So you're going on a threat hunt…and you want to catch a big (malicious) one.
Identifying malicious infrastructure can be a particularly daunting threat-hunting objective. Attackers who are intent enough on setting up things like C2 networks, phishing sites, and impersonated domains, are also, not surprisingly, often very good at hiding their tracks with tactics ranging from the use of proprietary VPNs to compromised intermediary services. So even when malicious infrastructure is visible, source attribution can remain a thorny problem.
That said, there are tools like Censys Search that can make the challenge of tracking and understanding malicious infrastructure more achievable. Consider the following user stories, how-to articles, and videos for insights you can use to inform, inspire, and even supercharge your next investigation into malicious infrastructure.
7 Resources Worth a Read (or Watch)
1. How to Identify Malicious Infrastructure: Demo
Let's start with a quick video tutorial on how to get started looking for malicious infrastructure in Censys Search. Follow along as one of our experts conducts an accelerated hunt for C2 infrastructure, using geolocation filters, labels, and strategic pivoting. Discover how you can quickly go from a macro, 10,000-foot view of all possible instances of C2, to something much more granular and specific with just a few queries.
2. Tracking Vidar Infrastructure with Censys
Gain insight from our team's investigation into Vidar infrastructure, a type of malware that evolved from Arkei and stands out as one of the first stealers capable of extracting information from 2FA Software and the Tor Browser. Vidar has been associated with Scattered Spider, known for targeting large organizations and IT help desks. Because Vidar's C2 servers utilize HTTP over TLS, including hardcoded subject and issuer-distinguished names (DNs) on certificates, Censys was able to detect 22 unique IP addresses linked to Vidar campaigns.
Follow along we investigate Vidar's operational methods, including its unique ability to harvest data from secure environments, and outline the specific network signatures and C2 server traits that can be tracked using Censys Search.
3. Russian Ransomware C2 Data Discovered in Censys Data
Censys researchers identified a network of Russian hosts that were using tools like Metasploit and PoshC2 for command and control operations, and which were linked to ransomware attacks. The investigation used advanced scanning techniques and data analysis in Censys Search to trace the network's activity across multiple countries, offering insights into identifying and combating such sophisticated threats.
In this summary of the investigation, our team describes in specific detail each step they took to identify and gather more context about these hosts. Key to the success of this investigation was the ability to pivot on new information, and strategically leverage host history data to analyze a malware kit. Check out the full article to learn more and access the queries and reports that the team used during the investigation.
4. Fuzzy Matching to Find Phishy Domains
Domain impersonators remain a persistent problem for security teams, and it's often difficult to identify impersonators in a timely fashion. In this article, learn how to proactively identify and mitigate domain impersonation threats that endanger user security.
By utilizing 'fuzzy matching' techniques like the Levenshtein Distance in combination with Censys data and Google's BigQuery, you can effectively spot and block domains that closely mimic legitimate ones, thereby enhancing their cybersecurity measures. This approach not only speeds up the detection of such threats but also improves the precision in targeting only the most suspicious domains.
Interested in a tutorial? Watch as one of our Censys researchers walks through how to apply these fuzzy matching principles in practice.
5. Threat Intel Pivoting Using Censys
Follow along as one Censys user shares how they uncovered a cyber espionage group's cluster infrastructure by pivoting on nodes with Censys Search. With just a known first node, the user describes how they were able to jump into Censys Search to subsequently identify port number, patterns, tool name, host provider, and certificates. With this information, the user double-clicked on the SSH key fingerprinting, pivoted to learn more about the hosting provider, and continued to pivot based on findings. Check out the article for a full walkthrough of how they were able to drill down into the Muddy Water cyber espionage threat actor.
6. Exposing a Spyware Vendor's C2 Infrastructure
Citizen Lab, a research institute at the University of Toronto, believed that spyware vendor Candiru was impersonating well-known organizations to target journalists and human rights activists. Candiru claims that their products are "untraceable," which would make finding domains, certificates, and other C2 infrastructure affiliated with their software especially challenging. However, that claim didn't deter Citizen Lab, which set out to identify the spyware vendor's C2 infrastructure and understand its global footprint.
Using Censys Search, Citizen Lab identified a self-signed certificate associated with Candiru, which allowed them to query the IP address that was serving the self-signed certificate. From there, the team pivoted between searching hosts and certificates in Censys Search to ultimately identify more than 750 websites that Candiru was impersonating. Check out the case study to learn more about Citizen Lab's investigation.
7. The Beginner's Guide to Tracking Malware Infrastructure
If it's malware that's on your mind, look no further than this complete (dare we say unmatched) guide to tracking malware infrastructure, guest-authored by Embee Research. This article offers detailed, step-by-step instructions for how to pursue all sorts of strategies for hunting malware within Censys Search, complete with specific queries and screenshots.
For example, the guide walks through how to hunt for infrastructure using TLS certificates, which threat actors and malware developers use to encrypt communication and establish connections between a target host and malicious infrastructure. Censys happens to have the world's largest repository of x.509 certificates, so if there's a TLS certificate a threat actor is targeting, Censys can see it.
Importantly, Censys Search users can also access TLS configurations for known malicious servers or domains, and in turn, identify patterns and similarities in TLS parameters. This can help users track and attribute malicious infrastructure to specific threat actors or groups.
Keep Exploring
Interested in learning more about how to accelerate your threat investigations? Check out our on-demand webinar, Threat Intelligence with Censys Search and ChatGPT to discover how to leverage the power of generative AI to hunt for threats!
Rachel Hannenberg — Content Marketing Manager at Censys https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3XM7mXUHWpzWaeCq64ytZr_CTVI5ELdTnDfJZ6ZJ0Dosvzq9VcUUERMc3kPqlge6rQnOLPKBenxmHVQkU6qJZwQIcMe9Re6S8ZRkQhNXbIMBmrWVyQ7g8-igyp5EpMKfsbk-U5NgUv4uoqmmvAPOHKG_vYDJzgAIg3GoQ8aqaU4oF6ZmLruYaUoAXrRc/s728-rw-e365/Rachel-Headshot-modified.png