Analyzing a malicious site

By Y000, published in InfoSec Write-ups. 4 min read. Mar 12, 2021

Nowadays it is crucial to be able to tell a malicious website apart from the official site it imitates, and this is increasingly difficult because of the effort that goes into building fraudulent sites.

In this write-up we are going to analyze some malicious sites dedicated to spreading malware for mobile devices and PCs.

What is a malicious website?

A malicious link is a seemingly trustworthy ‘link’ that, when clicked, redirects to a fake website imitating a legitimate official one. Once users believe they are browsing a trusted website, they may enter personal data such as their email, passwords and even bank details.

Malicious links are often received in email messages asking the user to click on a ‘link’. With this method, on many occasions, instead of asking the user for personal data, the attackers get the victim to install some type of ‘malware’ on their device.

https://www.bbva.com/es/que-son-los-enlaces-maliciosos-y-como-protegerse-ante-esta-amenaza/

The first site that we are going to analyze is:

https://xlongliveapkx.com/OMrSXb37a2f8a53f274cbc9fe68067364da5c53cc70ca?q=9&s1=9&s3=wqbmrlpn1jdkgb36i14et5u0

When entering via PC, we find the following:

When entering with a cell phone, in this case an Android device, we find the following:

To begin the analysis, I will first recommend 2 websites that I use a lot for this type of case:

VirusTotal

UrlScan

With these sites we can check whether a website already has a record and whether any malicious activity has been linked to it; we can also scan files to find out whether they are a kind of malware.

I had already searched for this page previously, so there is already a record of it:
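As an added example (my own code, not part of the original post), the following script does the file side of that workflow from the command line: it hashes a downloaded file locally, looks the SHA-256 up on VirusTotal's v3 API (the real `GET /api/v3/files/{hash}` endpoint, authenticated with the `x-apikey` header) without uploading anything, and condenses the report into the "N detections out of M engines" figure quoted later in this post. The `VT_API_KEY` environment variable, the helper names and the `SAMPLE_REPORT` values are my assumptions; the sample report only mirrors the shape of a VirusTotal file object so the script can be run offline.

```python
# Added example (not from the original post): hash a suspicious download locally,
# look it up on VirusTotal by SHA-256, and condense the verdict into the
# "N detections / M engines" form used in the write-up. A live lookup needs a
# VirusTotal API key in the VT_API_KEY environment variable (assumed name).
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request
from typing import List, Optional

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{sha256}"

# Engine result categories that count as an actual verdict on the file.
VERDICT_CATEGORIES = ("harmless", "suspicious", "malicious", "undetected")


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    # Stream in 1 MiB chunks so a large archive never has to sit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def summarize_report(report: dict) -> dict:
    """Reduce a VirusTotal v3 file object to a short, readable verdict."""
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    # Engines that could not scan the file (type-unsupported, timeout, failure)
    # are left out of the denominator, so the ratio reads like the VT web UI.
    engines = sum(stats.get(k, 0) for k in VERDICT_CATEGORIES)
    malicious = stats.get("malicious", 0)
    flagged = sorted(
        name for name, res in attrs.get("last_analysis_results", {}).items()
        if res.get("category") == "malicious"
    )
    return {
        "sha256": attrs.get("sha256"),
        "malicious": malicious,
        "suspicious": stats.get("suspicious", 0),
        "engines": engines,
        "ratio": f"{malicious} / {engines}",
        "flagged_by": flagged,
        "names": attrs.get("names", []),
    }


def lookup_hash(sha256: str, api_key: str) -> Optional[dict]:
    """Fetch the VT file object for a hash; None if VT has never seen the file."""
    req = urllib.request.Request(
        VT_FILE_URL.format(sha256=sha256), headers={"x-apikey": api_key}
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        if e.code == 404:  # unknown hash: nothing has been uploaded yet
            return None
        raise


# Constructed sample in the shape of a VT v3 file object (all values invented).
SAMPLE_REPORT = {
    "data": {
        "id": "0" * 64,
        "type": "file",
        "attributes": {
            "sha256": "0" * 64,
            "names": ["_610507152.exe"],
            "last_analysis_stats": {
                "harmless": 0, "suspicious": 0, "malicious": 16, "undetected": 54,
                "type-unsupported": 3, "timeout": 0, "failure": 0,
                "confirmed-timeout": 0,
            },
            "last_analysis_results": {
                "EngineA": {"category": "malicious", "result": "Trojan.Generic"},
                "EngineB": {"category": "undetected", "result": None},
                "EngineC": {"category": "malicious", "result": "Malware.Heur"},
            },
        },
    }
}


def main(argv: List[str]) -> int:
    if len(argv) < 2:  # no file given: show the offline demo on the sample
        print(json.dumps(summarize_report(SAMPLE_REPORT), indent=2))
        return 0
    digest = sha256_of_file(argv[1])
    key = os.environ.get("VT_API_KEY")
    if not key:
        print(f"sha256={digest}\nset VT_API_KEY to query VirusTotal", file=sys.stderr)
        return 2
    report = lookup_hash(digest, key)
    if report is None:
        print(f"{digest}: not in VirusTotal yet (only the hash was sent)")
        return 1
    print(json.dumps(summarize_report(report), indent=2))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python vt_lookup.py downloaded.zip` with `VT_API_KEY` set; without arguments it prints the summary of the constructed sample. Looking up by hash first is deliberate: it tells you whether the file is already known before you decide to upload a possibly sensitive sample, and a `404` simply means nobody has submitted it yet, not that it is clean.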

As can be seen in the result, 3 of the results marked it as suspicious and 1 result flagged it directly as phishing.

The result of UrlScan:

In the urlscan result we can see that we are redirected to another malicious website.

After entering the website from a computer, in this case running Windows 10, a .zip file is downloaded automatically. I had already uploaded it to VirusTotal, and this is the result:

Inside that .zip we find 2 files, which are also already in the VirusTotal database:

The first file, named “_610507152.exe” is detected 16 times as malware.

The second does not appear to be detected by anything and looks like a “reliable” file… but if we look a little closer we can see that it has some comments in the community section:

The user shares the following:

YARA Signature Match — THOR APT Scanner

RULE: SUSP_NET_NAME_ConfuserEx
RULE_SET: Livehunt — Suspicious1 Indicators 🏹
RULE_TYPE: Community 👥
RULE_LINK: https://valhalla.nextron-systems.com/info/rule/SUSP_NET_NAME_ConfuserEx
DESCRIPTION: Detects ConfuserEx packed file
REFERENCE: https://github.com/yck1509/ConfuserEx
RULE_AUTHOR: Arnim Rupp

🙌 Hey, this seems to be an open-source tool or framework. The author has shared it with the community with the intention to improve overall security. If you are a victim and noticed this tool in a breach, please visit the tool’s github page (see above) and tell your story by creating an issue on the issues page: https://github.com/yck1509/ConfuserEx/issues 💖.

Detection Timestamp: 2021–02–16 18:58
AV Detection Ratio: 🔴 0 / 70

Use these tags to search for similar matches: #net #name #confuserex #susp_net_name_confuserex #open_source_tool
More information: https://www.nextron-systems.com/notes-on-virustotal-matches/

thor

Apparently this user recognized the file and points out that this program is part of a framework.

On the other hand, when entering as an Android user, an .apk file is downloaded, which is recognized as Android malware.

Now, how do we make sure we don’t have malware on our Android device?

  • You see ads all the time, regardless of what app you are using.
  • You install an app and then the icon disappears immediately.
  • Your battery drains much faster than usual.
  • You see apps that you don’t recognize on your phone.

These are all worrying signs that mean you need to investigate further.

That is all from me for now. Now it’s your turn.

Have you come across a page of this type?


Hello, welcome to my Medium profile! I’m Y000! 😊 Who am I? 🤔 Well… I’m me haha, I’m just someone passionate about information security.