To conclude this series of posts on Maltego, let's see how we can use it to investigate several possible threats and their underlying infrastructure.
Using Maltego to investigate Indicators of Compromise (IoC)
One of the latest trends in the cybercrime arena is the use of DNSpionage. Imagine you fell victim to such an attack last year. Upon analysis, you have identified two strange domains:
- hr-wipro.com
- 0ffice36o.com
Investigating suspicious domains with Maltego
Let’s investigate the first one to see what’s going on:
Using PassiveTotal’s (PT) “Get Passive DNS” and VirusTotal’s (VT) “Domain Resolutions” transforms, Maltego identifies five IP addresses associated with the domain, two of them returned by both transforms.
Next, the “Detected URLs” transform (from VT) returns eight URLs either because they were detected by a vendor’s URL scanner or because they are listed in some InfoSec community blocklist.
Selecting each of these URLs will give access to a report where you can see why the URL is listed.
And this is the report:
Now you can check for the existence of subdomains (VT), their IP addresses and URLs.
Are there any malware samples associated with this domain? Was the domain tagged?
If we run the PT Get Malware and Get Tags transforms, we get some answers: 3 malware SHA-256 hashes, a DNSpionage tag and a Maltego phrase, "Emerging Threats: Proofpoint".
If we run HybridAnalysis on the domain we will get an additional hash.
How are the domains classified? Are any reports available for the URLs?
The PT Get Classification transform will tell us the URLs are suspicious and the VT Check URL Report will give access to any available vendor reports.
At any time, you can also run the ThreatMiner transforms that will give you pretty much the same info with some extra details.
In the report you can see the legitimate domain the malware was trying to mimic.
Following a similar approach for 0ffice36o.com, I got these results after investigating a bit further on one of the hashes using ThreatMiner transforms:
- Malware to Filename
- Malware to Other Hashes
- Malware to Hosts
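The steps above boil down to two things an analyst does by hand in the graph: merging the resolutions several sources return for a domain (and noting which IPs more than one source agrees on), and spotting the legitimate brand a suspicious domain imitates. The following Python is an added example, not Maltego, PassiveTotal or VirusTotal code. The two result dictionaries are constructed to mirror the post (five IPs for hr-wipro.com, two returned by both sources), the IPs are RFC 5737 documentation addresses, and the brand keyword list is an assumption.

```python
"""Cross-source correlation of the domain enrichment the post walks through.

Added example (not Maltego, PassiveTotal or VirusTotal code). The result
dictionaries are constructed; the shape is an assumption, not the real
transform output.
"""
from collections import defaultdict

# Constructed stand-ins for the PT "Get Passive DNS" and VT "Domain
# Resolutions" transform output.
PT_PASSIVE_DNS = {
    "hr-wipro.com": ["192.0.2.10", "192.0.2.11", "198.51.100.5"],
}
VT_RESOLUTIONS = {
    "hr-wipro.com": ["192.0.2.10", "198.51.100.5", "203.0.113.7", "203.0.113.8"],
}

# Assumed watchlist of brand keywords whose lookalikes we want flagged.
BRAND_KEYWORDS = ["wipro", "office"]

# Digits commonly swapped for letters in lookalike domains (0ffice36o.com).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def merge_resolutions(domain, *sources):
    """Union the IPs each (name, results) source reports for `domain`,
    remembering which sources reported each IP."""
    seen = defaultdict(set)
    for name, results in sources:
        for ip in results.get(domain, []):
            seen[ip].add(name)
    return {ip: sorted(names) for ip, names in seen.items()}


def corroborated(merged, min_sources=2):
    """IPs that at least `min_sources` independent sources agree on."""
    return sorted(ip for ip, names in merged.items() if len(names) >= min_sources)


def lookalike_of(domain, keywords=BRAND_KEYWORDS):
    """Return the watched brand keyword a domain imitates, or None.

    Only the registrable label (just left of the TLD) is checked, so a real
    subdomain such as hr.example.com is not flagged, while a hyphenated or
    homoglyph variant of the brand label is."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    label = labels[-2].translate(HOMOGLYPHS)
    for keyword in keywords:
        if keyword in label and label != keyword:
            return keyword
    return None


def investigate(domain):
    """Assemble the per-domain summary an analyst would pivot from."""
    merged = merge_resolutions(domain, ("PT", PT_PASSIVE_DNS), ("VT", VT_RESOLUTIONS))
    return {
        "domain": domain,
        "resolutions": merged,
        "corroborated_ips": corroborated(merged),
        "lookalike_of": lookalike_of(domain),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(investigate("hr-wipro.com"), indent=2))
    print(lookalike_of("0ffice36o.com"))
```

IPs reported by two independent sources are the ones worth prioritising for a blocklist or a retrospective log search; single-source IPs are kept but marked, since passive DNS history often includes shared hosting that predates the malicious use.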
Investigating malware samples with Maltego
A few months ago, a new wave of attacks hit the Internet with an updated version of a trojan previously named BondUpdater.
It was a spear-phishing campaign spreading a malicious Word document containing a macro that would attempt to install the trojan.
Using Maltego to research the SHA256 hash of the file, this is what I got:
- ThreatMiner provides links to full reports on the malware, to related hashes, to the vendors that have detected the malware and to reports on the malware variants.
- VirusTotal corroborated this information and added their own links to other reports.
Quite recently, the same threat actor was involved in a similar attack. Using only VirusTotal, I created this simple graph to show something else: different vendors sometimes give completely different names to the same malware. With only a partial view of the big picture that would be very confusing, but Maltego compiles everything for us, so we can see that in the end all these names refer to exactly the same thing:
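The naming mismatch above is something you can also reconcile in code once the graph is exported: strip the platform and category words from each vendor label and let the remaining family tokens vote. The Python below is an added example, not VirusTotal or Maltego code. The detection list is constructed, the SHA-256 is a placeholder and the vendor names are fictitious; only the BondUpdater family name comes from the post.

```python
"""Reconcile the different names vendors give the same sample.

Added example, not VirusTotal or Maltego code. DETECTIONS is constructed.
"""
import re
from collections import Counter, defaultdict

# Tokens that describe a category or platform rather than a family, so they
# must not win the "consensus family" vote. Extend to taste.
GENERIC = {
    "trojan", "generic", "malware", "mal", "heur", "gen", "variant", "agent",
    "downloader", "dropper", "win32", "win64", "msil", "w97m", "o97m", "vba",
    "macro", "doc", "suspicious", "malicious", "risk", "backdoor",
}

SHA256 = "SAMPLE_SHA256_PLACEHOLDER"  # constructed placeholder, not a real hash
DETECTIONS = [  # (sha256, vendor, label): constructed sample data
    (SHA256, "VendorA", "Trojan.BondUpdater.Gen"),
    (SHA256, "VendorB", "W97M/Downloader.agent"),
    (SHA256, "VendorC", "Trojan:Win32/BondUpdater.A"),
    (SHA256, "VendorD", "HEUR:Trojan.MSOffice.Generic"),
    (SHA256, "VendorE", "Mal/BondUpdater-B"),
]


def family_tokens(label):
    """Split a vendor label into candidate family-name tokens."""
    tokens = re.split(r"[^a-z0-9]+", label.lower())
    return [t for t in tokens if len(t) >= 3 and t not in GENERIC]


def family_consensus(detections):
    """For each hash, pick the family token the most vendors agree on.

    Returns {sha256: (family or None, vendors_agreeing, vendors_total)}."""
    votes = defaultdict(Counter)
    vendors = defaultdict(set)
    for sha256, vendor, label in detections:
        vendors[sha256].add(vendor)
        # Each vendor votes once per token, even if its label repeats it.
        for token in set(family_tokens(label)):
            votes[sha256][token] += 1
    result = {}
    for sha256, names in vendors.items():
        if votes[sha256]:
            family, count = votes[sha256].most_common(1)[0]
        else:
            family, count = None, 0
        result[sha256] = (family, count, len(names))
    return result


if __name__ == "__main__":
    for sha256, (family, agree, total) in family_consensus(DETECTIONS).items():
        print(f"{sha256}: {family} ({agree}/{total} vendors)")
```

A sample whose labels are all generic ("Downloader.agent", "Generic") gets no family at all rather than a misleading one, which is the signal to pivot on related hashes and hosts instead of the name.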
Exporting Maltego results
Remember what we did in recon-ng to gather network infrastructure information? Well, we can do something similar in Maltego:
But how are we going to use this information?
We will have to export it to a usable format, like CSV.
To do that, go to the Import | Export tab and select Export Graph as Table.
Now all we have to do is select the desired format.
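Once the graph is a CSV, the next step is usually to turn it into typed, validated IoC lists that a blocklist, SIEM query or ticket can consume. The Python below is an added example, not Maltego's own code. The CSV text is constructed, and both its column headers and the maltego.* entity type names are assumptions about the export layout; check them against a real export before relying on it.

```python
"""Turn a Maltego "Export Graph as Table" CSV into validated, typed IoC sets.

Added example, not Maltego's own code. SAMPLE_CSV is constructed; the column
headers and entity type names are assumptions about the export layout.
"""
import csv
import io
import ipaddress
import json
import re
from collections import defaultdict
from urllib.parse import urlparse

SAMPLE_CSV = """Entity Type,Entity Value
maltego.Domain,hr-wipro.com
maltego.Domain,0ffice36o.com
maltego.Domain,not a domain
maltego.IPv4Address,192.0.2.10
maltego.IPv4Address,999.1.1.1
maltego.Hash,deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
maltego.Hash,xyz123
maltego.URL,http://hr-wipro.com/login
maltego.Phrase,Emerging Threats: Proofpoint
"""

DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.[a-z0-9-]{1,63})+$")
HASH_RE = re.compile(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}")  # MD5/SHA-1/SHA-256


def valid_domain(value):
    return bool(DOMAIN_RE.match(value.lower()))


def valid_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def valid_hash(value):
    return bool(HASH_RE.fullmatch(value.lower()))


def valid_url(value):
    parsed = urlparse(value)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


# Entity type (assumed name) -> (output bucket, validator).
ENTITY_TYPES = {
    "maltego.Domain": ("domains", valid_domain),
    "maltego.IPv4Address": ("ipv4", valid_ipv4),
    "maltego.Hash": ("hashes", valid_hash),
    "maltego.URL": ("urls", valid_url),
}


def load_iocs(csv_text):
    """Return ({bucket: sorted values}, [(type, value, reason) rejected])."""
    iocs = defaultdict(set)
    rejected = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        etype = row["Entity Type"].strip()
        value = row["Entity Value"].strip()
        if etype not in ENTITY_TYPES:
            rejected.append((etype, value, "not an IoC type"))
            continue
        bucket, check = ENTITY_TYPES[etype]
        if not check(value):
            rejected.append((etype, value, "failed validation"))
            continue
        # URLs are case-sensitive in the path; everything else is normalised.
        iocs[bucket].add(value if bucket == "urls" else value.lower())
    return {bucket: sorted(values) for bucket, values in iocs.items()}, rejected


def to_json(csv_text):
    iocs, rejected = load_iocs(csv_text)
    return json.dumps({"iocs": iocs, "rejected": rejected}, indent=2)


if __name__ == "__main__":
    print(to_json(SAMPLE_CSV))
```

Rejecting malformed values before they reach a blocklist matters more than it looks: a single bad entry can make a firewall or SIEM import fail, or worse, silently match nothing. The phrase entity is kept in the rejected list on purpose, so context such as the Proofpoint tag is not lost, just kept out of the machine-readable feed.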
Final conclusions:
- Maltego is a wonderful tool, but the CE edition is very limited.
- Get as many APIs as you can, otherwise the results will be very poor.
- Pay attention to the limitations enforced on the free APIs.
- Keep in mind that you will get a lot more results using other tools, like Recon-ng.
Next post: Advanced Reconnaissance with theHarvester