TL;DR
I wrote a script which takes a domain, IP or email address as input and searches for it in various services: Whois, reverse Whois, historical Whois, VirusTotal, ThreatCrowd and others. Everything is logged to Elasticsearch and JSON files. Additionally, at the end it creates a graph that illustrates all of the connections between the resources.
https://github.com/woj-ciech/Danger-zone
Introduction
I showed how to collect malware samples, analyze them and get command and control servers; now it's time to go deeper.
There are many cases when you need to map the infrastructure used in an attack based only on one email address or a single domain. It's tedious work to check everything manually and then connect the dots. Visualizing helps you get the full picture of the attacker's network, and then you can go deeper to track as many leads as you can. Every piece of information may be valuable for tracking the identity of the threat actor, so if we are able to search for it in multiple sources there is a better chance of getting more useful info. In addition, connecting all of these sources and making connections between the gathered data allows you to fully understand what you are dealing with.
"printed sticky notes glued on board" by Daria Nepriakhina on Unsplash
Danger Zone
Kudos to Archer fans
When tracking malicious behavior on the Internet, lots of tools are used, and the main goal of Danger Zone is to connect them into one, give you easily readable output, visualize it as a graph and store the rest of the data in Elasticsearch and JSON files.
I tried to use as many free-of-charge services as possible, in classic OSINT style, and the good news is that you need only two API keys to use the tool. The first is Whoxy, which gives you free credits after registration, and the second is the well-known VirusTotal (the free version allows only 4 requests per minute). The rest of the services are totally free, like Trumail for email validation, Extreme IP for IP geolocation or Username Check for checking the presence of a username on social media sites.
The script goes only 2-3 levels down and shows the 3 newest results, just to give you insight, for example into what is actually hosted on that IP, but all results are saved for further review. It can be used for small-scale investigations or as part of bigger ones. Personally, I used it in three investigations, which I will show you next.
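As an added illustration of the pivoting described above (this is not the Danger Zone code itself), the following Python sketch models the same behavior on a constructed, offline dataset: breadth-first expansion from a seed for a limited number of levels, only the three newest hits per lookup drawn as graph edges, every raw result kept and written out as per-resource JSON, and the edges rendered as Graphviz DOT. The lookup table, names and IP addresses are made-up stand-ins for the online modules.

```python
"""Added example, not the Danger Zone code: an offline model of the pivoting the
post describes, with the depth limit, newest-3 console cut and full JSON retention."""
import json
from pathlib import Path

# Constructed stand-in for the live modules (reverse whois, passive DNS, hosting).
# Each hit is (linked resource, kind, first seen); all values are made up.
FAKE_LOOKUPS = {
    "admin@example.net": [("example.top", "domain", "2018-03-01"),
                          ("example.biz", "domain", "2017-11-20"),
                          ("example.com", "domain", "2016-05-05"),
                          ("old.example.org", "domain", "2012-01-01")],
    "example.top": [("203.0.113.10", "ip", "2018-03-02")],
    "example.biz": [("203.0.113.10", "ip", "2017-11-21")],
    "example.com": [("198.51.100.7", "ip", "2016-05-06")],
    "203.0.113.10": [("unrelated-shop.example", "domain", "2019-02-02"),
                     ("example.top", "domain", "2018-03-02"),
                     ("example.biz", "domain", "2017-11-21")],
}

def pivot(seed, max_depth=3, top_n=3):
    """Breadth-first expansion from the seed, at most max_depth hops out.
    Only the top_n newest hits per lookup become graph edges (what the console
    shows); every raw result is kept in `raw` for later review."""
    edges, raw = [], {}
    visited, frontier = {seed}, [seed]
    for _ in range(max_depth):
        next_frontier = []
        for res in frontier:
            hits = FAKE_LOOKUPS.get(res, [])  # a real module would query the service
            raw[res] = hits
            newest = sorted(hits, key=lambda h: h[2], reverse=True)[:top_n]
            for linked, _kind, _seen in newest:
                edges.append((res, linked))  # outermost hop: co-hosted, possibly unrelated
                if linked not in visited:
                    visited.add(linked)
                    next_frontier.append(linked)
        frontier = next_frontier
    return edges, raw

def dump_json(raw, out_dir):
    """One JSON file per checked resource, mirroring the tool's per-resource output."""
    Path(out_dir).mkdir(parents=True, exist_ok=True)
    for res, hits in raw.items():
        Path(out_dir, res.replace("@", "_at_") + ".json").write_text(json.dumps(hits))

def to_dot(edges):
    """Graphviz DOT rendering of the collected edges, for drawing the graph."""
    return "\n".join(["digraph infra {"] + [f'  "{a}" -> "{b}";' for a, b in edges] + ["}"])
```

The fourth, oldest domain linked to the seed never becomes an edge but is still present in the retained raw results, which is exactly the split between console view and saved data that the tool makes.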
Pedophile network
The idea for this kind of tool started when I came across this disgusting paste:
Someone was sharing CP and left his email for "support". I wondered how much useful information could be gathered to track his identity.
Network started from the ".net" email
I started from the ".net" email address, which is located at the center of the graph. With the help of the reverse Whois module, it found associated ".top", ".com" and ".biz" domains. They are blurred for obvious reasons. Then these domains are checked for emails and IPs to give you insight into which IP the domain resolved to and what is hosted there right now. Additional information is displayed in the console. The last edges show you the newest domains hosted on that IP, which don't have to be connected to your target.
Snippet of console output
The email and username are very unique, so I can connect the Twitter account to the email with medium confidence. We see that this user posted links to the Google URL shortener (already disabled) with bot-like behavior. The last post was in 2012, but as we can see he still operates.
Twitter account connected to email
With the help of this tool and other semi-automatic techniques I was able to build a network of this kind of websites, including emails, records from Whois (telephone numbers, addresses and others), IPs and domains (some of them are still running and sharing disturbing content).
Betabot case
Remember the C2 servers from my previous article? They were goog[.]com and onedriveservice[.]com. Let's find out how they look on the graph.
Graph for goog[.]com
Here we started from the goog[.]com domain. The script found an associated IP and one email address, which in turn is associated with other domains. At the end we can spot that the "yahoo.com" address is connected to a ".com" email, which is then related to our initial domain goog[.]com.
The graph for onedriveservice[.]com looks like this: we can see it was hosted on 185.106.120[.]202, and this IP is linked to other malicious domains like fakeavhelp[.]website or other weird-looking TLD domains.
Scams everywhere
Spamming campaigns, fake tech support sites and various other scams have to be hosted somewhere, under some names and emails. I read an article about the fximperium[.]net case, which was originally posted on one of the Polish security sites. Half of the work can be automated here; the graph below presents the results for the domain fximperium[.]net.
Graph for fximperium[.]net
It is connected to the email address gabriel[at]fximperium.com, and we found another domain associated with this particular email.
If you need more information like an address, surname or other associated domains, you can always turn to Kibana. You just need to choose a module (on the left) and then provide your query.
Reverse whois module in Kibana
Of course, if you don't have Elasticsearch in place, you can read the JSON files, which are created for every checked resource. Below is an example check from the Whois history module for fximperium[.]biz.
JSON output
Conclusion
Based on the above cases, you saw how easy and fast mapping infrastructure and tracking individuals can be. You can also discover new leads, like historical data from Whois, and connect them to new email addresses. This tool can be part of bigger cases as well as of separate small attempts to identify new potential leads or uncover malicious actors on the Internet.