• Skip to primary navigation
  • Skip to main content
  • Skip to footer

Cisco Umbrella

Enterprise network security

  • Contact Sales
  • Login
    • Umbrella Login
    • Cloudlock Login
  • Why Us
    • Why Cisco Umbrella
      • Why Try Umbrella
      • Why DNS Security
      • Why Umbrella SASE
      • Our Customers
      • Customer Stories
      • Why Cisco Secure
    • Fast Reliable Cloud
      • Global Cloud Architecture
      • Cloud Network Status
      • Global Cloud Network Activity
    • Unmatched Intelligence
      • A New Approach to Cybersecurity
      • Interactive Intelligence
      • Cyber Attack Prevention
      • Umbrella and Cisco Talos Threat Intelligence
    • Extensive Integrations
      • IT Security Integrations
      • Hardware Integrations
      • Meraki Integration
      • Cisco Umbrella and SecureX
  • Products
    • Cisco Umbrella Products
      • Cisco Umbrella Cloud Security Service
      • Recursive DNS Services
      • Cisco Umbrella SIG
      • Umbrella Investigate
      • What’s New
    • Product Packages
      • Cisco Umbrella Package Comparison
      • – DNS Security Essentials Package
      • – DNS Security Advantage Package
      • – SIG Essentials Package
      • – SIG Advantage Package
      • Umbrella Support Packages
    • Functionality
      • DNS-Layer Security
      • Secure Web Gateway
      • Cloud Access Security Broker (CASB)
      • Cloud Data Loss Prevention (DLP)
      • Cloud-Delivered Firewall
      • Cloud Malware Protection
      • Remote Browser Isolation (RBI)
    • Man on a laptop with headphones on. He is attending a Cisco Umbrella Live Demo
  • Solutions
    • SASE & SSE Solutions
      • Cisco Umbrella SASE
      • Secure Access Service Edge (SASE)
      • What is SASE
      • What is Security Service Edge (SSE)
    • Functionality Solutions
      • Web Content Filtering
      • Secure Direct Internet Access
      • Shadow IT Discovery & App Blocking
      • Fast Incident Response
      • Unified Threat Management
      • Protect Mobile Users
      • Securing Remote and Roaming Users
    • Network Solutions
      • Guest Wi-Fi Security
      • SD-WAN Security
      • Off-Network Endpoint Security
    • Industry Solutions
      • Government and Public Sector Cybersecurity
      • Financial Services Security
      • Cybersecurity for Manufacturing
      • Higher Education Security
      • K-12 Schools Security
      • Healthcare, Retail and Hospitality Security
      • Enterprise Cloud Security
      • Small Business Cybersecurity
  • Resources
    • Content Library
      • Top Resources
      • Cybersecurity Webinars
      • Events
      • Research Reports
      • Case Studies
      • Videos
      • Datasheets
      • eBooks
      • Solution Briefs
    • International Documents
      • Deutsch/German
      • Español/Spanish
      • Français/French
      • Italiano/Italian
      • 日本語/Japanese
    • For Customers
      • Support
      • Customer Success Webinars
      • Cisco Umbrella Studio
    • Get the 2022 Cloud Scurity Comparison Guide
  • Trends & Threats
    • Market Trends
      • Hybrid Workforce
      • Rise of Remote Workers
      • Secure Internet Gateway (SIG)
    • Security Threats
      • How to Stop Phishing Attacks
      • Malware Detection and Protection
      • Ransomware is on the Rise
      • Cryptomining Malware Protection
      • Cybersecurity Threat Landscape
      • Global Cyber Threat Intelligence
      • Cyber Threat Categories and Definitions
    •  
    • Woman connecting confidently to any device anywhere
  • Partners
    • Channel Partners
      • Partner Program
      • Become a Partner
    • Service Providers
      • Secure Connectivity
      • Managed Security for MSSPs
      • Managed IT for MSPs
    •  
    • Person looking down at laptop. They are connecting and working securely
  • Blog
    • News & Product Posts
      • Latest Posts
      • Products & Services
      • Customer Focus
      • Feature Spotlight
    • Cybersecurity Posts
      • Security
      • Threats
      • Cybersecurity Threat Spotlight
      • Research
    •  
    • Register for a webinar - with illustration of connecting securely to the cloud
  • Contact Us
  • Umbrella Login
  • Cloudlock Login
  • Free Trial
Research

Diamonds in the Rough

By Patrick Colford
Posted on July 10, 2018
Updated on March 22, 2020

Share

FacebookTweetLinkedIn

When threat hunting, it’s important to be thorough and not take things at first glance. With many free automated malware analysis and sandbox environments available, the barrier for threat analysis has been lowered. Though these products are excellent tools in the effort to combat malware, and while educating more users to take steps for their own security is always encouraged, the fact is that sometimes malicious artifacts can escape conviction. These type of products allow the upload of files and URLs and rely on a series of techniques and systems to evaluate the uploaded content. The techniques that these environments use vary, and may produce unexpected results while submitting things that are known to be malicious. One way to counteract this, is for users to work with the most discrete information available to them, the smallest thing they would like to evaluate, and go from there. This blog post will outline a scenario showing how isolating aspects of a malicious webpage for analysis led us down an exciting path of threat hunting.

Lowest Common Denominator

Our home-brewed NLP rank automates the detection and blocking of phishing domains very efficiently, based on the threshold we set during its training. However, some of the results wind up below our target score and Analysts get to do some manual analysis work. Usually this is due to a change in tactics, procedures, or code by the actors. One recent trend in crypto phishing is not just aiming at stealing users’ credentials but also infecting them with different Trojans.

One example is a now removed site, idex[.]store. Posing as a cryptocurrency exchange, this domain when analyzed on VirusTotal at the time, displayed as benign.

idex[.]store’s now removed page.

Though the end of the page’s code contains a Visual Basic script designed to be a dropper…

idex[.]store VB script

VirusTotal did not convict the URL:

VirusTotal fails to detect maliciousness.

However when the VB script is run in isolation, VirusTotal returns a much different result:

VB script analyzed in isolation.

When working with a sandbox environment that has more granularity or features such as Threatgrid, this isolating strategy can become very powerful. Here we can see that Threatgrid has more information to reveal about the script, and that other anti-virus services have labeled this as a dropper at least, or Ramnit at worst:

Threatgrid Analysis
Theatgrid Analysis of VB script

Now that we have more concrete evidence of maliciousness, we can begin to pivot as we normally would, finding further malicious domains. The IP addresses that idex[.]store last resolved to, and the one that it resolved to while it was still hosting the dropper are both leads to follow.

idex[.]store’s observed IP addresses

A second example found while pivoting from this IP address is a domain posing as electrum[.]org. This domain tries to trick users by providing download links to electrum wallets:

Malicious domain posing as electrum wallet download site

Binaries which are hosted at those links are trojanized and will steal and send user credentials to a malicious actor. They are recognized as malicious by both VirusTotal and Hybrid Analysis:

Analysis of the binary downloaded from electrumwallet[.]ml

Analysis of the binary downloaded from electrumwallet[.]ml

The Rabbit Hole

The first IP address, the one that idex[.]store originally used was 178.208[.]83.11. Only utilized for about a day, this IP address belongs to mchost[.]ru, a popular internet registrar and domain hosting service based in Russia. On this IP address are several other domains of various degrees of maliciousness, including several typo-squatting phishes of Bitfinex and Cryptojacking.



The new IP addresses, 109.70.26[.]37 and 194.85.61[.]76 seem to be shared by a host of malicious domains. In addition to a typo squat of Vodafone and several obvious Apple phishes, there is a record of droppers and trojans calling back to their IPs as well as a history of spam-filled advertising networks.

The cherry on this malicious cake includes Emotet hosts like this one.

Given the nature of threat hunting, there could always be dead ends and failures. It’s important to listen to your instincts and to try to dig past suspected false results and misleading dead ends. Isolate the thing that interests you and don’t give up! At Cisco Umbrella our Analysts continually perform threat hunting activities to go along side our machine learning algorithms to continue to provide protection for our customers against the latest threats.

Previous Post:

Previous Article

Next Post:

Next Article

Follow Us

  • Twitter
  • Facebook
  • LinkedIn
  • YouTube

Footer Sections

What we make

  • Cloud Security Service
  • DNS-Layer Network Security
  • Secure Web Gateway
  • Security Packages

Who we are

  • Global Cloud Architecture
  • Cloud Network Status
  • Cloud Network Activity
  • OpenDNS is now Umbrella
  • Cisco Umbrella Blog

Learn more

  • Webinars
  • Careers
  • Support
  • Cisco Umbrella Live Demo
  • Contact Sales
Umbrella by Cisco
208.67.222.222+208.67.220.220
2620:119:35::35+2620:119:53::53
Sign up for a Free Trial
  • Cisco Online Privacy Statement
  • Terms of Service
  • Sitemap

© 2023 Cisco Umbrella