As promised, here is a short walkthrough of the COVID-themed websites collected by Malware Patrol. What we're going to do is automate domain reputation lookups via VT (VirusTotal), using the VT automation program I wrote a while back, which has since become a standard feature of my project.
We'll go through this walkthrough in 4 phases:
1. Fetch the parsed domains and analyze them via VT.
2. Check site accessibility.
3. Get a URL snapshot.
4. Get the URL redirections from the website.
Phase 1
It's simple: we parse all the domains from the site and feed them to VT for a verdict.
It takes a lot of time because there are a lot of them. So what I did was create a counter so we can determine the total number of domains Malware Patrol has collated.
The result is huge, wow... we are going to crawl 100961 URLs!
I went and assessed all those sites, and it took me a while; here are some snapshots.
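As an added example (my own code here, not the VT automation program or Spyder from the walkthrough), this is how Phase 1 can be done end to end: normalise and count the parsed domains, query the VirusTotal v3 domain endpoint, and reduce each report to a verdict. The feed and the VT report below are constructed samples; the verdict thresholds are my own assumption, and the API key is read from an assumed VT_API_KEY environment variable.

```python
import json
import os
import urllib.request
from collections import Counter

# Constructed sample of a parsed domain feed (not the Malware Patrol data itself).
# It mixes case, scheme and path so the normalisation step has something to do.
SAMPLE_FEED = """\
coronacrate.com
against-coronavirus.com
anticorona.club
CORONACRATE.COM
https://against-coronavirus.com/shop/
"""

# Real VirusTotal v3 endpoint for a domain report; the key is sent in the x-apikey header.
VT_DOMAIN_ENDPOINT = "https://www.virustotal.com/api/v3/domains/{}"

# Constructed VT-style report used when no API key is set (assumption: shape of a v3 domain object).
SAMPLE_VT_REPORT = {
    "data": {
        "id": "coronacrate.com",
        "attributes": {
            "last_analysis_stats": {
                "harmless": 60, "malicious": 4, "suspicious": 1,
                "undetected": 10, "timeout": 0,
            }
        },
    }
}


def parse_domains(text):
    """Turn one entry per line into a deduplicated list of lowercase hostnames."""
    seen, hosts = set(), []
    for line in text.splitlines():
        entry = line.strip().lower()
        if not entry:
            continue
        if "://" in entry:                  # drop the scheme if a full URL slipped in
            entry = entry.split("://", 1)[1]
        host = entry.split("/", 1)[0]       # drop any path
        if host and host not in seen:
            seen.add(host)
            hosts.append(host)
    return hosts


def fetch_vt_domain(domain, api_key, timeout=30):
    """Query the VT v3 domain report (live network call; needs a valid key)."""
    req = urllib.request.Request(
        VT_DOMAIN_ENDPOINT.format(domain), headers={"x-apikey": api_key}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def summarize_vt_report(report):
    """Reduce a VT domain object to a verdict. Thresholds are my own assumption:
    3+ engines flagging it -> 'flagged', 1-2 -> 'review', 0 -> 'clean'."""
    stats = report["data"]["attributes"]["last_analysis_stats"]
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    verdict = "flagged" if flagged >= 3 else "review" if flagged else "clean"
    return {
        "domain": report["data"]["id"],
        "flagged": flagged,
        "engines": sum(stats.values()),
        "verdict": verdict,
    }


def triage_feed(text, lookup):
    """Parse a feed, look each domain up and count verdicts. `lookup` is any
    callable domain -> VT-style report, so it can be swapped for offline data."""
    hosts = parse_domains(text)
    verdicts = Counter()
    for domain in hosts:
        verdicts[summarize_vt_report(lookup(domain))["verdict"]] += 1
    return len(hosts), verdicts


if __name__ == "__main__":
    key = os.environ.get("VT_API_KEY")
    if key:
        lookup = lambda d: fetch_vt_domain(d, key)
    else:  # offline: reuse the constructed report for every domain
        lookup = lambda d: SAMPLE_VT_REPORT
    total, counts = triage_feed(SAMPLE_FEED, lookup)
    print(f"domains parsed: {total}")
    for verdict, n in counts.most_common():
        print(f"  {verdict}: {n}")
```

The counter is just the length of the deduplicated list, which is also why the feed is normalised first: the same site listed with and without a scheme or path should count once. For a feed the size of the one above, the public VT API quota (4 requests per minute on the free tier) is the real bottleneck, so `fetch_vt_domain` needs throttling and the results should be cached to disk so a crash doesn't mean starting over.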
Phase 2
For phase 2 I'll run the entire Spyder app. As you may know, the program's goal is to execute an entire threat-hunt automation. The link in the description has the full information on Spyder.
So right now we're inside Spyder, and we'll check the scam sites' availability.
I'll type in help so you have an idea of the commands I'll execute.
Input istdwn -i, which means it will read through all the domains we have parsed and get the evaluation from there. Let's run this command and check how many are still active.
And we're back! Due to the large number of domains, we'll double-check the access and confirm the program really works. I'll try some samples, and let's see.
Coronaclear.com is redirected to a domain that right now we don't know yet, but it may go online some time. Hackers normally use this tactic to avoid their site being identified by the authorities.
Phase 3
For phase 3, we'll take screenshots of these potential scam sites and see what they look like. Here we'll just gather 5 samples to identify some of the factors that make a domain suspicious.
coronacrate.com
> Forms - inputs personal information such as
> Got some ads and social link buttons,
> And they're doing home loans? relevant?
against-coronavirus.com
> Looks like they're selling some KN95 respirator of some sort. I just don't know what will happen if you click on buy now.
> Some product specifications and their marketing pitch
> They guarantee to ship via DHL
> So they really focus on selling masks
<scroll down image>
"I don't know, do you think this is legit? Comment below.."
anticorona.club
> Some Vietnamese characters, some baby products
> They're endorsing some ointment for babies, I guess
> And there's a video, which I can't play right now
> I don't know if they're advertising an 'anti' corona ointment
> Some buttons again, and there you go, a phone number and an email; just beware of these, you don't know where they can lead you.
Phase 4
In this phase we get the links that might lead to some redirected site. We'll assess that site and see.
coronacrate.com
nc - redirection to https://matthewv.ahmcloans.com/loan/graphic-prequal - 404
against-coronavirus.com
- all links are part of the domain
but we have one URL here - https://medik.wpengine.com/shop/; we check that one
*snip - we just get a loading blue screen
*nc medik.wpengine.com - found a lot of directories
Let's wrap it all up; I hope you're all now more aware of potential scams. Be careful, stay healthy, stay limitless!
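As an added example covering Phase 2 (is the site still up?) and Phase 4 (where does it redirect?), here is a small redirect walker of my own, not code from Spyder or the istdwn command. It sends HEAD requests with automatic redirect-following switched off, so every intermediate hop is recorded, which is exactly what lets you notice a site like coronaclear.com bouncing to a domain you haven't seen yet. The FAKE_WEB table is a constructed stand-in for the network, modelled on the coronacrate.com observation above, so the script runs offline; swap in http_fetch for live checks.

```python
import socket
import urllib.error
import urllib.parse
import urllib.request

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx responses so every hop is seen and recorded."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, timeout=10):
    """One HEAD request. Returns (status, Location header); (None, None) if unreachable."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "Mozilla/5.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:   # with redirects disabled, 3xx/4xx/5xx land here
        return err.code, err.headers.get("Location")
    except (urllib.error.URLError, socket.timeout, OSError):
        return None, None


def follow_chain(start_url, fetch=http_fetch, max_hops=5):
    """Walk redirects hop by hop. `fetch` is injectable so the walk can run offline."""
    chain, visited, url = [], {start_url}, start_url
    for _ in range(max_hops + 1):
        status, location = fetch(url)
        chain.append((url, status))
        if status not in REDIRECT_CODES or not location:
            break
        nxt = urllib.parse.urljoin(url, location)   # Location may be relative
        if nxt in visited:                          # A -> B -> A style loop
            chain.append((nxt, "loop"))
            break
        visited.add(nxt)
        url = nxt
    else:                                           # still redirecting after max_hops
        chain.append((url, "truncated"))
    final_url, final_status = chain[-1]
    start_host = urllib.parse.urlsplit(start_url).hostname
    final_host = urllib.parse.urlsplit(final_url).hostname
    return {
        "chain": chain,
        "hops": len(chain) - 1,
        "final_status": final_status,
        "reachable": isinstance(final_status, int) and final_status < 400,
        "offsite": final_host != start_host,       # ended up on a different domain
    }


def describe(result):
    """Render a chain the way the notes above do: url -> url -> status."""
    path = " -> ".join(u for u, _ in result["chain"])
    return f"{path} [{result['final_status']}]"


# Constructed offline stand-in for the network, modelled on the coronacrate.com case above.
FAKE_WEB = {
    "http://coronacrate.com/": (301, "https://coronacrate.com/"),
    "https://coronacrate.com/": (302, "https://matthewv.ahmcloans.com/loan/graphic-prequal"),
    "https://matthewv.ahmcloans.com/loan/graphic-prequal": (404, None),
}


def fake_fetch(url):
    return FAKE_WEB.get(url, (None, None))


if __name__ == "__main__":
    for site in ["http://coronacrate.com/", "http://not-in-the-fake-web.example/"]:
        r = follow_chain(site, fetch=fake_fetch)
        print(describe(r),
              "offsite" if r["offsite"] else "same-site",
              "reachable" if r["reachable"] else "unreachable")
```

The "offsite" flag is the interesting signal for this kind of triage: a COVID-themed domain whose chain ends on an unrelated host (a loan site, a parked page, a shop on a hosting provider's subdomain) is worth a closer look even when the final status is a 404, because the operator can repoint it later. Keep the hop limit small and the timeout short when running this over a feed of six figures, and log the full chain rather than only the final URL.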
For the video version you can watch it here: