InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties…


Analyzing a malicious site

Nowadays it is crucial to know how to tell a malicious website from an official one, and this is getting harder because of the effort that goes into building fraudulent sites.

In this write-up we are going to analyze some malicious sites that are dedicated to spreading malware for mobile devices and PCs.

What is a malicious website?

A malicious link is a seemingly reliable ‘link’ that, when clicked, redirects to a fake website that imitates a legitimate official website. Once the user believes they are browsing a trusted website, they may enter personal data such as their email, passwords and even bank details.

Malicious links are often received in email messages asking the user to click on a ‘link’. With this method, on many occasions, instead of asking the user for personal data, the attackers get the victim to install some type of ‘malware’ on their device.

https://www.bbva.com/es/que-son-los-enlaces-maliciosos-y-como-protegerse-ante-esta-amenaza/

The first site that we are going to analyze is:

https://xlongliveapkx.com/OMrSXb37a2f8a53f274cbc9fe68067364da5c53cc70ca?q=9&s1=9&s3=wqbmrlpn1jdkgb36i14et5u0

When entering via PC, we find the following:

When entering with a cell phone, in this case an android, we find the following:

To begin the analysis, I will first recommend 2 websites that I use a lot for this type of case:

VirusTotal

UrlScan

With these sites we can check whether a website already has a record, find out whether any malicious activity related to it has been reported, and also scan files to see if they are some kind of malware.
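To make the VirusTotal step repeatable rather than a manual copy-paste of hashes, here is an added helper (not code from the original write-up) that computes the SHA-256 of a downloaded sample, builds the identifier VirusTotal's v3 API uses for a URL, prepares the authenticated request, and summarizes a file or URL report into a verdict. The report passed to `summarize_report` below is a constructed sample shaped like a v3 `last_analysis_*` response and mirrors the counts the write-up reports (1 phishing detection, 3 suspicious); the API key is a placeholder.

```python
import base64
import hashlib
from urllib.request import Request

VT_API = "https://www.virustotal.com/api/v3"


def sha256_hex(data: bytes) -> str:
    """Hash the sample locally so it can be looked up without uploading it."""
    return hashlib.sha256(data).hexdigest()


def vt_url_id(url: str) -> str:
    """VirusTotal v3 identifies a URL by its unpadded URL-safe base64 encoding."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


def vt_request(path: str, api_key: str) -> Request:
    """Build the GET request for /files/<sha256> or /urls/<url_id> (not sent here)."""
    return Request(
        f"{VT_API}/{path}",
        headers={"x-apikey": api_key, "accept": "application/json"},
    )


def summarize_report(report: dict) -> dict:
    """Reduce a v3 file/URL report to counts, a verdict and the engines that flagged it."""
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    results = attrs.get("last_analysis_results", {})
    flagged = sorted(
        (engine, r.get("result") or r["category"])
        for engine, r in results.items()
        if r.get("category") in ("malicious", "suspicious")
    )
    malicious = stats.get("malicious", 0)
    suspicious = stats.get("suspicious", 0)
    if malicious:
        verdict = "malicious"
    elif suspicious:
        verdict = "suspicious"
    else:
        verdict = "undetected"
    return {
        "malicious": malicious,
        "suspicious": suspicious,
        "verdict": verdict,
        "flagged_by": flagged,
    }


# Constructed sample report (not real VirusTotal output), shaped like the v3 API
# and matching the write-up's 1 phishing + 3 suspicious result.
SAMPLE_URL_REPORT = {
    "data": {
        "type": "url",
        "attributes": {
            "last_analysis_stats": {"malicious": 1, "suspicious": 3, "harmless": 60, "undetected": 10},
            "last_analysis_results": {
                "EngineA": {"category": "malicious", "result": "phishing"},
                "EngineB": {"category": "suspicious", "result": "suspicious"},
                "EngineC": {"category": "suspicious", "result": "suspicious"},
                "EngineD": {"category": "suspicious", "result": "suspicious"},
                "EngineE": {"category": "harmless", "result": "clean"},
            },
        },
    }
}

if __name__ == "__main__":
    url = "https://example.invalid/landing"  # placeholder, not the site from the write-up
    req = vt_request(f"urls/{vt_url_id(url)}", api_key="<YOUR_VT_API_KEY>")
    print("would query:", req.full_url)
    print(summarize_report(SAMPLE_URL_REPORT))
```

The `summarize_report` output is what you would compare against the VirusTotal web page: the engines in `flagged_by` are the ones to read the community comments for, since a low detection count (like the second file in the .zip) does not by itself mean the file is clean.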

Previously I had already searched for this page so there is already a record of it:

As can be seen in the result, there were 3 results that marked it as suspicious and 1 result that directly detected it as phishing.

The result of UrlScan:

In the urlscan result we can see that we are redirected to another malicious website.
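urlscan shows the redirect chain for you, but the same information can be recovered by hand without letting a browser execute anything on the landing page. The following is an added example, not the write-up's own code: it follows HTTP redirects one hop at a time (automatic redirect following disabled), records every hop, and stops on a loop, a missing `Location` header, or too many hops. The `fetch` function is injected so the chain below runs against a constructed table of responses; `http_fetch` is the real-network variant built on `urllib`.

```python
from urllib.error import HTTPError
from urllib.parse import urljoin, urlsplit
from urllib.request import HTTPRedirectHandler, build_opener

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 10


class NoRedirect(HTTPRedirectHandler):
    """Make urllib return the 3xx response instead of silently following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url: str, timeout: float = 10.0):
    """Real fetch: returns (status, headers) for one URL without following redirects."""
    opener = build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers)
    except HTTPError as err:  # urllib raises for 3xx once redirects are disabled
        return err.code, dict(err.headers)


def follow_redirects(url: str, fetch=http_fetch, max_hops: int = MAX_HOPS):
    """Return (chain_of_urls, final_status, reason) for a starting URL."""
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        status, headers = fetch(url)
        if status not in REDIRECT_CODES:
            return chain, status, "landed"
        location = headers.get("Location") or headers.get("location")
        if not location:
            return chain, status, "redirect without Location"
        nxt = urljoin(url, location)  # relative Location headers are allowed
        chain.append(nxt)
        if nxt in seen:
            return chain, status, "loop"
        seen.add(nxt)
        url = nxt
    return chain, None, "too many hops"


def hosts_in_chain(chain):
    """Distinct hostnames touched, in order; new hosts mid-chain are what to look up next."""
    hosts = []
    for u in chain:
        h = urlsplit(u).hostname
        if h and h not in hosts:
            hosts.append(h)
    return hosts


# Constructed responses (placeholder hosts, not the sites from the write-up).
FAKE_RESPONSES = {
    "https://tracker.example/click?id=1": (302, {"Location": "https://redirector.example/go"}),
    "https://redirector.example/go": (302, {"Location": "/landing"}),
    "https://redirector.example/landing": (200, {"Content-Type": "text/html"}),
    "https://loop-a.example/": (301, {"Location": "https://loop-b.example/"}),
    "https://loop-b.example/": (301, {"Location": "https://loop-a.example/"}),
}


def fake_fetch(url: str):
    return FAKE_RESPONSES.get(url, (404, {}))


if __name__ == "__main__":
    chain, status, reason = follow_redirects("https://tracker.example/click?id=1", fake_fetch)
    print(reason, status, " -> ".join(chain))
    print("hosts:", hosts_in_chain(chain))
```

Each hostname in `hosts_in_chain` is a separate artifact to submit to VirusTotal or urlscan; the site you were sent is often just a tracker, and the host that actually serves the download is further down the chain.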

After entering the website from a computer, in this case running Windows 10, it automatically downloads a .zip file, which I had already submitted to VirusTotal; this is the result:

Inside that .zip, we find 2 files, which are also already in the virustotal database:

The first file, named “_610507152.exe” is detected 16 times as malware.

The second does not seem to be detected at all and appears to be a “reliable” file… but if we look a little closer we can see that it has some comments in the community section:

The user shares the following:

YARA Signature Match — THOR APT Scanner

RULE: SUSP_NET_NAME_ConfuserEx
RULE_SET: Livehunt — Suspicious1 Indicators 🏹
RULE_TYPE: Community 👥
RULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_NET_NAME_ConfuserEx
DESCRIPTION: Detects ConfuserEx packed file
REFERENCE: https://github.com/yck1509/ConfuserEx
RULE_AUTHOR: Arnim Rupp

🙌 Hey, this seems to be an open-source tool or framework. The author has shared it with the community with the intention to improve overall security. If you are a victim and noticed this tool in a breach, please visit the tool’s github page (see above) and tell your story by creating an issue on the issues page: https://github.com/yck1509/ConfuserEx/issues 💖.

Detection Timestamp: 2021–02–16 18:58
AV Detection Ratio: 🔴 0 / 70

Use these tags to search for similar matches: #net #name #confuserex #susp_net_name_confuserex #open_source_tool
More information: https://www.nextron-systems.com/notes-on-virustotal-matches/

thor

Apparently this user recognized the file and points out that this program is part of a framework.

On the other hand, when entering as an android user, an .apk file is downloaded, which is recognized as malware for android.

Now, how do we make sure that we don’t have malware on our android?

  • You see ads all the time, regardless of what app you are using.
  • You install an app and then the icon disappears immediately.
  • Your battery drains much faster than usual.
  • You see apps that you don’t recognize on your phone.

These are all worrying signs that mean you need to investigate further.

That is all from me for now. Now it’s your turn.

Have you come across a page of this type?


Published in InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/

Written by _Y000_

Hello, welcome to my Medium profile! I’m Y000! 😊 Who am I? 🤔 Well… I’m me haha, I’m just someone passionate about information security.
