# 100 more behind
 cockroaches?

#### or how to hunt IoCs with OSINT

## Hiroaki Ogawa & Manabu Niseki


-----

#### Before Starting



###### ● English version is available for non-native Japanese folks :D


-----

## “For every cockroach you see there
 are 100 more behind the walls”


-----

## Does it apply to cyber threats?


-----

## YES


-----

## We have to install traps!


-----

#### Tracking Fingerprints



###### ● Attackers are good friends with bad habits.

 ○ Reusing infrastructures
 ○ Reusing components
 ○ Reusing SSL certificates
 ○ Reusing SSH host keys
 ● Reusing something increases a possibility of tracking.

 ○ Let’s say it's a fingerprint of an attacker.
 ○ You can track him down based on his fingerprint.


-----

#### Fingerprints on the Internet


-----

#### Methodologies



###### ● Domain fuzzing
 ● Passive DNS
 ● HTTP fingerprint
 ● SSH host key fingerprint
 ● Certificate Transparency
 ● IoC feeds aggregation
 ● YARA


-----

## Domain Fuzzing


-----

#### Domain Fuzzing



###### ● Techniques to find typosquatting domains.

 ○ Converting 1 to 2 or q. (See your QWERTY keyboard)
 ○ Converting a to à, á, â, ã, ä, å, ɑ, ạ, ǎ, ă, ȧ or ą.
 ○ Converting a vowel(a, e, i, o or u) to another vowel.

 ■ e.g. example.com

 ● axample.com, ixample.com, oxample.com, uxample.com, ...
 ○ etc.
 ● Domain fuzzing is useful for finding similar domains.


-----

## Domain Fuzzing:
 MoqHao


-----

#### MoqHao



###### ● An Android malware.
 ● It uses DGA like domains.


### ysu3g.xyz

 hs3dg.xyz

 Nsi3h.xyz


### /[a z][a z][a z0 9][a z0 9][a z]\ xyz/


-----

#### MoqHao



###### ● How to do domain fuzzing for finding MoqHao hosts.

 ○ Write your own script. 😉

 ■ https://gist.github.com/ninoseki/8c3b9dd54506691c105c629cd3aa284e
 ○ Use dnstwist.


-----

## Certificate Transparency


-----

#### Certificate Transparency



###### ● Certificate Transparency enables to monitor HTTPS websites.

 ○ http://www.certificate-transparency.org/
 ○ Roughly speaking, Certificate Transparency gives you newly domains for free.
 ● Useful services/tools:

 ○ CertStream

 ■ https://certstream.calidog.io/
 ■ Near real-time certificate transparency log update stream.
 ○ Phishing Catcher

 ■ https://github.com/x0rz/phishing_catcher
 ■ Phishing catcher using Certstream
 ○ urlscan.io certstream-suspicious feed

 ■ https://urlscan.io/search/#task.source%3Acertstream-suspicious


-----

## Certificate Transparency:
 16shop


-----

#### 16shop



###### ● An Indonesian phishing kit targeting Apple and Amazon users.

 ○ Akamai says 16shop is “a highly sophisticated phishing kit.”.

 ■ https://blogs.akamai.com/sitr/2019/05/16shop-commercial-phishing-kit-has-a- hidden-backdoor.html
 ○ C2:

 ■ 128.199.154.155 / 167.99.79.91


-----

#### 16shop



###### ● Does 16shop use HTTPS?

 ○ Yes.

 ■ https://account-alertautorizher.com
 ■ https://amazon.legal-privacy-comercial.com
 ■ https://appleid.apple.com.accountt-updates.reviews
 ■ https://applesecurityapp.hopto.org
 ■ https://applid.manage-account.information.terdjasilagi.com
 ■ https://apps-amazon.co.jp-logsrvaslo29s.info
 ■ https://bublewrap-tcoapple-api.ddnslive.com
 ■ https://id.amazon.corn.idmsa-authsighin-verify.pakistanapimn.com
 ■ https://mails-amazon.us
 ■ etc.


-----

#### 16shop



###### ● Analyzing occurrences of words in 6,500+ 16shop domains.


-----

#### 16shop


-----

#### 16shop



###### ● If a CN in a CT log contains common 16shop words, it might be a 16shop website.
 ● You can check whether it is 16shop or not by checking an HTTP response hash of /admin/index.php

 ○ 16shop Apple version.

 ■ 0e06d02dab03e8085b18ebedb0f54dc68508c40c5d1b8c6e3e8da98e3d3b6649
 ■ ce4fe392dd0f996923c5cf272d98e1e2778a2a44ffb2a4435fdb9c13665215f3
 ○ 16shop Amazon version.

 ■ 2edfff035a357aec4cea23057ea2e10af1dd3431713c904cf1cd804640bd2965


-----

#### Omake: Bizarre Domains



###### ● manage.unauthorized.login.amazon.co.jp.omachikudasai.com
 ● xn--id-zb4axila5esc1e1f9bvhzd4a6fe.manage-konohajp.tokyo(アップルジャパ ンのログインid.manage-konohajp.tokyo)
 ● youji-kyoiku.com


-----

## HTTP fingerprint


-----

## HTTP Fingerprint:
 Predator The Thief


-----

#### Predator The Thief



###### ● A stealer malware.
 ● @fumik0_ published a detailed report about Predator The Thief.

 ○ https://fumik0.com/2018/10/15/predator-the-thief-in-depth-analysis-v2-3-5/
 ● Predator The Thief C2 returns a static HTTP response.


-----

#### Predator The Thief



###### ● “A static HTTP response” means it always returns same HTTP response.

 ○ It can be used as a fingerprint.
 ● Queries for Predator The Thief C2:

 ○ Censys(SHA256):

 ■ b064187ebdc51721708ad98cd89dacc346017cb0fb0457d530032d387f1ff20e
 ○ BinaryEdge(SHA256):

 ■ b064187ebdc51721708ad98cd89dacc346017cb0fb0457d530032d387f1ff20e
 ○ Shodan(MurmurHash3):

 ■ http.html_hash:-1467534799


-----

## HTTP Fingerprint:
 PANDA


-----

#### PANDA



###### ● PANDA is used by ShadowVoice.

 ○ FSI published a report about ShadowVoice in BlackHat Asia 2019.
 ○ https://i.blackhat.com/asia-19/Fri-March-29/bh-asia-Jang-When-Voice-Phishing-M et-Malicious-Android-App-updated.pdf
 ● HTTP response of PANDA is not static.



###### ○ Because it uses an absolute path to load a resource.


-----

#### PANDA



###### ● So the hash value matching doesn’t work.
 ● Instead of the hash value matching, you can use another techniques.

 ○ Free text, favicon hash, etc.
 ● Queries for PANDA C2:

 ○ Censys:

 ■ ("PANDA" AND "SMAdmin" AND "layui")
 ○ BinaryEdge:

 ■ ("PANDA" AND "SMAdmin" AND "layui")
 ○ Shodan:

 ■ http.favicon.hash:-633986505 http.title:PANDA


-----

## SSH Host Key Fingerprint


-----

## SSH Host Key Fingerprint: Fake Tokyo Public Prosecutors Office


-----

#### Fake Tokyo Public Prosecutors Office



###### ● A scam impersonating the Tokyo Public Prosecutors Office.

 ○ A kind of fraud.
 ● Hosts of fake websites reuse same SSH host key.
 ● Queries for fake hosts:

 ○ Censys(SHA256):

 ■ 8e60fb30fb9a268b90a3d5af984c9326d3568a2554fc7ae5bfab1eb621c15518
 ○ BinaryEdge(MD5):

 ■ "f2:03:78:e5:a3:bb:50:6b:32:be:22:ad:52:3e:cc:98"
 ○ Shodan(MD5):

 ■ f2:03:78:e5:a3:bb:50:6b:32:be:22:ad:52:3e:cc:98
 ● Credit to @tiketiketikeke and @catnap707


###### htt //tik h t bl / t /2018/07/03/004132


-----

## IoC Feeds Aggregation


-----

#### IoC Feeds



###### ● URLhaus: https://urlhaus.abuse.ch/

 ○ Malware URL exchange by abuse.ch.
 ○ Sources:

 ■ abuse.ch, individuals, etc.
 ● IOC-DB: https://labs.inquest.net/iocdb

 ○ Indicator of Compromise database by InQuest.
 ○ Sources:

 ■ Twitter, GitHub and blogs. 
 ● Twitter IOC Hunter: http://tweettioc.com/#

 ○ Twitter based IoC database/feed by @fatihsirinnnn.
 ○ Sources:



###### ■ Twitter


-----

## IoC Aggregation:
 Emotet


-----

#### Emotet IoC Feeds



###### ● URLhaus:


-----

#### Emotet IoC Feeds



###### ● IOC-DB:



###### ● IOC-DB:


-----

#### Emotet IoC Feeds



###### ● Twitter IOC Hunter:


###### Twitter IOC Hunter:


-----

## YARA


-----

#### YARA



###### ● YARA is a tool aimed at helping malware researchers to identify and classify malware samples.
 ● With YARA, it could catch files that has same strings or binaries from a large number of files and could be grouping these files.


-----

#### Where can we use YARA?



###### ● Online services

 ○ Hybrid Analysis

 ■ https://www.hybrid-analysis.com/
 ○ VirusTotal Hunting

 ■ https://www.virustotal.com/gui/hunting-overview
 ○ Malpedia

 ■ https://malpedia.caad.fkie.fraunhofer.de/ (Invitation only)
 ○ Koodous

 ■ https://koodous.com/ (Android malware only)
 ● YARA command line tool

 ■ https://virustotal.github.io/yara/


-----

#### YARA: MoqHao


-----

#### Fake Sagawa Express Mobile Application (MoqHao)



###### ● Fake mobile app is used in a SMiShing campaign which impersonates Sagawa Express. The fake mobile app is malware called MoqHao.
 ● Here is a YARA rule for fake Sagawa Express mobile app.

##### Set it to the VT hunting


-----

#### Results of VT Hunting with a YARA rule for MoqHao


###### YARA could catch variants of MoqHao. We could know other target brands of MoqHao automatically.


###### Fake Econt Express

 Fake Fedex

 Fake Sagawa Express

 Fake DHL

 Fake Sagawa Express


-----

#### YARA: Emotet


-----

#### Emotet



###### ● There are ridiculous characteristics strings in the Emotet :).

 Create a YARA rule by characteristics strings 

MD5:f8105a0e4af7d61006e5e3974710daf3


###### characteristics strings in the Emotet :).

 Create a YARA rule by characteristics strings 


-----

##### Search result of Hybrid Analysis with YARA rule for Emotet



###### ● There are 38 samples in Hybrid Analysis.
 ● These variants had been used from 16/Dec/2019 to 17/Dec/2019.


###### Considerations:

 ● Hybrid Analysis.
 ●
 17/Dec/2019.


-----

## Automation


-----

#### Automation



###### ● Why automation is so important:

 ○ Automation reduces operating costs.
 ○ Automation reduces human errors.
 ○ Making something auto is interesting. 😉


-----

#### Automation



###### ● Apullo:

 ○ A tool for taking basic fingerprints of a target.
 ○ https://github.com/ninoseki/apullo
 ● Mihari:

 ○ A monitoring tool leveraging Shodan, Censys, BinaryEdge and etc.
 ○ https://github.com/ninoseki/mihari
 ● InQuest/ThreatIngestor:

 ○ A tool for extract and aggregate threat intelligence.
 ○ https://github.com/InQuest/ThreatIngestor


-----

#### Apullo



###### ● A tool for taking basic network fingerprints of a target (IP, domain or URL).

 ○ Hashes of an HTTP response body
 ○ Hashes of a favicon image
 ○ Hashes of an SSH host key
 ○ WHOIS
 ○ DNS records


-----

#### Mihari



###### ● It’s just a helper to make a query to a search engine and create an alert / event based on results.


-----

#### Mihari



###### ● Supported techniques:

 ○ Domain fuzzing:

 ■ dnstwister
 ○ Passive DNS:

 ■ SecurityTrails, PassiveTotal, VirusTotal, Pulsedive, CIRCL passive DNS
 ○ HTTP fingerprint:

 ■ Shodan, Censys, BinaryEdge, Onyphe, ZoomEye
 ○ SSH host key fingerprint:

 ■ Shodan, Censys, BinaryEdge
 ○ Certificate Transparency:

 ■ Crt.sh
 ● Demo


-----

#### ThreatIngestor



###### ● A deamon behind IOC-DB by InQuest.


-----

#### ThreatIngestor



###### ● Supported sources:

 ○ Git repositories, RSS feeds, Generic web pages, etc.
 ● Supported outputs:

 ○ CSV files, MISP, MySQL, SQLite, ThreatKB, etc.
 ● A powerful scraping feature powered by iocextract.

 ○ https://github.com/InQuest/python-iocextract
 ● A built-in (dead simple) Web UI.
 ● Demo


-----

#### ThreatIngestor


-----

## Conclusion


-----

#### Conclusion



###### ● An attacker leaves his fingerprint on site.

 ○ OSINT makes possible to trace him based on his fingerprint.
 ● Automation rocks!

 ○ Automation reduces human errors in investigation.
 ○ Automation provides a unified way of investigation.
 ○ Automation reduces operating costs.
 ● OSINT and automation enable to make an own intelligence for your organization.


-----

#### References



###### ● Shodan的http.favicon.hash语法详解与使用技巧

 ○ https://www.cnblogs.com/miaodaren/p/9177379.html
 ● The Evolution of XLoader and FakeSpy Two Interconnected Android Malware Families

 ○ https://documents.trendmicro.com/assets/pdf/wp-evolution-of-xloader-and-fakespy-two-interco nnected-android-malware-families.pdf
 ● Predator The Thief: In-depth analysis (v2.3.5)

 ○ https://fumik0.com/2018/10/15/predator-the-thief-in-depth-analysis-v2-3-5/
 ● When Voice Phishing met Malicious Android App

 ○ https://i.blackhat.com/asia-19/Fri-March-29/bh-asia-Jang-When-Voice-Phishing-Met-Malicious- Android-App-updated.pdf
 ● 16SHOP: COMMERCIAL PHISHING KIT HAS A HIDDEN BACKDOOR



###### ○ https://blogs.akamai.com/sitr/2019/05/16shop-commercial-phishing-kit-has-a-hidden-backdoor .html 東京地方検察庁の偽サイトを使用した特殊詐欺に いて


-----

#### Image Sources



###### ● P1: https://www.pexels.com/photo/background-cockroach-shoes-601257/
 ● P3: https://pxhere.com/en/photo/1059154
 ● P4: https://www.flickr.com/photos/christiaancolen/20607150556
 ● P5: https://en.wikipedia.org/wiki/Success_Kid
 ● P6: https://www.flickr.com/photos/genista/246042481/
 ● P12: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/12/07085742/abstract-m obile.jpeg
 ● P36: https://www.bankinfosecurity.com/emotet-botnet-shows-signs-revival-a-12964


-----

|List: Tools/Services|Col2|Col3|
|---|---|---|
|Domain Fuzzing|||
|dnstwist|https://github.com/elceef/dnstwist|OSS|
|Certificate Transparency|||
|CertStream|https://certstream.calidog.io/|OSS|
|Phishing Catcher|https://github.com/x0rz/phishing_catcher|OSS|
|urlscan.io certstream-suspicious feed|https://urlscan.io/search/#task.source%3Acertstream-su spicious|Free service|
|HTTP Fingerprint / SSH Host Key Fingerprint|||
|Censys|https://censys.io/|Paid service(has free quota)|


BinaryEdge https://www.binaryedge.io/ Paid service(has free quota)


-----

|List: Tools/Services|Col2|Col3|
|---|---|---|
|IoC Feeds Aggregation|||
|urlhaus.abuse.ch|https://urlhaus.abuse.ch/|Free service|
|IOC-DB|https://labs.inquest.net/iocdb|Free service|
|Twitter IOC Hunter|http://tweettioc.com/#|Free service|
|YARA|||
|Hybrid Analysis|https://www.hybrid-analysis.com/|Paid service(has free quota)|
|VirusTotal Hunting|https://www.virustotal.com|Paid service|
|Automation|||
|Apullo|https://github.com/ninoseki/apullo|OSS|


Mihari https://github com/ninoseki/mihari OSS


-----