01 Jul 2020

Using Maltego to Hunt for Phishing Subdomains

Andrei Kornev

In this blog, discover how investigative link-analysis software like Maltego provides an in-depth view into domains and helps you to uncover and quickly map out potentially suspicious activities. Maltego can be used to hunt down, research, investigate and monitor such activity in your environment.

Zscaler threat labs recently published a report detailing their discovery of the malicious use of StackBlitz, an online integrated development environment (IDE) platform for hosting and facilitating phishing by threat actors abusing the platform.

StackBlitz describes itself as “an online IDE where you can create Angular & React projects that are immediately online & shareable via link …in just one click. It automatically takes care of installing dependencies, compiling, bundling, and hot reloading as you type. StackBlitz is a tool in the Cloud IDE category of a tech stack.”

These types of tools are very useful for developers to quickly share, edit, and collaborate on their development projects.

This type of convenience, however, is often preyed upon by various threat actors for the very same “ease of use” which legitimate developers seek. Attackers are easily able to utilize the “one click” cloud environment offered by these types of platforms to host new malicious infrastructure, re-register quickly if blocked, and mask their malicious activity by hiding under the platform’s clean reputation.

By utilizing a platform like this, attackers are able to ‘piggyback’ on StackBlitz’s infrastructure to bypass initial reputation filters, domain registry monitoring, and the quick user turnaround to maximize their phishing attack success while tainting the reputation of benevolent online collaboration platforms like this in the process.

In this example, via URLscan.io: https://urlscan.io/result/83d38b76-f97e-4ee2-871e-76773125c60b/, observe how this platform was used to host a Microsoft phishing page.

URLscan example phishing

Activity like this is a reminder to the constant evolution of phishing attacks. As attackers seek new ways to lure victims, outsmart security products, and ease the setback of blocked infrastructure which they have set up.

Investigating with Maltego 🔗︎

We’ll be using Maltego to list all the observed subdomains under the “Stackblitz.io” domain, and investigate the results for any activity potentially connected to phishing campaigns.

StackBlitz allows users to register for their service through Github by syncing their public repositories with the platform so that they can be accessed and run through the browser utilizing their online IDE.

Since services like StackBlitz, by their nature as cloud solutions, are meant to be shared by their users we will likely find many subdomains created by different projects being run by various users. Most of these will be legitimate projects and not necessarily phishing or malicious ones.

However, the free tier of StackBlitz only allows public projects to be uploaded, meaning that attacker projects will most likely be uncovered in the process of enumeration. The number of results returned will most likely make it difficult to manually examine each result, Maltego comes in handy to dissect results which require further examination, identify what to look out for, and to list all subdomains for graph analysis.

To begin, we will paste the “Stackblitz.io” domain into a new Maltego graph:

Stackblitz Domain

We then want to pivot on the domain and have all its subdomains listed. By utilizing PassiveTotal’s ‘[PT] Get Subdomains’ Transform, we will get return the observed subdomains connected to StackBlitz.io.

Get Subdomains Transform

We quickly get 113 subdomains listed in the graph, which we now need to convert to URLs for cross-checking with VirusTotal’s engine to check whether any malicious activity has been observed and/or connected to these addresses.

113 Subdomains

Next, we select the list returned and copy all subdomain values using Maltego’s Copy menu.

After copying the value list, paste these into a text file using your preferred text editor and save the file as URLs.txt. Once you have the file ready, use the following command in your terminal to format the list of domains into URLs Maltego can recognize:

awk -F, ‘{printf(“https://%s/\n”,$1)}’ URLs.txt > URLs_appended.txt

Once complete, copy and paste the values from the newly appended text file into your Maltego graph.

We now have 113 URLs, and we can automatically query VirusTotal using the ‘[VTPUB] Check URL Report’ Transform to check if any of these URLs are malicious.

VTPUB Check URL Report Transform

By doing so, we will have a look into the total activity observed under the StackBlitz.io sub-domains and uncover what portion of these are marked as malicious. We will take note of those now marked malicious so that we can further research through other means. This process can be replicated with any other domain you may be interested in investigating.

Once we run the Transform, a graph is returned marking which URLs have been observed as serving phishing pages by VirusTotal.

Phishing Pages VirusTotal

We can run this as a Machine, and query this on a regular basis automatically to list and enumerate phishing activity under StackBlitz.io subdomains or others like it. Or we can take the domains not returned as malicious in the graph to our monitor lists, and then analyze these with other solutions like URLscan.io to view what is currently housed, manually dissect these in a sandbox environment, or submit them to VirusTotal or similar solutions since they may very well be new domains not yet observed.

Most of the URLs we see present in our graph did not return any results since the URLs haven’t been seen before. This means that by enumerating subdomains like these we just might discover fresh and unknown activity.

For example, have a look at what we caught in our Maltego graph which wasn’t listed yet in any repository or sandbox:

Subphishing domain found

Since Zscaler’s report earlier this month, StackBlitz.io added a warning screen prior to accessing live pages which should minimize victims falling to phishing attacks hosted on their platform. However, some are still prevalent.

Following the live example shown above, since StackBlitz is a public collaboration platform, we can also access the source code uploaded by this Microsoft phishing campaign and see where the phishing kit is pointed, and by whom it was uploaded.

We can see that this phishing campaign was uploaded by the user ‘@hyyery’, and we can view the list of this users’ other projects uploaded to StackBlitz, finding the users’ additional phishing pages:

Projects uploaded to StackBlitz

Stackblitz Projects

This shows that whoever chooses to use the StackBlitz platform for phishing activity, is doing so while also exposing their campaigns publicly, along with connected infrastructure as is accessible to anyone, along with their potential Github account.

Taking the newly discovered phishing kit URL back to Maltego, we can now perform a quick query for some more information using the ‘[PT] Get OSINT’ Transform:

PT Get OSINT Transform

We see that the URL has been previously scanned by URLscan.io and Joesandbox:

URLscan and Joesandbox

This is great for us to continue our investigation, re-evaluate our original list with this Transform, and gather more data points and clues by looking at the scans performed on these sites, especially if the URL is no longer live or has since changed, as we get a historic view to compare with. We can see that the domain we looked into was used to host various different phishing kits:

Phishing kits

Image via urlscan.io

Online solutions like StackBlitz offer convenient means for developers to code and host their projects in one place. Tools like these are often targeted by malicious actors as a launch-pad for their malware or phishing campaigns - abusing the tools platform for criminal activity. You may be using some similar cloud solution and want to periodically and proactively check for abuse.

If you suspect you’ve encountered a different host which has phishing activity similar to this, you can quickly analyze it through the techniques outlined in this blog post - enumerating its different subdomains to check if there’s anything to further investigate and pivot upon such as source code, metadata, backlinks, usernames, etc. By using link analysis techniques like these you can effectively tie in campaign details in such a way that allow you to view the patterns important to your organization or investigation. Either by hunting and monitoring for the presence of the malicious indicators you’ve uncovered, or in your own environment by alerting you to potential activity.

To stay up to date with other cool use cases, product updates and Maltego events, follow @MaltegoHQ on Twitter. If you have questions, requests, ideas or use cases you built that you want to share, we would love to hear from you on Twitter!

About the author

This guest post was written by Andrei Kornev, a Security Researcher from www.deependresearch.org, a non-profit team which conducts threat research and intelligence analysis with emphasis on malware, botnet tracking, underground economy and cybercrime.

By clicking on "Subscribe", you agree to the processing of the data you entered and you allow us to contact you for the purpose selected in the form. For further information, see our Data Privacy Policy.