
Backing Up a Scam: Making Sure Malicious Websites & Binaries can still be Studied

Even if a scam site goes down, it can still be at least partially looked into with this methodology.

Ephemeral Sites & Infrastructure

Ephemeral: lasting a very short time; short-lived; transitory.

The nature of malicious sites and infrastructure makes them inherently ephemeral. Sites are constantly being thrown up and taken down in a game of cat and mouse between criminals on one side and hosting providers and law enforcement on the other. Every time a new site pops up it might be configured differently, carrying new tactics and techniques that the criminals are employing. The malicious binaries and JavaScript files on a site that comes back up might be different too: configured differently, obfuscated differently, or simply a new build with a new hash.

That's why it's so important to back up every portion of the process. We want to ensure that analysis can at least partially continue if the download gets removed or the site gets taken down. A lot of this can be done by hand, but why do that when there are tons of tools out there to make our jobs easier?

During local analysis of any binaries it can be handy to save other things as well (outside the scope of this post), such as network traffic, dropped files, and much more. Keeping all of these things together gives you or any other researcher the ability to retrace the steps of the analysis.

Online Tools in Our Arsenal

Honorable mentions:

Make sure to create accounts for all of these as well! Not only will it make it a lot easier to track the things you've submitted or saved, it can also give you access to more features. A lot of these are 100% free as well, so if you get a lot of use out of them make sure to donate.


Methodology

Step 1 - Back the Site Up

Recently there was another piece of malware being distributed from the URL "https[://]r00m[.]io". The site hosts a piece of malware that is served to you once a valid browser is used, and it should serve a specific file depending on whether the user's OS is macOS or Windows. Interestingly enough, it will not serve malware to individuals using Edge, which I can only assume has something to do with Edge's SmartScreen being able to detect the malware. Enough about that though, let's get this site backed up.

URLScan

Navigate to URLScan and log in with a valid account. Then take the above URL (without the brackets) and submit it for a public scan. We aren't doing anything for a business or handling any proprietary information, so I'd prefer this information be available to anyone who needs it. URLScan does a LOT more than just back the site up; it cuts the data up and organizes it cleanly for us.

As previously said, I like to lean towards open-sourcing and supporting the community as much as possible. This includes adding any extra information that you can to enrich the results of these sites. VirusTotal has the option to submit votes on the "maliciousness" of a site/file, and also the ability to leave comments. URLScan has this option as well. For each of my entries I include a blurb about the malicious subject and submit it, along with a VirusTotal link (if relevant). For URLScan, this can be found under "Verdicts" which is shown in the above screenshot on the far right. If there isn't a verdict present (button greyed out) then you'll have to submit one. If you just signed up, you won't be able to submit these for one month on URLScan.

URLScan is super handy because it backs up everything from the site, so you can grab things like JavaScript files, links, screenshots, and more. The other handy feature it has is that it indexes all of this information and lets you search through it, and it will also provide "similar" sites, which could lead to you discovering new sources of malware and gives you the ability to try and track that threat actor's activities.

WayBackMachine

Now that everything has been submitted to URLScan, let's hop over to the WayBackMachine and archive it there. I use this mainly as a backup to URLScan, as it is a little clunkier, but it still works great. Again, make sure to create an account!

Enter the site into the bar and select the button highlighted above. It will redirect you to another screen with some options to select.

Select the top four options and ensure the URL is correct before selecting the "Save Page" button. It might ask you to confirm your selection, then it may be a few minutes while it backs it up.

At this point you'll be able to find the resulting backup in "My web archives" under your profile, which can be observed in the above screenshot. Now the site is fully "backed up"!


Step 2 - Back the Malware Up

Recorded Future Triage

Navigate to the Recorded Future Triage site and go ahead and create an account if you haven't already. You can "Quick Submit" files from the main page, or you can go to the "Submit" page to submit from a URL, which also supports analyzing websites.

Also, a cool feature I didn't even know existed until now is the ability to scan code. This is huge for web3/crypto because quite a few of the drainers that exist operate as malicious JavaScript, meaning they won't be a normal downloaded binary that is then executed on the system. Instead they leverage the browser environment that web3 has embraced and interact directly from the site with your wallet extension of choice in an attempt to drain it of its funds. While this feature isn't that useful right now (it failed to give an inferno drainer sample a rating above 3/10), I look forward to it hopefully improving in the future!

The previously mentioned URL has malware on it, so feel free to resubmit it throughout this walkthrough if you'd like and if it's still available. I went ahead and submitted the file contained within the ".dmg" file and it can be seen here. A 4/10 isn't as high as it should be for a file like this, but I suspect full execution probably wasn't reached due to the fact that the C2 server isn't being reached out to in the network requests section. Again, we can never fully rely on these automated sandboxes, but they can come in handy and provide some easy wins.

For example, here is some of the process activity:

Let's compare it with the strings output from the malicious file:

That definitely looks familiar! Even if the only thing these sandboxes provide is confirmation of something existing, I still see that as a win. Sadly this file is only rated as a 4/10 and its full potential isn't seen, but at least we get some information. This sandbox is handy as well because if you do have network traffic associated with the malware that you want to take a look at, you can go ahead and download the PCAP file and check through it with a tool such as Wireshark.

VirusTotal

Again, navigate to the site (VirusTotal) with a valid account. From the home page you can submit or search. When it comes to submissions these would normally be URLs/IPs or files, and when it comes to searches these can be things like hashes, URLs, IPs, etc. Go ahead and upload a piece of malware if you have it, or take a look at a submission like this one here. 20/66 is a great indicator of maliciousness (AKA super-duper definitely malware).

VirusTotal stores these files and allows people with subscriptions to download them, but with a free account at the very least you can vote and comment on samples and view the results of the analysis. Again, full execution is not observed as the C2 server isn't reached out to, but it still does provide a ton of useful information. A lot of this information is the same info that Triage provides, but some of it can differ or have extra information attached to it, so feel free to explore around and compare the differences between the two sites.

Another handy part of VirusTotal is collections. Collections allow users to create a list of IoCs that can then be referenced through the site and shared with others. A collection can be created on the home page of VT as seen here:

And here is an example of the collection I just created:

Then by navigating to the "Community" page of a URL/IP or sample you can observe the enrichment our efforts have provided.

GitHub

GitHub is handy for a ton of things, although malware backups are not exactly what it was designed for. I have a repo I keep most of my samples and notes in, and they are each split into their own designated folder. I'll back them up whenever necessary, especially if I want to link to some code in a blog post or share some IoCs/snippets. This is just another handy backup layer to have just in case. If for whatever reason I have a feeling something might disappear, I'll print-to-PDF it and also directly download the HTML/JS/etc. to the same folder as the malware, but I don't do this often.
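To make the per-case folder described here (and the "keep everything together so steps can be retraced" point earlier) reproducible, here is an added example, not code from the original post: it refangs the bracketed URL notation used above for submission, hashes a sample the way VirusTotal and Malware Bazaar key their lookups, writes a small manifest next to the sample, and re-verifies the stored file before later analysis. The sample bytes and archive permalinks are constructed placeholders.

```python
import hashlib
import json
import re
from datetime import datetime, timezone

def refang(url: str) -> str:
    """Turn the 'https[://]r00m[.]io' form used in notes back into a real URL
    for submission to URLScan, the Wayback Machine or Triage."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[://]", "://").replace("[.]", ".")

def defang(url: str) -> str:
    """Inverse of refang: bracket the scheme separator and every dot so the
    link cannot be clicked by accident in comments or IoC lists."""
    return url.replace("://", "[://]").replace(".", "[.]")

def hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of a sample; SHA-256 is the key used when
    searching VirusTotal and Malware Bazaar for an existing report."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}

def build_manifest(url: str, filename: str, sample: bytes, archives: dict) -> dict:
    """Assemble the manifest stored beside the sample. 'archives' maps a
    service name to the permalink it returned after the backup."""
    h = hashes(sample)
    clean = refang(url)
    return {
        "source_url": defang(clean),
        "saved_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "sample": {"filename": filename, "size": len(sample), **h},
        "archives": dict(archives),
        "lookups": {  # public permalink formats for the sample hash / site history
            "virustotal": f"https://www.virustotal.com/gui/file/{h['sha256']}",
            "malwarebazaar": f"https://bazaar.abuse.ch/sample/{h['sha256']}/",
            "wayback_history": f"https://web.archive.org/web/*/{clean}*",
        },
    }

def verify_sample(sample: bytes, manifest: dict) -> bool:
    """Re-hash a stored sample against its manifest before re-analysis so a
    silently replaced or truncated file is caught."""
    return hashes(sample) == {k: manifest["sample"][k] for k in ("md5", "sha1", "sha256")}

SAMPLE = b"MZ constructed-sample-bytes-not-a-real-payload"  # constructed

def demo_manifest() -> dict:
    # Archive permalinks are placeholders; real ones come from each service.
    return build_manifest("https[://]r00m[.]io", "Setup.dmg", SAMPLE,
                          {"urlscan": "https://urlscan.io/result/<uuid>/",
                           "wayback": "https://web.archive.org/web/<timestamp>/https://r00m.io/"})

if __name__ == "__main__":
    manifest = demo_manifest()
    with open("manifest.json", "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    print(json.dumps(manifest, indent=2))
```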

Malware Bazaar

Malware Bazaar is another great place to host valid samples that you've found so that others can download them. Submitting your samples here directly contributes to the open-source community and is a net positive. Here is an example of me uploading a sample to the site:

And the final result can be found here:


Thanks for reading this far! If you have any suggestions or feedback, feel free to reach out.

Tags: #malware #scam #methodology #web3