Monday, December 18, 2023

Protecting the perimeter with VT Intelligence - malicious URLs

Please note that this blogpost is part of our #VTMondays series, check out our collection of past publications here.
One of the main attacking vectors attackers use for credential theft and malware deployment are malicious link-based attacks leveraging impersonated websites or distributing malware. By studying malicious campaigns, defenders can learn attacker tactics and refine their defensive arsenal. They can also use suspicious URLs preemptively, updating deny lists and searching for any suspicious internal or perimetral activity.
VT Intelligence provides a powerful toolset for this mission and can be used to improve URL filtering in your firewalls. Now, we will dive into a series of VT queries progressively increasing their complexity, and dissect the added modifiers for each step. Feel free to experiment and refine these examples to build your own customized queries.

To begin, we will start by searching for URLs (“entity:url”) categorized as phishing according to the content category of its domain (“category:phishing”) or labeled as phishing by AntiVirus engines (“engines:phishing”). We will use the “p” modifier (“p” is short for “positives”, referring to the number of engines detections) to discard benign URLs. In this case, we want URLs with more than 15 detections to avoid false positives, however this is completely at your discretion. Finally, we will look for URLs first seen (“fs” as short for first submission) in the last 7 days (7d+).

The following query hunts new malicious URLs submitted to VirusTotal in the last 7 days distributing Microsoft document or PDF files (“tag:downloads-doc or tag:downloads-pdf”). We use the “p” modifier to search for URLs with a high number of detections (“p:15+”). Malicious URLs used for phishing are likely to distribute this kind of files to compromise the victim's system.

Finally, we will hunt URLs impersonating a corporate service provider, such as Office365. We will use the “url” modifier to match substrings contained in the URL string (“url:office365”). In this scenario, we want to find URLs used by attackers to impersonate Office 365 built using Wordpress (“path:wp-content”), and filter the ones with at least 5 detections (“p:5+”). This kind of malicious URLs impersonate legitimate service providers and commonly redirect users to another location after providing their credentials, typically the legitimate site to avoid suspicion. We will check for this behaviour with the “have:redirects_to” modifier.

You can learn more about URL search modifiers in the documentation.
As always, we would like to hear from you.
Happy hunting!


Post a Comment