
ShadowExtension: Chrome-Based BlackStink Campaign Targets Latin American Banks
Indicators of Compromise
No domains found for this campaign
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
T1056.001 – Input Capture: Keylogging
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| | | | Monitor executed commands and arguments associated with modifications to variables and files associated with loading shared libraries, such as LD_PRELOAD on Linux and DYLD_INSERT_LIBRARIES on macOS. |
| | | | Monitor for unusual kernel driver installation activity. Analytic 1 - Unexpected kernel driver installations: `index=security sourcetype="WinEventLog:System" EventCode=7045 \| where match(Service_Name, "(?i)(keylogger\|input\|capture\|sniff\|monitor\|keyboard\|logger\|driver)")` |
| | | | Monitor for newly constructed files that are added to absolute paths of shared libraries, such as LD_PRELOAD on Linux (for example /etc/ld.so.preload) and DYLD_INSERT_LIBRARIES on macOS. |
| | | | Monitor for API calls to SetWindowsHook, GetKeyState, and GetAsyncKeyState. |
T1552.001 – Unsecured Credentials: Credentials In Files
| ID | Data Source | Data Component | Detects |
|---|---|---|---|
| | | | Monitor executed commands and arguments of executing processes for suspicious words or regular expressions that may indicate searching for a password (for example: password, pwd, login, secure, or credentials). Analytic 1 - Commands indicating credential searches in files: `(index=security sourcetype="Powershell" EventCode=4104 CommandLine="password" OR CommandLine="credential") OR (index=sysmon sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 CommandLine="password" OR CommandLine="credential") OR (index=os sourcetype="linux_audit" action="execve" CommandLine="password" OR CommandLine="credential")` |