McAfee Labs published a blog post on 10 June 2016 entitled “‘Thrones’ Jon Snow Appears To Employ Neutrino Exploit Kit”. In that post, the author noted that many Neutrino-directing URLs have been using .top domain extensions. One of the examples he used was:
He went on to point out that the threat actor in this case had registered the domain with the name John (sic) Snow and the email address used was firstname.lastname@example.org.
At the time I read that post, I was experimenting with Maltego on Kali Linux 2.0, so I decided to see how Maltego could help find other related malware sources. We’ll be using the free edition that is included in the Kali 2.0 distro.
Start by dragging a Domain object onto a new graph. Double-click the object to change the name to eilong.top.
Now, right-click the domain object and click All Transforms to expand it. Scroll down and click the arrow to the right of ThreatCrowdEnrichDomain.
This is what you’ll see returned:
So now we have the email address of the person who registered the domain, as well as other subdomains associated with our starting point. Incidentally, we could have started with the email address just as easily.
We can get even more information. Select the email address and right-click it. Again, choose All Transforms, then scroll down to ThreatCrowdEnrichEmail and click the arrow.
Now we can see other domains that have been registered with the same email address, giving us more research targets.
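The same domain-to-email-to-domains pivot can be scripted for bulk research. This is an added example, not code from the post or from Maltego; it assumes the public ThreatCrowd v2 report endpoints, and the sample responses embedded below are constructed so it runs offline.

```python
"""Pivot a domain -> registrant email(s) -> co-registered domains, mirroring the
ThreatCrowdEnrichDomain / ThreatCrowdEnrichEmail transforms used in Maltego."""
import json
from urllib.parse import urlencode
from urllib.request import urlopen

# Assumed: ThreatCrowd v2 report endpoints (domain/report, email/report).
API = "https://www.threatcrowd.org/searchApi/v2"


def live_fetch(kind, value):
    """Query ThreatCrowd; kind is 'domain' or 'email'. Returns parsed JSON."""
    url = f"{API}/{kind}/report/?{urlencode({kind: value})}"
    with urlopen(url, timeout=15) as resp:
        return json.load(resp)


# Constructed sample responses standing in for live API data (offline demo).
SAMPLE = {
    ("domain", "eilong.top"): {
        "response_code": "1",
        "emails": ["jon.snow@example.invalid"],
        "subdomains": ["www.eilong.top", "cdn.eilong.top"],
    },
    ("email", "jon.snow@example.invalid"): {
        "response_code": "1",
        "domains": ["eilong.top", "other-one.top", "another.top"],
    },
}


def sample_fetch(kind, value):
    """Offline stand-in for live_fetch; '0' mirrors ThreatCrowd's 'no data'."""
    return SAMPLE.get((kind, value), {"response_code": "0"})


def pivot(domain, fetch=sample_fetch):
    """Return registrant emails, subdomains and co-registered domains for domain."""
    report = fetch("domain", domain)
    if report.get("response_code") != "1":
        return {"emails": [], "subdomains": [], "related_domains": []}
    emails = [e for e in report.get("emails", []) if "@" in e]
    related = set()
    for email in emails:  # second hop: every domain sharing the registrant email
        for d in fetch("email", email).get("domains", []):
            if d.lower() != domain.lower():
                related.add(d.lower())
    return {"emails": emails,
            "subdomains": sorted(report.get("subdomains", [])),
            "related_domains": sorted(related)}


if __name__ == "__main__":
    print(json.dumps(pivot("eilong.top"), indent=2))
```

Pass `fetch=live_fetch` to `pivot` to run the same two-hop lookup against the service instead of the constructed data.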
This is certainly only one way to use Maltego in the search for malware-infected websites. If you have others, please let me know.