Monthly Threat Brief: December 2023

Posted: 01/24/2024 | By: Bryson Medlock

Welcome to the latest edition of the monthly threat brief published by the ConnectWise Cyber Research Unit™ (CRU).

In this threat brief, we will provide raw data statistics, intel on specific threats, and a list of new detection signatures added to the ConnectWise SIEM™ throughout the month of December. For a more detailed explanation of the overall trends and analysis of these numbers, check out our annual and quarterly threat reports. For comparison, November’s threat brief can be found here.

December 2023 stats

IOCs

The CRU collects indicators of compromise (IOCs) from public open-source intelligence (OSINT) sources and any cybersecurity incident escalated by the ConnectWise security operations center (SOC). These IOCs are used for automated threat hunting and data enrichment to assist SOC analysts. Below is a summary of the IOCs collected. We intend to launch streaming threat feeds based on this data in 2024.


Figure 1: Summary of IOCs collected in December 2023

TTPs

The CRU collects tactics, techniques, and procedures (TTPs) from all incidents escalated by the ConnectWise SOC. This information helps us keep tabs on how threat actor behavior changes.

Below are the top 10 MITRE ATT&CK® techniques for November—provided for comparison—and December 2023.


Figure 2: Top 10 MITRE ATT&CK techniques observed in November 2023


Figure 3: Top 10 MITRE ATT&CK techniques observed in December 2023

Latest threats

Each month, we highlight threats that we have seen targeting our MSP partners and their clients. This month, the ConnectWise SOC saw multiple incidents of GhostPulse and GootLoader—both are loaders used during initial access to download additional malware.

GhostPulse

GhostPulse, also known as HijackLoader, IDAT Loader, and Shadowladder, is a loader first observed in July 2023. It uses stealth techniques such as DLL Search Order Hijacking (T1574.001) and Process Doppelgänging (T1055.013).

GhostPulse frequently comes packaged as an installer with legitimate software. For example, this month, we have seen malicious installers for Notion, WebEx, and Zoom. Threat actors use SEO poisoning and malvertising to trick users into downloading the malicious version of common software. The installers will install the legitimate software they advertise, while GhostPulse installs in the background and then loads additional malware such as a remote admin tool or ransomware.

We saw an increase in malvertising and malicious installers of legitimate software in 2023 as a common method for initial access. When installing free software from the internet, it is important to know where your download is coming from and only download software directly from the vendor.

MITRE ATT&CK techniques

[Figure: MITRE ATT&CK techniques used by GhostPulse]

IOCs

[Figure: GhostPulse IOCs]

GootLoader

GootLoader is a first-stage loader that has been around since 2020, typically paired with the banking trojan GootKit. Like GhostPulse, GootLoader primarily uses SEO poisoning (T1608.006) to trick its victims into downloading malicious files.

The GootLoader campaigns we have observed specifically target law firms and impersonate legal documents such as contracts, subpoenas, or other legal forms. You can find the file names in IOCs below. GootLoader payloads are typically hosted on compromised WordPress sites. SEO poisoning is a common technique, and we strongly recommend not downloading any files from unknown sources.

MITRE ATT&CK techniques

[Figure: MITRE ATT&CK techniques used by GootLoader]

IOCs

[Figure: GootLoader IOCs, including the legal-document file names referenced above]

New ConnectWise SIEM signatures

Several new ConnectWise SIEM detection signatures were added in December 2023. These include:

  • [CRU][Windows] Executable launched from Perflogs directory

Technique detected: [T1204] User Execution

Description: The C:\PerfLogs directory is a default Windows directory used, predictably, to store the performance data that Windows collects and that is viewable in Performance Monitor. Malicious actors have been known to use this directory to store malicious artifacts. There should not be any executables running from this directory.

  • [CRU][Windows] Explicit DLL download using curl

Technique detected:  [T1105] Ingress Tool Transfer

Description: curl is a command-line utility for transferring data over network protocols. Malicious actors commonly use it because Windows has shipped a native curl.exe since Windows 10 version 1803, and it is used often enough to blend in with normal activity.

This event notification attempts to alert on curl being used to download a DLL file. This event notification will not trigger if the DLL file is masquerading as another file type or does not have a DLL file extension. Investigate the source of the curl process creation and the activities following the downloading of the DLL.
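The two process-creation checks described above, written out as an added example so the blind spot in the curl rule is concrete. This is illustrative code, not ConnectWise SIEM signature logic; the Sysmon-style Event ID 1 records it runs over are constructed for the example, and the output-path handling assumes only curl's -o/--output and -O/--remote-name forms.

```python
"""Added example: process-creation checks modelled on the CRU descriptions
(executable launched from C:\\PerfLogs; curl writing a .dll to disk).
Not ConnectWise SIEM signature logic; sample events are constructed."""
import ntpath
import shlex
from typing import Optional


def split_windows_cmdline(cmdline):
    # posix=False keeps backslashes literal and leaves quotes attached to
    # quoted tokens; strip them so "C:\Program Files\x.exe" compares cleanly.
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def launched_from_perflogs(event):
    """True when the process image lives anywhere under C:\\PerfLogs."""
    image = ntpath.normpath(event.get("Image", "")).lower()
    return image.startswith("c:\\perflogs\\")


def curl_dll_download(event):
    """Return the .dll a curl invocation writes to disk, or None.

    Mirrors the blind spot stated in the rule description: only the .dll
    extension is checked, so a DLL saved under a .txt name is not flagged.
    """
    if ntpath.basename(event.get("Image", "")).lower() != "curl.exe":
        return None
    args = split_windows_cmdline(event.get("CommandLine", ""))
    for i, arg in enumerate(args):
        # -o / --output <file>: explicit output path (assumption: no other forms)
        if arg in ("-o", "--output") and i + 1 < len(args):
            if args[i + 1].lower().endswith(".dll"):
                return args[i + 1]
        # -O / --remote-name: file name is taken from the URL
        elif arg in ("-O", "--remote-name"):
            for a in args:
                base = a.rsplit("/", 1)[-1].split("?", 1)[0]
                if a.lower().startswith(("http://", "https://")) and base.lower().endswith(".dll"):
                    return base
    return None


# Constructed Sysmon-style (Event ID 1) process-creation events.
SAMPLE_EVENTS = [
    {"Image": r"C:\PerfLogs\svchost.exe",
     "CommandLine": r"C:\PerfLogs\svchost.exe -k netsvcs",
     "User": r"CORP\jdoe"},
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl -o C:\Users\Public\Libraries\helper.dll https://cdn.invalid/helper.dll",
     "User": r"CORP\jdoe"},
    # Same DLL fetched under a .txt name: the rule does not fire, by design.
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl -o C:\Users\Public\notes.txt https://cdn.invalid/helper.dll",
     "User": r"CORP\jdoe"},
    # PerfLogs appears only as an argument, not as the image path: no alert.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\PerfLogs\report.txt",
     "User": r"CORP\jdoe"},
]


def run_rules(events):
    """Apply both checks; return (rule name, user, detail) tuples."""
    alerts = []
    for ev in events:
        if launched_from_perflogs(ev):
            alerts.append(("Executable launched from Perflogs directory",
                           ev.get("User"), ev["Image"]))
        dll = curl_dll_download(ev)
        if dll:
            alerts.append(("Explicit DLL download using curl",
                           ev.get("User"), dll))
    return alerts


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_EVENTS):
        print(" | ".join(str(x) for x in alert))
```

The third sample event is the point of the rule's own caveat: the same DLL lands on disk, but because the check keys on the file extension rather than the file content, the triage has to start from whatever follows the download (a rundll32 or regsvr32 child process, for instance), not from the curl event alone.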

  • [CRU][O365] New Inbox Rule Created with Suspicious Name

Technique detected: [T1137.005] Office Application Startup: Outlook Rules

Description: In many business email compromise (BEC) incidents, inbox rules that forward or delete mail are created so that the user is unaware of how their account is being used maliciously. Frequently these rules are named with a single character. This event notification attempts to trigger on that behavior. Search for additional activity from the ClientIP that created the rule, and follow the session through other records via the AppAccessContext.AADSessionId, SessionId, and DeviceProperties.SessionId fields.
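The detection and the session pivot described above, as an added example rather than the ConnectWise SIEM signature itself. The audit records are constructed to resemble Unified Audit Log output with only the fields the pivot needs; modelling DeviceProperties as a list of Name/Value pairs is an assumption made here, as is treating Set-InboxRule alongside New-InboxRule.

```python
"""Added example: flag inbox-rule audit records whose rule name is a single
character, then pivot on ClientIP and the three session-id fields.
Not ConnectWise SIEM signature logic; the records below are constructed."""
import json

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}  # assumption: both count

# Constructed audit records (abbreviated to the fields used here).
SAMPLE_LOG = json.loads(r"""
[
 {"Operation": "UserLoggedIn", "UserId": "jdoe@corp.example", "ClientIP": "203.0.113.10",
  "DeviceProperties": [{"Name": "OS", "Value": "Windows 10"},
                       {"Name": "SessionId", "Value": "a1b2c3"}]},
 {"Operation": "MailItemsAccessed", "UserId": "jdoe@corp.example", "ClientIP": "203.0.113.10",
  "AppAccessContext": {"AADSessionId": "a1b2c3"}},
 {"Operation": "New-InboxRule", "UserId": "jdoe@corp.example", "ClientIP": "203.0.113.10",
  "SessionId": "a1b2c3",
  "Parameters": [{"Name": "Name", "Value": "."},
                 {"Name": "DeleteMessage", "Value": "True"},
                 {"Name": "SubjectContainsWords", "Value": "invoice;payment"}]},
 {"Operation": "New-InboxRule", "UserId": "asmith@corp.example", "ClientIP": "198.51.100.7",
  "SessionId": "d4e5f6",
  "Parameters": [{"Name": "Name", "Value": "Move newsletters"},
                 {"Name": "MoveToFolder", "Value": "Newsletters"}]}
]
""")


def rule_name(record):
    """The rule's display name is carried as the 'Name' cmdlet parameter."""
    for param in record.get("Parameters", []):
        if param.get("Name") == "Name":
            return param.get("Value")
    return None


def is_suspicious_name(name):
    # Single character (".", "-", "a") or whitespace-only names.
    return name is not None and len(name.strip()) <= 1


def session_ids(record):
    """Collect every session identifier the record carries, whichever of the
    three fields this record type populates."""
    ids = set()
    if record.get("SessionId"):
        ids.add(record["SessionId"])
    aad = (record.get("AppAccessContext") or {}).get("AADSessionId")
    if aad:
        ids.add(aad)
    for prop in record.get("DeviceProperties") or []:
        if prop.get("Name") == "SessionId" and prop.get("Value"):
            ids.add(prop["Value"])
    return ids


def suspicious_inbox_rules(records):
    """Return one alert per suspicious rule, with the records that share its
    session id or client IP attached for triage."""
    alerts = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        name = rule_name(rec)
        if not is_suspicious_name(name):
            continue
        sids = session_ids(rec)
        related = [r for r in records
                   if r is not rec
                   and (session_ids(r) & sids or r.get("ClientIP") == rec.get("ClientIP"))]
        alerts.append({
            "user": rec.get("UserId"),
            "rule_name": name,
            "client_ip": rec.get("ClientIP"),
            "session_ids": sorted(sids),
            "related_operations": [r.get("Operation") for r in related],
        })
    return alerts


if __name__ == "__main__":
    for alert in suspicious_inbox_rules(SAMPLE_LOG):
        print(json.dumps(alert, indent=2))
```

The pivot is deliberately lenient: a match on either the session id or the ClientIP pulls a record in, because the three session-id fields are not all present on every record type and an attacker's sign-in and mailbox access are often only linked by the address they came from.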

  • [CRU][Windows] Invoke-Sharefinder Usage

Technique detected

Description: This alert triggers on activity related to the Invoke-ShareFinder command from the PowerView toolkit. Invoke-ShareFinder is a PowerView function that discovers and enumerates domain shares. Examine the PowerShell script block text (Event ID 4104) for other references to the toolkit to validate this activity.

  • [CRU][Windows] MSDTC Service DLL Hijack - Suspicious DLL Creation

Technique detected: [T1574.001] Hijack Execution Flow: DLL Search Order Hijacking

Description: The Microsoft Distributed Transaction Coordinator (MSDTC) service manages transactions with databases. It is open to DLL hijacking because it searches for an oci.dll file that is not present by default in the System32 directory. Attackers have been observed placing malicious oci.dll files in System32 in order to hijack this service for persistence. Review the process and user creating this file.

  • [CRU][Windows] MSDTC Service DLL Hijack - Suspicious Registry Manipulation

Technique detected: [T1574.001] Hijack Execution Flow: DLL Search Order Hijacking

Description: The Microsoft Distributed Transaction Coordinator (MSDTC) service manages transactions with databases. It is open to DLL hijacking because it searches for an oci.dll file that is not present by default in the System32 directory. Attackers have been observed changing the default search path for this DLL by manipulating related registry values in order to execute malicious files. Review the process and user manipulating the registry, and the files in the path set by the registry value.

  • [CRU][Windows] LOLBin Microsoft.NodejsTools.PressAnyKey.exe Usage

Technique detected: [T1218] System Binary Proxy Execution

Description: This event notification detects Microsoft.NodejsTools.PressAnyKey.exe usage. While this is a legitimate binary that is part of the Node.js Tools for Visual Studio, it can be used as a LOLBin to execute arbitrary binaries. PressAnyKey requires at least three arguments; the first two can be any value, and the third is passed directly to ProcessStartInfo and executed. Any child processes it launches should be investigated for malicious intent.
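An added example of the argument handling described above, turned into two process-creation checks: one that recovers the command PressAnyKey will hand to ProcessStartInfo from the third argument onward, and one that catches whatever PressAnyKey then spawns. This is not ConnectWise SIEM signature logic, and the Sysmon-style events and install path are constructed for the example.

```python
"""Added example: PressAnyKey LOLBin checks over Sysmon-style Event ID 1
records.  Not ConnectWise SIEM signature logic; sample events are constructed."""
import ntpath
import shlex

PRESSANYKEY = "microsoft.nodejstools.pressanykey.exe"


def split_windows_cmdline(cmdline):
    # posix=False keeps backslashes literal; strip the quotes shlex leaves on.
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def pressanykey_proxied_command(event):
    """If the image is PressAnyKey launched with at least three arguments,
    return the command it will execute (third argument onward); else None."""
    if ntpath.basename(event.get("Image", "")).lower() != PRESSANYKEY:
        return None
    args = split_windows_cmdline(event.get("CommandLine", ""))[1:]  # drop argv[0]
    if len(args) < 3:
        return None
    return args[2:]


def child_of_pressanykey(event):
    """Second angle: any process whose parent image is PressAnyKey."""
    return ntpath.basename(event.get("ParentImage", "")).lower() == PRESSANYKEY


# Constructed events; the PressAnyKey path is invented for the example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Tools\Microsoft.NodejsTools.PressAnyKey.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Tools\Microsoft.NodejsTools.PressAnyKey.exe" normal 0 C:\Users\Public\update.exe /quiet'},
    {"Image": r"C:\Users\Public\update.exe",
     "ParentImage": r"C:\Tools\Microsoft.NodejsTools.PressAnyKey.exe",
     "CommandLine": r"C:\Users\Public\update.exe /quiet"},
    # What the tool is actually for: keeping a console open around node.exe.
    # It is still reported, because the rule detects usage, not intent.
    {"Image": r"C:\Tools\Microsoft.NodejsTools.PressAnyKey.exe",
     "ParentImage": r"C:\Tools\devenv.exe",
     "CommandLine": r'"C:\Tools\Microsoft.NodejsTools.PressAnyKey.exe" normal 4120 "C:\Program Files\nodejs\node.exe" app.js'},
    # Too few arguments to reach ProcessStartInfo: nothing is executed.
    {"Image": r"C:\Tools\Microsoft.NodejsTools.PressAnyKey.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Tools\Microsoft.NodejsTools.PressAnyKey.exe" normal'},
]


def run_rules(events):
    """Return (finding, detail) tuples for triage."""
    alerts = []
    for ev in events:
        proxied = pressanykey_proxied_command(ev)
        if proxied:
            alerts.append(("PressAnyKey proxy execution", " ".join(proxied)))
        if child_of_pressanykey(ev):
            alerts.append(("Child process of PressAnyKey", ev["Image"]))
    return alerts


if __name__ == "__main__":
    for finding, detail in run_rules(SAMPLE_EVENTS):
        print(finding, "->", detail)
```

Reporting the proxied command rather than just the PressAnyKey image is what makes the alert triageable: the analyst sees at once whether the third argument is node.exe under a developer's profile or an executable dropped into a public directory.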