features have nonetheless remained consistent throughout the year: the use of living-off-the-land binaries (LOLBins), specifically regsvr32 and rundll32, to initiate network connections while running with no command-line arguments, and reconnaissance activity launched from injected Qakbot processes such as wermgr.exe.
Anvilogic Use Cases:
- Wscript/Cscript Execution
- Rundll32 Command Line
- regsvr32 Execution
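The two consistent Qakbot behaviours described above (rundll32/regsvr32 started with no command-line arguments and then making a network connection, and reconnaissance commands spawned by an injected wermgr.exe) translate directly into detection logic. The following is an added example, not code from Red Canary or Anvilogic; it runs over a handful of constructed Sysmon-style events (Event ID 1 process create, Event ID 3 network connection). The event schema, the field names, the process GUIDs and the IP addresses are assumptions made for illustration.

```python
"""Toy detections for the two Qakbot behaviours discussed above, run over
constructed Sysmon-style events (not real telemetry):
  1. rundll32.exe / regsvr32.exe launched with no command-line arguments
     that later initiates an outbound network connection;
  2. reconnaissance tools spawned by an injected wermgr.exe.
Event schema and field names are an assumption modelled loosely on Sysmon
Event ID 1 (process create) and Event ID 3 (network connection)."""

LOLBINS = {"rundll32.exe", "regsvr32.exe"}
RECON_TOOLS = {"whoami.exe", "net.exe", "nltest.exe", "ipconfig.exe",
               "arp.exe", "nslookup.exe", "route.exe", "netstat.exe"}
INJECTION_HOSTS = {"wermgr.exe"}


def _basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def has_no_arguments(command_line):
    """True when the command line is only the executable, e.g. 'rundll32.exe'
    or '"C:\\Windows\\SysWOW64\\regsvr32.exe"', with nothing after it."""
    cl = command_line.strip()
    if cl.startswith('"'):
        # quoted image path: anything after the closing quote is an argument
        end = cl.find('"', 1)
        rest = cl[end + 1:] if end != -1 else ""
    else:
        parts = cl.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return rest.strip() == ""


def detect(events):
    """Return a list of (rule, process_guid, detail) alerts for the event stream."""
    alerts = []
    # process_guid -> process-create event, so a later network event can be
    # correlated with the command line the process was started with
    procs = {e["process_guid"]: e for e in events if e["event_id"] == 1}
    for e in events:
        if e["event_id"] == 3:
            proc = procs.get(e["process_guid"])
            if proc is None:
                continue
            image = _basename(proc["image"])
            if image in LOLBINS and has_no_arguments(proc["command_line"]):
                alerts.append(("lolbin_no_args_network", e["process_guid"],
                               f"{image} -> {e['dest_ip']}:{e['dest_port']}"))
        elif e["event_id"] == 1:
            parent = _basename(e.get("parent_image", ""))
            if parent in INJECTION_HOSTS and _basename(e["image"]) in RECON_TOOLS:
                alerts.append(("wermgr_recon_child", e["process_guid"],
                               e["command_line"]))
    return alerts


# Constructed sample events for illustration only; not real telemetry.
SAMPLE_EVENTS = [
    # rundll32 with no arguments, then an outbound connection: should fire
    {"event_id": 1, "process_guid": "p1", "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": "rundll32.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"event_id": 3, "process_guid": "p1", "dest_ip": "203.0.113.10", "dest_port": 443},
    # rundll32 with a normal DLL argument: should not fire
    {"event_id": 1, "process_guid": "p2", "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r'rundll32.exe "C:\Windows\System32\shell32.dll",Control_RunDLL',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"event_id": 3, "process_guid": "p2", "dest_ip": "203.0.113.11", "dest_port": 443},
    # regsvr32 launched by wscript with a quoted path and no arguments: should fire
    {"event_id": 1, "process_guid": "p3", "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "command_line": r'"C:\Windows\SysWOW64\regsvr32.exe"',
     "parent_image": r"C:\Windows\System32\wscript.exe"},
    {"event_id": 3, "process_guid": "p3", "dest_ip": "198.51.100.5", "dest_port": 2222},
    # reconnaissance spawned by an injected wermgr.exe: should fire
    {"event_id": 1, "process_guid": "p4", "image": r"C:\Windows\System32\whoami.exe",
     "command_line": "whoami /all", "parent_image": r"C:\Windows\System32\wermgr.exe"},
    {"event_id": 1, "process_guid": "p5", "image": r"C:\Windows\System32\net.exe",
     "command_line": "net view /all /domain",
     "parent_image": r"C:\Windows\System32\wermgr.exe"},
    # ordinary wermgr child: should not fire
    {"event_id": 1, "process_guid": "p6", "image": r"C:\Windows\System32\conhost.exe",
     "command_line": "conhost.exe 0x4", "parent_image": r"C:\Windows\System32\wermgr.exe"},
]

if __name__ == "__main__":
    for rule, guid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:24} {guid:4} {detail}")
```

Both rules are deliberately narrow: the first only fires when the empty command line is paired with a network connection from the same process, and the second keys on the wermgr.exe parent rather than on the recon commands alone, which are common in administrative activity. In production, the recon tool list and the parent/child pairing should be tuned against your own baseline before alerting.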