# See what it's like to have a partner in the fight. **redcanary.com/blog/intelligence-insights-december-2021** _Each month, the Intel team provides Red Canary customers with an analysis of trending,_ _emerging, or otherwise important threats that we’ve encountered in confirmed threat_ _detections, intelligence reporting, and elsewhere over the preceding month. We call this_ _report our “Intelligence Insights” and share a public version of it with the broader infosec_ _community._ ## Highlights **Editor’s note: We realize much of the cybersecurity community is focused on the Log4j** vulnerability right now, and we’re tracking that too. The post-exploitation activity we’ve observed remains fairly low at this time, though that could change. While the Log4j vulnerability is undoubtedly important, we want to continue to release intelligence about all the other threats we’ve seen that are still impacting enterprises. Some of the threats in our top 10, such as [Cobalt Strike and](https://redcanary.com/threat-detection-report/threats/cobalt-strike/) [Mimikatz, have been observed in activity following](https://redcanary.com/threat-detection-report/threats/mimikatz/) exploitation of the Log4j vulnerability. This underscores the importance of continuing to track prevalent threats and entire chains of activity while also taking actions to remediate such a widespread vulnerability. ----- As we ve done for the past few months, we again looked at the 10 most prevalent threats encountered in the environments that Red Canary monitors. These prevalence rankings are based on the number of unique customer environments in which we observed each threat. Here’s how the numbers shook out for November 2021: TOP THREATS IN NOVEMBER 2021 **November rank** **Threat name** **Percent of customers affected** November rank : ⬆ 1 November rank : ⬆ 2* November rank : ⬇ 2* November rank : ⬆ 4 November rank : ⬆ 5 November rank : ⬇ 6 November rank : ⬆ 7 November rank : ⬆ 8* November rank : ⬆ 8* November rank : ⬇ 10* November rank : ⬆ 10* Threat name: Impacket Threat name: [Cobalt Strike](https://redcanary.com/threat-detection-report/threats/cobalt-strike/) Threat name: [Mimikatz](https://redcanary.com/threat-detection-report/threats/mimikatz/) Threat name: SocGholish Threat name: [Qbot](https://redcanary.com/threat-detection-report/threats/qbot/) Threat name: [TA551](https://redcanary.com/threat-detection-report/threats/TA551/) Threat name: Adload Threat name: TR Threat name: SquirrelWaffle Threat name: [Gamarue](https://redcanary.com/threat-detection-report/threats/gamarue/) Threat name: Ursnif Percent of customers affected : 1.9% Percent of customers affected : 1.5% Percent of customers affected : 1.5% Percent of customers affected : 1.3% Percent of customers affected : 1.1% Percent of customers affected : 1.0% Percent of customers affected : 0.9% Percent of customers affected : 0.8% Percent of customers affected : 0.8% Percent of customers affected : 0.7% Percent of customers affected : 0.7% ----- ⬆ = trending up from previous month ⬇= trending down from previous month ➡ = no change in rank from previous month *Denotes a tie ## Observations on trending threats **Qbot continued to climb the ranks on the back of TR phishing campaigns leveraging** **SquirrelWaffle. Both TR and SquirrelWaffle cracked our top 10 for the first time this month.** If you’re wondering why the payload (Qbot) is more prevalent than the initial access (TR), there are a few explanations. One is that there are multiple campaigns leading to Qbot. While TR is prolific, it is not the only source of the Qbot we see. Another reason that we sometimes see more later-stage activity rather than initial access is that it’s an artifact of onboarding customers during incident response. In many cases, our visibility into an environment begins in the middle of the attack chain—when the command and control bots (i.e., Qbot) are actively running but the ephemeral initial access has already run its course. **While it didn’t make our top 10, we saw more detections* for BazarBackdoor than** **we’ve previously seen in any single month. Phishing campaigns delivered** BazarBackdoor every Tuesday and Wednesday for the first three weeks of November. Despite this pattern in the timing, we observed variations in the phishing affiliate delivering the payload. For example, one affiliate that we had historically tied to Bazar recently began delivering Emotet as well. See the section“Guess who’s back…” below for details. *This increase applies both to the number of customer environments and the number of individual detections. **Conspicuously absent from this list is Yellow Cockatoo, which previously topped our** **charts. After a meteoric rise in late summer and early fall, Yellow Cockatoo was the most** prevalent threat we saw in Red Canary customers in September. This prolific pest perpetuated its preponderance throughout most of October, then vanished suddenly. This observation is consistent with the timeline of reporting from a researcher, going by the handle “SquiblyDoo,” who closely monitors Yellow Cockatoo activity. Squiblydoo’s research [trail appears to have gone cold after posting a blog in mid-October with updates on changes](https://squiblydoo.blog/2021/10/17/solarmarker-by-any-other-name/) in Yellow Cockatoo’s TTPs. Red Canary continues to monitor for signs of new activity and will update our coverage if—and when—anything changes. ## Guess who’s back, back again… Emotet’s back, tell a friend… ----- Months after a [coordinated effort disrupted their infrastructure and operations, Emotet has](https://www.justice.gov/opa/documents-and-resources-related-disruption-emotet-malware-and-botnet) returned and they’re changing things up. For the first time this month, we saw Emotet delivered via AppX bundles, suggesting that certain operators may be experimenting with ways to evade common defenses. **In November 2021, Red Canary observed Emotet delivered via AppX, a type of** **installer bundle used to distribute common Windows applications. In these** cases, victims interacted with a website spoofed to resemble an installer for Adobe PDF software, where they downloaded an AppX bundle containing an Emotet file. **Emotet activity in November also involved previously known delivery** **mechanisms. Much of the other Emotet activity we saw resembled variations on** Emotet campaigns of the past. In these cases, documents sent as attachments via email contained PowerShell code written to download Emotet payloads, which used the export Control_RunDLL for execution. Though we did not observe this activity firsthand, in mid November, security researchers observed Trickbot malware infections deploying Emotet payloads. **This evolving tradecraft complicates efforts to track and attribute activity. In the** case of the AppX bundles, Emotet appeared to use the same resources that were used by BazarBackdoor for deployment earlier in November. Since Red Canary observed the same activity and resources used by both families, we decided to track the AppX bundle deployment activity cluster under a separate name: Ultramarine Wren. As Emotet evolves and we observe its use in different activity clusters, we continue to track changes in behavior and corresponding ways to detect that behavior. ### Detection opportunity: Rundll32 execution with a unique function process_ name == `rundll32.exe` && command_line_contains == `Control_RunDLL` && command_line_ does_ not_ contain == `shell32` ## Recent increase in websell activity likely stems from exploitation of ADSelfService Plus RCE vulnerability Over November, Red Canary observed an increase in detections involving webshells. Further analysis suggests that many of these were likely the result of the exploitation of [CVE -2021-40539, a vulnerability in ADSelfService Plus. ADSelfService Plus is a common](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40539) password management and single sign-on (SSO) solution. Exploitation of this vulnerability can enable a range of nefarious follow-on activity, and multiple operators are reportedly ----- using this exploit in the wild. We are tracking behaviors related to known compromises and recommend that customers using ADSelfServicePlus apply the patch issued by ManageEngine. **[Researchers at Synactiv outlined in-the-wild use of tradecraft involving this](https://www.synacktiv.com/en/publications/how-to-exploit-cve-2021-40539-on-manageengine-adselfservice-plus.html)** **vulnerability that allowed Red Canary to identify a specific behavior consistently** **related to this attack chain. We saw operators use the Java utility** `keytool.exe to move` a recently installed webshell from an initial directory to a new location. ### Detection opportunity: Keytool.exe spawning Windows shell parent process parent_process_name== keytool.exe && process_name ==( cmd.exe || `powershell.exe )` **Failure to securely configure ADSelfService Plus can provide an adversary who** **exploits this vulnerability with immediate domain admin access. Administrators can** configure ADSelfService Plus in a variety of ways, giving varied levels of permissions to Active Directory users, ranging from local SYSTEM to full Domain Admin. In turn, if an adversary were to exploit CVE-2021-40539, they would be given that level of permission and access to the Active Directory. To properly secure ADSelfService Plus and protect Active Directory accounts, we strongly recommend that customers refrain from running [ADSelfService Plus with an elevated permissions account, such as Domain Admin. Instead,](https://download.manageengine.com/products/self-service-password/adselfservice-plus-privileges-permissions-requirement-guide.pdf) customers should use an unprivileged Active Directory account configured according to [guidance from ManageEngine.](https://www.manageengine.com/products/self-service-password/help/admin-guide/domain-settings.html) [Based on our observations and public reporting from CISA,](https://www.cisa.gov/uscert/ncas/alerts/aa21-259a) [Microsoft, and](https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/) Palo Alto’s Unit 42, it is clear that post-exploitation activity varies across intrusions. We continue to track activity related to this threat and expand our detection coverage to account for new variations. ### Detection opportunity: Excel spawning WMIC parent_process_name == `excel.exe` process_name == `wmic.exe` ### Detection opportunity: MSHTA execution without HTA file process name == `mshta.exe` command_line_does_not_contain == `.hta` ----- As always, the assessments in this report represent our best thinking based on our current visibility. To this end, we welcome the receipt of conflicting or contradictory information on these threats and acknowledge that our assessments are subject to change over time as we incorporate new information. To submit additional information for consideration, please contact [intel@redcanary.com.](http://10.10.0.46/mailto:intel@redcanary.com) Look familiar? [If you've run into any of these behaviors on your environment, let us know!](http://10.10.0.46/mailto:blog@redcanary.com) Related Articles Detection and response ### ChromeLoader: a pushy malvertiser Detection and response ### Intelligence Insights: May 2022 Detection and response ### The Goot cause: Detecting Gootloader and its follow-on activity Detection and response ### Marshmallows & Kerberoasting **Subscribe to our blog** Our website uses cookies to provide you with a better browsing experience. More [information can be found in our Privacy Policy.](https://redcanary.com/privacy-policy) X **Privacy Overview** This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. ----- These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience. Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information. Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website. -----