The news article “Hackers use fake media domains to trick North Korea researchers” by Nils Weisensee appeared in NKNews.org on December 17, 2020 and detailed a phishing campaign targeting analysts and researchers interested in North Korea. One of the indicators provided in the article provides a great example of how HYAS Insight can be used to map out adversary infrastructure and discover new domains and observables. This blog demonstrates how HYAS Insight provides data that cannot be found in public sources to preemptively identify adversary campaign infrastructure.
The messages referenced in the NKNews.org article came from two domains that appeared similar to Voice of America and Radio Free Asia and used a link in the body of the message to a domain that might appear similar to a Microsoft file sharing website.
The HYAS Intelligence Services research team took a look into the file sharing website and noticed that it is hosting a phishing page to steal usernames and passwords. The site was not available for very long and escaped being collected by many of the tools and services that researchers might use to understand the purpose. Although Virustotal shows a relationship to a downloaded exe file, the content of the file’s page in Virustotal reveals that it is actually an HTML landing page for an unconfigured web management console, so it isn’t surprising that the file didn’t result in any antivirus detections according to Virustotal.
In HYAS Insight, analysts can see that the domain has an additional name collected by passive DNS and that it was first observed on December 9, 2020.
In the domain’s registration details, analysts can find additional potentially related domains connected to the phone number and registration email address. The green row in the domain’s WHOIS results shows data that is unique to HYAS Insight and the black row shows the data as it would be seen in public information sources.
Pivoting on the registrant’s email address and phone number, analysts can find several potentially related domains that would not have been revealed using publicly available information. The registrant details are probably not valid but it really doesn’t matter since the person or organization that registered the domains consistently used the same registration information. These sorts of dubious domains can be filtered or blocked depending on your organization’s approach.
Maltego can be used to present the data according to linked relationships and allow analysts to pivot into other data sources like Virustotal, a Threat Intelligence Platform (TIP), or a log management service to see if these domains have been observed in the analyst’s environment. This graph uses recently updated Maltego transforms that make use of HYAS’ infrastructure information where the analyst pivots from the registrant’s email into additional registered domains. The domains were then searched in Virustotal to find additional helpful information.
This analysis is typical of how HYAS Insight users can take a single piece of incident data and learn about additional adversary infrastructure that could be preemptively blocked or filtered. This approach allows enterprise security teams to proactively prevent exploitation attempts without having to wait for IOCs to be observed, shared, and delivered to their security tools.