Hello, welcome to the Thursday, May 16th, 2019 edition of the Santernet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Magecard is in the news again.

The name Magecard refers to a group or groups that inject keystroke

loggers into checkout pages using JavaScript. The script is usually added either as part

of a legitimate set of JavaScripts that the website includes or named to fit in with the naming

scheme of other JavaScript libraries.

In this case, the domain name used to exfiltrate the stolen data was selected to mimic

the popular Fund Awesome library.

The X-Fill domain has been taken down by now, but as I am recording this, the link to it and some of the malicious code that is found on the Forbes website apparently is still there.

For a long time now, attackers have taken advantage of command control channels over TLS to encrypt their communications.

Now, as a countermeasure monitoring systems try to fingerprint TLS connections to detect anomalies in TLS options and ciphers.

Indicators of compromise distributed to detect malware command control channels then often include

these TLS fingerprints that are unique for a particular piece of malware.

Akamai is now reporting that some malware is actively tampering with TLS parameters to randomize

ciphers in order to evade this type of detection.

Now Akamai calls this technique cipher stunting.

Personally, I'm not sure how effective this technique is if it's used against the

network that actually watches for anomalous TLS fingerprints. The randomized ciphers, I would

think they're actually easier to spot than if Malware is really just trying to impersonate a popular web browser

or other software that is typically whitelisted or known as normal.

And it's typically not all that hard to do.

...