One Way To Use Maltego To Find Malware

McAfee Labs published a blog post on 10 June 2016 entitled “‘Thrones’ Jon Snow Appears To Employ Neutrino Exploit Kit”. In that post, the author noted that many Neutrino-directing URLs have been using .top domain extensions. One of the examples he used was:

hxxp://eilong.top

He went on to point out that the threat actor in this case had registered the domain with the name John (sic) Snow and the email address used was ivkolyvab@gmail.com.

At the time that I read this post, I was experimenting with Maltego on Kali Linux 2.0. I decided to try to see how one could use Maltego to help to find other related malware sources. We’ll be using the free edition that is included in the Kali 2.0 distro.

Start by dragging a Domain object onto a new graph. Double-click the object to change the name to eilong.top.

Now, right click the domain object and click All Transforms to expand it. Scroll down and click the arrow to the right of ThreatCrowdEnrichDomain.

This is what you’ll see returned:

[Screenshot: ThreatCrowdEnrichDomain results for eilong.top, captured 2016-06-17]

So, now we have the email of the person who registered it as well as other subdomains associated with our starting point. Incidentally, we could have started with the email address just as easily.

We can get even more information. Select the email address and right-click on it. Again, select All Transforms, then scroll down to ThreatCrowdEnrichEmail and click the arrow.

Now we can see other domains that have been registered with the same email address, giving us more research targets.
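The same two-hop pivot (domain to registrant email to other domains registered with that email) can be scripted for cases where you want to run it over many seeds or feed the results into a blocklist review. The example below is added here and is not from the original post or from Maltego or ThreatCrowd; it replaces the ThreatCrowd transforms with offline lookup functions over constructed sample data shaped like the ThreatCrowd v2 JSON reports (the field names `emails`, `subdomains`, `domains` and `response_code` are an assumption). Only eilong.top and ivkolyvab@gmail.com come from the post; every other domain and address is a placeholder. It goes slightly beyond the post by bounding the walk with a hop limit and a fan-out guard, so that a shared registrar privacy address does not drag hundreds of unrelated domains into the graph.

```python
from collections import deque
from typing import Callable, Dict, List, Set, Tuple

# Constructed stand-ins for ThreatCrowd domain/email reports. Only eilong.top
# and ivkolyvab@gmail.com are from the blog post; the rest are placeholders.
DOMAIN_REPORTS: Dict[str, dict] = {
    "eilong.top": {
        "response_code": "1",
        "emails": ["ivkolyvab@gmail.com"],
        "subdomains": ["www.eilong.top", "mail.eilong.top"],
    },
    "placeholder-two.top": {
        "response_code": "1",
        "emails": ["ivkolyvab@gmail.com", "privacy@registrar.example"],
        "subdomains": [],
    },
    "placeholder-three.top": {
        "response_code": "1",
        "emails": ["ivkolyvab@gmail.com"],
        "subdomains": ["static.placeholder-three.top"],
    },
}
EMAIL_REPORTS: Dict[str, dict] = {
    "ivkolyvab@gmail.com": {
        "response_code": "1",
        "domains": ["eilong.top", "placeholder-two.top", "placeholder-three.top"],
    },
    # A registrar privacy address (constructed) is tied to far too many domains
    # to be a meaningful pivot; the fan-out guard below refuses to expand it.
    "privacy@registrar.example": {
        "response_code": "1",
        "domains": [f"unrelated-{i}.example" for i in range(500)],
    },
}

Node = Tuple[str, str]  # ("domain" | "email" | "subdomain", value)
Edge = Tuple[Node, Node]


def lookup_domain(domain: str) -> dict:
    """Offline equivalent of the ThreatCrowdEnrichDomain transform."""
    return DOMAIN_REPORTS.get(domain, {"response_code": "0"})


def lookup_email(email: str) -> dict:
    """Offline equivalent of the ThreatCrowdEnrichEmail transform."""
    return EMAIL_REPORTS.get(email, {"response_code": "0"})


def pivot(seed_domain: str,
          domain_fn: Callable[[str], dict] = lookup_domain,
          email_fn: Callable[[str], dict] = lookup_email,
          max_hops: int = 2,
          max_fanout: int = 50) -> Set[Edge]:
    """Breadth-first domain -> email -> domain walk, returning the edges found.

    max_hops=2 reproduces the post exactly: enrich the seed domain, then enrich
    each registrant email once. max_fanout skips any email linked to more
    domains than that, which is the usual signature of a shared/privacy address.
    """
    edges: Set[Edge] = set()
    seen: Set[Node] = {("domain", seed_domain)}
    queue = deque([(("domain", seed_domain), 0)])
    while queue:
        node, depth = queue.popleft()
        if depth >= max_hops:
            continue
        kind, value = node
        if kind == "domain":
            report = domain_fn(value)
            if report.get("response_code") != "1":
                continue
            # Subdomains are recorded as leaves but never expanded further.
            for sub in report.get("subdomains", []):
                edges.add((node, ("subdomain", sub)))
            neighbours = [("email", e) for e in report.get("emails", [])]
        elif kind == "email":
            report = email_fn(value)
            if report.get("response_code") != "1":
                continue
            domains = report.get("domains", [])
            if len(domains) > max_fanout:
                continue  # noisy shared address: keep the node, drop its fan-out
            neighbours = [("domain", d) for d in domains]
        else:
            continue
        for nb in neighbours:
            edges.add((node, nb))
            if nb not in seen:
                seen.add(nb)
                queue.append((nb, depth + 1))
    return edges


def related_domains(edges: Set[Edge], seed_domain: str) -> List[str]:
    """Domains reached through a shared registrant email, excluding the seed."""
    return sorted({v for _, (k, v) in edges if k == "domain" and v != seed_domain})


def registrant_emails(edges: Set[Edge]) -> List[str]:
    """Every email address that appeared as a node in the walk."""
    return sorted({v for _, (k, v) in edges if k == "email"})


if __name__ == "__main__":
    graph = pivot("eilong.top")
    print("emails:", registrant_emails(graph))
    print("related domains:", related_domains(graph, "eilong.top"))
```

To run this against a live enrichment source, pass your own `domain_fn` and `email_fn` that perform the HTTP call and return the parsed JSON; the walk itself does not change. Raising `max_hops` to 4 extends the pivot to the registrant emails of the newly found domains, which is where the fan-out guard starts to matter.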

[Screenshot: ThreatCrowdEnrichEmail results for ivkolyvab@gmail.com, captured 2016-06-17]

This is certainly only one way to use Maltego in the search for malware infected websites. If you have others, please let me know.
