Sunday 4 October 2015

New Feature- Monitoring Infrastructure with ThreatCrowd RSS feeds

Today I've added RSS feeds to ThreatCrowd. These provide a simple way for monitoring attacker infrastructure.

For example - say your organisation has a significant footprint in Russia. You may be interested in attacks referred by ESET as "Roaming Tiger".

You can now monitor infrastructure of attackers using RSS feeds, for example-


This provides you with a simple way of monitoring when an attacker

  • Registers a new domain
  • Points a new domain at a server
  • A new malware sample is uploaded to an online sandbox

The power here is that you can combine multiple RSS feeds into a single RSS feed per actor to get a clean feed of activity. For example this feed combines the three above-


Two caveats here are that:

  • Exp/20120158-A is used by multiple groups
  • As with any online research, consider the OPSEC implications. I wouldn't recommend using an online tool such as RSSmix for this





Sunday 5 July 2015

The Search Engine for Threats now supports Search

The tagline for ThreatCrowd is "The search engine for threats". Whilst it's great to see some people start to use this to describe the site, until now the search function has been sorely lacking.

Today I'm happy to release the first version of a real search function. Rather than just searching for artefacts such as domains or IP addresses, you can now search for more general terms such as organisation names.

An example
Below is a search for tibet - a theme commonly employed in targeted attacks.




There are a number of results here. The first, tibet.my03[.]com, is referenced as associated with a malware report, malware and is a dynamic domain (often employed by malware).
You may be wondering why this result came first.

Results are ranked by a number of factors, such an obvious PageRank/TrustRank style "number of hops from known bad" but also by a number of crafted rules. You can expect the see the ranking of results fluctuate as alternate ranking functions ate tested.

What next?
The implementation of a search function means ThreatCrowd has finally met the initial roadmap of core functions. Development now will be on incremental improvements to the interface to make research easier, and increasing the scope of data.

If you've got any thoughts on how to improve ThreatCrowd, or just general comments - I'd love to hear them.



Tuesday 19 May 2015

Example Threat: Naikon

Kaspersky recently released a detailed report on a group known for some time as "Naikon" ( https://securelist.com/analysis/publications/69953/the-naikon-apt/  ), and likely shares some correlations with the more recently described APT30 ( https://blog.kaspersky.com/naikon-apt-south-china-sea/ ).



You can browse some of the infrastructure within ThreatCrowd below:

https://www.threatcrowd.org/domain.php?domain=linda.googlenow.in
https://www.threatcrowd.org/domain.php?domain=admin0805.gnway.net
https://www.threatcrowd.org/domain.php?domain=free.googlenow.in
https://www.threatcrowd.org/domain.php?domain=frankhere.oicp.net
https://www.threatcrowd.org/domain.php?domain=frankhere.oicp.net
https://www.threatcrowd.org/domain.php?domain=telcom.dhtu.info
https://www.threatcrowd.org/domain.php?domain=laotel08.vicp.net
https://www.threatcrowd.org/domain.php?domain=greensky27.vicp.net
https://www.threatcrowd.org/domain.php?domain=googlemm.vicp.net
https://www.threatcrowd.org/domain.php?domain=googlemm.vicp.net
https://www.threatcrowd.org/domain.php?domain=peacesyou.imwork.net
https://www.threatcrowd.org/domain.php?domain=sayakyaw.xicp.net
https://www.threatcrowd.org/domain.php?domain=ubaoyouxiang.gicp.net
https://www.threatcrowd.org/domain.php?domain=htkg009.gicp.net
https://www.threatcrowd.org/domain.php?domain=kyawthumyin.xicp.net
https://www.threatcrowd.org/domain.php?domain=myanmartech.vicp.net
https://www.threatcrowd.org/domain.php?domain=test-user123.vicp.cc
https://www.threatcrowd.org/domain.php?domain=us.googlereader.pw
https://www.threatcrowd.org/domain.php?domain=net.googlereader.pw
https://www.threatcrowd.org/domain.php?domain=lovethai.vicp.net
https://www.threatcrowd.org/domain.php?domain=yahoo.goodns.in
https://www.threatcrowd.org/domain.php?domain=xl.findmy.pw
https://www.threatcrowd.org/domain.php?domain=xl.kevins.pw
https://www.threatcrowd.org/domain.php?domain=oraydns.googlesec.pw
https://www.threatcrowd.org/domain.php?domain=gov.yahoomail.pw
https://www.threatcrowd.org/domain.php?domain=pp.googledata.pw
https://www.threatcrowd.org/domain.php?domain=xl.findmy.pw
https://www.threatcrowd.org/domain.php?domain=mlfjcjssl.gicp.net
https://www.threatcrowd.org/domain.php?domain=o.wm.ggpw.pw
https://www.threatcrowd.org/domain.php?domain=oooppp.findmy.pw
https://www.threatcrowd.org/domain.php?domain=cipta.kevins.pw
https://www.threatcrowd.org/domain.php?domain=phi.yahoomail.pw
https://www.threatcrowd.org/domain.php?domain=xl.findmy.pw
https://www.threatcrowd.org/domain.php?domain=dd.googleoffice.in
https://www.threatcrowd.org/domain.php?domain=moziliafirefox.wicp.net
https://www.threatcrowd.org/domain.php?domain=bkav.imshop.in
https://www.threatcrowd.org/domain.php?domain=baomoi.coyo.eu
https://www.threatcrowd.org/domain.php?domain=macstore.vicp.cc
https://www.threatcrowd.org/domain.php?domain=downloadwindows.imwork.net
https://www.threatcrowd.org/domain.php?domain=vietkey.xicp.net
https://www.threatcrowd.org/domain.php?domain=baomoi.vicp.cc
https://www.threatcrowd.org/domain.php?domain=downloadwindow.imwork.net
https://www.threatcrowd.org/domain.php?domain=www.ttxvn.net
https://www.threatcrowd.org/domain.php?domain=vietlex.gnway.net
https://www.threatcrowd.org/domain.php?domain=www.ttxvn.net
https://www.threatcrowd.org/domain.php?domain=us.googlereader.pw
https://www.threatcrowd.org/domain.php?domain=yahoo.goodns.in
https://www.threatcrowd.org/domain.php?domain=lovethai.vicp.net
https://www.threatcrowd.org/domain.php?domain=vietlex.gnway.net

Example Threat: Cmstar

PaloAlto recently published an article (http://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin/ ) detailing a downloader they name "Cmstar" used to download the well known Enfal malware.



Below are links to browse some of this infrastructure within ThreatCrowd:






Thursday 16 April 2015

Example Threat: Hellsing

Kaspersky recently released an article "The Chronicles of the Hellsing APT: the Empire Strikes Back" ( https://securelist.com/analysis/publications/69567/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/ ) detailing the activities of groups they refer to as Naikon and Hellsing.




Below is a link to browse through some of the Hellsing artefacts on ThreatCrowd:




Wednesday 15 April 2015

Tuesday 14 April 2015

Investigating threats with ThreatCrowd - Tutorial

About
This post is a brief tutorial showing how to use ThreatCrowd to quickly find and pivot on threats, and how it can fit in with other tools.


Lets look at some Spearphishes
This table lists some of the malware listed in ThreatCrowd with a .doc or .pdf extension.



These serve as a good place to start looking for interesting themes.

Lets take a look at the potentially interesting sounding file "Secret nuclear reactor deal for Pakistan.doc" at https://www.threatcrowd.org/malware.php?md5=dabca84ea12d60418a652300727f1f00




This refers us to the malwr.com sandbox report https://malwr.com/analysis/MDA3OWVmODg0YzUyNDczZThjOGYzYjhlMWMzMDI0ODc/ . This is worth viewing for the detail - ThreatCrowd is designed to quickly find related entities like a search engine, and lacks the actual detailed information that is found on sites like malwr.com.



Here I've right clicked on the domain "alerymymail[.]com" to pivot. I could also zoom in by scrolling with the mouse.

The page for the domain looks like this:



At this point we could pivot through on domains, ip addresses, malware detections and whois data.

Further Tools
Sites such as Passive Total (https://www.passivetotal.org) and VirusTotal (https://www.virustotal.com/en/documentation/private-api/) can be used to add identify further information.
Tools such as Maltego (https://www.paterva.com/web6/) can be used to build graphs of this activity - ThreatCrowd will only allow you to view it.




Saturday 28 March 2015

Tutorial & FAQ

A full tutorial is coming soon - please check back shortly

About
ThreatCrowd is a system for finding and researching artefacts relating to cyber threats.

Tutorial
You can view a short tutorial at http://threatcrowd.blogspot.co.uk/2015/04/investigating-threats-with-threatcrowd.html

Interface


Right click items on the graph to pivot.
Zoom zoom in-and-out with the mouse wheel

Maltego
Please click here for a brief video tutorial on using the ThreatCrowd Maltego transforms

Operational Security
As with any other tool, please do not post any confidential information to ThreatCrowd and consider if your actions may be noticed by threats.

Data
Without the data ThreatCrowd would be an empty shell. Data is crawled from a number of sites, and a particular thanks goes to the VirusTotal Public API , Malwr.com , and a host of other sites that information is crawled from.

If you would like any data removed, please email threatcrowd@gmail.com / ban the ThreatCrowd user agent (recently updated) / update robots.txt.

Contact
If you have any suggestions or queries, please contact me at either @chrisdoman or threatcrowd@gmail.com