John Hammond YouTube channel is full of neat stuff, from CTF solutions to real malware analysis. Recently, he did an analysis of an email with an HTML attachment which presented as a fake Microsoft login page. When a victim enters creds, the page would send them to www.hurleyauctions[.]us, and redirect the user to an actual Microsoft Outlook site. John looked at bit at the registration information on the domain, but I wanted to dive a bit deeper, specifically using RiskIQ and Maltego.
For Background, here’s John’s video:
Going beyond what John looked into, I’ll introduce two tools.
When I worked in a threat-intel shop, RiskIQ was one of my favorite data sources / tools to use. They pull together all kinds of information, but the two parts I found most useful were the domain registration information and the passive DNS data. Passive DNS is data collected from across the internet showing DNS requests and responses. It can serve as a good history for what kinds of activity occurred on a domain / IP.
The free account is significantly limited vs what I used to have with an enterprise license, but it still does some good stuff.
Maltego is a tool for producing graphs. The power comes in the transforms. They connect to different data source APIs and make connections for you. Let’s say you have ten related domain names. You can select them all, and then use the PassiveTotal (RiskIQ) Get Passive DNS with Time transform, and it will query RiskIQ, get all the DNS resolutions for each of the ten domains, as well as the first and last seen dates, and put those nodes onto the graphs with arrows from the domains to each IP they resolve to. It’s incredibly powerful for quickly pivoting using many different data sources.
It’s relatively inexpensive for a corporate tool (still not something I’m going to buy on my own), and there’s a free version that limits how many nodes can add to a graph and how many results can come back from a single transform.
On finding the domain www.hurleyauctions[.]us, Jonh looked at the WhoIs information and noted that it had a “real” information (as opposed to privacy shielded):
$ whois hurleyauctions.us Domain Name: hurleyauctions.us Registry Domain ID: D1E32ACF651C44F3C828FC9111A6EEDEF-NSR Registrar WHOIS Server: whois.namecheap.com Registrar URL: http://www.namecheap.com Updated Date: 2021-07-06T12:09:58Z Creation Date: 2021-07-01T12:09:53Z Registry Expiry Date: 2022-07-01T12:09:53Z Registrar: NameCheap, Inc. Registrar IANA ID: 1068 Registrar Abuse Contact Email: email@example.com Registrar Abuse Contact Phone: +1.6613102107 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Registry Registrant ID: C248C372558784C4D9CF845CE1D4F0422-NSR Registrant Name: Karen Abrams Registrant Organization: Registrant Street: 10755 Ve10755 Venice Blvd Registrant Street: Registrant Street: Registrant City: Los Angeles Registrant State/Province: NY Registrant Postal Code: 90034 Registrant Country: US Registrant Phone: +1.3109454167 Registrant Phone Ext: Registrant Fax: Registrant Fax Ext: Registrant Email: firstname.lastname@example.org Registrant Application Purpose: P1 Registrant Nexus Category: C11 Registry Admin ID: C336A6E3274E148B9825D5ADB91069FD0-NSR Admin Name: Karen Abrams Admin Organization: Admin Street: 10755 Ve10755 Venice Blvd Admin Street: Admin Street: Admin City: Los Angeles Admin State/Province: NY Admin Postal Code: 90034 Admin Country: US Admin Phone: +1.3109454167 Admin Phone Ext: Admin Fax: Admin Fax Ext: Admin Email: email@example.com Registry Tech ID: CD20F8910EB1F43CC8A4789C1C6D095F8-NSR Tech Name: Karen Abrams Tech Organization: Tech Street: 10755 Ve10755 Venice Blvd Tech Street: Tech Street: Tech City: Los Angeles Tech State/Province: NY Tech Postal Code: 90034 Tech Country: US Tech Phone: +1.3109454167 Tech Phone Ext: Tech Fax: Tech Fax Ext: Tech Email: firstname.lastname@example.org Name Server: dns1.registrar-servers.com Name Server: dns2.registrar-servers.com DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
The name Karen Abrams, and the email
email@example.com are interesting. There’s an address there, though with some typos in it. If I assume that’s 10755 Venice Blvd, Google Street View takes me here:
Looks like it belongs to RLD Inc, and also that, at the time of the picture, the building may have been for lease? Regardless, pretty high chance that address isn’t real. There’s a phone number as well, 310-945-4176, which is a California area code.
Dropping that domain into RiskIQ, it provides a bunch of tabs with information. The “Resolutions” tab show a history of the passive DNS data associated with the domain:
In the free version, there’s almost certainly a limit on how far it goes back. In previous jobs where I had a paid subscription, it went back for years.
That is the IP that John noticed in the video. Clicking on it gives three domains that have resolved to that IP:
Interestingly, more subdomains of hurleyauctions[.]us.
Going back to the page for www.hurleyauctions[.]us, the “WhoIs” tab has similar information to what I pulled above:
But here is where the fun starts, and where I can go beyond what John looked at in the video. Clicking on the email address, it brings up other domains registered by that address:
Three of them have been tagged as Phishing and Blocklist, which is interesting.
From here, I can start to build a list of suspected indicators associated with this threat actor, including domains, IPs, and emails.
At this point, it’s time to drop this domain into Maltego. I recorded this as a YouTube video:
At the end, I have this nice graph of activity and associated indicators:
That’s nine new domains, their IPs, and some associated malware samples.