On June 27, JumpCloud discovered an APT attack. The company’s IR shared some IOCs to allow the customers or others third parties to protect their infrastructure.

As a Security Analyst, you should pay attention to the IOCS provided  https://jumpcloud.com/support/july-2023-iocs .

The purpose of this article is to help the Analyst to detect and investigate different IOCs such as domains and IP addresses before or after an attack occurred.

Having a look at the domains from the list of IOCs, the first impression that would come in your mind is to check if the domains are FP or not.

Example of some Domains from the IOCs:

nomadpkgs[.]com

centos-repos[.]org

datadog-cloud[.]com

toyourownbeat[.]com

datadog-graph[.]com

centos-pkg[.]org

primerosauxiliosperu[.]com

zscaler-api[.]org

nomadpkg[.]com

 

As you see, some of the domains name are quite similar to the names of well-known service providers , companies for example we can observe some domains names with the name of some service providers such as  Zscaler, Centos . As an Analyst, you should always be able to check such suspicious IOCs before making any conclusion.

Let’s take the example of a few domains:

zscaler-api[.]org 

https://www.virustotal.com/gui/domain/zscaler-api.org/details

Whois Lookup

Administrative city: REDACTED FOR PRIVACY

Administrative country: REDACTED FOR PRIVACY

Administrative state: REDACTED FOR PRIVACY

Create date: 2023-06-23 00:00:00

Domain name: zscaler-api.org

Domain registrar id: 1068

Domain registrar url: http://www.namecheap.com

Expiry date: 2024-06-23 00:00:00

Name server 1: dns1.registrar-servers.com

Name server 2: dns2.registrar-servers.com

As you see, the result from Virustotal shows that the domain is a newly created, this is the first hint for us. As we know, most of domains used by threat actors are newly created. As Zscaler is a well-known brand,  we can check the main domain of Zscaler to make a comparison between the both domains.

zscaler.com (Zscaler legitimate domain)

https://www.virustotal.com/gui/domain/zscaler.com/details

After checking the main domain of Zscaler (zscaler.com), we can observe that the zscaler.com is located at (Subject: C=US 2.5.4.15=Private Organization 2.5.4.5=4431830 L=San Jose O=Zscaler, Inc. ST=California 1.3.6.1.4.1.311.60.2.1.2=Delaware 1.3.6.1.4.1.311.60.2.1.3=US CN=www.zscaler.com )

Whois Lookup gave the following details:

Admin Country: US

Admin Organization: Zscaler, Inc.

Admin State/Province: CA

Creation Date: 2008-07-14T22:12:34+0000

Creation Date: 2008-07-14T22:12:34Z

DNSSEC: unsigned

Domain Name: ZSCALER.COM

Domain Name: zscaler.com

With this information, we can assume that the domain zscaler-api[.]org is not from Zscaler.

NB: It is always a good practice to check the browser search such as Google or Bring search to get some information about the domains.

The second example are the two domains nomadpkg[.]com and nomadpkgs[.]com

In this example, we will type the domain nomadpkg[.]com on Google search if we can find any related information, by doing that, we found a similar domain nomadpackaging.com a packaging website.

https://whois.domaintools.com/nomadpackaging.com

Dates     6,355 days old

Created on 2006-02-22

Expires on 2024-02-22

Updated on 2023-02-08

After checking the two domains, we found out that they are newly created

https://whois.domaintools.com/nomadpkg.com, https://whois.domaintools.com/nomadpkgs.com  and no specifics information were found about them over the internet.

At this point, based on the naming convention, we may assume that the domains are probably mimicking the nomadpackaging.com. But for us, it is a hint for us to block such domain.

You can use the same technics we showed to analyze others domain such as centos-pkg[.]org and centos-repos[.]org or domains mentioned in the list.

NB: One thing to mention, during our investigation, we found a link https://www.usom.gov.tr/url-list.txtAlt  where most of the domains available in https://jumpcloud.com/support/july-2023-iocs were reported as malicious one. You can use this link to upload the domain in your SIEM tool in order to monitor any interaction with any of them.

Now, lets analyzed some IP addresses detected during the investigation:

https://jumpcloud.com/support/july-2023-iocs

66.187.75.186

104.223.86.8

100.21.104.112

23.95.182.5

78.141.223.50

116.202.251.38

89.44.9.202

192.185.5.189

Most of the IP addresses mentioned above, look normal, seeing such traffic in your network, it is very difficult to guess that, it could be used by a threat actor. But you can use some technics to find more information about a specific IP address.

Let’s start:

In this case, a tool like https://www.abuseipdb.com did not help that much as the IP addresses look normal and most of them were not reported of any abuse, then we check the tool like https://securitytrails.com/ to list the domain behind the IP address.

By checking the domains on the IP address, we found the domain toyourownbeat[.]com (one of the domains mentioned above) address hosted on the IP address

https://securitytrails.com/list/ip/192.185.5.189

We found on the subdomains of toyourownbeat[.]com:

webmail.toyourownbeat[.]com                 

mail.toyourownbeat[.]com

Which could be a sign of phishing message sends to different users that interact with the website.

https://securitytrails.com/list/apex_domain/toyourownbeat.com .

I know this is a time consuming, but it is better to consume a time to analyze one indicator than to be hacked because of not analyzing it. Always stay focus and be patient.

The static malware analysis is analyzing malicious a file without executing it.

A Static analysis can help you  to detect or find indicator that can prove that the file is malicious.

Once you perform a static analysis, the following details can be revealed:

• Hashes of the file
• Identified if the file is packed
• Imports and exports
• Libraries used
• Strings embedded in the file
• Digital certificates
• Detecting the files format type
• Finding details such as (domain, IP address and others)

 NB: For security reason, we are not providing you the malicious file.

Imagine that you received a suspicious file to analyze at work, your job will be to set up your Sandbox t to perform your investigation.

We already have set up our sandbox, we have installed two machines (Windows guest and Remnux).

Remnux is a prebuild Linux machine for malware analysis, you can download the OS: Get the Virtual Appliance - REMnux Documentation

Windows guest was downloaded from Download a Windows virtual machine - Windows app development | Microsoft Developer. There is a new version of Windows to download Windows 11.

VirtualBox can be downloaded from Downloads – Oracle VM VirtualBox

After installing the machines and the VM, you can install Flare VM (a set of tools for malware analysis for Windows) from GitHub - mandiant/flare-vm.

Flare VM does not come with all the applications for the analysis, so you must install some tools such as PEid, BinText, PeStudio, Dependency walker and others based on your needs.

When we finished to install all the applications, the environment looks like this:

The both guests’ machines are running in “Host Only Network” which means that they don’t have any internet connection.

NB: One important thing, take the snapshot of the machine before you start the investigation so you can go back to a secure state after the investigation.

Let’s start the investigation.

 1. Strings command

In Remnux host. The String command helps you to find the strings embedded in the file.

First, type the help option to find more details about the command.

Run the command with the file:

2. Pestr

In Remnux host, go and open the terminal. Type the command with the file name below.

You can put the output in a file to have a better view of the output

The output

At this point, we can observe some indicators such as imports, libraries call and dll extension files, persistency method used in the registry, domain name and others. This is a good point as most of the malware usually used those attributes.

3. PEiD

In Windows host. The tool is used to detect common packers, crypto and compilers for PE files.

Take the file that you analyzing and drag in the tool, in our case the file is not packed, we can see that the file is written in C++.

4. PEStudio

In Windows host. The tool is very useful for the static analysis, it can detect the following information:

• File signature
• Imports
• Export
• URL and IP addresses
• Show Virus total score
• Virus total scoring
• Strings embedded in the files

Run the tool, drag the application in the tool and go through each option from the left side and analyze the output on the right side.

Virus Total scoring

Imports

Strings

5. BINTEXT

 In Windows host. Run the tool and it will display the strings embedded in the file.

6. Peframe

The tool is used to analyze a portable executable files, it can detect if the file is parked, anti-debug digital signature, xor, mutex, anti-virtual machine, suspicious sections and functions, macro and others.

In Remnux host. Type the command following file the file name you are analyzing.

We got some details about the files visible in the screen such as the (hash of the file, PE32 which means that the file is Windows executable file, the file size and others).

NB: You can list all the tools used in Remnux for malware analysis by type the command in the capture below.

7. Dependency Walker

In Windows host.

After dragging the file in the tool, you can see the DLL files with the handles (imports and exports) related to each.

You can type the name of the DLL file on the internet to know what it does.

Now your static analysis finished, you can collect the information and provide a report.

Static analysis of malware is very important, it helps analyze the malware without running it and collect basics information about the malware. The information collected can help us detect if the file is a malware.

On the 29.06.2023, my website osintafrica – intelligency blog was hacked.

The threat actor created two accounts with the Author privilege and posted two posts on the website.

In the next lines, i will describe how I managed and fixed the issue.

When i connected to my website, i found a strange post. It was very surprising for me, because  i was not the author of the posts, so i decided to analysis the issue.

                                          Figure 1 Post published by the threat actor

As you see on the image above the user “miqzmcif” was the Author of the post.

I connected to my WordPress backend, i checked the user menu to find all the users account created on the website, i found out two new users accounts created (miqzmcif@ds.sdf and 0erwybgp2j9n9btwm8foxn@gmail.com)  following with my user admin .

Figure 2 Two new users created by the threat actor

With the email addresses of the two users created, i checked the name and email addresses created  via Google search, unfortunately no information was found.

Next steps, i did, was to verify if there is any plugin with a vulnerability that can be exploited  to get the access to my website and create a user account or publish a post. I checked all the plugins one by one via Google search to find any issue related to them, while checking the plugins, I found the only plugin with a vulnerability among all the plugins (WP Post Author version 3.2.3) that has a critical vulnerability discovered a few days ago WP Post Author <= 3.2.3 - Privilege Escalation (wordfence.com)

The WP Post Author plugin is used to create and edit the author on WordPress website, at this point, it was quite obvious for me that the plugin was the issue.

Before I deactivated and removed the plugin with the two users created, a WPScan was run on the website to check if there is any vulnerability. At the time it was the scan was run, no issue was detected that could be used by a threat actor to perpetrate the attack.

After that, i decided to harden my website, I enable the auto update option on all the plugins, installed a web access Firewall and IDS to protect the website.

NB: It worth mentioning that, before I was hacked, I would not imagine that my blog could be hacked.

So as a great example, i encourage all of you to follow the best practice like we described in our situation to protect you WordPress website or any others website.

WINSCP is a free tool used to transfer file using different protocols such as SFTP client, FTP client, WebDAV client, S3 client and SCP for Windows.

The tool can be downloaded from the website: WinSCP :: Official Site Download

The tool is very easy to use and offer graphical user interface to transfer files between two Windows host (host machine and guest machine).

Basic configuration before transferring the data

1. Install Open SSH client and Server on both machines:
2. Activate the Open SSH client and server services on both machines
3. Activate the ping request connection on the both machines

Type in Windows explorer: Control Panel\System and Security\Windows Defender Firewall\Allowed apps

Choose the option “File and Printer Sharing” – choose the option “private” – and click “ok”

4. Configure the Guest machine on “Host only Adapter” to be on the same network as the Host machine

5. Check if there is a connection between the both machines

Open cmd command line – ipconfig on the Host machine on Guest machine

6. Go on the other machine, type - ping “IP address from the machine above”

NB: At this point, all the configurations are done, you can now transfer the data.

File transfer

• Open WINSCP on the Host machine (you can transfer the file from any machine)
• Choose the protocol you want to use (in our case we use SFTP)
• Choose the port number 22 or SSH port
• Type the hostname and the username of the host to which you want to transfer the data

Example: Open – cmd – type- whoami (the hostname will be visible from the left side and the username on the right side)

• Put the password you use to login within your system and you get connected to the host.
  • Now the file transfer is possible

  NB: You can copy the file and create a folder where you want to add the file and paste there.

  

• As you can see, the files transfer now is possible in a secure way using SFTP protocol.

Many threat actors used the technique I called a fakejobposting attack. In this attack, the threat actors post or send a fake job offer to many users in order to trick them to perform an action that could be used to compromised their system or account.

The attack usually happens over websites sites used by job seekers such as LinkedIn, Monster, indeed and many others.

Usually, the threat actors used the victims as an attack vector to compromise different organization.

This technique is used by many threat actors such as the North Korean group Lazarus, Golden Chicken and others.

If the attack succeeds, it could lead to further damage such as data leaked, reputation damage, financial lost. Therefore, such activity should be taken into account and a security measure such as security awareness and training to detect and prevent such attack.

The attack usually happens by sending a malicious link, file with the fake job offer or posting a fake job to attract the users. Once, the user interacts with it, the user system can be compromised or the user can lose his or her account. It is very crucial to know how we can differentiate the real job offer and a fake one.

In the upcoming lines, we will give some details about it.

• Detection and preventing of fakejobposting attack:

 When you receive a link or file, check the link sent to you via OSINT tools such as virus total VirusTotal - Home, Interactive Online Malware Analysis Sandbox - ANY.RUN

NB: You can take the file hash and check it via the tools mentioned above or others to detect if the file is a malware.

Example:  How to get the file hash: open PowerShell command – type - Get-fileHash “file name” – enter – get the hash of the file

2. Check if the domain is newly created domain or updated domain Whois Lookup, Domain Availability &amp; IP Search - DomainTools, often the threat actors use the new domain to target the users.
3. Check the details about the company online, example: Google search. Some threat actors mimic known companies, in this case, check others platform if the job offer is present or the company website for job listing.
4. When the link sent to you require the login, don’t never use the password you use to connect to your company portal or other platforms for personal used such as social medias.
5. When you receive the message from a social media such as LinkedIn, check the date of creation of the sender’s profile and the picture on the profile (they are many AI tools now used to generate a fake picture, always check the picture on the profile), some threat actors used a fake profile or newly created profile.

NB: The picture on the profile can be taken from another social media that belongs to someone else, it is a good practice to use Google image search or Microsoft Bling images or Yandex imagine to check the if the image is not taken from another platform.

6. When there is an application to install for the interview such as TeamViewer,3CX, Microsoft teams and others compare the hash to the hash available from the provider or take the hash of the software and check it via online tools like we explained in the section 1.

If you are still not sure then it would be better to set up a Virtual machine to interact with the link or file to avoid any issues.

You can use any Virtual machine of your choice, make sure that after interacting with the link or file or software that you used to the snapshot mode to back to the safe state.

The phishing and scam attacks are types of social engineering attack where the threat actor tries to manipulate the user to behave in such a way that he can achieve one or more of the following objectives (compromise the host, stealing data such as PII, PHI, Financial data, confidential data etc.)

There are many types of social engineering attacks:

Phishing

Spam over Internet messaging

Spear phishing

Dumpster diving

Shoulder surfing

Smishing

Vishing

Spam

Tailgating

Whaling

Prepending

Identity theft

Invoice scams

Hoax

Typosquatting

The attack is the most and easiest technique used nowadays by the threat actors to target the victims.

If you have been browsing over the internet or you have been using an email address to send and receive messages, then you probably at least one time face with this type of attacks.

The attack can be very impactful, many organizations or individuals who are victim of this type of attacks can lose quantitatively (money) and qualitatively (reputation), so it is crucial to know how to be protected from the attack and also how to report it.

Example of quantitative loss:

• Receiving a fraudulent message saying that you won in a lottery, you need to send some money to get back your jackpot. This technic is often used by the scammers to tricks the user to pay money.
• Fake financial investment website where people invest money with no ROI (example read the article Goldman website scamming people in Guinea-Conakry and around the world. – osintafrica)

Example of qualitative loss:

• Sextortion abuse. Example: Using a social engineering attack to gain access to someone mobile phone or notebook in order to blackmail the person.

Considering that the attack is the most efficient way to target the victim, most of users who are impacted by this attack do not report it, which causes more victims.

By reporting the attack, we can protect yourself and other. They are many ways to report the attack, below we will describe and share with you the details about each.

• How to report scam using Gmail

When you receive a suspicious message, you can report from your Gmail account by doing:

• Click on the email you received
• Click on the ellipsis sign (the tree dot in the right corner)
• Select report Spam or the second ellipsis – select block user

By doing that, the IT department from Google will review and block the message if it is used for social engineering attack.

• How to report scam using Outlook

- Click on the email you received

-Click on the ellipsis sign (the tree dot in the right corner)

- Select report Junk report or block user or phishing, the email will be removed from your inbox and send to the IT department of Microsoft for further analyses.

NB: The same option is available on other email service such as Yahoo, Hotmail and others.

Reporting phishing abuse over social media

• Facebook

 You can always report strange emails to phish@fb.com.

• Instagram

           You can always report strange emails to phish@instagram.com.

• LinkedIn

If you receive a phishing message on LinkedIn, you can report it, by clicking on the message you received, on the right corner click on More …icon and selecting one of the below options:

- It's spam or a scam

-It's a scam, phishing, or malware

• Twitter

If you want to report a post with a link used for phishing attack, on the right corner click on More …icon and selecting report Tweet, click on next – start report – choose the option for example” myself” – next – Spammed.

You can also report social engineering abuse by reporting the domain or URL to a third-party service provider.

Examples:

• PhishTank List of potential phishing sites: PhishTank

When you receive a phishing email, you can report via the website. You can use the website also to check if the domain you received is a phishing domain.

• Report a Phishing Page (google.com)

The following page is used by Google to report phishing abuse.

• APWG | REPORT PHISHING (antiphishing.org)

The website belongs to APWG which is an anti-phishing working group, you can report the phishing email to reportphishing@apwg.org  for further analysis.

• Report a phishing page - ESET

The website belongs to ESET group to report phishing abuse.

• Where to report scams | USAGov

 The website belongs to the USA government for reporting different types of phishing abuse.

• Internet Crime Complaint Center(IC3) | File a Complaint

The website is used to report internet crime such as phishing, ransomware, corporate data breaches and others.

• gov: econsumer - Report international scams online!

The website is used to report different types of scams or fraud such as Jobs and Making Money, Travel and Vacations, Lottery, Sweepstakes, or Prize Scams, Online Shopping/Internet Services/Computer Equipment and others.

• Phishing Initiative (phishing-initiative.eu)

Phishing Initiative helps fight against phishing attacks.

When you report the address of a suspected phishing website, the emails will be analyzed it and blocked if the address is malicious one.

• Phishing takedowns, faster - phish.report

By reporting the URL or domain, they will analyze  and it takedown if it is malicious.

In conclusion, the social engineering attack is easy to perform but the impact can be very devastating. Reporting the attack will save many people. So, it is crucial to report the attack as soon as possible to lessen the impact and stop it.

A typosquatting attack is a type of attack where the threat actor mimics a legitimate domain to target the victims. In this type of attack, the threat actor looks for the target domain that he and she want to target and alter the domain. The attack is one of the most successful attacks technics used by the threat actors. The attack is very difficult to detect as most of the users will consider it as a legitimate domain. However, the attack can be detected by implementing some countermeasures.

One of the most used tool to generate a typosquattitng domain is dnstwister | The anti-phishing domain name search engine and DNS monitoring service, the tool can help you  generate domains or find the domains that can be used to mimic your domain.

Types of typosquatting:

Combosquatting

The attacker adds a word to the legitimate domain to trick the users to click on it. Example:

The legitimate domain facebook.com will be altered to helps-facebook.com.

Bitsquatting

The attacker changes one or more bits of the legitimate domain to trick the user. Example:

Facebook.com will become fasebook.com

Soundsquatting

The attacker uses the technic calls “Homophones” to trick the user. Example”

Fare.com will become faire.com

Levelsquatting

The attacker uses the legitimate domain, follow by the phishing domain. Example:

Facebook.com will become facebook.com.ghdhwhj.com

Homographing

The attacker uses the technic calls homoglyph by changing one character from the legitimate domain. For example:

Faceboo.com will become fäcebook.com (the “a” changed to ä)

You can use the homoglyph generator to alter any domain you wish (Homoglyph Attack Generator and Punycode Converter (irongeek.com))

Typosquatting detection and protection:

• Security awareness and training
• User tool like dnstwister | The anti-phishing domain name search engine and DNS monitoring service or  Recorded Future: Securing Our World With Intelligence  to find the domain mimicking your brand
• Block all domains mimicking your brands
• Performing DNS lookup to verify the domain owner

In conclusion, the typosquatting is a type of attack that alter the legitimate domain to target the users. The attack is very difficult to detect but by combining different methods and technics, the users can be protected.

 

URLSCAN is used to perform different types of web scans and to analyze different IOCs such as IP address, domains, Hashes, filenames, and others.

URLSCAN is a tool used by different security teams such as Security Analyst, Cyber Threat Intelligence, Threat Hunting, Incident response team, and others.

Below, you can download the pdf document that will show you how to use the tool.

How to use URLSCAN

You can also find the articles related to the topic

How to use URLSCAN part1 – osintafrica