Illicit Brand Impersonation | A Threat Hunting Approach

2023-08-01, SentinelOne
https://www.sentinelone.com/blog/illicit-brand-impersonation-a-threat-hunting-approach/
#Kimsuky

Since the start of 2023, brand impersonation has become the center of many questions we receive from everyday network defenders. While at the start of the year we reported on the heavy spike in malicious Google search ads, the activity continues to this day across many platforms, and does not get as much attention as it deserves. Additionally, while tracking more capable and often state-sponsored threat actors, we continually observe brands being impersonated for illicit use, including credential phishing and malware delivery.
Consequently, organizations find themselves grappling with two critical challenges: first, identifying and thwarting illicit brand impersonation aimed at targeting them, and second, effectively safeguarding their networks and users. Security and threat researchers face a similar, albeit magnified, responsibility as they handle these concerns for numerous entities.
Let’s explore some examples of opportunistic and targeted threat actors impersonating trusted brands and how security researchers can make use of new tooling for …

IoC

import "vt"

// Kimsuky phishing script: match any newly seen URL that serves the known script by SHA-256.
rule apt_nk_kimsuky_phishing_script {
  condition:
    vt.net.url.new_url and
    vt.net.url.downloaded_file.sha256 == "256fa5009e8e82258876325b7d36f41cc3e74e85627663206b042eec8736ce6a"
}

// AWS brand impersonation: a newly seen domain that reuses an AWS favicon, links out to
// the AWS sign-in page, or carries "aws" in its name. Each comment sits on its own
// line so it cannot swallow the rest of the condition.
rule aws_monitor {
  condition:
    vt.net.domain.new_domain and (
      vt.net.url.favicon.dhash == "4026d4f494f8738c" or   // AWS Name Icon
      vt.net.url.favicon.dhash == "c8e3b88aaa88cbf8" or   // AWS Docs Icon
      for any link in vt.net.url.outgoing_links: ( link matches /signin.aws.amazon\.com.*/ ) or
      vt.net.domain.raw matches /aws/
    )
}

// Narrower variant: favicon match only, for lower-noise monitoring.
rule aws_monitor_2 {
  condition:
    vt.net.domain.new_domain and (
      vt.net.url.favicon.dhash == "4026d4f494f8738c" or   // AWS Name Icon
      vt.net.url.favicon.dhash == "c8e3b88aaa88cbf8"      // AWS Docs Icon
    )
}

// USPS-themed phishing kit: pages that embed the same third-party tracker ID.
rule usps_phisher_tracker {
  condition:
    for any tracker in vt.net.url.trackers: ( tracker.id == "93030690" )
}