URL: https://redcanary.com/threat-detection-report/threats/ta551/
Submission: On December 15 via api from US — Scanned from DE

2021 Threat Detection Report
THREAT


TA551

TA551, also known as Shathak, is a threat group that uses large-scale phishing
campaigns to deliver additional malware payloads. IcedID and Valak were the
predominant payloads we observed with TA551 phishing campaigns in 2020.


Overall rank: #1

Customers affected: 15.5%

ANALYSIS

TA551 was the most prevalent threat Red Canary encountered in 2020 by a wide
margin. Its pervasiveness was revealed not only in the volume of detections, but
in the number of organizations affected across multiple industries and company
sizes. The preeminence of TA551 is due in part to our depth of detection
coverage for it: throughout 2020, 55 distinct detection analytics triggered on
activity that we’ve associated with TA551.

TA551 also took the top spot due to our ability to detect it in the earliest
stages of initial access through patterns in malicious attachments.
Approximately two-thirds of TA551 detections we observed didn’t progress beyond
opening the malicious attachment. To understand how an organization can be part
of the two-thirds that didn’t get infected with the next stage of malware, let’s
take a look at the progression of a TA551 attack.

INITIAL ACCESS

TA551 gains initial access via macro-laden Microsoft Word documents delivered
within a password-protected ZIP archive attached to a phishing email. Wrapping
malicious attachments within password-protected archives enables these messages
to bypass many mail protection filters by preventing direct analysis of the
malicious files. This technique has become more common in recent years, as it
increases the likelihood that the phishing message will make it to a user’s
inbox. While TA551 varies the filenames for these ZIP archives, including
targeted names tailored to the recipient’s organization, in many cases the name
was either request.zip or info.zip.

THE DROP

After opening the archive using a password provided within the email body, the
recipient is presented with a Word document containing malicious macros. This is
the dropper, designed to download additional malware from an
adversary-controlled site. This is a crucial point for organizations with a
defense-in-depth strategy; many of our TA551 detections progressed no further
than the opening of this malicious document. Why? Because organizations that
have implemented a restrictive macro policy disrupt this attack by preventing
the execution of malicious code. Such a policy is the primary distinction
between the two-thirds of detections that stopped here and the one-third that
progressed to the more impactful stages of the attack.

THE MACRO FACTOR

For a variety of reasons, many organizations and users do allow macros to run.
In these cases, the macro will result in a network connection to attempt to
download the next stage of the malware. Herein lies another example of a
defense-in-depth strategy that may disrupt the attack: a web proxy that inspects
network traffic may block access to the domain hosting the malicious payload. In
some cases, we observed a network connection and creation of an empty file as a
result of the attempted download, but because the malicious content was
prevented from being downloaded, the attack chain ended there.

DLL INSTALLATION

If a macro policy doesn’t prevent the code from running and a web proxy doesn’t
prevent the next payload from being downloaded, a new malware family will likely
execute. TA551 typically transitions from the initial access phase to malware
execution via a DLL installer. There have been several variations in how the DLL
installer payload was downloaded (see T1105: Ingress Tool Transfer). In some
cases, Microsoft Word downloaded the file directly. Other cases leveraged
renamed system utilities certutil.exe or mshta.exe to further distance the
payload from the dropper. The downloaded DLL file typically masqueraded as well,
using a variety of different non-DLL extensions to attempt to blend in—we’ve
seen .dat, .jpg, .pdf, .txt, and even .theme file extensions.

Despite these attempts to masquerade (and sometimes because of them), our
detection analytics repeatedly triggered when the payload was executed. For most
of 2020, this execution was done via regsvr32.exe; however, near the end of the
year this was replaced with the use of rundll32.exe. While far from the only
threat to use these T1218: Signed Binary Proxy Execution sub-techniques, it is
no coincidence that T1218 was the second-most prevalent technique we observed in
2020.

PAYLOAD

Once the DLL installer runs, the next stage of malware begins. TA551 has
delivered various payloads over the years:

 * In 2019 and early 2020, Ursnif and Zloader were common payloads
 * In mid-2020, TA551 favored delivering Valak as a first-stage and IcedID as a
   second-stage payload for a few months
 * By mid-July 2020, TA551 stopped using Valak and exclusively delivered IcedID
   (our fourth most prevalent threat) as its first-stage payload through the end
   of the year
 * In January 2021, after a brief holiday hiatus, TA551 campaigns returned with
   a new notable payload: Qbot (our third most prevalent threat)

Our understanding of this threat is still evolving, as is the relationship
between TA551’s initial access and the post-exploitation goals of the
later-stage malware. For another perspective on TA551, check out this post from
Unit 42 and follow Brad Duncan on Twitter, who has helped us better understand
this threat.




DETECTION OPPORTUNITIES


DETECTION OPPORTUNITY 1

Winword spawning regsvr32.exe
ATT&CK technique(s): T1218.010 Signed Binary Proxy Execution: Regsvr32
ATT&CK tactic(s): Defense Evasion, Initial Access

Details: TA551 transitions from initial access to execution via a defense
evasion tactic leveraging the Microsoft-signed binary regsvr32.exe. While the
use of a signed binary may try to blend in with typical running processes, the
unusual parent-child relationship between winword.exe and regsvr32.exe provides
a detection opportunity from an endpoint perspective. It is extremely unusual to
see Word executing regsvr32.exe; this is almost always indicative of a malicious
macro. In the example below, 84925290.dat is actually a DLL file masquerading as
a data (DAT) file. More on that in Detection opportunity 3 below.


DETECTION OPPORTUNITY 2

Renamed Windows system binary mshta.exe spawned from WMI and making external
network connections
ATT&CK technique(s): T1218.005 Signed Binary Proxy Execution: Mshta, T1036.003
Masquerading: Rename System Utilities
ATT&CK tactic(s): Defense Evasion, Execution

Details: TA551 changed its macro execution during 2020, evading the first
detection opportunity by leveraging Windows Management Instrumentation (WMI) to
break the parent-child process lineage from winword.exe. Instead of downloading
the installer DLL directly via the macro, TA551 leveraged a Microsoft HTML
Application (HTA) file to retrieve the malicious payload. Not only that, the
adversaries took the extra step to rename mshta.exe in an attempt to masquerade
this activity.

Despite these efforts at evasion, this activity actually represents three
detection opportunities in one! Evaluating process hashes and/or internal binary
metadata is a must when masquerading is in play. When a legitimate file has been
renamed, identifying a mismatch between the expected filename and the observed
filename often leads to high-fidelity detection. In this case, once we’ve
unmasked mshta.exe, two more detection opportunities arise from an understanding
of typical behavior for this binary. The relationship of wmiprvse.exe as the
parent process to mshta.exe is also highly unusual, and a high-fidelity
detection opportunity. Similarly, an external network connection from mshta.exe
is unusual behavior that may draw attention to this process execution.

For those of you detecting at home, note that none of this would have been
possible if our detection coverage relied solely on the filename of mshta.exe to
be accurate.


DETECTION OPPORTUNITY 3

Regsvr32 attempting to register a file without a .dll extension
ATT&CK technique(s): T1218.010 Signed Binary Proxy Execution: Regsvr32,
T1036.003 Masquerading
ATT&CK tactic(s): Defense Evasion

Details: While the first two detection opportunities focused on how TA551
delivered the malicious installer DLL, our third detection opportunity focuses
on how that payload is executed. Continuing with the masquerading theme, TA551
prefers to disguise its malicious code as a more benign file type such as a JPG
or PDF. While this might foil a defender looking for executable file extensions
to analyze, this masquerading trick again results in a detection opportunity
with endpoint monitoring due to abnormal process behavior. It is highly unusual
for regsvr32, a tool designed to register and unregister object linking and
embedding controls on Windows systems, to register files with these extensions.
While there are some legitimate exceptions you may need to tune out in your
environment, regsvr32 typically acts upon files with a .dll extension.
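As an added illustration (not Red Canary's analytics), the following Python routine applies all three detection opportunities above to constructed process telemetry: it keys the mshta checks on internal binary metadata (the PE OriginalFilename) rather than the on-disk name, and includes a benign regsvr32 registration of a real .dll as a case that must not fire. The field names, host paths, the invoice.exe and page.hta names and the 203.0.113.7 address are assumptions; only 84925290.dat comes from the page.

```python
import ipaddress
import os
import shlex

# Constructed sample telemetry with invented host paths; 84925290.dat is the
# masquerading DLL name quoted in Detection opportunity 1 above.
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\regsvr32.exe", "parent": WORD,
     "cmdline": r"regsvr32.exe C:\Users\u\AppData\Local\Temp\84925290.dat", "orig_name": "REGSVR32.EXE"},
    {"id": 2, "image": r"C:\Users\u\AppData\Local\Temp\invoice.exe",  # renamed mshta.exe
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "orig_name": "MSHTA.EXE",
     "cmdline": r"invoice.exe C:\Users\u\AppData\Local\Temp\page.hta", "conns": ["203.0.113.7"]},
    {"id": 3, "image": r"C:\Windows\System32\regsvr32.exe",  # benign: must not fire
     "parent": r"C:\Windows\System32\cmd.exe", "orig_name": "REGSVR32.EXE",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\control.dll"'},
]
# Only RFC 1918, loopback and link-local ranges count as internal here.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_external(ip):
    return not any(ipaddress.ip_address(ip) in net for net in INTERNAL)

def base(path):
    # Lower-cased file name of a Windows path; also works when run on non-Windows hosts.
    return os.path.basename(path.replace("\\", "/")).lower()

def detect(events):
    findings = []  # (event id, rule name) pairs
    for e in events:
        img, parent, orig = base(e["image"]), base(e["parent"]), e["orig_name"].lower()
        # Opportunity 1: unusual parent-child lineage from Word.
        if parent == "winword.exe" and img == "regsvr32.exe":
            findings.append((e["id"], "winword_spawning_regsvr32"))
        # Opportunity 2: unmask mshta via PE metadata, then check parent and network.
        if orig == "mshta.exe":
            if img != "mshta.exe":
                findings.append((e["id"], "renamed_mshta"))
            if parent == "wmiprvse.exe":
                findings.append((e["id"], "mshta_parent_wmiprvse"))
            if any(is_external(ip) for ip in e.get("conns", [])):
                findings.append((e["id"], "mshta_external_connection"))
        # Opportunity 3: regsvr32 asked to register a file without a .dll extension.
        if img == "regsvr32.exe":
            for tok in (t.strip('"') for t in shlex.split(e["cmdline"], posix=False)[1:]):
                if tok[:1] not in ("/", "-") and os.path.splitext(base(tok))[1] != ".dll":
                    findings.append((e["id"], "regsvr32_non_dll_target"))
    return findings
```

Running `detect(EVENTS)` yields two findings for event 1, three for event 2 and none for the benign event 3; in a real deployment the `orig_name` field would be populated from the EDR's binary metadata, which is what keeps the mshta rules working when the file has been renamed.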

DETECTION STRATEGIST

 

JEFF FELLING

PRINCIPAL INTELLIGENCE ANALYST

Jeff Felling is a puzzle solver who currently contemplates the conundrums
confounding corporate computer custodians, aka a threat hunter. After nearly a
dozen years analyzing anomalies, foraging for forensic artifacts, and mulling
over malware for the DoD, Jeff returned home to Indiana in 2016 where he helped
create Anthem, Inc.’s threat hunting program, ORION, prior to joining Red Canary
in April 2019. Jeff holds degrees in mathematics from Johns Hopkins University
(MS) and Purdue University (BS), and is certified in security, incident
handling, and forensic analysis through SANS.