Passive DNS For Phishing Link Analysis

by Prapattimynk, Monday, 1 April 2024


In this blog we will identify 36 Latrodectus phishing domains through passive DNS analysis, starting from a single domain reported on Twitter/X.

The initially reported domain uses 302 redirects to send users to either a malicious or a benign file. The URL carried in the 302 redirect's Location header is re-used across numerous domains, and we can leverage this to identify additional infrastructure.

In summary, we will use the following indicators to identify the additional servers:

  • Same resolved IP address 193.106.174[.]218
  • Same usage of 302 redirects to the same URL on documentcloud[.]org
  • Previous usage of 302 redirects to harvardlawreview[.]org
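The three indicators above reduce to one pivot: take the seed domain's resolved IP and the set of URLs its 302 responses have ever pointed at, then find every other domain that shares any of them. The following is an added example, written for this post rather than taken from it or from Validin; the passive DNS records and HTTP response heads are constructed, the candidate domain names are hypothetical, and the documentcloud[.]org path is a placeholder because the post does not reproduce the real redirect URL. Only the IP 193.106.174[.]218 and the two redirect destinations come from the post.

```python
from collections import defaultdict
from dataclasses import dataclass, field


# Constructed data model: one passive-DNS/crawl record per domain, holding every
# HTTP response head a crawler captured for it over time, so that an older
# redirect to a different destination (the harvardlawreview[.]org case) is
# still visible alongside the current one.
@dataclass
class Record:
    domain: str
    ip: str
    responses: list = field(default_factory=list)


def parse_redirect(raw: str):
    """Return (status, Location) from a raw HTTP response head.

    Location is None when the response is not a redirect or has no Location header.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None, None
    status = int(parts[1])
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
            break
    if status not in (301, 302, 303, 307, 308):
        return status, None
    return status, location


def redirect_targets(rec: Record) -> set:
    """Every redirect destination this domain has been observed sending users to."""
    return {loc for _, loc in map(parse_redirect, rec.responses) if loc}


def pivot(seed: str, records: list) -> dict:
    """Starting from one reported domain, return {domain: {indicators}} for every
    other domain that shares its resolved IP or any of its redirect targets."""
    seed_rec = next((r for r in records if r.domain == seed), None)
    if seed_rec is None:
        raise ValueError(f"no record for seed domain {seed}")
    seed_targets = redirect_targets(seed_rec)
    hits = defaultdict(set)
    for r in records:
        if r.domain == seed:
            continue
        if r.ip == seed_rec.ip:
            hits[r.domain].add(f"ip:{r.ip}")
        for t in seed_targets & redirect_targets(r):
            hits[r.domain].add(f"302:{t}")
    return dict(hits)


# Constructed sample data (hypothetical candidate domains, placeholder path).
DOC_URL = "https://documentcloud[.]org/hypothetical-path"  # real path not in the post
HLR_URL = "https://harvardlawreview[.]org/"
IP = "193.106.174[.]218"


def redirect(url: str) -> str:
    """Build a minimal 302 response head pointing at url."""
    return f"HTTP/1.1 302 Found\r\nLocation: {url}\r\nContent-Length: 0\r\n\r\n"


SAMPLE = [
    Record("lufyfeo[.]org", IP, [redirect(HLR_URL), redirect(DOC_URL)]),
    Record("candidate-a[.]example", IP, [redirect(DOC_URL)]),
    Record("candidate-b[.]example", "203.0.113.7", [redirect(DOC_URL)]),
    Record("candidate-c[.]example", IP, [redirect(HLR_URL)]),
    Record("unrelated[.]example", "198.51.100.9",
           ["HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"]),
]

if __name__ == "__main__":
    for domain, why in sorted(pivot("lufyfeo[.]org", SAMPLE).items()):
        print(domain, sorted(why))
```

Each hit carries the indicators that linked it, so a domain matched only on the shared IP (a busy hosting box) can be weighed differently from one that also reproduces the exact redirect URL. The comparison is on the literal Location string; against real crawl data you would normalise trailing slashes and tracking query parameters before comparing, otherwise trivial variations split one cluster into several.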

The primary tooling we will be leveraging is Validin.

Validin

Validin offers cutting-edge DNS, certificate, and crawling data services to empower threat researchers and corporate security teams. Identify, track, and mitigate risks with our advanced threat intelligence solutions.

Initial Intelligence

The initial intelligence in this blog is from a tweet posted by @Unit42_intel.

The tweet details a Latrodectus infection leveraging phishing links to redirect victims to a JavaScript file that ultimately loads LummaStealer malware.

Within the original tweet there is a screenshot of a phishing link contained in an email. This link contains the domain lufyfeo[.]org, which forms the starting point of our analysis.

Our goal will be to analyse this domain for patterns or indicators that point to additional domains and IOCs.

Initial Notes

Based on the information in the initial post, the lufyfeo[.]org domain is likely using redirects to send a victim to alternate "fake" pages.

This is an important step for the next stage of our analysis, where we leverage patterns in the 302 redirects to identify additional domains.