Category Archives: android malware

Google Makes it Tough for Rogue App Developers Get Back on Android Play Store

Even after Google's security oversight over its already-huge Android ecosystem has evolved over the years, malware apps still keep coming back to Google Play Store. Sometimes just reposting an already detected malware app from a newly created Play Store account, or using other developers' existing accounts, is enough for 'bad-faith' developers to trick the Play Store into distributing unsafe

Fake Instagram assistance apps found on Google Play are stealing passwords

We all want those Instagram likes and followers. Many apps on Google Play claim they can assist you with that effort. But what if the app that’s supposed to be helping you is also stealing your username and password? 

As a matter of fact, that’s exactly what we found in three fake Instagram assistance apps still available on Google Play at the time of this writing. Moreover, these fake apps are targeting Iranian users. Malwarebytes already detects the malicious apps as Android/Trojan.Spy.FakeInsta.

What’s in a like?

As the psychology of social media reveals how addicting it can be to receive likes and even better, followers, on platforms such as Instagram, users often look for shortcuts or other ways to game the system in order to get that rush of dopamine. 

That’s where Instagram assistance apps come into play—Google Play, that is! Apps that claim to boost your likes and increase your followers are an attractive notion, especially when building a thriving Instagram account organically can take months or even years. Malware authors are great opportunists, and there is certainly a lot of opportunity to exploit when it comes to creating account-stealing fake apps.

InstaStolen account

Let’s use an app named Followkade as a case study of this new-found Instagram credential stealer.

App Name: Followkade

Package Name: com.followkade.insta

Installs: 50,000+

Reviews: 4.0 out of 6,999 total respondents

As you can see, it’s a highly-rated app with thousands of downloads and reviews. Customers on Google Play looking to determine the app’s legitimacy would be none-the-wiser.

After install, the app opens to a splash page, and then a page asking for Instagram credentials.

I used the following to log in:

Username: test_username

Password: test_password

After opening a network scanner, I pressed Login. Along with normal login traffic to Instagram, there was some additional network traffic going on here. Take a look at the screenshots below with proof of the stolen credentials.

There it is in plain text: my test username and password being sent to a known malicious website.

Insta targets

There are many apps that pose as so-called helpers piggybacking off the social media craze. Some of them are legitimate apps that might be able to help users boost likes and followers as advertised. However, malware authors can too easily mimic the above board apps, and they bank on users’ desire to find fast validation through social media acceptance.  

The other two apps that we found, LikeBegir and Aseman Security, also target Iranian users, as does Followkade. LikeBegir claims it will increase likes, help users buy cheap coins, and provide daily gifts. Aseman Security, ironically, boasts that it will boost security for your Instagram page and prevent it from being hacked.

I would imagine there aren’t a lot of Iranian Instagram assistance apps on Google Play, so it’s an easy target for malware authors of that region. In these cases, picking a highly-rated and installed app isn’t much help to be safe.

Acknowledgement and tips

Many thanks to Malwarebytes Forum patron AmirGooran for tipping us off about the fake apps. 

If you’re looking to boost your Instagram community, it’s a lot safer to do it the old-fashioned way: by creating quality content with well-edited, creative photos. Take the time to write engaging captions with appropriate hashtags to attract others. And build your community by following and interacting with other top content creators you truly appreciate—not just using the follow for a follow model.

And if you’re interested in securing your Instagram account, once again, the old-fashioned ways win out. Be sure to use strong password credentials, which means long passwords that don’t have easily guessable information such as birthdays or family names, and nothing that has been used for another account. We typically recommend folks use a password manager so they needn’t worry about remembering 27 different passwords. In addition, avoid using the Insta Messages function for communicating any confidential, important information, because it has no end-to-end encryption option whatsoever.

Read more: How do I secure my social media profile?

Like anything in life, building a respectable social media following takes work. Avoid the shortcuts: Not only do they fail at doing the things they promise—they may also take away much more than you would receive. After all, are fake likes really worth getting your personal information stolen? Stay safe out there!

The post Fake Instagram assistance apps found on Google Play are stealing passwords appeared first on Malwarebytes Labs.

‘Exodus’ Surveillance Malware Found Targeting Apple iOS Users

Cybersecurity researchers have discovered an iOS version of the powerful mobile phone surveillance app that was initially targeting Android devices through apps on the official Google Play Store. Dubbed Exodus, as the malware is called, the iOS version of the spyware was discovered by security researchers at LookOut during their analysis of its Android samples they had found last year.

E Hacking News – Latest Hacker News and IT Security News: “BasBanke”: Android Malware That Hacks Financial/ Personal Data!








Introducing “BasBanke”, another malware in the already long list of Android malware, with Brazilians’ financial and personal details on the target.

Credit/debit card numbers, other financial data, and personal data of Brazilians is what the cyber-cons are hunting for, via the malware.

This malware has been effective through malicious applications since 2018 Brazilian elections. Downloads of over 10,000 from the Google store were made.

By way of social media platforms like Facebook and WhatsApp the user were tricked into downloading the malware.



Later on attacks like ‘keystroke logging’, ‘SMS interception’ and ‘screen recording’ were also observed.

The advertising campaign’s URL hinted to the legitimate Google Play Store.
A malicious app which goes by the name of “CleanDroid” is another of the malicious apps which was advertised about on Facebook along with a download link.

The aforementioned application pretends to help in protecting the victim’s device from viruses and optimizing memory space.


Google play store hosts a lot of such illegitimate android apps who pretend to be QR readers or travel guides all the way tricking the victim.

A similar malicious campaign was discovered by a leading anti-virus organization but with relatively less distribution rates.

On the distributor front, social media played a vital role in it too.



Hunting and hacking down the metadata such as IMEI, telephone numbers, device names along with other personal stuff is the main agenda.

This data after getting collected is sent to the HQ of the cyber-hackers via C2 server.

Platforms like Netflix, YouTube and Spotify immediately turned up their security measures after perceiving that the banking details were being hunted.



E Hacking News - Latest Hacker News and IT Security News

“BasBanke”: Android Malware That Hacks Financial/ Personal Data!








Introducing “BasBanke”, another malware in the already long list of Android malware, with Brazilians’ financial and personal details on the target.

Credit/debit card numbers, other financial data, and personal data of Brazilians is what the cyber-cons are hunting for, via the malware.

This malware has been effective through malicious applications since 2018 Brazilian elections. Downloads of over 10,000 from the Google store were made.

By way of social media platforms like Facebook and WhatsApp the user were tricked into downloading the malware.



Later on attacks like ‘keystroke logging’, ‘SMS interception’ and ‘screen recording’ were also observed.

The advertising campaign’s URL hinted to the legitimate Google Play Store.
A malicious app which goes by the name of “CleanDroid” is another of the malicious apps which was advertised about on Facebook along with a download link.

The aforementioned application pretends to help in protecting the victim’s device from viruses and optimizing memory space.


Google play store hosts a lot of such illegitimate android apps who pretend to be QR readers or travel guides all the way tricking the victim.

A similar malicious campaign was discovered by a leading anti-virus organization but with relatively less distribution rates.

On the distributor front, social media played a vital role in it too.



Hunting and hacking down the metadata such as IMEI, telephone numbers, device names along with other personal stuff is the main agenda.

This data after getting collected is sent to the HQ of the cyber-hackers via C2 server.

Platforms like Netflix, YouTube and Spotify immediately turned up their security measures after perceiving that the banking details were being hunted.

Italian Android Spyware Infected Google Play Store for Years, Researchers Find

Fake service applications in Italian from mobile operators were found to be invasive spyware after successfully bypassing Google Play Store’s filters, according to a group of researchers from non-profit security organization Security Without Borders (SWB). The  large campaign of disguised spyware infected the store and stayed there for months in a “case of lawful intercept gone wrong,” writes Motherboard.

The spyware had “extensive collection and interception capabilities” that “might expose the infected devices to further compromise or data tampering.”

Google took down the infected pages after it was notified. Google investigated the platform and found 25 variants had been uploaded. The company did not say how many devices were infected, but it said one of the apps had 350 installations.

Dubbed Exodus, the Android spyware platform was allegedly created by Italian video surveillance company eSurv, and operated in two stages: Exodus One and Exodus Two.

“Of the various binaries downloaded, the most interesting are null, which serves as a local and reverse shell, and rootdaemon, which takes care of privilege escalation and data acquisition. rootdaemon will first attempt to jailbreak the device using a modified version of the DirtyCow exploit,” the report stated.

The team collected samples dating from between 2016 and 2019, which means the malware had been in the store for at least 3 years. “Most of these apps collected a few dozen installations each, with one case reaching over 350. All of the victims are located in Italy,” researchers said.

Motherboard claims the company sold the malware to the Italian government.

HOTforSecurity: Italian Android Spyware Infected Google Play Store for Years, Researchers Find

Fake service applications in Italian from mobile operators were found to be invasive spyware after successfully bypassing Google Play Store’s filters, according to a group of researchers from non-profit security organization Security Without Borders (SWB). The  large campaign of disguised spyware infected the store and stayed there for months in a “case of lawful intercept gone wrong,” writes Motherboard.

The spyware had “extensive collection and interception capabilities” that “might expose the infected devices to further compromise or data tampering.”

Google took down the infected pages after it was notified. Google investigated the platform and found 25 variants had been uploaded. The company did not say how many devices were infected, but it said one of the apps had 350 installations.

Dubbed Exodus, the Android spyware platform was allegedly created by Italian video surveillance company eSurv, and operated in two stages: Exodus One and Exodus Two.

“Of the various binaries downloaded, the most interesting are null, which serves as a local and reverse shell, and rootdaemon, which takes care of privilege escalation and data acquisition. rootdaemon will first attempt to jailbreak the device using a modified version of the DirtyCow exploit,” the report stated.

The team collected samples dating from between 2016 and 2019, which means the malware had been in the store for at least 3 years. “Most of these apps collected a few dozen installations each, with one case reaching over 350. All of the victims are located in Italy,” researchers said.

Motherboard claims the company sold the malware to the Italian government.



HOTforSecurity

Android Malware Intercepts SMS 2FA: We have the Logs!

A couple years ago I was doing some phishing investigations training at the Police School in Santiago, Chile.  One module in my training was called "Logs Don't Lie" which pointed out that in most cases we have everything we need to prioritize a phishing response just by looking at the log files, either on the compromised phishing server, or in the Financial Institutions own logs.

Malware C2 servers are another great place to apply the rule "Logs Don't Lie."  Most security researchers realize that there is a great cloud of fellow researchers on Twitter sharing little tips and glimpses of their investigations.  @LukasStefanko and @nullcookies and I have been looking at a C2 server for a piece of Android malware.  And the Logs are AMAZINGLY helpful at understanding just what kind of damage such a trojan can do!    (Sidenote:  @nullcookies is a monster for finding fresh and interesting phish (and often related tools), while @LukasStefanko is an awesome malware analyst for ESET, specializing in Android-based malware.  You should follow both on Twitter if you care about such things.  Thanks to them both for the pointer that leads to what follows.)

In this case, the malware is believed to be called "Anubis II" and likely uses the "Builder" that is depicted in this YouTube video, titled "Builder Android Bot Anubis 2"

Launcher the APK Builder "Android Botnet Anubis II" 

Malware actor chooses from his list of banking targets
In the comments section of the video, someone has shared a screen shot of the botmaster's control panel.  In this case it is demonstrating that 619 Android phones can be controlled from the botnet:

Phones that can be controlled from Anubis II control panel
In the particular instance referred to by Lukas and NullCookies, the malware seems to have been active primarily in June of 2018.   The server hosting the Anubis II panel has a list of banks that it can present.

The targets which have custom web inject (or phone inject) content include:
  • 7 Austrian banks
  • 18 Australian banks
  • 5 Canadian banks
  • 6 Czech banks
  • 11 German banks
  • 11 Spanish banks
  • 11 French banks
  • 8 Hong Kong banks
  • 11 Indian banks
  • 6 Japanese banks
  • 1 Kenyan bank
  • 4 New Zealand banks
  • 32 Polish banks
  • 4 Romanian banks
  • 9 Turkish banks
  • 10 UK banks (Bank of Scotland, Barclays, CSGCSDNMB, Halifax, HSBC, Natwest, Royal Bank of Scotland, Santander, TSB, Ulster)
  • 10 US banks (Bank of America, Capital One, Chase, Fifth Third, NetTeller, Skrill, SunTrust, USAA, US Bank, Wells Fargo Mobile)

Fake Android Login Pages for Banks 

While each of the 190 sites has a fake login page available, we thought we would show a sampling from banks around the world . . . 

There are also several Crypto Currency organizations listed:
  • blockchaine
  • coinbase
  • localbitcoin
  • unocoin
As well as some Online Payment, Email, and Social Media sites:
  • eBay
  • Facebook
  • Gmail
  • PayPal
  • ZebPay

Each bank on the list has the equivalent of a phishing page that can be presented if the owner of the android phone attempts to log in to the given bank.

 Some of them have silly typographical errors that will hopefully reduce success, such as this Wells Fargo content, inviting the phone owner to "Sing In" to the bank.  Perhaps there is a Wells Fargo Choir?  Hopefully that will cause victims to NOT fall for this particular malware!

The Wells Fargo Choir?  Sing On!


The SMS Intercepts

One of the main benefits of having access to the server was to see so many examples of successful SMS message intercepts!  At the time of the server dump, this one contained 32,900+ unique "keylog" entries and 52,000+ logged SMS messages from at least 47 unique devices.

Here's an example showing a Bank Two Factor Authentication request being forward to the criminals:

Text: Bank of Redacted: 819881 is your authorization code which expires in 10 minutes. If you didn't request the code, call 1.800.xxx.xxxx for assistance.

Keylogging was also enabled, allowing the criminal to see when a bank app was being used:

06/14/2018, 09:07:34 EDT|(FOCUSED)|[From:, REDACTED BANK, Account Number:, ******6680, Date:, May 30, 2018 10:10:42 AM EDT, Status:, Canceled, Amount:, $100.00, Type:, Deposit, Transfer ID:, 25098675]

In this example, an online payment company is sharing a message:

06/29/2018, 15:28:46 EDT|(CLICKED)|[Friendly reminderThis is Mr. XXXXXXX from REDACTED. This is a friendly reminder that you have a payment due today by 6pm If you have any questions or need to make a payment  via phone call 804-999-9999 or we have a new payment processing system that allows , for your convenience, to simply text in the last 4 digits of a card you've previously used and the security code and we're able to process your payment.  Feel free to call  REDACTED with any questions at 804-xxx-xxxx]

Hundreds of Gmail verification codes were found in the logs:

06/14/2018, 00:19:33 EDT|(FOCUSED)|[G-473953 is your Google verification code., 1 min ago]

Quite a few Uber codes were also found in the logs:

Text: [#] 9299 is your Uber code. qlRnn4A1sbt

Paypal, Quickbooks, LinkedIn, Facebook, Stash, and Stripe all had 2FA codes make appearances in the logs:

Text: FREE PayPal: Your security code is: 321842. Your code expires in 10 minutes. Please don't reply.

Text: [Your QuickBooks Self-Employed Code is 952708, 1 min ago]

Text: 383626 is your Facebook password reset code or reset your password here: https://fb.com/l/9wBUVuGxxxx5zC

Text: Your LinkedIn verification code is 967308.

Text: 103-667 is your Stripe verification code to use your payment info with Theresa.

Text: Your Stash verification code is 912037. Happy Stashing!

Text: Cash App: 157-578 is the sign in code you requested.

Text: Your verification code for GotHookup is: 7074

In a directory called "/numers/" there were also examples of address book dumps from phone contacts.  The small number of these seem to indicate this would be a "triggered" request, where the botnet operator would have to request the address book.  In the example we found, with seven area code (404) numbers, four (770) numbers and four (678) numbers, it is likely an Atlanta, Georgia based victim.

The Keylogging feature also seems to be something that is turned on or off by request of the botnet operators.  There were far fewer devices for which keylogs were found.   Example keylog entries looked like this:

A telephone prompt looked like this:


  • 06/15/2018, 14:38:55 EDT|(CLICKED)|[Call management, •, 10m, 4 missed calls, Ashley Brown (3), Mom]
  • 06/15/2018, 14:38:59 EDT|(CLICKED)|[Call Ashley Big Cousin, Quick contact for Ashley Brown]
  • 06/15/2018, 14:39:01 EDT|(CLICKED)|[1 804-999-9999, Mobile, Call Ashley Brown]


Responding to a message looked like this:


  • 06/15/2018, 16:02:34 EDT|(CLICKED)|[Messaging, •, now, Expand button, (804) 999-9999 , Hey Terry can you send the address, REPLY]
  • 06/15/2018, 16:02:37 EDT|(FOCUSED)|[Aa]
  • 06/15/2018, 16:02:46 EDT|(CLICKED)|[Copy, Forward, Delete]
  • 06/15/2018, 16:02:50 EDT|(FOCUSED)|[]
  • 06/15/2018, 16:02:54 EDT|(CLICKED)|[Messaging]
  • 06/15/2018, 16:02:57 EDT|(CLICKED)|[Enter message]
  • 06/15/2018, 16:05:11 EDT|(CLICKED)|[Answer]
  • 06/15/2018, 16:05:29 EDT|(CLICKED)|[]
  • 06/15/2018, 16:10:50 EDT|(FOCUSED)|[]
  • 06/15/2018, 16:10:52 EDT|(CLICKED)|[Enter]
  • 06/15/2018, 16:11:01 EDT|(FOCUSED)|[2007 Their Address Ct  North CityTheyTyped OK 11111]
  • 06/15/2018, 16:11:03 EDT|(FOCUSED)|[]
A YouTube session looked like this:


  • 06/27/2018, 15:23:36 EDT|(CLICKED)|[YouTube]
  • 06/27/2018, 15:23:46 EDT|(CLICKED)|[Pause video]
  • 06/27/2018, 15:41:19 EDT|(FOCUSED)|[14:46, Go to channel, FINDING OUT THE GENDER!!!, Menu, The Rush Fam · 26K views4 hours ago, 6:12, Go to channel, TRY NOT TO CRY CHALLENGE REACTION WITH KID (SHE ACTUALLY CRIED), Menu, CJ SO COOL · 2.5M views · 1 year ago, SUBSCRIBED]
  • 06/27/2018, 15:46:38 EDT|(FOCUSED)|[]
  • 06/27/2018, 15:46:41 EDT|(CLICKED)|[Enter]
  • 06/27/2018, 15:46:53 EDT|(CLICKED)|[Play video]
  • 06/27/2018, 15:48:06 EDT|(CLICKED)|[ · 0:11]
  • 06/27/2018, 15:48:09 EDT|(CLICKED)|[ · 0:09]
  • 06/27/2018, 15:48:10 EDT|(CLICKED)|[ · 0:08]
  • 06/27/2018, 15:54:30 EDT|(CLICKED)|[Suggested: "BREAKING UP IN FRONT OF COMPANY!!" PRANK ON PANTON SQUAD!!!]

Distribution 

From looking for this malware in various collections, such as Virus Total Intelligence, it seems that the malware is fairly common.  Many new versions of the malware show up in their collection every day.   The most common point of distribution seems to be from the Google Play Store.

A popularly reported stream of such apps was reported on by, well, just about everyone in July 2018.  Some of the headlines included:

Anubis Strikes Again: Mobile Malware continues to plague users in Official App Stores  - from IBM X-Force Research's Security Intelligence blog

Best graphic goes to Secure Computing Magazine:

https://www.scmagazine.com/


A more recent post, from AlienVault, (20 days ago):  "Anubis Android Malware in the Play Store

A search in VirusTotal Intelligence reveals 62 new filehashes ONLY FROM TODAY (September 10, 2018) that match a definition name of "Anubis".  Some of the more popular names for the trojan on VirusTotal include:

DrWeb:  Android.BankBot.1679
Ikarus: Trojan-Banker.AndroidOS.Anubis
Kaspersky: HEUR:Trojan-Dropper.AndroidOS.Hqwar.bbSophos: Andr/BankSpy-AH 




Kaspersky authored a special article on this banking trojan, which they call "HQWar" back in April under the headline "Phantom menace: mobile banking trojan modifications reach all-time high: Mobile banking Trojans hit the list of cyber-headaches in Q2 2018"   In that article they said they have documented 61,000 versions! 

Kaspersky: Phantom Menace
As I mentioned Lukas at the beginning of this blog, ESET has produced an amazing number of articles on Android banking trojans lurking in the Google Play store.  Here are a few of them:

Multisandbox project welcomes Cyber adAPT ApkRecon


Two weeks ago we announced the release of our new VirusTotal Droidy Android sandbox, a virtual environment that executes Android applications in an automated fashion in order to capture all the actions that the given app performs on the operating system.

Today we are excited to announce that Cyber adAPT is becoming a multisandbox project partner and will be contributing data from its ApkRecon product to the fight against malware. Like Droidy, its solution also focuses on the Android environment. In their own words:

ApkRecon is a sandbox environment developed by the research team at Cyber adAPT.  Amongst many features, the sandbox boasts a baited Android environment, a decrypted network application level capture, and an attack payload triggering system to gain insight into the true intent of each piece of analyzed malware. ApkRecon is also used to generate detection logic for Cyber adAPT’s Mobile Threat Detection product to keep users safe all around the world.

These are some example reports displaying the data contributed by Cyber adAPT:


It is worth highlighting the usefulness of this kind of data. When facing unknown files for which you have no context it can be very rich contextual information that allows analysts to have an initial judgement of the file before diving into dissecting it. For example, looking at the last example report above we notice that the file performs an HTTP POST to:

hxxp://85.206.166.7/index.php?action=command

This is a URL that we can look up in VirusTotal Graph and jump to the host referenced in the URL, i.e. 85.206.166.7. When exploring this host we notice that only the file under consideration has communicated with it, however, we do notice that expansions are available according to the referrer files relationship. This relationship pinpoints files that contain the given host within its body, even if they have not been seen communicating with it. Let’s follow this notion, something shady seems to be going on:


Badness is much easier to spot when studying the sample characterised in this other report:

In this case the APK reaches out to the URL:

hxxp://zzwx.ru/apkfff?keyword=BBM

From there we can jump to the domain entity, i.e. zzwx.ru, and expand URLs observed under such domain, as well as files communicating with it. Just two hops and we already have a preliminary idea about the initial APK that reached out to the aforementioned URL being malicious:


These examples highlight the importance of extracting as many attributes and behavioral details as possible from files, not only because they allow us to better understand a particular threat, but because they connect the dots and reveal entire campaigns. For instance, very often blocking a given network location will render ineffective all malware variants of a given campaign (inability to reach the mothership server), so even when certain variants fly under detection radars, there is still hope that network security measures will stop a given attack.

This kind of approach to block badness is something that we have shaped into a particular paper hosted in our www.virustotal.com/learn space, more specifically the paper entitled VirusTotal Intelligence for banking trojans. In this paper malicious network infrastructure is shut down by contacting the pertinent domain registrars and hosting providers, however, organizations can also blacklist these locations in their network security controls.

Meet VirusTotal Droidy, our new Android sandbox

Recently we called out Additional crispinness on the MacOS box of apples sandbox, continuing with our effort to improve our malware behavior analysis infrastructure we are happy to announce the deployment of a new Android sandbox that replaces the existing system that was developed back in 2013.

This setup characterises the actions that Android APKs perform when installed and opened; it has been baptised as “VirusTotal Droidy”. Droidy has been integrated in the context of the multisandbox project and extracts juicy details such as:
  • Network communications and SMS-related activity. 
  • Java reflection calls. 
  • Filesystem interactions. 
  • SQLite database usage. 
  • Services started, stopped, etc. 
  • Permissions checked. 
  • Registered receivers. 
  • Crypto-related activity. 
  • Etc. 

You may find below a couple of reports showcasing this new functionality. Just select the “VirusTotal Droidy” entry in the multisandbox report selector (whenever there are multiple reports):

Don’t forget to also check the detailed report:


This advanced view allows you to dig into the hooked calls and take a look at the screenshots generated when running the apps:


The multisandbox project is in good shape, and now many samples have reports for multiple sandboxes. For instance, the following report allows you to see the output of Tencent HABO and VirusTotal Droidy:
As you can see, they are pretty complementary, proving the value of having different sandboxing technologies studying the same files.

To understand the extent to which this is an improvement with respect to the 2013 setup, you can take a look at the following report. It displays by default the output of the old sandbox. Use the selector to see the new report with VirusTotal Droidy:

Now, these may seem like minimal features to improve VirusTotal’s “microscope” capabilities for better understanding a particular threat. In fact, the changes go much deeper. All of our sandboxing information nurtures other services such as VirusTotal Intelligence and VirusTotal Graph. The richer the information that we generate for individual data set items, the greater the telescopic capabilities of VirusTotal. This is how we manage to fill in the dots and quickly see all activity tied to certain resources that often show up in malware investigations. For example, let us look at the graph of one of the domains seen in the previous reports:


At a glance you can understand that something shady is going on with wonderf00l.gq and you are able to discover other malicious domains such as flashinglight.tk, checkingupd.tk, flashupdservice.cf, etc. Some of these, for instance checkolimpupd.tk, are not only used as C2 infrastructure for malware but also serve as malware distribution points.

Very often during an investigation, you might not have enough context about an individual threat, and so being able to look at the connected URLs, domains, files, IP addresses, etc. becomes crucial in understanding what is going on. My colleague Evan explains this far better than I can do in just a couple of paragraphs, so make sure you check out his video dissecting a cryptomining attack at https://www.virustotal.com/learn/watch/.

Wrapping up, don’t think of this as just new functionality to dissect individual threats. All of this data contributes to the bigger picture and increases the power of our telescope lens that sheds light into malicious behaviors on the Internet.