OSINT secrets for detecting phishing emails

19 March 2025 15 minutes Author: IronMind

Phishing attacks are one of the most common cyber threats aimed at stealing users’ confidential information and financial resources. Criminals send emails that mimic legitimate messages from well-known companies or institutions, tricking recipients into revealing personal information or clicking on malicious links.

Quick Overview

To identify cybercriminals, you should pay attention to such signs as IP addresses and domains used in attacks. These are known as indicators of compromise (IOC), a term that will be discussed in more detail later.

Information about IOCs can be found using specialized tools that contain data on hacking activities, cybercrimes, and the results of previous investigations. One of the examples discussed will show a situation where a certain IOC repeatedly appeared in investigations of various attacks associated with a specific hacking group.

Analyzing a suspicious file through Any.Run allows you to determine whether it contains a threat, as well as find the corresponding IOCs. Additionally, we will consider what IOCs are and how they are investigated.

We will also show how to search for reports and copies of malicious files used in criminal operations through open databases.

Check for phishing emails with Any.Run

Phishing attempts often involve sending a file of some kind in the hope that the recipient will click on it. These files can actually be scanned for threats or information that reveals the sender. Surprisingly, this task does not require in-depth knowledge of cybersecurity. All you need is a tool like Any.Run, which we will review here.

What is Any.Run?

ANY.RUN is what’s known as an interactive online malware sandbox, essentially a virtual computer system that duplicates the functionality of a real device. The platform allows cybersecurity professionals to safely run and thoroughly test malware without risking harm to their hardware or network.

Why use an interactive online malware sandbox?

  • Safe environment: A sandbox is a completely isolated virtual space that ensures that any malware cannot affect the underlying host system or network. It’s like observing bacteria under a microscope: completely contained and safe.

  • Real-time analysis: Platforms like ANY.RUN provide real-time interaction with malware, which is critical because many types of malware only reveal their true behavior when they interact with a user, such as opening a document or clicking a link.

  • Direct observation: Analysts have the ability to directly interact with malware by triggering its functions by mimicking user actions such as clicking, entering data, or opening files. This direct observation helps analysts see exactly how the malware behaves in real time.

  • Comprehensive reporting: As malware runs, the sandbox meticulously logs its actions, from network attempts to system changes and file actions. These detailed reports are crucial for understanding malware tactics and developing effective countermeasures.

Using ANY.RUN to safely open a malicious document

When you upload a malicious document to ANY.RUN, the sandbox simulates what would happen if the document were opened under normal circumstances:

  • Document Execution: The document is activated in a virtual environment, running any embedded scripts or code.

  • Action Monitoring: The platform monitors the behavior of the document, noting any attempts to access the Internet, connections to control servers, or activation of additional malware.

  • User Interaction: Analysts can simulate typical user interactions, such as enabling macros or clicking on document links, to observe any resulting behavior.

  • Security Protocols: During this process, ANY.RUN maintains strict isolation protocols to prevent malware from infiltrating real systems.

Disclaimer

When analyzing a file you receive in person, you should exercise caution, especially when moving it from email to Any.Run. It is safest to entrust this process to a cybersecurity professional. If you decide to analyze it yourself, the minimum security measure is to open the email in a virtual environment using a virtual browser. While this does not guarantee complete protection, this approach significantly reduces the risks.

One option for safer web exploration is Browser.lol. This platform provides virtual web computers with virtual browsers that provide an additional layer of isolation when opening emails and working with suspicious files. Although absolute security is not guaranteed, using Browser.lol helps minimize potential threats before downloading files for further analysis.

Any.Run walkthrough

The basics of file analysis in Any.Run focus on finding important information that helps identify potential threats.

To get started, you need to go to the Any.Run platform. Creating an account is free, but you need to provide a “business email address” to register, i.e. one that does not use popular domains like Gmail or Yahoo.

Once you upload a file, Any.Run will automatically start analyzing it. The scan status is displayed in the upper right corner of the page, indicating whether a threat was detected. The absence of warnings is not a guarantee of safety, as this is only the first stage of the investigation.

One of the key aspects of the analysis is the IOC tab, which stands for “Indicators of Compromise.” It contains data on possible malicious activity in the file, such as unusual IP addresses, suspicious file changes, or connections to known sources of malware.

Even without in-depth knowledge of cybersecurity, the IOC tab provides the necessary information to assess the level of threat. In the future, this section can help identify hackers involved in distributing a malicious file.

By analyzing these indicators, you can conclude whether the file is part of a phishing attack or malware distribution, which allows you to get closer to understanding its source and purpose.

In the example presented, the file is marked as containing suspicious activity. To obtain more detailed information, open the IOC tab and analyze the found indicators.

Here we see a list of the IOCs that have been identified, and if you hover over the symbols next to each IOC, you will get a short explanation of the estimated threat level.

You can also get metadata from the document. All PDF files have metadata, and this is listed in the Static Discovering section. To find this information, click on the file name.

And here we see metadata that shows that the document was created on March 10, 2021 using Microsoft Word 2016. In some cases, the PDF metadata will even show you the name of the person who created it. In this case, the author is identified as “PayPal Support,” which is inconsistent with the fact that the sender claimed to be from Netflix customer support.
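The metadata check described above can be done locally before anything is uploaded. The following is an added example, not code from the article or from Any.Run: it reads the /Info dictionary of a PDF with the standard library only and reports brands named in the Title/Author fields that do not match the claimed sender. The sample PDF bytes and the KNOWN_BRANDS list are constructed for the demonstration.

```python
import re
from datetime import date

# Constructed minimal PDF whose /Info dictionary mirrors the metadata the
# article describes: author "PayPal Support", Word 2016, created 2021-03-10.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Author (PayPal Support) /Creator (Microsoft Word 2016)
/Producer (Microsoft: Print To PDF) /CreationDate (D:20210310093000Z) >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

META_KEYS = ("Title", "Author", "Creator", "Producer", "CreationDate")
KNOWN_BRANDS = ("paypal", "netflix", "microsoft", "amazon", "apple")  # constructed

def pdf_info(data: bytes) -> dict:
    """Read the /Info dictionary without a PDF library.

    Only literal-string values in unencrypted files are handled, which covers
    the typical office-suite-generated PDF; anything else yields {}."""
    ref = re.search(rb"/Info\s+(\d+)\s+0\s+R", data)
    if not ref:
        return {}
    obj = re.search(rb"(?s)\b" + ref.group(1) + rb"\s+0\s+obj(.*?)endobj", data)
    if not obj:
        return {}
    meta = {}
    for key in META_KEYS:
        hit = re.search(rb"/" + key.encode() + rb"\s*\(([^)]*)\)", obj.group(1))
        if hit:
            meta[key] = hit.group(1).decode("latin-1")
    return meta

def creation_date(meta: dict):
    """Turn a PDF date string D:YYYYMMDD... into a date, or None if absent."""
    hit = re.match(r"D:(\d{4})(\d{2})(\d{2})", meta.get("CreationDate", ""))
    return date(int(hit[1]), int(hit[2]), int(hit[3])) if hit else None

def brand_mismatch(meta: dict, claimed_sender: str) -> list:
    """Brands named in Title/Author that differ from who the mail claims to be.

    Creator/Producer are skipped: 'Microsoft Word' there is normal, not a claim."""
    text = " ".join(meta.get(k, "") for k in ("Title", "Author")).lower()
    found = {b for b in KNOWN_BRANDS if b in text}
    return sorted(found - {claimed_sender.lower()})
```

For the article's case, brand_mismatch(pdf_info(pdf_bytes), "Netflix") returns ["paypal"], which is exactly the inconsistency the analyst spotted by hand.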

Let’s close this window and look at the right side of the main page, here is a timeline of the processes that were running when the file was opened. We can see that the AcroRD32.exe process is causing concern.

Click on a process to open the detailed page below with a rating and warning. If you look at the new window, you will see that there is an “Additional Information” tab that you can click on to get even more information.

This opens a whole new page with a description of why it is considered suspicious.

Back to the main page. Notice that in the top left corner there is an image of what appeared in the virtual machine display window when the file was opened. There is a set of images in chronological order. Just hover your mouse over them to scroll through them. Here we see that the PDF is supposedly (but obviously not) from Netflix asking for your payment information.

We have one more area to look at. At the bottom left is the Threats tab.

Click the tab to view additional traffic indicators (initiated by the file) that may be signs of threats. An example would be that the file initiates a message to hackers saying “send malware here.”

This is a basic overview of how to scan a suspicious file with Any.Run.

The key point here is that even if you have no knowledge in this domain, you can still see if a file has been identified as dangerous. There are other tools that you can use to analyze suspicious files, such as virustotal.com and hybrid-analysis.com.

Tools to investigate IP addresses and other IOCs for malicious intent

When dealing with cyber threats, intelligence gathering is about identifying and interpreting indicators of compromise (IOCs). These can include suspicious IP addresses, email information, file hashes, or URLs, and they provide important clues to understanding and mitigating the threat. This section will describe the basic tools and processes for investigating IOCs, tracking attackers, and assessing their capabilities.

One of the best resources for tracking malicious activity is Abuse.ch, a research project that helps cybersecurity professionals track malware and botnets. Hosted by the Institute for Cybersecurity and Engineering at the Bern University of Applied Sciences, Abuse.ch provides several platforms for monitoring and researching malware-related threats:

  • Malware Bazaar – a repository for sharing and searching for malware samples.

  • Feodo Tracker – monitors botnet command and control (C2) infrastructure, particularly those associated with known botnets such as Emotet, Dridex, and TrickBot.

  • SSL Blacklist – provides a blacklist of malicious SSL certificates and JA3/JA3S fingerprints to help identify suspicious SSL traffic.

  • URL Haus – tracks and shares information about sites that distribute malware.

  • Threat Fox – focuses on IOC sharing, making it a valuable resource for identifying compromised domains, IP addresses, and other malicious data points.

These platforms offer a reliable starting point for identifying malicious objects. Whether you are looking for a botnet or trying to track down the infrastructure used in phishing campaigns, Abuse.ch can provide you with important information.

For URLs, tools like Level Blue Labs and URLScan.io allow you to check if a site is involved in phishing, malware distribution, or other malicious activities. By entering a suspicious URL, you can see the connections it makes and any scripts or redirects it uses. This can help you determine if a URL is dangerous before taking further action.

URL scanning also allows you to search for past scans (https://urlscan.io/search/), which in this case allows us to see what the results of URL scans were in 2021.

Also, watch out for shortened URLs (like “bit.ly/4enla45c” or “tinyurl.com/4emdh45c”). There are several open-source tools to unshorten these URLs and reveal the real destination (like unshorten.it, urlex.org, and checkshorturl.com).
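The unshortening services above work by reading each hop's Location header without loading the final page. As an added example (my code, not the article's or any of those services'), here is that walk in Python: it refuses to let urllib follow redirects on its own, records every hop, resolves relative Location values, and stops on a loop or a hop cap. The DEMO_TABLE redirect chain is constructed so the resolver can be exercised offline; the short links in it are placeholders.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin

REDIRECT_CODES = {301, 302, 303, 307, 308}

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so each hop is seen and logged."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def live_head(url: str):
    """One HEAD request; returns (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:   # an unfollowed 3xx surfaces here
        return err.code, err.headers.get("Location")

# Constructed redirect table standing in for the network; placeholder links.
DEMO_TABLE = {
    "https://bit.ly/EXAMPLE1": (301, "https://tinyurl.com/EXAMPLE2"),
    "https://tinyurl.com/EXAMPLE2": (302, "/landing"),   # relative Location
    "https://tinyurl.com/landing": (200, None),
    "https://short.example/loop": (302, "https://short.example/loop"),
}

def demo_head(url: str):
    """Offline stand-in for live_head, backed by DEMO_TABLE."""
    return DEMO_TABLE.get(url, (404, None))

def unshorten(url: str, head=live_head, max_hops: int = 10) -> list:
    """Return the full redirect chain, final destination last.

    Nothing beyond response headers is fetched; a loop or the hop cap ends it."""
    chain = [url]
    for _ in range(max_hops):
        status, location = head(chain[-1])
        if status not in REDIRECT_CODES or not location:
            break
        nxt = urljoin(chain[-1], location)   # handles relative Location values
        if nxt in chain:
            break
        chain.append(nxt)
    return chain
```

Pass head=live_head (the default) to resolve a real link; the intermediate hops are worth keeping, since tracking redirectors in the middle of the chain are themselves indicators.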

When it comes to IP addresses, using the Cisco Talos Intelligence platform is an effective way to gather background information. Talos provides information about IP reputation, domain behavior, and any associated malicious activity. This is a valuable tool for understanding whether a particular IP address has been involved in previous cyberattacks.

Phishing email

To use a real-life example, in 2021, a cryptocurrency company was hacked, and the company released to the public a screenshot of a phishing email sent to the company before the attack.

Document search

From the screenshot, we know that the phishing document was titled “Pantera Capital Investment Agreement(Protected).docx” and that it was sent to the company in April 2021.

So, we want to find a file named “Pantera Capital Investment Agreement(Protected).docx” uploaded to ANY.RUN in 2021. Any.Run is a very popular tool used by cybersecurity professionals around the world, so it’s reasonable to expect that someone would use this tool to inspect such a file. As mentioned, Any.Run has public reports of its analyses going back many years.

To get started, log in to the ANY.RUN platform. If you don’t have an account, you’ll need to sign up for a free account.

Use the search feature to find the file by name, hash, or other identifiers. If the file was publicly available in the ANY.RUN community or sent non-confidentially, it should appear in their database. With this information, we open a malware analysis database, such as Any.Run, and use the general search function.

It appears that an unknown user submitted the document to Any.Run for analysis back in April 2021, and the website saved a version in its records database.

Open Any.Run’s report on the file. If we want to do this, we can also choose to have Any.Run reopen the file in the sandbox, but this is not necessary now, as the report contains all the necessary information.

We can immediately see that in one of the screenshots of the virtual desktop, opening the document launches Microsoft Word.

If you look closely, you will see that there is a message informing the user that Word is downloading something from the domain “download.azure-safe.com”.

The report shows that after the document was opened, the file made automatic requests to the following domains and IP addresses:

  • 104.168.249.46

  • 23.45.105.185

  • 195.138.255.17

  • 195.138.255.18

  • http://x1.c.lencr.org

  • http://r3.o.lencr.org

  • download.azure-safe.com

  • azure-drive.com

  • http://help.nflxext.com

Two domains use the word “Azure” in reference to Microsoft’s Azure cloud computing platform and are used to give the appearance of legitimacy. However, the domains are not actually owned by Microsoft.
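A first triage of a list like the one above can be scripted so the noise is separated from the lookalikes before any manual pivoting. The block below is an added example (my code, not the article's or Any.Run's): it classifies each IOC as IP, domain or URL, sets aside certificate-validation hosts (lencr.org is Let's Encrypt's OCSP/CRL domain), and flags domains that borrow a brand keyword without sitting under a domain that brand owns. BRAND_DOMAINS is a constructed, deliberately short table, and registrable() uses the last two labels instead of the Public Suffix List.

```python
import ipaddress
from urllib.parse import urlsplit

# Sample input copied from the article's report listing.
REPORT_IOCS = [
    "104.168.249.46", "23.45.105.185", "195.138.255.17", "195.138.255.18",
    "http://x1.c.lencr.org", "http://r3.o.lencr.org",
    "download.azure-safe.com", "azure-drive.com", "http://help.nflxext.com",
]

# Brand keyword -> registrable domains the brand actually owns (constructed, short).
BRAND_DOMAINS = {
    "azure": {"azure.com", "microsoft.com", "azure.net", "windows.net"},
    "netflix": {"netflix.com"},
    "paypal": {"paypal.com"},
}
# lencr.org is Let's Encrypt's OCSP/CRL domain: it appears in almost every
# sandbox run that uses TLS, so it is noise rather than signal.
BENIGN_INFRA = {"lencr.org"}

def hostname(ioc: str) -> str:
    """Reduce a bare IP, a domain or a URL to its lowercase host part."""
    if "://" in ioc:
        return (urlsplit(ioc).hostname or "").lower()
    return ioc.lower().rstrip(".")

def registrable(host: str) -> str:
    """Last two labels; enough here, a real tool needs the Public Suffix List."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def classify(ioc: str) -> str:
    try:
        ipaddress.ip_address(hostname(ioc))
        return "ip"
    except ValueError:
        return "url" if "://" in ioc else "domain"

def triage(iocs) -> dict:
    """Map each IOC to a verdict; lookalikes name the brand they borrow."""
    verdicts = {}
    for ioc in iocs:
        kind, host = classify(ioc), hostname(ioc)
        reg = registrable(host)
        brand = next((b for b in BRAND_DOMAINS if b in host), None)
        if kind == "ip":
            verdicts[ioc] = "ip: check reputation (Talos / OTX)"
        elif reg in BENIGN_INFRA:
            verdicts[ioc] = "benign-infra: certificate validation traffic"
        elif brand and reg not in BRAND_DOMAINS[brand]:
            verdicts[ioc] = f"lookalike: borrows the {brand} brand"
        else:
            verdicts[ioc] = f"{kind}: pivot on OTX / URLhaus"
    return verdicts
```

On the article's list this marks both azure-* domains as lookalikes and the two lencr.org URLs as benign infrastructure, leaving the four IPs and the nflxext.com URL for reputation lookups.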

Automated analysis

The tool can provide automated analysis of general information or a specific process.

To explore automated document queries, select one of them and then click the small button on the right labeled “ChatGPT” to have ChatGPT provide analysis and explanations.

ChatGPT analyzed an HTTP GET request to the URL “r3.o.lencr.org”.

The analysis report essentially states that this process could be part of a harmless file’s processes, but it could also be used for malicious purposes.

But there is an aspect of the report that stands out. Specifically, the process used “encoded URLs.” You don’t have to understand what “encoded URLs” means, as the report explains why it’s relevant. The report states that this process is used to send and receive encoded data to and from a remote server. In other words, once the file is opened on someone’s computer, it starts communicating with someone/something on the Internet.

The report explains that such a process can be used to hide malicious activities, such as stealing data from a computer or communicating with a remote attacker and downloading malware onto the computer.

This rating means that it is very important for researchers to investigate these URLs, domains, and IP addresses.

IP Investigation

To explore IPs and domains, let’s go through one example using the tool at https://otx.alienvault.com/ (OTX).

We use the basic search function and search for “195.138.255.18”, which returns the following information:

We see two hits. The first is a page with information about analyzing the IP address itself. The second hit is designed to analyze the malicious file that is associated with the IP.

IP analysis:

The second hit shows that the IP address was listed in the malicious file report.

Notice that at the top you see a string of characters under the heading “FILEHASH”. Without going into what a hash actually is, it’s worth knowing that it’s a unique identifier for a file, so you can look it up here and elsewhere.

It’s clear that a few years ago, a malicious document was making automated calls to the same IP address. So this is a clear indication of malicious activity. But we’re not interested in the what, but rather the who. Going to our IOC list, we use the same tool to search for the domain “Azure-drive.com.” The result we get from OTX lays out our answer clearly.

The domain was reportedly used by North Korean hackers known as the Lazarus Group to steal cryptocurrency.

  • https://otx.alienvault.com/indicator/file/709ec9fbbc3c37ccd39758527c332b84

Let’s take a look. We investigated the crypto address and found that it was linked to the hack. A copy of the malicious file used by the hackers revealed that the attackers were the Lazarus Group.

We also see that the website provides us with various hashes related to the document, these are useful if you want to search for information about the file securely. You can copy and paste the hashes into a keyword search.

Using this hash, we can safely search for the file in other tools, such as Virus Total, and we see that the identical file has been flagged by 29 security vendors.

  • https://www.virustotal.com/gui/file/1939d9fdcf831dc4cac001ba193669c75a336258bc99a1775471554229e4a69b/detection/

The Virus Total results page also showed a link to a documented vulnerability. The vulnerability is designated as CVE-2017-0199 in the Common Vulnerabilities and Exposures (CVE) system.

This vulnerability can be exploited via a specially crafted Microsoft Office document, which allows remote attackers to execute arbitrary code on a victim’s computer.

For more information, CVEs can be found on websites such as cve.org. Googling the CVE number brings up an article stating that this CVE has been used repeatedly by the Lazarus Group to steal cryptocurrency.

Conclusion

At its core, investigating phishing attacks comes down to understanding the indicators and using the right tools to spot malicious activity. By using platforms like Any.Run and diving into IOCs, even those without deep cybersecurity knowledge can uncover key details. Whether it’s identifying suspicious IP addresses or analyzing files associated with hacks, these techniques give investigators the ability to track down the sources of attacks. The more you practice and refine your approach, the faster you’ll be able to spot patterns and identify criminals in future investigations.
