Using SpiderFoot to Investigate Phishing Domains Targeting Ukrainian Soldiers
May 23, 2022
My name is Luke, but you might know me as @hakluke! I’m a cybersecurity professional, primarily focusing on application security and red teaming. Occasionally in my spare time I get to test my OSINT skills for something interesting, like phishing campaigns! One of the tools that I use most is SpiderFoot, because it automates a lot of the heavy lifting and data gathering required during an OSINT investigation.
Towards the end of February, I saw a tweet pop up linking to a threat intel brief from RiskIQ, located here. It was the result of an investigation into a Facebook post from CERT-UA, publicly warning of phishing attempts against Ukrainian military personnel and related persons.
The page provides a list of domains that wer associated with attempts to launch phishing attacks on Ukrainian soldiers. Given the investigatable nature of domain names, and recent world events, this seemed like an interesting thing to look into further.
In this post, we will be conducting a short investigation into these domain names using SpiderFoot HX to see if we can uncover anything interesting.
Starting the Scan
I immediately logged in to SpiderFoot HX and kicked off a new scan, specifying just the domains as the scan targets:
I left all the options set to their defaults, and clicked “Run Scan Now”, then went to grab a coffee, letting SpiderFoot do its thing!
I came back some hours later to view the results. The overview page looked something like this:
Using SpiderFoot’s Correlations
I didn’t really have any type of goal of what I wanted to find, so I started browsing through the correlations that were highlighted by SpiderFoot. These can be accessed by navigating to “Correlations” → “All”. This will take you to a page where correlations are listed. Correlations are observations that arise from SpiderFoot’s analysis of the data, highlighting interesting information from the scan.
One particular correlation stood out, it is labeled “outlier hosting provider”, which is a hosting provider that shows up very infrequently compared to hosting providers that are detected on other hosts being scanned. It is particularly interesting in this case, because the other hosts were using CloudFlare, presumably to hide their origin, while this one uses Confluence Networks, which means that it likely points directly to a web server.
Clicking on the correlation reveals some more information – the associated IP address is 126.96.36.199, which was identified from the Mnemonic PassiveDNS database. Passive DNS data sources are often a useful way to find historic DNS records for hosts, sometimes revealing the IP address of hosts before they are placed behind services like CloudFlare.
And the associated domain name is walidacja-uzytkownika[.]space (one of the scan targets), which can be seen by viewing the discovery path:
Investigating The Outlier IP Address
Viewing the children of the IP address (other data points SpiderFoot found) reveals some more interesting information:
Two things stood out. Firstly Robtex identifies criticallregistry[.]com as a co-hosted site, namely a site that is associated with the same IP address, although the domain does not appear to resolve anymore.
VirusTotal also flags the IP address as “malicious”. By viewing the VirusTotal page, I was able to deduce that many different malware samples communicate with this IP address.
Viewing the community comments for this IP address also reveals suspicious activity over the last few years.
Gathering and analyzing open source intelligence is typically a messy, unwieldy process that requires a lot of time and manual effort. SpiderFoot HX made this process an absolute breeze and provided more leads to investigate further.
I am posting this in the hope that others may be able to investigate the suspicious IP address further, and to inspire further OSINT. There are many questions worth further exploration, such as:
- Just based on the information from VirusTotal, it seems that this IP address may be used in many different attacks – perhaps it could be associated with a known attacker group?
- What was criticallregistry[.]com? Was it another scam?
- What is the relevance of some of the other domains SpiderFoot found in the scan?
- How trustworthy is confluence-networks[.]com as a hosting provider? Their website appears to be unmaintained. Could they be used for other scams?