
A Major Cyber Threat Emerges with 131 Malicious Chrome Extensions Targeting WhatsApp Web
Indicators of Compromise
No domains found for this campaign
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATION
T1176.001 — Software Extensions: Browser Extensions

Data Source: Command | Data Component: Command Execution
Detects: Monitor executed commands and arguments for usage of the profiles tool, such as profiles install -type=configuration.
Analytic 1 - Look for command-line activity tied to mobileconfig or extension deployment
sourcetype=WinEventLog:Sysmon EventCode=1
(CommandLine="*profiles install*" OR CommandLine="*.mobileconfig*" OR CommandLine="*chrome-extension*")
| stats count by CommandLine, Image, ParentImage, User, Computer, _time
| sort -_time

Data Source: File | Data Component: File Creation
Detects: Monitor for:
- Newly written .crx, .xpi, or .mobileconfig files
- Modified .plist files under /Library/Managed Preferences/*/ (macOS)
- Creation of extensions under:
  - Chrome: AppData\Local\Google\Chrome\User Data\Default\Extensions
  - Firefox: %APPDATA%\Mozilla\Firefox\Profiles\*.default\extensions
Analytic 1 - Detect newly written config files
sourcetype=WinEventLog:Sysmon EventCode=11
(TargetFilename="*\Extensions\*" OR TargetFilename="*.crx" OR TargetFilename="*.xpi" OR TargetFilename="*.mobileconfig")
| stats count by TargetFilename, Image, User, Computer, _time
| sort -_time

Data Source: Network Traffic | Data Component: Network Connection Creation
Detects: Monitor for newly constructed network connections that are sent or received by untrusted hosts.

Data Source: Process | Data Component: Process Creation
Detects: Monitor for execution of chrome.exe, firefox.exe, or edge.exe with arguments like --load-extension, --pack-extension, or --disable-extensions-file-access-check. Monitor unexpected command-line installs or dev mode extensions.
Analytic 1 - browser execution
sourcetype=WinEventLog:Sysmon EventCode=1
(CommandLine="*--load-extension*" OR CommandLine="*--pack-extension*")
| stats count by Image, CommandLine, User, host, _time
| sort -_time

Data Source: Windows Registry | Data Component: Windows Registry Key Creation
Detects: Monitor for any new items written to the Registry or PE files written to disk that may correlate with browser extension installation.
- Chrome extension registry keys under: HKCU\Software\Google\Chrome\Extensions
- Firefox entries under: HKCU\Software\Mozilla\Firefox\Extensions
- Unexpected changes or new GUIDs
Analytic 1 - browser registry keys created
sourcetype=WinEventLog:Sysmon EventCode=13
(TargetObject="*\Software\Google\Chrome\Extensions\*" OR TargetObject="*\Software\Mozilla\Firefox\Extensions\*")
| stats count by TargetObject, Details, User, Computer, _time
| sort -_time
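The four Sysmon analytics above (command line, file creation, process flags, registry keys) can be exercised offline against a handful of events to see what each one catches and what it leaves for the analyst. The block below is an added example, not code from the page or from MITRE ATT&CK: it re-implements the Splunk wildcard filters in Python, runs them over constructed Sysmon-style events (the SID, user, host, extension ID and file paths are all made up), pulls the Chrome extension ID out of any matching path so it can be checked against an allow-list, and separates extension writes done by the browser itself from writes done by some other process. Note that Sysmon records HKCU keys as HKU\<SID>\..., which is why the registry analytic anchors on "*\Software\Google\Chrome\Extensions\*" rather than on "HKCU\".

```python
import fnmatch
import re

# Constructed Sysmon-style events (not real telemetry). EventCode 1 = process creation,
# 11 = file creation, 13 = registry value set. Field names mirror the analytics above.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}
SID = "HKU\\S-1-5-21-1111-2222-3333-1001"          # constructed SID (Sysmon renders HKCU this way)
EXT_ID = "abcdefghijklmnopabcdefghijklmnop"           # constructed extension ID: 32 chars from a-p
CHROME_EXT_DIR = "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\"

SAMPLE_EVENTS = [
    {"EventCode": 1, "_time": "2025-10-20T09:12:01", "User": "CORP\\alice", "Computer": "WS01",
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "ParentImage": "C:\\Users\\alice\\Downloads\\installer.exe",
     "CommandLine": "\"chrome.exe\" --load-extension=C:\\Users\\alice\\AppData\\Roaming\\wa-helper"},
    {"EventCode": 1, "_time": "2025-10-20T09:15:44", "User": "CORP\\alice", "Computer": "WS01",
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "\"chrome.exe\" --profile-directory=Default"},
    {"EventCode": 11, "_time": "2025-10-20T09:16:02", "User": "CORP\\alice", "Computer": "WS01",
     "Image": "C:\\Users\\alice\\Downloads\\installer.exe",
     "TargetFilename": CHROME_EXT_DIR + EXT_ID + "\\1.0_0\\manifest.json"},
    {"EventCode": 11, "_time": "2025-10-20T09:16:30", "User": "CORP\\alice", "Computer": "WS01",
     "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\alice\\Documents\\report.docx"},
    {"EventCode": 13, "_time": "2025-10-20T09:16:03", "User": "CORP\\alice", "Computer": "WS01",
     "Image": "C:\\Users\\alice\\Downloads\\installer.exe",
     "TargetObject": SID + "\\Software\\Google\\Chrome\\Extensions\\" + EXT_ID + "\\update_url",
     "Details": "https://updates.example.invalid/update.xml"},
]

# (EventCode, field, wildcard patterns) copied from the four analytics on the page.
ANALYTICS = {
    "cmdline_extension_deploy": (1, "CommandLine",
                                 ["*profiles install*", "*.mobileconfig*", "*chrome-extension*"]),
    "browser_extension_flags": (1, "CommandLine", ["*--load-extension*", "*--pack-extension*"]),
    "extension_file_written": (11, "TargetFilename",
                               ["*\\Extensions\\*", "*.crx", "*.xpi", "*.mobileconfig"]),
    "extension_registry_key": (13, "TargetObject",
                               ["*\\Software\\Google\\Chrome\\Extensions\\*",
                                "*\\Software\\Mozilla\\Firefox\\Extensions\\*"]),
}


def matches_any(value, patterns):
    """Splunk-style wildcard match: '*' is the only metacharacter, comparison is case-insensitive."""
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)


def run_analytics(events):
    """Return {analytic_name: [matching events]}, newest first (like `| sort -_time`)."""
    hits = {name: [] for name in ANALYTICS}
    for name, (code, field, patterns) in ANALYTICS.items():
        for ev in events:
            if ev.get("EventCode") == code and matches_any(ev.get(field, ""), patterns):
                hits[name].append(ev)
        hits[name].sort(key=lambda e: e["_time"], reverse=True)
    return hits


# Chrome extension IDs are 32 lowercase letters in the range a-p, so they are easy to
# carve out of a file path or registry key and compare with an allow-list.
EXT_ID_RE = re.compile(r"[\\/]([a-p]{32})(?=[\\/]|$)")


def extension_ids(events):
    ids = set()
    for ev in events:
        for field in ("TargetFilename", "TargetObject"):
            m = EXT_ID_RE.search(ev.get(field, ""))
            if m:
                ids.add(m.group(1))
    return sorted(ids)


def non_browser_writers(hits):
    """Extension-directory or extension-registry writes performed by something other than the
    browser itself. A Web Store install is written by the browser process; a separate
    installer doing it is the side-loading pattern that deserves triage."""
    out = []
    for name in ("extension_file_written", "extension_registry_key"):
        for ev in hits[name]:
            if ev["Image"].rsplit("\\", 1)[-1].lower() not in BROWSERS:
                out.append(ev)
    return out


if __name__ == "__main__":
    h = run_analytics(SAMPLE_EVENTS)
    for name, evs in h.items():
        print(f"{name}: {len(evs)} hit(s)")
    print("extension ids seen:", extension_ids(SAMPLE_EVENTS))
    print("non-browser writers:", [e["Image"] for e in non_browser_writers(h)])
```

On the constructed sample the `--load-extension` launch, the manifest.json write and the update_url registry value each fire one analytic, the benign Chrome launch and the .docx write fire none, and both extension writes come from installer.exe rather than chrome.exe. The extension ID carved from the path is what you would look up against the organisation's allow-list or the store listing; an ID that is not on either is the case to pull the extension directory for review.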
T1204 — User Execution
Data Source: Application Log | Data Component: Application Log Content
Detects: Monitor logs from applications to detect user-initiated actions such as opening malicious documents, clicking on phishing links, or executing downloaded malware.
Analytic 1 - Logs showing unexpected user actions triggering unusual processes.
sourcetype=application_log EventCode=1000 OR EventCode=1001
| search application IN ("winword.exe", "excel.exe", "chrome.exe", "firefox.exe", "adobe.exe", "zip.exe")
| stats count by application event_description
| where event_description IN ("opened document", "clicked link", "executed file")

Data Source: Command | Data Component: Command Execution
Detects: Detect commands triggered by users, especially related to decompression tools (e.g., zip files) that may unpack malicious payloads. This includes compression applications, such as those for zip files, that can be used to Deobfuscate/Decode Files or Information in payloads.
Analytic 1 - Command lines showing decompression or decoding actions.
sourcetype=WinEventLog:Powershell EventCode=4104
| search process_name IN ("powershell.exe", "cmd.exe", "zip.exe", "winrar.exe")
| stats count by process_name command_line user
| where command_line LIKE "%unzip%" OR command_line LIKE "%decode%"

Data Source: Container | Data Component: Container Creation
Detects: Monitor for newly constructed containers that may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.
Analytic 1 - Containers communicating with unexpected external services.
sourcetype=container_creation OR sourcetype=container_start
| stats count by container_name event_description user
| where container_name NOT IN ("") AND event_description IN ("created", "started")

Data Source: Container | Data Component: Container Start
Detects: Monitor for the activation or invocation of a container (ex: docker start or docker restart).

Data Source: File | Data Component: File Creation
Detects: Anti-virus can potentially detect malicious documents and files that are downloaded and executed on the user's computer. Endpoint sensing or network sensing can potentially detect malicious events once the file is opened (such as a Microsoft Word document or PDF reaching out to the internet or spawning powershell.exe).

Data Source: Image | Data Component: Image Creation
Detects: Monitor for newly constructed images that may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.

Data Source: Instance | Data Component: Instance Creation
Detects: Monitor for newly constructed instances that may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel.

Data Source: Instance | Data Component: Instance Start
Detects: Monitor for the activation or invocation of an instance (ex: instance.start within GCP Audit Logs).

Data Source: Network Traffic | Data Component: Network Connection Creation
Detects: Monitor network traffic patterns associated with web-based user actions, such as clicking on phishing links or executing malware that tries to establish C2 communication.
Analytic 1 - Web-based network connections to suspicious destinations.
sourcetype=sysmon EventCode=3
| search process_name IN ("winword.exe", "chrome.exe", "firefox.exe")
| stats count by src_ip dest_ip dest_port process_name
| where dest_ip NOT IN ("")

Data Source: Network Traffic | Data Component: Network Traffic Content
Detects: Monitor and analyze traffic patterns and packet inspection associated with web-based network connections that are sent to malicious or suspicious destinations (e.g. destinations attributed to phishing campaigns). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments (e.g. monitor anomalies in use of files that do not normally initiate network connections or unusual connections initiated by regsvr32.exe, rundll.exe, .SCF, HTA, MSI, DLLs, or msiexec.exe).

Data Source: Process | Data Component: Process Creation
Detects: Identify processes spawned by user actions, especially from Office documents, PDFs, or web browsers that could lead to malicious execution.
Analytic 1 - Processes created from user interaction with files.
((sourcetype=WinEventLog:Security EventCode=4688) OR (sourcetype=Sysmon EventCode=1))
| search parent_process IN ("winword.exe", "excel.exe", "chrome.exe", "firefox.exe")
| stats count by parent_process process_name command_line user
| where process_name NOT IN ("chrome.exe", "firefox.exe", "winword.exe", "excel.exe")
T1059.007 — Command and Scripting Interpreter: JavaScript
Data Source: Command | Data Component: Command Execution
Detects: Scripting execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other programmable post-compromise behaviors and could be used as indicators of detection leading back to the source. Monitor for execution of JXA through osascript and usage of the OSAScript API that may be related to other suspicious behavior occurring on the system.

Data Source: Module | Data Component: Module Load
Detects: Monitor for the loading of modules associated with scripting languages (ex: JScript.dll).

Data Source: Process | Data Component: Process Creation
Detects: Monitor for events associated with scripting execution, such as process activity, usage of the Windows Script Host (typically cscript.exe or wscript.exe), and file activity involving scripts.

Data Source: Script | Data Component: Script Execution
Detects: Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
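The T1204 process-creation analytic above (children of winword.exe, excel.exe, chrome.exe or firefox.exe that are not those apps themselves) and the T1059.007 guidance on Windows Script Host (cscript.exe/wscript.exe) are two views of the same chain: a user-facing application spawns a script host, which spawns whatever the script does next. The block below is an added example, not code from the page or from MITRE ATT&CK. It works on constructed process-creation records whose field names (pid, ppid, image, cmdline) are our own normalisation rather than the raw Sysmon or Security 4688 schema, applies the parent/child filter, and then walks the parent links so a finding carries its full descent back to the browser or Office process rather than being judged in isolation.

```python
import re

# Parents the page's analytic treats as user-facing launch points, and the Windows Script
# Host binaries that execute JScript/JavaScript locally (T1059.007).
USER_FACING = {"winword.exe", "excel.exe", "chrome.exe", "firefox.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A .js/.jse/.wsf argument on the script host's command line, quoted or not.
SCRIPT_ARG_RE = re.compile(r'"?([^\s"]+\.(?:js|jse|wsf))"?(?=\s|$)', re.IGNORECASE)

# Constructed process-creation records (field names are our normalisation, not a raw schema).
SAMPLE_PROCS = [
    {"pid": 1200, "ppid": 800, "time": "09:00:00", "user": "CORP\\alice",
     "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 2400, "ppid": 1200, "time": "09:01:10", "user": "CORP\\alice",
     "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "cmdline": "chrome.exe"},
    {"pid": 2500, "ppid": 2400, "time": "09:01:11", "user": "CORP\\alice",   # browser's own child
     "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "cmdline": "chrome.exe --type=renderer"},
    {"pid": 3100, "ppid": 2400, "time": "09:07:42", "user": "CORP\\alice",   # WSH spawned by browser
     "image": "C:\\Windows\\System32\\wscript.exe",
     "cmdline": "wscript.exe \"C:\\Users\\alice\\Downloads\\invoice.js\""},
    {"pid": 3200, "ppid": 3100, "time": "09:07:43", "user": "CORP\\alice",   # what the script ran
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -File C:\\Users\\alice\\AppData\\Local\\Temp\\stage.ps1"},
    {"pid": 4100, "ppid": 1200, "time": "09:30:00", "user": "CORP\\alice",   # ordinary Word launch
     "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n report.docx"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def index_by_pid(procs):
    return {p["pid"]: p for p in procs}


def ancestry(proc, by_pid):
    """[proc, parent, grandparent, ...]; stops at an unknown ppid or a pid loop."""
    chain, seen, cur = [], set(), proc
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(cur)
        cur = by_pid.get(cur["ppid"])
    return chain


def user_execution_children(procs):
    """T1204 analytic: processes whose parent is a user-facing app but which are not that app."""
    by_pid = index_by_pid(procs)
    out = []
    for p in procs:
        parent = by_pid.get(p["ppid"])
        if parent and basename(parent["image"]) in USER_FACING \
                and basename(p["image"]) not in USER_FACING:
            out.append(p)
    return out


def chain_to_user_app(proc, by_pid):
    """Image basenames from proc up to and including the nearest user-facing ancestor,
    or None if proc is itself such an app or has no such ancestor. The chain is what
    separates 'chrome -> wscript -> powershell' from an unrelated powershell launch."""
    names = [basename(a["image"]) for a in ancestry(proc, by_pid)]
    if names[0] in USER_FACING:
        return None
    for i, n in enumerate(names[1:], start=1):
        if n in USER_FACING:
            return names[: i + 1]
    return None


def script_host_executions(procs):
    """T1059.007 analytic: WSH given a script file, annotated with its user-facing origin."""
    by_pid = index_by_pid(procs)
    findings = []
    for p in procs:
        if basename(p["image"]) not in SCRIPT_HOSTS:
            continue
        m = SCRIPT_ARG_RE.search(p["cmdline"])
        if not m:
            continue
        chain = chain_to_user_app(p, by_pid)
        findings.append({"pid": p["pid"], "user": p["user"], "script": m.group(1),
                         "origin": chain[-1] if chain else None})
    return findings


if __name__ == "__main__":
    by_pid = index_by_pid(SAMPLE_PROCS)
    for p in user_execution_children(SAMPLE_PROCS):
        print("user-execution child:", basename(p["image"]), "chain:", chain_to_user_app(p, by_pid))
    for f in script_host_executions(SAMPLE_PROCS):
        print("script host:", f)
    print("descent of pid 3200:", chain_to_user_app(by_pid[3200], by_pid))
```

On the sample, the only T1204 hit is wscript.exe under chrome.exe; the renderer child is excluded because it is the browser itself, and the Word launch is excluded because explorer.exe is not a user-facing parent in the analytic. The PowerShell process would not match the analytic on its own, but its chain resolves to powershell.exe, wscript.exe, chrome.exe, which is the context an analyst needs. In production the child set needs an allow-list for the benign helpers these applications routinely spawn (print spoolers, updaters, protocol handlers), otherwise the filter is too noisy to page on.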
T1217 — Browser Information Discovery
Data Source: Command | Data Component: Command Execution
Detects: Monitor executed commands and arguments for actions that could be taken to gather browser information, such as local files and databases (e.g., %APPDATA%/Google/Chrome).[2] Remote access tools with built-in features may interact directly using APIs to gather information. Information may also be acquired through system management tools such as Windows Management Instrumentation and PowerShell.

Data Source: File | Data Component: File Access
Detects: Monitor for unusual access to stored browser data, such as local files and databases (e.g., %APPDATA%/Google/Chrome).[2] Rather than viewing these events in isolation, this activity may highlight a chain of behavior that could lead to other activities, such as Collection and Exfiltration.

Data Source: Process | Data Component: Process Creation
Detects: Monitor for processes with arguments that may be associated with gathering browser information, such as local files and databases (e.g., %APPDATA%/Google/Chrome).[2]
T1005 — Data from Local System

Data Source: Command | Data Component: Command Execution
Detects: Monitor executed commands and arguments that may search and collect local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.

Data Source: File | Data Component: File Access
Detects: Monitor for unexpected/abnormal access to files that may be malicious collection of local data, such as user files (.pdf, .docx, .jpg, etc.) or local databases. On ESXi servers, this may include .vmdk and .vmsn files in the /vmfs/volumes directory.

Data Source: Process | Data Component: OS API Execution
Detects: Monitor for API calls that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.

Data Source: Process | Data Component: Process Creation
Detects: Monitor for newly executed processes that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.

Data Source: Script | Data Component: Script Execution
Detects: Monitor for any attempts to enable scripts running on a system that would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
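The T1217 file-access row (unusual access to stored browser data under the Chrome profile) and the T1005 file-access row (abnormal collection of local files and databases) both come down to the same question: which process is reading the browser's credential and session stores, and how many of them in how short a window. The block below is an added example, not code from the page or from MITRE ATT&CK. It runs over constructed file-access telemetry of the kind an EDR file-read sensor emits (Sysmon itself does not log reads); the Chrome root is the AppData\Local\Google\Chrome\User Data path the page names, the Firefox profile root and the list of sensitive store files are standard locations, the sensitivity weights and the backupagent.exe allow-list entry are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Profile roots as lower-cased path fragments, matched as substrings of a normalised path.
PROFILE_ROOTS = {
    "chrome": ["\\appdata\\local\\google\\chrome\\user data\\"],
    "firefox": ["\\appdata\\roaming\\mozilla\\firefox\\profiles\\"],
}
# Credential/session stores inside a profile, with a sensitivity weight (our own tiering).
SENSITIVE_FILES = {
    "login data": 3, "cookies": 3, "local state": 2, "web data": 2, "history": 1,   # Chrome
    "logins.json": 3, "key4.db": 3, "cookies.sqlite": 3, "places.sqlite": 1,        # Firefox
}
EXPECTED_READERS = {"chrome.exe": "chrome", "firefox.exe": "firefox"}
ALLOWLIST = {"backupagent.exe"}   # hypothetical enterprise backup tool that legitimately reads profiles

# Constructed file-access events; user, paths, times and process names are all made up.
U = "C:\\Users\\alice\\"
CHROME = U + "AppData\\Local\\Google\\Chrome\\User Data\\"
HELPER = U + "AppData\\Roaming\\wa-helper\\updater.exe"
SAMPLE_ACCESS = [
    {"time": "2025-10-20T10:00:01", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "path": CHROME + "Default\\Login Data"},
    {"time": "2025-10-20T10:00:05", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "path": U + "AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abcd1234.default-release\\places.sqlite"},
    {"time": "2025-10-20T10:02:00", "image": "C:\\Program Files\\BackupAgent\\backupagent.exe",
     "path": CHROME + "Default\\Network\\Cookies"},
    {"time": "2025-10-20T10:05:00", "image": "C:\\Windows\\System32\\SearchIndexer.exe",
     "path": CHROME + "Default\\History"},
    {"time": "2025-10-20T10:09:00", "image": "C:\\Windows\\explorer.exe",
     "path": U + "Documents\\report.docx"},
    {"time": "2025-10-20T10:12:00", "image": HELPER, "path": CHROME + "Local State"},
    {"time": "2025-10-20T10:12:01", "image": HELPER, "path": CHROME + "Default\\Login Data"},
    {"time": "2025-10-20T10:12:01", "image": HELPER, "path": CHROME + "Default\\Network\\Cookies"},
    {"time": "2025-10-20T10:12:02", "image": HELPER, "path": CHROME + "Default\\History"},
]


def profile_file(path):
    """(browser, lower-cased file name) when path lies inside a browser profile root, else None."""
    p = path.lower()
    for browser, roots in PROFILE_ROOTS.items():
        if any(r in p for r in roots):
            return browser, p.rsplit("\\", 1)[-1]
    return None


def suspicious_reads(events):
    """T1217 analytic: profile-store reads by a process that is neither the owning browser
    nor an allow-listed tool. Each finding carries the file's sensitivity score."""
    out = []
    for ev in events:
        hit = profile_file(ev["path"])
        if not hit:
            continue
        browser, fname = hit
        proc = ev["image"].rsplit("\\", 1)[-1].lower()
        if EXPECTED_READERS.get(proc) == browser or proc in ALLOWLIST:
            continue
        out.append({**ev, "browser": browser, "file": fname, "score": SENSITIVE_FILES.get(fname, 0)})
    return out


def collection_bursts(findings, window_s=30, min_score=4):
    """T1005 view: per process, sum the sensitivity of distinct store files read within
    window_s seconds of its first read. A high sum in a short window is the mass-collection
    pattern; a single low-value read (an indexer touching History) stays below threshold."""
    by_proc = defaultdict(list)
    for f in findings:
        by_proc[f["image"]].append(f)
    bursts = {}
    for image, fs in by_proc.items():
        fs.sort(key=lambda f: f["time"])
        start = datetime.fromisoformat(fs[0]["time"])
        in_window = [f for f in fs
                     if datetime.fromisoformat(f["time"]) - start <= timedelta(seconds=window_s)]
        files = {f["file"]: f["score"] for f in in_window}
        score = sum(files.values())
        if score >= min_score:
            bursts[image] = {"score": score, "files": sorted(files)}
    return bursts


if __name__ == "__main__":
    findings = suspicious_reads(SAMPLE_ACCESS)
    for f in findings:
        print(f"{f['time']} {f['image']} read {f['browser']} {f['file']} (score {f['score']})")
    print("bursts:", collection_bursts(findings))
```

On the sample, the browsers reading their own stores and the allow-listed backup agent produce nothing; SearchIndexer.exe reading History is recorded as a low-score finding but never reaches the burst threshold; the updater under the user's roaming profile reads Local State, Login Data, Cookies and History within two seconds and scores 9, which is the chain of behaviour the T1217 row says to look for rather than the individual events.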