BY MIKE SAURBAUGH AND GEOFF SINGER
Visualize Phishing Relationships with PhishMe Intelligence™ and Maltego
Fishing (without the “P”) is not a lot of fun when you just drop a line in the water and hope for the best. When fishermen want to see where the fish are, they look to the fish finder on the bridge to “look underwater” and find schools of fish. Similarly, when an analyst is looking to “catch” a phishing campaign, being able to graph and link phishing threats visually makes it far easier to correlate the attacker’s campaigns with their payloads. PhishMe Intelligence combined with Maltego can deliver the “phish finder” that an analyst needs.
The key to Phishing Attack Investigations? Intelligence.
Maltego is an application used by analysts to gather, interrogate and visualize data in order to find relationships. PhishMe Intelligence is a service that provides human-verified, timely, and accurate phishing-specific threat intelligence for security analysts. PhishMe® has developed “transforms” for Maltego to visualize relationships between the observables within a specific attack and to pinpoint exactly how attackers are delivering their malicious payloads. By combining multiple sources of data, analysts can visualize attacks and uncover other threats that may be using similar phishing infrastructure and campaigns. It’s a cat-and-mouse game where time is of the essence.
Ransomware continues to gain traction. Whether it is Locky or something newer like Jaff, it typically arrives via email. Figure 1, below, shows an example of a phishing ransomware email from the FreeFax campaign:
Figure 1: FreeFax ransomware email message body
This email is a single data point and, on its own, does not give an analyst much to work from. However, the sender domain (freefaxtoemail[.]net) is a valuable piece of information that can be used for further research. Using Maltego with PhishMe Intelligence and running the Sender Domain to Threat ID transform on freefaxtoemail[.]net returns Threat ID 9850 from PhishMe Intelligence (seen below in figure 2).
Figure 2: Links sender domain freefaxtoemail[.]net to Threat ID 9850
The Threat ID report can then be accessed within the Maltego graph to provide the analyst with the contextual information needed for additional investigation. As seen below in figure 3, the analyst can drill into Threat ID 9850, which details its relationship to the Locky ransomware campaign and the use of a JSDropper for delivery.
Figure 3: Threat Report Summary
Context is vital to the security team. Knowing why a campaign and its indicators are malicious helps to answer the question, “what does this mean to our business risk?” The PhishMe Active Threat Report (figure 3) provides the analyst with an executive summary, along with images of the emails used in the campaign, such as the one shown above in figure 1.
Clicking the URL downloads a copy of a malicious JSDropper, which is used to download and execute a copy of Locky ransomware. Once Locky runs on the victim’s computer, the malware seeks out and encrypts a wide variety of files, ranging from personal documents and images to mission-critical business files such as software source code and security certificates.
The next step in the investigation is determining the indicators associated with the Threat ID. This is done by running the Threat ID to IP transform (figure 4). Running this transform uncovers 51 unique IP addresses, one of which is assigned a Major impact rating.
Figure 4: Threat ID to IP transform
Notice the red bookmark icon next to the IP address 185[.]67[.]2[.]156.
The impact rating associated with this IP address takes the guesswork out of the decision an analyst needs to make and focuses attention on the indicators in the campaign that need to be operationalized from a defensive perspective.
But we’re not done yet. What if additional Threat IDs share the IP address that carries the Major impact rating? This scenario is highly likely, given that attackers spread their ‘wares across disparate locations and reuse that hosting between campaigns.
Using Maltego, analysts can execute the IP Address to Threat ID transform (figure 5) to uncover other Threat IDs whose own IOCs all stem from a similar goal. Notice that it returns two additional Threat IDs, 9854 and 9855.
Figure 5: IP Address to Threat ID transform
Threat IDs 9854 and 9855 each have their own unique set of IOCs, yet share one C2 address and paysite!
Phish finder – Through Murky Water to ‘Net the Big One
A picture (or graph) can speak louder than words. As shown in figure 6, PhishMe Intelligence, together with Maltego, visualizes the data and enables analysts to prioritize mitigations and gain additional insight into overlapping phishing campaigns. We know that time is of the essence and analysts are spread too thin, so it’s important to cut to the chase.
Figure 6: Graph created from running transforms
An analyst’s next steps are to apply mitigations and to hunt for potential compromise associated with 185[.]67[.]2[.]156, which is both the C2 and the TOR paysite. Locate any connections to or from this IP in current and historical network logs (firewall, proxy, NetFlow) and determine which hosts, if any, have connected to this C2 site; a blocked attempt is still evidence that the host is trying to reach it.
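The pivot chain walked through above (Sender Domain to Threat ID, Threat ID to IP, IP Address to Threat ID) and the follow-on hunt for hosts that have talked to the C2 address, as an added Python example. This is not PhishMe/Cofense or Maltego code and it does not call the PhishMe Intelligence API; it shows the same correlation logic over a small intel set held in memory. The intel records and the firewall log lines are constructed: Threat IDs 9850, 9854 and 9855, the sender domain freefaxtoemail[.]net and the address 185[.]67[.]2[.]156 come from the article, while every other IP, domain, impact rating, threat summary and log line is an assumption made for the example.

```python
# Added example (not PhishMe/Cofense or Maltego code): reproduces the article's
# pivot chain over a constructed intel set, then hunts constructed firewall
# logs for hosts that touched the resulting high-impact indicator.
from collections import defaultdict
from dataclasses import dataclass
import re

IMPACT_ORDER = {"Major": 0, "Moderate": 1, "Minor": 2}

@dataclass
class Threat:
    threat_id: int
    summary: str
    sender_domains: set   # sender domains seen in the campaign's emails
    ips: dict             # ip -> impact rating assigned by the intel provider

def refang(indicator):
    """Turn defanged report notation (hxxp, [.], [:]) back into a real value."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")

# Constructed data: Threat IDs 9850/9854/9855, freefaxtoemail.net and
# 185.67.2.156 come from the article; every other value is an assumption.
INTEL = [
    Threat(9850, "Locky via JSDropper (FreeFax lure)", {"freefaxtoemail.net"},
           {"185.67.2.156": "Major", "203.0.113.10": "Minor", "198.51.100.7": "Moderate"}),
    Threat(9854, "Locky via macro document", {"invoice-mailer.example"},
           {"185.67.2.156": "Major", "203.0.113.44": "Minor"}),
    Threat(9855, "Locky via zipped script", {"fax-notice.example"},
           {"185.67.2.156": "Major", "192.0.2.9": "Moderate"}),
    Threat(9900, "Unrelated credential phish", {"secure-login.example"},
           {"192.0.2.200": "Minor"}),
]

class IntelGraph:
    """Indexes the threats so each Maltego-style transform is a dictionary lookup."""
    def __init__(self, threats):
        self.by_id = {t.threat_id: t for t in threats}
        self.by_domain = defaultdict(set)
        self.by_ip = defaultdict(set)
        for t in threats:
            for domain in t.sender_domains:
                self.by_domain[domain].add(t.threat_id)
            for ip in t.ips:
                self.by_ip[ip].add(t.threat_id)

    def domain_to_threats(self, domain):            # "Sender Domain to Threat ID"
        return set(self.by_domain.get(refang(domain), ()))

    def threat_to_ips(self, threat_id):             # "Threat ID to IP", Major first
        ips = self.by_id[threat_id].ips
        return sorted(ips.items(), key=lambda kv: (IMPACT_ORDER.get(kv[1], 9), kv[0]))

    def ip_to_threats(self, ip):                    # "IP Address to Threat ID"
        return set(self.by_ip.get(refang(ip), ()))

    def pivot_from_domain(self, domain, min_impact="Major"):
        """domain -> threats -> IPs rated at least min_impact -> other threats on those IPs."""
        seed = self.domain_to_threats(domain)
        worst_allowed = IMPACT_ORDER[min_impact]
        pivot_ips = {}
        for tid in seed:
            for ip, impact in self.threat_to_ips(tid):
                if IMPACT_ORDER.get(impact, 9) <= worst_allowed:
                    pivot_ips[ip] = impact
        related = set()
        for ip in pivot_ips:
            related |= self.ip_to_threats(ip)
        return {"seed_threats": seed, "pivot_ips": pivot_ips,
                "related_threats": related - seed}

# Constructed firewall lines in a key=value style; a denied attempt still
# shows a host trying to reach the C2, so it is reported like an allowed one.
SAMPLE_LOGS = [
    "2017-06-01T10:02:11Z fw action=allow src=10.10.4.21 dst=185.67.2.156 dport=443",
    "2017-06-01T10:02:15Z fw action=allow src=10.10.4.21 dst=93.184.216.34 dport=443",
    "2017-06-01T10:05:40Z fw action=deny src=10.10.7.3 dst=185.67.2.156 dport=80",
    "2017-06-01T10:06:02Z fw action=allow src=10.10.9.77 dst=203.0.113.10 dport=80",
    "garbage line without addresses",
]
LOG_LINE = re.compile(r"\bsrc=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)")

def hunt_connections(log_lines, watch_ips):
    """Map each internal host to the sorted watched IPs it talked to, in either direction."""
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m:
            continue                # unparseable line: skip rather than crash the hunt
        src, dst = m.group("src"), m.group("dst")
        if dst in watch_ips:
            hits[src].add(dst)
        elif src in watch_ips:      # inbound from the indicator also counts
            hits[dst].add(src)
    return {host: sorted(ips) for host, ips in hits.items()}

if __name__ == "__main__":
    graph = IntelGraph(INTEL)
    pivot = graph.pivot_from_domain("freefaxtoemail[.]net")
    print("pivot:", pivot, "\nhosts to investigate:",
          hunt_connections(SAMPLE_LOGS, set(pivot["pivot_ips"])))
```

Two design points carry over to the real tooling: the pivot only follows IPs at or above the chosen impact rating, which is exactly what keeps the 51-address result set from exploding into every campaign that ever touched a low-impact indicator, and the log hunt matches on both `src` and `dst` so that inbound traffic from the C2 is not missed. Lowering `min_impact` to `"Minor"` shows how quickly unrelated Threat IDs would creep in without that rating.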
One parting comment before heading back to shore: even though the goal of each of these phishing attacks was to deliver Locky, each attempt used a different delivery technique, and that variation provides valuable insight into the threat actor’s TTPs.
To learn more about Maltego, visit the commercial transform hub: https://www.paterva.com/web7/about/hub.php .
To learn more about PhishMe Intelligence, visit: http://cofense.com/product-services/phishing-intelligence/.