Detecting Snake Malware

Detecting Snake Malware Using Cb Response

Keith McCammon, Chief Security Officer

Several days ago, researchers at Fox-IT announced the porting of the Snake malware framework from Windows to the Mac platform. Detecting Snake malware may be difficult as Snake is a relatively complex framework that includes persistence, information stealing, and communications modules among other capabilities. Given this information, we had a need to look retrospectively across our customer base to identify …

Detecting and Combating Advanced Threats

Detecting and Combating Advanced Attacks: a Global Not-for-Profit’s Defense Strategy

Cory Bowline

Everyone knows advanced threats are extremely difficult to defend against. Nothing earth-shattering there. They leverage sophisticated tactics, techniques, and procedures (TTPs) to covertly harvest sensitive data, and are characterized by their ability to avoid detection. Most organizations say they are concerned about advanced attackers, but also question if they would ever be a target. But what about the organizations that …

Windows Registry Attacks

Windows Registry Attacks: Knowledge Is the Best Defense

Andy Rothman

Let’s talk about the Windows registry…yes, that mysterious and oh-so-dangerous piece of the Windows operating system that we were warned against messing with from the moment we booted up our first PC. Turns out, the Windows registry is not as scary as everyone makes it out to be. Granted, if you do not know what you are doing, there is ample …

Verclsid.exe: Red Canary Threat Detection #1737

Old Phishing Attacks Deploy a New Methodology: Verclsid.exe

Keshia LeVan, Michael Haag

Phishing is not exactly a new or groundbreaking attack method, but it’s an ongoing problem (likely because it’s effective and we all need e-mail). A wave of Hancitor malware spam campaigns recently hit many organizations. It’s your typical pattern: a non-descriptively named Microsoft Word document sent with email subject lines like “USPS” or “eFax” using macros and heavily obfuscated VBScript …

Whitelist Evasion Example

Whitelist Evasion Example: Threat Detection #723

Keshia LeVan

In my previous blog post on bypassing application whitelisting, I provided an overview of what application whitelisting is, why it’s effective, and how to look for signs that it’s being bypassed. Now, let’s dig deeper into a real-world example to illustrate what analysts and IT teams will see when monitoring endpoint behavior. Oftentimes when a built-in tool is being used …

Threat Detection

Attacking a Mac: Threat Detection #392

Frank McClain

Everyone, please take a deep breath and say it with me: “Macs are invulnerable to compromise.” Everyone knows that’s true, right? Attacking a Mac is impossible. Okay, well perhaps most of the population thinks that, but we are part of the uber-elite cyber-warriors that know better. All systems are vulnerable. Our Macs only get popped when we want them to, …

Ask Partner Network Compromise: Operational Lessons on Software Supply Chain Risk

Joe Moles

On 5 November, Red Canary detected suspicious activity associated with Windows applications distributed by the Ask Partner Network (a.k.a. APN,, or simply Ask). Upon further inspection, we discovered that Ask’s software was being co-opted by a malicious actor to execute malicious software on victims’ endpoints. Ask is self-described as providing “solutions to help software developers acquire and monetize users.” …