Red Canary
Feb 18, 2022
Over the past few hours, we’ve observed malicious phishing emails associated with the delivery affiliate TR in multiple customer environments. The infection scheme was consistent, executing in the following pattern: OneDrive phishing page -> ZIP download -> malicious XLSB -> Qbot
The ZIP file and XLSB had formats similar to `123 (1).zip/123.xlsb`. The Excel macros downloaded a Qbot binary with an OCX file extension to the TR-specific folder “C:\Watdan” and executed it with the command `regsvr32 C:\Watdan\tle1.ocx`
We observed reconnaissance commands and lateral movement next, and the adversary dropped Cobalt Strike and Bloodhound, common post-exploitation tools, into victims’ environments. This progression of activity is a common ransomware precursor.
#RCIntel wanted to provide some detection opportunities for the community based on this information to empower defenders to respond to this activity in near real-time.
First, we recommend looking for instances of regsvr32 spawning from an excel.exe parent process. Additionally, if regsvr32 spawns an explorer.exe process, this should be prioritized for immediate investigation.
Also look out for rundll32.exe processes that have no command-line arguments and make a file modification whose path contains ‘\pipe’. This could be an indication of Cobalt Strike behavior. It is also suspicious if a rundll32.exe process with no command-line arguments makes a network connection.
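The four detection opportunities above (regsvr32 spawned by excel.exe, regsvr32 spawning explorer.exe, argument-less rundll32 touching a ‘\pipe’ path, and argument-less rundll32 making a network connection) as detection logic run over a handful of process, file and network events. This is an added example, not Red Canary's code or detection content; the JSON-lines event schema (`type`, `pid`, `ppid`, `image`, `parent_image`, `cmdline`, `path`, `dest`) is an assumed EDR-like shape, and every event in `SAMPLE_TELEMETRY` is constructed for illustration (the pipe name and the 203.0.113.0/24 addresses are placeholders).

```python
"""Detection logic for the thread's regsvr32 / rundll32 opportunities.

Added example (not Red Canary's code). The event schema is an assumed
EDR-like JSON-lines shape; all sample events are constructed.
"""
import json
import ntpath
from collections import defaultdict

# Constructed telemetry: the Excel -> regsvr32 -> explorer -> rundll32 chain
# from the thread, plus two benign look-alikes that must NOT alert.
SAMPLE_TELEMETRY = r"""
{"type":"process","pid":3300,"ppid":1,"image":"C:\\Windows\\explorer.exe","parent_image":"C:\\Windows\\System32\\userinit.exe","cmdline":"C:\\Windows\\explorer.exe"}
{"type":"process","pid":4101,"ppid":3300,"image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","parent_image":"C:\\Windows\\explorer.exe","cmdline":"\"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE\" \"C:\\Users\\user\\Downloads\\123.xlsb\""}
{"type":"process","pid":4120,"ppid":4101,"image":"C:\\Windows\\SysWOW64\\regsvr32.exe","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","cmdline":"regsvr32 C:\\Watdan\\tle1.ocx"}
{"type":"process","pid":4133,"ppid":4120,"image":"C:\\Windows\\explorer.exe","parent_image":"C:\\Windows\\SysWOW64\\regsvr32.exe","cmdline":"explorer.exe"}
{"type":"process","pid":4150,"ppid":4133,"image":"C:\\Windows\\System32\\rundll32.exe","parent_image":"C:\\Windows\\explorer.exe","cmdline":"rundll32.exe"}
{"type":"file","pid":4150,"path":"\\\\.\\pipe\\constructed-sample-pipe"}
{"type":"network","pid":4150,"dest":"203.0.113.10:443"}
{"type":"process","pid":4160,"ppid":3300,"image":"C:\\Windows\\System32\\rundll32.exe","parent_image":"C:\\Windows\\explorer.exe","cmdline":"rundll32.exe shell32.dll,Control_RunDLL"}
{"type":"network","pid":4160,"dest":"203.0.113.20:443"}
{"type":"process","pid":4170,"ppid":900,"image":"C:\\Windows\\System32\\regsvr32.exe","parent_image":"C:\\Windows\\System32\\msiexec.exe","cmdline":"regsvr32 /s \"C:\\Program Files\\Vendor\\comp.dll\""}
"""


def load_events(text):
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_name(path):
    """Case-folded executable name: 'C:\\Windows\\explorer.exe' -> 'explorer.exe'."""
    return ntpath.basename(path or "").lower()


def has_no_arguments(cmdline):
    """True when the command line is only the program, quoted or bare.

    An empty or missing command line is treated as unknown (False), so a
    sensor gap does not by itself become an alert.
    """
    s = (cmdline or "").strip()
    if not s:
        return False
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:  # unterminated quote: do not guess
            return False
        rest = s[end + 1:]
    else:
        parts = s.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return rest.strip() == ""


def detect(events):
    """Apply the four rules; return alerts in the order process events were seen."""
    procs = {}
    pipe_writes = defaultdict(list)  # pid -> file paths containing '\pipe'
    net_conns = defaultdict(list)    # pid -> destinations
    for ev in events:
        if ev["type"] == "process":
            procs[ev["pid"]] = ev
        elif ev["type"] == "file" and "\\pipe" in ev["path"].lower():
            pipe_writes[ev["pid"]].append(ev["path"])
        elif ev["type"] == "network":
            net_conns[ev["pid"]].append(ev["dest"])

    alerts = []

    def alert(rule, priority, ev, detail):
        alerts.append({"rule": rule, "priority": priority, "pid": ev["pid"],
                       "image": image_name(ev["image"]), "detail": detail})

    for ev in procs.values():
        child = image_name(ev["image"])
        parent = image_name(ev.get("parent_image"))
        if child == "regsvr32.exe" and parent == "excel.exe":
            alert("excel_spawns_regsvr32", "high", ev, ev["cmdline"])
        if child == "explorer.exe" and parent == "regsvr32.exe":
            alert("regsvr32_spawns_explorer", "critical", ev, "investigate immediately")
        if child == "rundll32.exe" and has_no_arguments(ev.get("cmdline")):
            if pipe_writes[ev["pid"]]:
                alert("rundll32_noargs_pipe", "high", ev, pipe_writes[ev["pid"]][0])
            if net_conns[ev["pid"]]:
                alert("rundll32_noargs_network", "medium", ev, net_conns[ev["pid"]][0])
    return alerts


def run_sample():
    """Run the rules over the constructed telemetry above."""
    return detect(load_events(SAMPLE_TELEMETRY))


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a['priority']}] pid={a['pid']} {a['image']}: {a['rule']} ({a['detail']})")
```

The benign `rundll32.exe shell32.dll,Control_RunDLL` process and the `regsvr32 /s` run under msiexec.exe are included deliberately: the first shows why the rundll32 rules key on the absence of arguments rather than on the image alone, and the second shows that regsvr32 by itself is routine and the parent process is what carries the signal.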
More from @redcanary

Nov 3, 2021
SQUIRRELWAFFLE is a malware loader that first emerged in September 2021 and is often a delivery mechanism for Qbot. We’ve seen it rapidly deliver Cobalt Strike and Bloodhound, which we frequently observe preceding impactful threats like ransomware. 1/4
This activity is novel due to its speed. SQUIRRELWAFFLE can lead to Cobalt Strike and Bloodhound within 90 minutes of the initial infection. The adversary is using a legitimate NVIDIA binary to load a malicious Cobalt Strike DLL, making the threat potentially evasive. 2/4
DETECTION OPPORTUNITIES:

1) look for `excel.exe` spawning `regsvr32.exe` with `test1.test` in the command line

2) look for a process with an internal name of `net.exe` or `net1.exe` along with a command line that includes `domain admins`.

3/4
Mar 6, 2021
We sat down with @likethecoins, director of intelligence at Red Canary, to chat about the Microsoft Exchange activity happening and share what we’re seeing. Check out what she had to say in the thread. #RCintel
Q1: What do we know about the adversaries exploiting the recent Exchange vulnerabilities? #RCintel
There’s a lot of confusion rn. Based on our visibility and that of researchers from Microsoft, FireEye, & others, there are at least 5 different clusters of activity that appear to be exploiting the vulnerabilities. -Katie Nickels #RCintel (1/2)
Mar 5, 2021
We’ve detected suspicious activity in multiple environments today, and, while we haven’t yet observed a payload, we’re concerned the activity may be the result of Exchange Server compromise. 1/7 #RCintel
What we’re observing is consistent with DLTminer precursor activity uncovered by @vmw_carbonblack in 2019, specifically its use of scheduled tasks to execute PowerShell and make external network connections. carbonblack.com/blog/cb-tau-te… 2/7
Prior to the Scheduled Task and PowerShell activity, we’re seeing the adversary leverage the IIS Worker process (w3wp.exe) to spawn the Command Processor in a manner that’s consistent with web shell activity. 3/7