Monthly Threat Brief: December 2024

Posted:
01/22/2025
| By:
Bryson Medlock

Welcome to the latest edition of the monthly threat brief published by the ConnectWise Cyber Research Unit™ (CRU). In this threat brief, we will provide raw data statistics, intel on the most common malware seen this month, and a list of new detection signatures added to the ConnectWise SIEM™ throughout December.  

For a more detailed explanation of the overall trends and analysis of these numbers, check out the 2024 MSP Threat Report. For comparison, November’s threat brief can be found here.

December 2024 stats

IOCs

The CRU collects indicators of compromise (IOCs) from public open-source intelligence (OSINT) sources and any cybersecurity incident escalated by the ConnectWise security operations center (SOC). These IOCs are used for automated threat hunting and data enrichment to assist SOC analysts. Below is a summary of the IOCs collected.

25-DMDG-2129 - Figure 1.png

Figure 1: Summary of IOCs collected in December 2024

TTPs

The CRU collects tactics, techniques, and procedures (TTPs) from all incidents escalated by the ConnectWise SOC. This information helps us keep tabs on how threat actor behavior changes. Below are the top 10 MITRE ATT&CK® techniques for November 2024—provided for comparison—and December 2024.

25-DMDG-2129 - Figure 2.png

Figure 2: Top 10 MITRE ATT&CK techniques observed in November 2024

25-DMDG-2129 - Figure 3.png

Figure 3: Top 10 MITRE ATT&CK techniques observed in December 2024

Latest threats

Each month, we highlight threats that we have seen targeting our managed service provider (MSP) partners and their clients.

25-DMDG-2129 - Figure 4.png

Figure 4: Top five malware observed in December 2024

NetSupport Manager RAT

NetSupport Manager RAT is a program that enables users to manage and control other computers over a network. It functions as a “remote access trojan,” and while it’s intended for legitimate uses such as technical support and corporate network management, it can also be misused.

The software offers various features, such as:

  • Remote desktop control: Gives an administrator full access to the target computer’s screen and inputs
  • File transfer: Allows moving files between the computers
  • System inventory: Provides details about the target computer’s hardware and software
  • Hardware and software monitoring: Tracks system performance and installed applications
  • Chat functionality: Facilitates communication between the administrator and the target computer user

NetSupport Manager RAT operates by installing a client component on the target computer and a control component on the administrator’s computer. These components communicate via a network connection, enabling the administrator to access and control the target computer. However, remote administration tools, including NetSupport Manager RAT, can be used for malicious purposes. Cybercriminals frequently use similar software to infiltrate computers, steal confidential information, or carry out harmful activities without the user’s knowledge or consent.

NetSupport Manager RAT-1.png

NetSupport Manager RAT-1.png

FAKEUPDATES/FakeUpdates/SOCGholish

FakeUpdates, also known as FAKEUPDATES or SocGholish, is a prevalent malware campaign that emerged around 2018, characterized by its use of social engineering techniques to trick users into downloading malicious software disguised as legitimate updates. This malware is primarily delivered through compromised websites, where users are prompted with fake update notifications, typically for common software such as Adobe Flash Player or browser updates. These prompts are designed to appear authentic, exploiting users’ trust and urgency to keep their software up-to-date.

Once the user initiates the download, the malware installs a backdoor on the system, providing attackers with remote access and control. FakeUpdates is often used as a delivery mechanism for additional payloads, including ransomware, banking trojans, and information stealers. The attackers leverage this access to exfiltrate sensitive data, deploy further malware, or use the compromised systems for broader campaigns.

The widespread use of compromised legitimate websites and the convincing nature of the fake update prompts make FakeUpdates a significant threat, capable of impacting a wide range of users and organizations. Its persistence and adaptability in evading detection underscore the importance of robust cybersecurity practices and user education to mitigate such threats.

FAKEUPDATES-FakeUpdates-SOCGholish-2.png

FAKEUPDATES-FakeUpdates-SOCGholish-2.png

Emmenhtal/PEAKLight/IDATDropper

Emmenhtal, also known as PEAKLight or IDATDropper, is a sophisticated PowerShell-based downloader first identified in 2024. It employs a multi-stage infection process, often initiated through malicious ZIP files masquerading as pirated movies. These archives contain deceptive LNK files that, when executed, connect to content delivery networks (CDNs) hosting obfuscated, memory-only JavaScript droppers.

These droppers decrypt and execute PowerShell scripts, collectively referred to as PEAKLight, which then download and install various malware payloads, including infostealers such as LummaC2, SHADOWLADDER, and CRYPTBOT. A notable aspect of IDATDropper/PEAKLight is its use of legitimate CDNs to host malicious payloads, exploiting the inherent trust in these services to evade detection.

Additionally, the malware employs system binary proxy execution techniques, such as using “mshta.exe” to execute malicious code, further enhancing its stealth. This combination of tactics allows it to effectively bypass traditional security measures, posing significant challenges for detection and mitigation.

Emmenhtal-PEAKLight-IDATDropper-3.png

Emmenhtal-PEAKLight-IDATDropper-3.png

Lumma Stealer/LummaC2

Lumma Stealer, also known as LummaC2, is an information-stealing malware written in C that has been available through a malware-as-a-service (MaaS) model on Russian-speaking forums since at least August 2022. Developed by a threat actor known as “Shamel” or “Lumma,” this malware specializes in exfiltrating sensitive data from compromised systems, including passwords, browser information, cryptocurrency wallet details, and two-factor authentication (2FA) browser extensions. Once the targeted data is obtained, it is exfiltrated to a command-and-control (C2) server via HTTP POST requests using the user agent “TeslaBrowser/5.5.” Additionally, Lumma Stealer features a non-resident loader capable of delivering additional payloads via EXE, DLL, and PowerShell. 

The malware employs various deceptive distribution methods to infiltrate systems. Recent campaigns have used fake CAPTCHA verification pages, where users are tricked into executing malicious PowerShell commands disguised as legitimate human verification steps. Other tactics include distributing the malware through telegram channels offering pirated software, torrents with pirated TV shows, and YouTube videos promoting cracked software.

These methods exploit user trust and the popularity of certain platforms to propagate the malware effectively. The persistent and evolving nature of Lumma Stealer underscores the importance of robust cybersecurity measures, including user education, up-to-date antivirus solutions, and cautious interaction with unsolicited offers.

Lumma Stealer-LummaC2-4.png

Lumma Stealer-LummaC2-4.png

KongTuke/WarmCookie/BadSpace

Kongtuke, also known as WarmCookie or BadSpace, is a backdoor malware that emerged in mid-2024, primarily targeting Windows systems. It is distributed through compromised high-ranking websites, often masquerading as legitimate browser updates to deceive users into downloading malicious payloads. The malware employs a multi-stage infection chain, beginning with the injection of malicious code into reputable websites, frequently built on platforms such as WordPress.

When a user visits an infected site, a script collects device information and may present a fake browser update prompt. If the user proceeds, a JScript downloader is executed, which then deploys the WarmCookie backdoor onto the victim’s system.

Once installed, WarmCookie establishes persistence through scheduled tasks and employs various anti-sandbox techniques to evade detection. It dynamically resolves APIs and decrypts strings at runtime using RC4 encryption, complicating analysis. The backdoor is capable of executing commands, reading and writing files, and capturing screenshots. It communicates with its command-and-control (C2) server via HTTP, using a combination of RC4 and Base64 encoding to protect its network traffic. This infrastructure has been linked to the SocGholish threat actor, known for using fake updates and JavaScript files in their campaigns.

KongTuke-WarmCookie-BadSpace-5.png

KongTuke-WarmCookie-BadSpace-5.png

New ConnectWise SIEM signatures

A couple of new ConnectWise SIEM detection signatures were added in December 2024. These include:

  • [CRU][Windows] Suspicious PowerShell Execution by SSH

Techniques detected: [T1059.001] Command and Scripting Interpreter: PowerShell, [T1021.004] - Remote Services: SSH

Description: This alert triggers when ssh.exe is the parent process of a PowerShell process. This is not a common activity, and threat actors have been observed using SSH.exe to execute PowerShell commands to accomplish various objectives. Pay attention to the PowerShell activity occurring to validate this activity.

  • [Windows] Potential SAM Registry Hive Access via svchost.exe

Techniques detected: [T1003.002] OS Credential Dumping: Security Account Manager

Description: To detect Event ID 4656 related to SAM registry hive dumping, ensure object access auditing is enabled. Enable the “Audit SAM” policy and configure the SACL on the SAM registry key (HKLM\SAM). Set auditing to monitor both successful and failed access attempts and ensure the “everyone” security principal has the correct audit settings. This detection identifies attempts to access the SAM registry hive via svchost.exe, which contains sensitive credentials.

Recommended