Advanced Footprinting with Maltego (Part V)

To conclude this series of posts on Maltego, let´s see how we can use it to investigate several possible threats and their underlying infrastructure.

Using Maltego to investigate Indicators of Compromise (IoC)

One of the latest trends in the cybercrime arena is the use of DNSpionage. Imagine you fell victim to such an attack last year. Upon analysis, you have identified two strange domains:

  • hr-wipro.com
  • 0ffice36o.com

Investigating suspicious domains with Maltego

Let’s investigate the first one to see what’s going on:

Using PassiveTotal’s (PT) “Get Passive DNS” and VirusTotal’s (VT) “Domain Resolutions” transforms, Maltego identifies five IP addresses associated with the domain, two of them returned by both transforms.

IP address resolution

Next, the “Detected URLs” transform (from VT) returns eight URLs either because they were detected by a vendor’s URL scanner or because they are listed in some InfoSec community blocklist.

URLs hosted in the hr-wipro.com domain

Selecting each of these URLs will give access to a report where you can see why the URL is listed.

Maltego listing a report on a suspicious URL

And this is the report:

Virus Total report for the selected URL

Now you can check for the existence of subdomains (VT), their IP addresses and URLs.

Subdomains and IP address

Are there any malware samples associated with this domain? Was the domain tagged?

If we run the PT Get Malware and the Get Tags transforms, we will get some answers; 3 malware SHA-256 hashes, a DNSpionage tag and a Maltego phrase: Emerging Threats: Proofpoint.

If we run HybridAnalysis on the domain we will get an additional hash.

Malware samples and tags for the domain

How are the domains classified? Are any reports available for the URLs?

The PT Get Classification transform will tell us the URLs are suspicious and the VT Check URL Report will give access to any available vendor reports.

Domain classification and URL reports

At any time, you can also run the ThreatMiner transforms that will give you pretty much the same info with some extra details.

Link to ThreatMiner report

In the report you can see the legitimate domain the malware was trying to mimic.

ThreatMiner report

Following a similar approach for 0ffice36o.com, I got these results after investigating a bit further on one of the hashes using ThreatMiner transforms:

  • Malware to Filename
  • Malware to Other Hashes
  • Malware to Hosts

image

Investigating malware samples with Maltego

A few months ago, a new wave of attacks plagued the Internet with an updated version of trojan previously named BondUpdater.

It was a spearfishing campaign spreading a malicious Word document containing a macro that would attempt to install the trojan.

Using Maltego to research the SHA256 hash of the file, this is what I got:

  • ThreatMiner provide links to full reports on the malware, links to related hashes, to several vendors who have detected the malware and reports on the malware variants.
  • VirusTotal corroborated this information and added their own links to other reports.

Researching the BondUpdater hash

Quite recently, the same threat actor was involved in a similar attack. Using only VirusTotal I created this simple graph just to show something else; sometimes different vendors give completely different names to the same malware. It would be very confusing if we had just a partial view of the big picture. But Maltego compiles everything for us so we know that in the end all these names refer exactly to the same thing:

Researching Turla malware


Exporting Maltego results

Remember what we did in recon-ng to gather network infrastructure information? Well, we can do something similar in Maltego:

Subdomain researching in Maltego CE

But how are we going to use this information?

We will have to export it to a useable format, like CSV.

In order to do that, all we have to do is go to the Import | Export tab and select Export Graph as Table

Exporting Maltego information

Now all we have to do is select the desired format.

Exporting Maltego information


Final conclusions:

  • Maltego is a wonderful tool, but the CE edition is very limited.
  • Get as many APIs as you can, otherwise the results will be very poor.
  • Pay attention to the limitations enforced on the free APIs
  • Keep in mind that you will get a lot more results using other tools, like Recon-ng


Next post: Advanced Reconnaissance with theHarvester

2 comments:

Shayzee said...

Hello Everyone !

USA SSN Leads/Fullz available, along with Driving License/ID Number with good connectivity.

All SSN's are Tested & Verified.

**DETAILS IN LEADS/FULLZ**

->FULL NAME
->SSN
->DATE OF BIRTH
->DRIVING LICENSE NUMBER
->ADDRESS WITH ZIP
->PHONE NUMBER, EMAIL
->EMPLOYEE DETAILS

*Price for SSN lead $2
*You can ask for sample before any deal
*If you buy in bulk, will give you discount
*Sampling is just for serious buyers

->Hope for the long term business
->You can buy for your specific states too

**Contact 24/7**

Whatsapp > +923172721122

Email > leads.sellers1212@gmail.com

Telegram > @leadsupplier

ICQ > 752822040

Anonymous said...

TESTIMONY ON HOW I GOT MY LOAN AMOUNT FROM A RELIABLE AND TRUSTED LOAN COMPANY LAST WEEK. Email for immediate response drbenjaminfinance@gmail.com

Hello everyone, My name is Mrs. Carolin Glowski, I'm from Europe, am here to testify of how i got my loan from BENJAMIN LOAN FINANCE after i applied Two times from various loan lenders who claimed to be lenders right here this forum, i thought their lending where real and i applied but they never gave me loan until a friend of mine introduce me to {Dr. Benjamin Scarlet Owen} the C.E.O of BENJAMIN LOAN FINANCE who promised to help me with a loan of my desire and he really did as he promised without any form of delay, I never thought there are still reliable loan lenders until i met {Dr. Benjamin Scarlet Owen} who really helped me with my loan and changed my life for the better. I don't know if you are in need of an urgent loan also, So feel free to contact Dr. Benjamin Scarlet Owen on his email address drbenjaminfinance@gmail.com


THANKS