
Digital Pickpockets: Inside the Massive Malware Campaign Targeting Magento
Indicators of Compromise
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATION REF
T1189-Drive-by Compromise
ID | Data Source | Data Component | Detects |
Firewalls and proxies can inspect URLs for potentially known-bad domains or parameters. They can also do reputation-based analytics on websites and their requested resources such as how old a domain is, who it's registered to, if it's on a known bad list, or how many other users have connected to it before. | |||
Monitor for newly constructed files written to disk to gain access to a system through a user visiting a website over the normal course of browsing. | |||
Monitor for newly constructed network connections to untrusted hosts that are used to send or receive data. | |||
Monitor for other unusual network traffic that may indicate additional tools transferred to the system. Use network intrusion detection systems, sometimes with SSL/TLS inspection, to look for known malicious scripts (recon, heap spray, and browser identification scripts have been frequently reused), common script obfuscation, and exploit code. | |||
Look for behaviors on the endpoint system that might indicate successful compromise, such as abnormal behaviors of browser processes. This could include suspicious files written to disk, evidence of Process Injection for attempts to hide execution, or evidence of Discovery. |
T1056-Input Capture
ID | Data Source | Data Component | Detects |
Monitor for unusual kernel driver installation activity | |||
Monitor for changes made to files for unexpected modifications to access permissions and attributes | |||
Monitor for API calls to SetWindowsHook, GetKeyState, and GetAsyncKeyState [7] | |||
Monitor for newly executed processes conducting malicious activity | |||
Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. | |||
Monitor for changes made to windows registry keys or values for unexpected modifications |
T1567-Exfiltration Over Web Service (T1567)
ID | Data Source | Data Component | Detects |
Review logs for SaaS services, including Office 365 and Google Workspace, to detect the configuration of new webhooks or other features that could be abused to exfiltrate data. | |||
Monitor executed commands and arguments that may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. | |||
Monitor for files being accessed by an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. | |||
Monitor for newly constructed network connections to web and cloud services associated with abnormal or non-browser processes. | |||
Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). | |||
Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. |