• Skip to primary navigation
  • Skip to main content
  • Skip to footer

Cisco Umbrella

Enterprise network security

  • Free Trial
  • Contact us
  • Blog
  • Login
    • Umbrella Login
    • Cloudlock Login
  • Products
    • Product
      • Cisco Umbrella Cloud Security Service
      • Cisco Umbrella Investigate
      • Product Packages
      • Support Packages
    • Functionality
      • DNS-Layer Security
      • Secure Web Gateway
      • Cloud Access Security Broker (CASB)
      • Interactive Intelligence
      • Cloud-Delivered Firewall
    •  
    • Webinar signup
  • Solutions
    • By Need
      • Protect Mobile Users
      • Fast Incident Response
      • Web Content Filtering
      • Shadow IT Discovery & App Blocking
      • Unified Threat Enforcement
      • Reduce Security Infections
      • Secure Direct Internet Access
      • Securing Remote and Roaming Users
    • By Network
      • Protect Guest Wi-Fi
      • SD-WAN Security
      • Off-Network Endpoint Security
    • By Industry
      • Higher Education Security
      • K-12 Schools Security
      • Healthcare, Retail and Hospitality Security
      • Enterprise Cloud Security
      • Small Business Cybersecurity
      • Our Customers
      • Customer Stories
    • Ransomware Defense for Dummies book
  • Why Us
    • Fast Reliable Cloud
      • Cloud Security Infrastructure
      • Cloud Network Status
      • Cloud Network Activity
      • Recursive DNS Services
      • Top Reasons to Trial
      • Getting Started
    • Unmatched Intelligence
      • Cyber Attack Prevention
      • Interactive Intelligence
    • Extensive Integrations
      • IT Security Integrations
      • Hardware Integrations
      • Meraki Integration
      • Cisco SD-WAN
    • Navigation-dropdown-promo-free-trial_102820
  • Resources
    • Content Library
      • Top Resources
      • Analyst Reports
      • Case Studies
      • Customer Videos
      • Datasheets
      • eBooks
      • Infographics
      • Solution Briefs
    • International Documents
      • Deutsch/German
      • Español/Spanish
      • Français/French
      • Italiano/Italian
      • 日本語/Japanese
    • Cisco Umbrella Blog
      • Latest Posts
      • Security Posts
      • Research Posts
      • Threats Posts
      • Product Posts
      • Spotlight
    • For Customers
      • Support
      • Customer Success Hub
      • Umbrella Deployment Hub
      • Customer Success Webinars
      • What’s New
      • Cisco Umbrella Studio
  • Trends & Threats
    • Market Trends
      • Rise of Remote Workers
      • Secure Internet Gateway (SIG)
      • Secure Access Service Edge (SASE)
    • Security Threats
      • Ransomware
      • Cryptomining Malware Protection
      • Cybersecurity Threat Landscape
    •  
    • 2020 Cybersecurity trends
  • Partners
    • Channel Partners
      • Partner Program
      • Become a Partner
    • Service Providers
      • Secure Connectivity
      • Managed Security for MSSPs
      • Managed IT for MSPs
    •  
    • Become a partner
  • Free Trial Signup
  • Umbrella Login
  • Cloudlock Login
  • Contact Us
Research

Diamonds in the Rough

By Patrick Colford
Posted on July 10, 2018
Updated on March 22, 2020

Share

Facebook0Tweet0LinkedIn0

When threat hunting, it’s important to be thorough and not take things at first glance. With many free automated malware analysis and sandbox environments available, the barrier for threat analysis has been lowered. Though these products are excellent tools in the effort to combat malware, and while educating more users to take steps for their own security is always encouraged, the fact is that sometimes malicious artifacts can escape conviction. These type of products allow the upload of files and URLs and rely on a series of techniques and systems to evaluate the uploaded content. The techniques that these environments use vary, and may produce unexpected results while submitting things that are known to be malicious. One way to counteract this, is for users to work with the most discrete information available to them, the smallest thing they would like to evaluate, and go from there. This blog post will outline a scenario showing how isolating aspects of a malicious webpage for analysis led us down an exciting path of threat hunting.

Lowest Common Denominator

Our home-brewed NLP rank automates the detection and blocking of phishing domains very efficiently, based on the threshold we set during its training. However, some of the results wind up below our target score and Analysts get to do some manual analysis work. Usually this is due to a change in tactics, procedures, or code by the actors. One recent trend in crypto phishing is not just aiming at stealing users’ credentials but also infecting them with different Trojans.

One example is a now removed site, idex[.]store. Posing as a cryptocurrency exchange, this domain when analyzed on VirusTotal at the time, displayed as benign.

idex[.]store’s now removed page.

Though the end of the page’s code contains a Visual Basic script designed to be a dropper…

idex[.]store VB script

VirusTotal did not convict the URL:

VirusTotal fails to detect maliciousness.

However when the VB script is run in isolation, VirusTotal returns a much different result:

VB script analyzed in isolation.

When working with a sandbox environment that has more granularity or features such as Threatgrid, this isolating strategy can become very powerful. Here we can see that Threatgrid has more information to reveal about the script, and that other anti-virus services have labeled this as a dropper at least, or Ramnit at worst:

Threatgrid Analysis
Theatgrid Analysis of VB script

Now that we have more concrete evidence of maliciousness, we can begin to pivot as we normally would, finding further malicious domains. The IP addresses that idex[.]store last resolved to, and the one that it resolved to while it was still hosting the dropper are both leads to follow.

idex[.]store’s observed IP addresses

A second example found while pivoting from this IP address is a domain posing as electrum[.]org. This domain tries to trick users by providing download links to electrum wallets:

Malicious domain posing as electrum wallet download site

Binaries which are hosted at those links are trojanized and will steal and send user credentials to a malicious actor. They are recognized as malicious by both VirusTotal and Hybrid Analysis:

Analysis of the binary downloaded from electrumwallet[.]ml

Analysis of the binary downloaded from electrumwallet[.]ml

The Rabbit Hole

The first IP address, the one that idex[.]store originally used was 178.208[.]83.11. Only utilized for about a day, this IP address belongs to mchost[.]ru, a popular internet registrar and domain hosting service based in Russia. On this IP address are several other domains of various degrees of maliciousness, including several typo-squatting phishes of Bitfinex and Cryptojacking.



The new IP addresses, 109.70.26[.]37 and 194.85.61[.]76 seem to be shared by a host of malicious domains. In addition to a typo squat of Vodafone and several obvious Apple phishes, there is a record of droppers and trojans calling back to their IPs as well as a history of spam-filled advertising networks.

The cherry on this malicious cake includes Emotet hosts like this one.

Given the nature of threat hunting, there could always be dead ends and failures. It’s important to listen to your instincts and to try to dig past suspected false results and misleading dead ends. Isolate the thing that interests you and don’t give up! At Cisco Umbrella our Analysts continually perform threat hunting activities to go along side our machine learning algorithms to continue to provide protection for our customers against the latest threats.

Previous Post:

Previous Article

Next Post:

Next Article

Follow Us

  • Twitter
  • Facebook
  • LinkedIn
  • YouTube

Footer Sections

What we make

  • Cloud Security Service
  • DNS-Layer Network Security
  • Secure Web Gateway
  • Security Packages

Who we are

  • Cisco Umbrella Blog
  • Cloud Network Status
  • Cloud Network Activity
  • OpenDNS is now Cisco Umbrella

Learn more

  • Events
  • Careers
  • Support
  • Cisco Umbrella Live Demo
  • Contact Sales
Umbrella by Cisco
208.67.222.222+208.67.220.220
2620:119:35::35+2620:119:53::53
Sign up for a Free Trial
  • Cisco Online Privacy Statement
  • Terms of Service
  • Sitemap

© 2021 Cisco Umbrella