URLhaus – Polarity

URLhaus is a project from abuse.ch with the goal of sharing malicious URLs that are being used for malware distribution. The Polarity URLhaus Integration takes indicators on your screen and overlays whether URLhaus knows of any malicious URLs associated with that indicator.

Here is a URL and a hash that are known to distribute malware. Using Polarity and URLhaus we will try to get some more information on the origins of the attacks:

(http://123.4.207.66:33308/bin.sh)

(2E4506802AEDEA2E6D53910DFB296323BE6620AC08C4B799A879EACE5923A7B6)

Polarity Analysis:

Running the hash scan quickly returned some affiliated URLs that are online. You can log these in a .txt file for later use.

The URL scan returned some details about its online status, the date it was reported, scan results, a country (China), and some useful site information. A quick IP lookup scan also confirms the country as China.

IP Lookup Link:

https://ipgeolocation.io/

Click the View in URLhaus link in the Polarity Overlay to view the results on the Webpage.

On the main webpage there is a link to the host and the date added; the URL status is Offline, and it has been down for 3 hours & 39 minutes, since 2021-07-04 21:54:26 UTC.

The payload delivery File Type (elf) & Payload SHA256 are on this page as well.

From the tags we can see what file types they are using (32-bit, elf, mips).

The MOZI Tag stands out as a known Hacking Group.

Click on the MOZI tag under Database Entry; more URLs associated with the MOZI group are listed there.

More URLs affiliated with MOZI Group:

URLhaus | Browse MOZI (abuse.ch)

Under the Date added (UTC) column we can check whether the MOZI group is still active by looking at the timestamps of recent URLs, and at how many of their URLs are Online under the Status column.

The Browse Database page can be used to pivot from a domain, URL or hash, for example with the filters filetype:doc and url_status:online.
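The steps above (logging the online URLs returned by a hash scan, reading the downtime of an offline URL, checking from timestamps and status whether a tag's URLs are still active, and filtering with key:value terms) are all things an analyst can script once the URLhaus data is in hand. The following Python is an added example, not code from Polarity or abuse.ch. It works over a constructed JSON document that approximates the shape of a URLhaus payload (SHA256) lookup: the first URL and the hash are the indicators from this writeup, the remaining URLs use RFC 5737 documentation address ranges and are invented, and the mapping of the browse-page filter keys (filetype, url_status, tag) onto JSON field names is this example's assumption.

```python
"""Triage helpers for URLhaus-style lookup results (added example, not Polarity or abuse.ch code)."""
import json
from datetime import datetime, timedelta, timezone
from pathlib import Path

URLHAUS_TS = "%Y-%m-%d %H:%M:%S UTC"   # timestamp format used on URLhaus pages

# Constructed sample approximating the JSON of a URLhaus payload (SHA256) lookup.
# The first URL and the hash are the indicators from the writeup; the other URLs
# use RFC 5737 documentation address ranges and are invented for this demo.
SAMPLE_PAYLOAD_RESPONSE = json.dumps({
    "query_status": "ok",
    "sha256_hash": "2E4506802AEDEA2E6D53910DFB296323BE6620AC08C4B799A879EACE5923A7B6",
    "file_type": "elf",
    "urls": [
        {"url": "http://123.4.207.66:33308/bin.sh", "url_status": "offline",
         "date_added": "2021-07-04 21:54:26 UTC", "file_type": "elf",
         "tags": ["32-bit", "elf", "mips", "Mozi"]},
        {"url": "http://192.0.2.10:48561/bin.sh", "url_status": "online",
         "date_added": "2021-07-05 00:10:02 UTC", "file_type": "elf",
         "tags": ["32-bit", "elf", "mips", "Mozi"]},
        {"url": "http://198.51.100.23:35121/Mozi.m", "url_status": "online",
         "date_added": "2021-07-04 23:45:11 UTC", "file_type": "elf",
         "tags": ["elf", "Mozi"]},
        {"url": "http://203.0.113.5:8080/invoice.doc", "url_status": "online",
         "date_added": "2021-06-01 12:00:00 UTC", "file_type": "doc",
         "tags": ["doc"]},
    ],
})

# Time the writeup's page was viewed, reconstructed from "down for 3 hours & 39
# minutes, since 2021-07-04 21:54:26 UTC".
NOW = datetime(2021, 7, 5, 1, 33, 26, tzinfo=timezone.utc)


def parse_ts(s):
    """Parse a URLhaus timestamp string into an aware UTC datetime."""
    return datetime.strptime(s, URLHAUS_TS).replace(tzinfo=timezone.utc)


def load_entries(response):
    """Return the URL entries of a lookup response, or [] if the lookup failed."""
    data = json.loads(response) if isinstance(response, str) else response
    if data.get("query_status") != "ok":
        return []
    return data.get("urls", [])


def online_urls(entries):
    """URLs URLhaus still marks online: the ones to block or watch first."""
    return sorted(e["url"] for e in entries if e.get("url_status") == "online")


def save_online_urls(entries, path=None):
    """Write the online URLs to a .txt file (one per line) and return them."""
    urls = online_urls(entries)
    if path is not None:
        Path(path).write_text("".join(u + "\n" for u in urls), encoding="utf-8")
    return urls


def downtime(offline_since, now=NOW):
    """(hours, minutes) a URL has been offline, as the URLhaus page reports it."""
    minutes = int((now - parse_ts(offline_since)).total_seconds() // 60)
    return divmod(minutes, 60)


# Browse-page filter keys -> JSON field names (assumed mapping for this example).
FILTER_FIELDS = {"url_status": "url_status", "filetype": "file_type", "tag": "tags"}


def apply_filters(entries, *filters):
    """Apply browse-page style filters such as "filetype:doc" or "url_status:online"."""
    parsed = []
    for f in filters:
        key, _, value = f.partition(":")
        if key not in FILTER_FIELDS or not value:
            raise ValueError(f"unsupported filter: {f!r}")
        parsed.append((FILTER_FIELDS[key], value.lower()))

    def matches(entry):
        for field, value in parsed:
            got = entry.get(field)
            if isinstance(got, list):          # tag lists: any case-insensitive match
                if value not in {t.lower() for t in got}:
                    return False
            elif str(got).lower() != value:    # scalar fields: exact match
                return False
        return True

    return [e for e in entries if matches(e)]


def group_activity(entries, now=NOW, window_days=7):
    """Is a tag/group still active? Count recently added and currently online URLs."""
    added = [parse_ts(e["date_added"]) for e in entries]
    recent = sum(1 for t in added if now - t <= timedelta(days=window_days))
    online = len(online_urls(entries))
    latest = max(added, default=None)
    return {
        "total": len(entries),
        "recent": recent,
        "online": online,
        "latest_added": latest.strftime(URLHAUS_TS) if latest else None,
        "active": recent > 0 and online > 0,
    }


if __name__ == "__main__":
    entries = load_entries(SAMPLE_PAYLOAD_RESPONSE)
    print("online URLs:", save_online_urls(entries, "urlhaus_online.txt"))
    print("bin.sh downtime (h, m):", downtime("2021-07-04 21:54:26 UTC"))
    print("doc + online:", [e["url"] for e in apply_filters(entries, "filetype:doc", "url_status:online")])
    print("Mozi activity:", group_activity(apply_filters(entries, "tag:Mozi")))
```

Run stand-alone, the script writes the online URLs to urlhaus_online.txt, reports the bin.sh downtime as (3, 39), and summarises the Mozi-tagged entries. Against a real lookup the same functions apply unchanged to the `urls` array of the response; only the sample document is constructed.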

In a short amount of time we gathered:

  • Filtered Lists of URLs
  • A Location (China)
  • What group the attacks originated from (MOZI)
  • What filetypes are in use by the attacker
  • Timestamps
  • On/Offline status of URLs

Using these tools together like this saves analysts time: these scans took minutes to complete and returned lots of useful information. We could now continue the investigation with the information we gathered as a starting point.