When threat hunting, it’s important to be thorough and not take things at first glance. With many free automated malware analysis and sandbox environments available, the barrier for threat analysis has been lowered. Though these products are excellent tools in the effort to combat malware, and while educating more users to take steps for their own security is always encouraged, the fact is that sometimes malicious artifacts can escape conviction. These type of products allow the upload of files and URLs and rely on a series of techniques and systems to evaluate the uploaded content. The techniques that these environments use vary, and may produce unexpected results while submitting things that are known to be malicious. One way to counteract this, is for users to work with the most discrete information available to them, the smallest thing they would like to evaluate, and go from there. This blog post will outline a scenario showing how isolating aspects of a malicious webpage for analysis led us down an exciting path of threat hunting.
Lowest Common Denominator
Our home-brewed NLP rank automates the detection and blocking of phishing domains very efficiently, based on the threshold we set during its training. However, some of the results wind up below our target score and Analysts get to do some manual analysis work. Usually this is due to a change in tactics, procedures, or code by the actors. One recent trend in crypto phishing is not just aiming at stealing users’ credentials but also infecting them with different Trojans.
One example is a now removed site, idex[.]store. Posing as a cryptocurrency exchange, this domain when analyzed on VirusTotal at the time, displayed as benign.
![idex[.]store phishing cryptocurrency domain](https://cdn.umbrella.marketops.umbrella.com/wp-content/uploads/2018/06/25163647/Screen-Shot-2018-06-18-at-12.50.46-PM.png)
Though the end of the page’s code contains a Visual Basic script designed to be a dropper…
![idex[.]store Visual Basic script](https://cdn.umbrella.marketops.umbrella.com/wp-content/uploads/2018/06/25163643/Screen-Shot-2018-06-18-at-12.51.29-PM.png)
VirusTotal did not convict the URL:
![VirusTotal failure to detect idex[.]store](https://cdn.umbrella.marketops.umbrella.com/wp-content/uploads/2018/06/25163642/Screen-Shot-2018-06-27-at-1.21.06-PM.png)
When working with a sandbox environment that has more granularity or features such as Threatgrid, this isolating strategy can become very powerful. Here we can see that Threatgrid has more information to reveal about the script, and that other anti-virus services have labeled this as a dropper at least, or Ramnit at worst:
Now that we have more concrete evidence of maliciousness, we can begin to pivot as we normally would, finding further malicious domains. The IP addresses that idex[.]store last resolved to, and the one that it resolved to while it was still hosting the dropper are both leads to follow.
![idex[.]store's observed IP addresses](https://cdn.umbrella.marketops.umbrella.com/wp-content/uploads/2018/06/25163636/Screen-Shot-2018-06-29-at-11.26.49-AM.png)
A second example found while pivoting from this IP address is a domain posing as electrum[.]org. This domain tries to trick users by providing download links to electrum wallets:
Binaries which are hosted at those links are trojanized and will steal and send user credentials to a malicious actor. They are recognized as malicious by both VirusTotal and Hybrid Analysis:
![VirusTotal analysis of the binary downloaded from electrumwallet[.]ml](https://cdn.umbrella.marketops.umbrella.com/wp-content/uploads/2018/06/25163631/Screen-Shot-2018-07-02-at-12.23.02-AM-1024x345.png)
![Analysis of the binary downloaded from electrumwallet[.]ml](https://cdn.umbrella.marketops.umbrella.com/wp-content/uploads/2018/06/25163629/Screen-Shot-2018-07-02-at-12.22.49-AM-1024x222.png)
The Rabbit Hole
The first IP address, the one that idex[.]store originally used was 178.208[.]83.11. Only utilized for about a day, this IP address belongs to mchost[.]ru, a popular internet registrar and domain hosting service based in Russia. On this IP address are several other domains of various degrees of maliciousness, including several typo-squatting phishes of Bitfinex and Cryptojacking.
The new IP addresses, 109.70.26[.]37 and 194.85.61[.]76 seem to be shared by a host of malicious domains. In addition to a typo squat of Vodafone and several obvious Apple phishes, there is a record of droppers and trojans calling back to their IPs as well as a history of spam-filled advertising networks.
The cherry on this malicious cake includes Emotet hosts like this one.
Given the nature of threat hunting, there could always be dead ends and failures. It’s important to listen to your instincts and to try to dig past suspected false results and misleading dead ends. Isolate the thing that interests you and don’t give up! At Cisco Umbrella our Analysts continually perform threat hunting activities to go along side our machine learning algorithms to continue to provide protection for our customers against the latest threats.
