Twin Trouble: Geodo Malware URL-Based Campaigns Use Two URL Classes

Part 2 of 3

As discussed in our prior blog post, URL-based campaigns – that is, campaigns that deliver messages which contain URLs to download weaponised Office documents – are by far the most prevalent payload mechanism employed by Geodo. Indeed, analysis of ~612K messages shows just 7300 have attachments; a trifling 1.2% of the total. The structure of the URLs falls into two distinct classes. Cofense Intelligence™ analysed a corpus of 90,000 URLs and identified 165 unique URL paths. There are two distinct classes of URLs employed by Geodo. A detailed breakdown of these URL structures follows. 

Class 1

This class consists of path segments adhering to somewhat consistent structures, but in arbitrary order, and of arbitrary length. Although, analysis suggests the number of segments does not exceed 5 or fall below 3. Some examples can be seen in Table 1.

Table 1: Example URL paths from the first class of URLs

Despite there being clear similarities to the human eye, describing such constructs accurately using a single regular expression is an impossible task. That being said, it’s possible to describe segments individually and string those descriptions together into multivariate descriptions.

Class 2

Class 2 is somewhat simpler than class 1 and is possibly more infamous. Consisting of three segments, with ISO country code-like strings in the centremost segment. The final segment is invariably 2-10 hyphen-delimited strings.

Table 2: Example URL paths from Class 2.

These paths are structured and can, therefore, be described with a regular expression:

/[^/]+/[A-Za-z]{2}(_[A-Za-z]{2})?/(?:[A-Za-z]+-){1,5}[A-Za-z]+

Note: although this regular expression consistently describes the structure of the data presented in Table 2, it should not be considered a univariate blocking rule.

Token analysis of the latest 1000 URLs delivered by the actors behind Geodo can be seen in Chart 1. These URLs were broken out into 2564 segments (or tokens), of which 1175 were non-unique, 1389 conformed to the structure presented in Class 1, above — /[A-Z]+\d+[A-Z]+/.

Chart 1: A breakdown of the top 10 URL tokens extracted from the 1000 most recently observed URLs. Note that 5 of the top 10 conform to the structure identified here.

Next week, part 3 of this series will examine how recent Geodo campaign make sue of heavily obfuscated macros.

To stay on top of the latest malware and phishing threats, sign up for free Cofense Threats Alerts.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.

Recent Geodo Malware Campaigns Feature Heavily Obfuscated Macros
Phishing-Specific SOAR Gets You to Mitigation Faster

Leave a Reply