
Shadow Code Campaign: North Korean Hackers Target Developers with Malicious NPM Packages
REMEDIATION
T1027 - Obfuscated Files or Information
| ID | Data Source | Data Component | Detects |
| --- | --- | --- | --- |
| | | | Monitor executed commands and arguments for indicators of obfuscation and potentially suspicious syntax such as uninterpreted escape characters (e.g., ^). Also monitor command-lines for syntax-specific signs of obfuscation, such as variations of arguments associated with encoding. |
| | | | Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system). |
| | | | Monitor for contextual data about a file, which may include information such as name, the content (e.g., signature, headers, or data/media), user/owner, permissions, etc. File-based signatures may be capable of detecting code obfuscation depending on the methods used.[177][178][179] |
| | | | Monitoring module loads, especially those not explicitly included in import tables, may highlight obfuscated code functionality. Dynamic malware analysis may also expose signs of code obfuscation.[178] |
| | | | Monitor and analyze calls to functions such as GetProcAddress() that are associated with malicious code obfuscation.[177] |
| | | | Monitor for newly executed processes that may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. |
| | | | Monitor executed scripts for indicators of obfuscation and potentially suspicious command syntax, such as uninterpreted escape characters (e.g., ^). Also monitor commands within scripts for syntax-specific signs of obfuscation, such as encoded or otherwise unreadable blobs of characters. |
| | | | Monitor for the creation of Registry values that may highlight storage of malicious data such as commands or payloads. |
| | | | Monitor for the creation of WMI Objects and values that may highlight storage of malicious data such as commands or payloads. |
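The command-execution and script-execution rows above name three observable indicators: uninterpreted escape characters, encoding-related arguments, and unreadable blobs of characters. The following heuristic applies all three to process-creation command lines and decodes a PowerShell-style UTF-16LE payload so an analyst can see what it carried. This is an added example, not code from the original page or from the campaign report; the regexes, the indicator names and the sample command lines are assumptions constructed for it.

```python
"""Heuristic detector for the T1027 command-line indicators above: carets splitting a token,
PowerShell encoded-command arguments, and base64 blobs that decode to text. Samples are constructed."""
import base64
import re

CARET_SPLIT = re.compile(r"[A-Za-z0-9]\^[A-Za-z0-9]")  # e.g. p^o^w^e^r^s^h^e^l^l
# -e, -ec, -en, -enc or -EncodedCommand as a whole token (prefixes PowerShell accepts)
ENCODED_ARG = re.compile(r"(?i)(?<!\S)-e(?:c|n|nc|ncodedcommand)?(?=\s)")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # "unreadable blob of characters"

def decode_if_text(blob):
    """Plaintext of a base64 blob if it holds printable text, else None."""
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
    except ValueError:
        return None
    # -EncodedCommand payloads are UTF-16LE: ASCII text then has a zero byte at every odd offset.
    enc = "utf-16-le" if len(raw) % 2 == 0 and not any(raw[1::2]) else "ascii"
    try:
        text = raw.decode(enc)
    except UnicodeDecodeError:
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None

def obfuscation_indicators(cmdline):
    """Indicator names that fired for one command line, plus any decoded payload text."""
    hits, decoded = [], None
    if CARET_SPLIT.search(cmdline):
        hits.append("caret_escape")
    if ENCODED_ARG.search(cmdline):
        hits.append("encoded_argument")
    for blob in B64_BLOB.findall(cmdline):
        decoded = decode_if_text(blob)
        if decoded is not None:
            hits.append("base64_blob")
            break
    return {"indicators": hits, "decoded": decoded}

def scan_events(events):
    # (cmdline, result) pairs for every event that showed at least one indicator
    return [(e, r) for e in events for r in [obfuscation_indicators(e)] if r["indicators"]]

# Constructed process-creation command lines: two benign, two obfuscated.
SAMPLE_EVENTS = [
    "npm install express", 'git commit -m "fix build"',
    "cmd.exe /c p^o^w^e^r^s^h^e^l^l -nop -w hidden",
    "powershell.exe -nop -w hidden -enc "
    + base64.b64encode("Write-Host 'constructed sample payload'".encode("utf-16-le")).decode(),
]

for cmdline, result in scan_events(SAMPLE_EVENTS):
    print(result["indicators"], cmdline, result["decoded"])
```

The caret and prefix-argument checks are deliberately loose and will fire on some legitimate batch files, so treat a hit as a triage signal to correlate with the file, module-load and registry rows rather than as a verdict on its own.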