Charcoal Stork
Named by Red Canary, Charcoal Stork is a suspected pay-per-install (PPI) content provider that uses malvertising to deliver installers, often masquerading as cracked games, fonts, or desktop wallpaper.
Overall rank: #1
Customers affected: 14.9%
Threat Sounds
Our most prevalent threat of the year is more notable for its sheer numbers than any novel capabilities, but this suspected pay-per-installer can certainly drop some biting payloads.
Analysis
The birth of Charcoal Stork
Charcoal Stork is a suspected pay-per-install (PPI) provider that first drew our attention in 2022 when it began delivering ChromeLoader. In the months since, we have observed this initial access threat deliver multiple payloads, including SmashJacker and VileRAT, and research from other vendors suggests several other payloads have been observed as well. Throughout 2023, Charcoal Stork was far and away the most prevalent threat we detected, easily placing in the top spot of our annual prevalence rankings.
We first noticed Charcoal Stork in 2022 when ChromeLoader, a browser hijacker that also cracked our top 10 in 2023, first appeared in the wild. Following Tony Lambert's signature "Cotton-Eye Joe" approach to analyzing threats, we looked at ChromeLoader and asked ourselves "Where did you come from?" Pulling that thread led us to an interesting pattern of files masquerading as cracked games and software or wallpaper downloads. The same hash would appear on VirusTotal under many different filenames, including the common name "your file is ready to download".
Early Charcoal Stork samples were ISO files whose payloads led to multiple phases, including a NodeJS-based app and PowerShell commands to achieve persistence and install ChromeLoader. Public reporting captured this entire sequence of activity as ChromeLoader; internally, however, we tracked the initial lure and dropper separately from the payload in order to determine whether multiple actors might be involved. Tracking browser hijackers might not sound glamorous, but the sheer volume and delivery success of Charcoal Stork could not be ignored.
Special deliveries
In 2023, Charcoal Stork payloads began to evolve in ways that provided additional insight into how these pieces were related. In addition to the ISO files delivered in 2022, we observed Charcoal Stork delivering a variety of file types, including VBS files in late 2022 and early 2023, and MSI and EXE files later in 2023.
Starting in March we saw a new payload, named SmashJacker by researchers at ConnectWise. Analysis of SmashJacker and ChromeLoader MSI files delivered via concurrent Charcoal Stork campaigns showed several distinctions that led us to suspect Charcoal Stork is a pay-per-install (PPI) provider responsible for the file naming and for the SEO and/or malvertising that gets the click, while the payloads are built by others. Namely, ChromeLoader's MSI was built using Advanced Installer and installed a NodeJS application in order to deliver a malicious browser extension. SmashJacker was not built with Advanced Installer and instead installs a trojanized version of 7-Zip, which in turn installs the malicious extension.
In August 2023 we saw Charcoal Stork deliver EXE files leading to more concerning malware such as VileRAT, a Python RAT reportedly used exclusively by DeathStalker. Previous reporting states that DeathStalker targets the financial technology sector very narrowly. However, Red Canary observed a Charcoal Stork campaign delivering VileRAT that affected several dozen organizations across a broad range of industries. Around this time, we also noticed the "your file is ready to download" name being phased out in favor of the more generic name "install".
Charcoal Stork campaigns are distinguished by the same binary hash appearing under many different names. In 2023, we detected an average of 11 different victims per unique Charcoal Stork hash. However, in one campaign we detected the same hash in over 200 different victim environments. The success of these campaigns is likely due to the variety of lures, ranging from popular games or streaming options (we observed multiple NFL live stream-themed lures around the start of football season) to wallpaper or other popular download items.
Here is a small sample of the variety of filenames we observed for a single hash during a campaign:
5000x3533 technology wallpaper (1).exe
where in the world is carmen sandiego deluxe.exe
1920x1080 sage green wallpaper in 2021. sage gr...exe
1036x1280 mahadev hd amoled wallpaper__.exe
winnie-the-pooh_ blood and honey.exe
sin confirmar 432628.crdownload
your file is ready to download (1).msi
The_social_dilemma_2020_1080p_nf_webrip_ddp5_1____.exe
portfolio ___.1natazgl.exe.part
portfolio ___.exe
bluey font (1).exe
portfolio ___(1).exe
bluey font.exe
file_ fallout_v2_1_0_18_zip ___ (1).exe
barbie (1).exe
carolina panthers live stream.exe
scarlip - no statements ( instrumental ).exe
carolina panthers live stream (1).exe
how to make a living trading foreign exchange p___.exe
top gear uk season 10eps10.tmp
736x1104 coachella 2018 wallpaper.tmp
install (4).exe
install (3).exe
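The pattern above (one hash, many lure-themed names, often with the "(1)" duplicate-download suffix or a browser's partial-download extension) is something you can hunt for in file-write telemetry. The script below is an added example, not Red Canary tooling: it collapses duplicate and partial-download variants of a filename into one lure key, tags each name with the lure traits the report describes, and flags hashes seen under many unrelated lures across many hosts. The telemetry is constructed, the SHA-256 values are placeholders rather than real indicators, and the thresholds are assumptions to tune against your own data.

```python
"""Hunt for the Charcoal Stork delivery pattern: one binary hash under many lure-like names.

Added example, not Red Canary tooling. The telemetry below is constructed and the
SHA-256 values are placeholders, not real Charcoal Stork indicators.
"""
import re
from collections import defaultdict

# Lure families called out in the report: wallpaper resolutions, game/stream/font bait,
# the generic "install" / "your file is ready to download" names, and the suffixes a
# browser adds to duplicate downloads ("(1)") or in-progress ones (.crdownload/.part/.tmp).
WALLPAPER_DIMS = re.compile(r"\b\d{3,4}x\d{3,4}\b")
LURE_WORDS = re.compile(r"\b(wallpaper|live stream|font|crack|keygen|webrip|1080p|install)\b", re.I)
GENERIC_NAMES = re.compile(r"^(install|your file is ready to download)$")
DUP_SUFFIX = re.compile(r" \(\d+\)(?=\.[^.]+$)")
PARTIAL_EXT = re.compile(r"\.(crdownload|part|tmp)$", re.I)
FINAL_EXT = re.compile(r"\.[^.]+$")


def canonical_lure(filename: str) -> str:
    """Collapse duplicate-download and partial-download variants of one lure into one key.

    'bluey font (1).exe', 'bluey font.exe' -> 'bluey font'
    'top gear uk season 10eps10.tmp'       -> 'top gear uk season 10eps10'
    """
    name = PARTIAL_EXT.sub("", filename.strip().lower())
    name = DUP_SUFFIX.sub("", name)
    return FINAL_EXT.sub("", name)


def lure_features(filename: str) -> set:
    """Tag a filename with the lure/download traits seen in Charcoal Stork campaigns."""
    feats = set()
    stripped = PARTIAL_EXT.sub("", filename)
    if WALLPAPER_DIMS.search(filename):
        feats.add("wallpaper_dims")
    if LURE_WORDS.search(filename):
        feats.add("lure_word")
    if GENERIC_NAMES.match(canonical_lure(filename)):
        feats.add("generic_name")
    if DUP_SUFFIX.search(stripped):
        feats.add("dup_download")
    if stripped != filename:
        feats.add("partial_download")
    return feats


def summarize_by_hash(events):
    """Group file-write events by SHA-256: distinct names, collapsed lures, hosts, traits."""
    per_hash = defaultdict(lambda: {"filenames": set(), "lures": set(), "hosts": set(), "features": set()})
    for ev in events:
        rec = per_hash[ev["sha256"]]
        rec["filenames"].add(ev["filename"])
        rec["lures"].add(canonical_lure(ev["filename"]))
        rec["hosts"].add(ev["host"])
        rec["features"] |= lure_features(ev["filename"])
    return per_hash


def find_candidates(events, min_lures=5, min_hosts=3):
    """Hashes seen under many unrelated lure names on many hosts, most widespread first.

    Thresholds are assumptions to tune; the report cites an average of 11 victims per hash.
    A hash on many hosts under ONE name (a normal software rollout) does not qualify.
    """
    hits = []
    for sha, rec in summarize_by_hash(events).items():
        if len(rec["lures"]) >= min_lures and len(rec["hosts"]) >= min_hosts:
            hits.append({"sha256": sha, "filenames": len(rec["filenames"]),
                         "lures": len(rec["lures"]), "hosts": len(rec["hosts"]),
                         "features": sorted(rec["features"])})
    return sorted(hits, key=lambda h: (h["lures"], h["hosts"]), reverse=True)


# Constructed telemetry (host, sha256, filename). Campaign names are taken from the list
# above; the hashes are placeholders, not real indicators.
CAMPAIGN_HASH = "a" * 64   # one EXE dropped under many lure names
SMALL_HASH = "b" * 64      # an MSI seen on too few hosts to clear the default threshold
BENIGN_HASH = "c" * 64     # a real installer rolled out broadly under a single name
CAMPAIGN_FILENAMES = [
    "5000x3533 technology wallpaper (1).exe",
    "where in the world is carmen sandiego deluxe.exe",
    "bluey font (1).exe",
    "bluey font.exe",
    "carolina panthers live stream.exe",
    "carolina panthers live stream (1).exe",
    "top gear uk season 10eps10.tmp",
    "install (4).exe",
    "install (3).exe",
    "portfolio ___.exe",
    "barbie (1).exe",
]
CONSTRUCTED_EVENTS = (
    [{"host": f"ws{i:02d}", "sha256": CAMPAIGN_HASH, "filename": n}
     for i, n in enumerate(CAMPAIGN_FILENAMES)]
    + [{"host": "ws50", "sha256": SMALL_HASH, "filename": "your file is ready to download.msi"},
       {"host": "ws50", "sha256": SMALL_HASH, "filename": "your file is ready to download (1).msi"},
       {"host": "ws51", "sha256": SMALL_HASH, "filename": "install.msi"}]
    + [{"host": f"ws{i:02d}", "sha256": BENIGN_HASH, "filename": "7z2301-x64.exe"}
       for i in range(60, 100)]
)

if __name__ == "__main__":
    for hit in find_candidates(CONSTRUCTED_EVENTS):
        print(f"{hit['sha256'][:12]}... {hit['filenames']} names / {hit['lures']} lures "
              f"on {hit['hosts']} hosts; traits: {', '.join(hit['features'])}")
```

With the default thresholds only the campaign hash is reported: the widely deployed 7-Zip installer is on 40 hosts but under a single name, so host count alone never fires, and the MSI cluster has the right naming traits but too few hosts. Lowering the thresholds surfaces the MSI cluster too, which is the trade-off to make deliberately when a new campaign is just starting.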
Making sense of grey areas
Our understanding of Charcoal Stork continues to evolve. We have observed this threat exhibit massive spikes in activity during active campaigns, followed by lulls when we are uncertain where it has gone. The majority of the Charcoal Stork threats we detected in 2023 came in April and September, and while we continued to see a lower volume of activity through the end of the year, it has mostly been related to older campaigns. We spoke about some of our intelligence gaps regarding this threat in our September 2023 Intelligence Insights, and we want to echo that call for collaboration:
If you are also tracking an aspect of Charcoal Stork, we would appreciate the opportunity to collaborate as we seek to better understand this threat. (Please send us an email!)
Despite our many gaps, Charcoal Stork was far and away our most prevalent threat in 2023, nearly three times as prevalent as the next most common threat. This emphasizes the importance of continuing to track this cluster.
Take action
Because Charcoal Stork's success relies on user interaction, educating users about the risks of ads and of downloading wallpaper and cracked games on company computers is a first line of defense. However, as the volume of Charcoal Stork downloads we saw this year indicates, there will always be users who click. Using an ad blocker can help reduce the risk of malicious downloads from malvertising. Application allowlisting is another effective strategy to reduce the risk of rogue downloads, although it can be hard to distinguish this activity from legitimate software installations, since the lures arrive as ordinary-looking EXE and MSI installers. A focus on behavioral detection of the malware delivered by Charcoal Stork is therefore a good defense-in-depth strategy.
Detection opportunities
See the ChromeLoader and SmashJacker sections of this report for detection guidance.
Testing
See the ChromeLoader and SmashJacker sections of this report for testing guidance.