CyberSecurityBoard
Sponsor Register Login

Hunting for malicious domains with VT Intelligence ~ VirusTotal Blog

Please note that this blogpost is part of our #VTMondays series, check out our collection of past publications here.
Many cyberattacks begin by victims visiting compromised websites that host malware or phishing scams, threat actors use domains for different malicious purposes as part of their infrastructure, and malware communicates with external sites for command and control and exfiltration.
Detecting suspicious domains and preemptively feeding corporate security systems can disrupt attacks before they happen, with VT Intelligence being the perfect platform to early detect them and monitor malicious campaigns' evolution.
Let's start by searching for domains that use self-signed certificates.
The use of these certificates raise some suspicion as they are unverified.
This means anyone can create and issue a certificate for any domain, making it easier for malicious actors to impersonate legitimate websites.
We will look for domains created no more than a week ago according to their whois information.
Finally, we want samples with more than 5 detections to avoid false positives, however this is completely at your discretion.
Entity:domain tag:self-signed creation date:7d+ p:5+.
Moving to the next stage, let's look for C2 domains.
Malware periodically contacts C2 servers to receive instructions, that's why it is worth investigating any connection to them originating from our network.
We will use modifier to look for domains updated in VT for the last week and modifier to search for domains with at least 20 files in VirusTotal that have been observed trying to contact the domain during sandbox detonation.
Finally, we will hunt typosquatted domains to impersonate a given legitimate one, in this example we will use Fedex.
The domain modifier searches for domains containing this word as a substring, and the depth modifier specifies how many subdomains to include in the search.
We narrow down the results to domains with at least 5 detections to reduce noise from false positives.
You can learn more about domain search modifiers in the documentation.


This Cyber News was published on blog.virustotal.com. Publication date: Mon, 25 Dec 2023 11:43:06 +0000


Cyber News related to Hunting for malicious domains with VT Intelligence ~ VirusTotal Blog

Top 7 Cyber Threat Hunting Tools for 2024 - Cyber threat hunting is a proactive security measure taken to detect and neutralize potential threats on a network before they cause significant damage. To seek out this type of threat, security professionals use cyber threat-hunting tools. With ...
5 months ago Techrepublic.com
What Is Cyber Threat Hunting? - Cyber threat hunting involves proactively searching for threats on an organization's network that are unknown to traditional cybersecurity solutions. A recent report from Armis found that cyber attack attempts increased by 104% in 2023, underscoring ...
5 months ago Techrepublic.com
Toward Ending the Domain Wars: Early Detection of Malicious Stockpiled Domains - The two main advantages of detecting stockpiled domains are expanding coverage of malicious domains and providing patient-zero detections as attackers stock up on domains for future use. As of July 2023, our detection pipeline has found 1,114,499 ...
6 months ago Unit42.paloaltonetworks.com
Virustotal Shares New Ideas to Track Threat Actors - In a recent presentation at the FIRST CTI in Berlin and Botconf in Nice, VirusTotal unveiled innovative methods to track adversary activity by focusing on images and artifacts used during the initial stages of the kill chain. Traditionally, threat ...
1 month ago Cybersecuritynews.com
Hunting for malicious domains with VT Intelligence ~ VirusTotal Blog - Please note that this blogpost is part of our #VTMondays series, check out our collection of past publications here. Many cyberattacks begin by victims visiting compromised websites that host malware or phishing scams, threat actors use domains for ...
6 months ago Blog.virustotal.com
How to Create a Threat Hunting Program for Your Business - A threat hunter's job is to proactively seek out potential problems and stop them before they have a chance to harm a company's network. Here's how businesses can create their own threat hunting programs and why it's important to do so. As well as ...
5 months ago Cyberdefensemagazine.com
How to Overcome the Most Common Challenges with Threat Intelligence - Today's typical approach to threat intelligence isn't putting organizations in a place to do that. Instead, many threat intelligence tools are delivering too much uncurated and irrelevant information that arrives too late to act upon. Organizations ...
6 months ago Cyberdefensemagazine.com
URL Hunting: Proactive Cybersecurity Designed to Improve Outcomes - Lately, our sales teams have found a message that's resonating within the business community: IT administrators are looking for more proactive ways to identify and evaluate threats within their company's email data. They want to be able to extend ...
6 months ago Cyberdefensemagazine.com
InfectedSlurs Botnet Spreads Mirai via Zero-Days - The payload targets routers and network video recorder devices with default admin credentials and installs Mirai variants when successful. Until November 9, 2023, the vulnerable devices being targeted were unknown. Since both the name and the version ...
7 months ago Akamai.com
Criminal IP and Quad9 Collaborate to Exchange Domain and IP Threat Intelligence - Criminal IP, a renowned Cyber Threat Intelligence search engine developed by AI SPERA, has recently signed a technology partnership to exchange threat intelligence data based on domains and potentially on the IP address to protect users by blocking ...
1 month ago Hackread.com
VirusTotal: Generative AI is Great at Detecting, Identifying Malware - Generative AI engines similar to OpenAI's ChatGPT and Google's Bard will become indispensable tools for enterprises and cybersecurity operations in detecting and analyzing malicious code in a real-world environment, according to researchers with ...
7 months ago Securityboulevard.com
Researchers Hunted Malicious Stockpiled Domains DNS Records - Malicious stockpiled domains are the collection of domain names that threat actors acquire in advance for several types of future malicious activities like:-. While all these domains are often kept unused initially to evade detection, and then later ...
6 months ago Cybersecuritynews.com
VT Livehunt Cheat Sheet ~ VirusTotal Blog - VirusTotal Livehunt is a service that continuously scans all incoming indicators and notifies you when any of them matches your rules. Livehunt not only monitors files, but also domains, URLs, and IP addresses. In this post we detail a few practical ...
5 months ago Blog.virustotal.com
2023 Updates in Review: Malware Analysis and Threat Hunting - Throughout ReversingLabs' 14-year history, our products have constantly excelled and improved to tailor the needs of our customers and match the changing cybersecurity threat landscape. This past year, we have delivered key improvements to ...
5 months ago Securityboulevard.com
AI Boosts Malware Detection Rates by 70% - Threat intelligence-sharing platform VirusTotal has unveiled new research showing how AI can be used by cyber defenders to enhance malware analysis. Through the research, VirusTotal found that AI is extremely effective in analyzing malicious code, ...
7 months ago Infosecurity-magazine.com
Cloudflare loses 22% of its domains in Freenom.tk shutdown - A staggering 12.6 million domains on TLDs controlled by Freenom have been shut down and no longer resolve, leading to a significant reduction in the number of websites hosted by Cloudflare. The disappearance of these websites was spotted during our ...
3 months ago Netcraft.com
Imperva Client-Side Protection Mitigates the Polyfill Supply Chain Attack - The recent discovery of a website supply chain attack using the cdn. Polyfill.io domain has left many websites vulnerable to malicious code injection. Once a trusted resource for adding JavaScript polyfills to websites, the domain has recently become ...
5 days ago Imperva.com
CVE-2020-25600 - An issue was discovered in Xen through 4.14.x. Out of bounds event channels are available to 32-bit x86 domains. The so called 2-level event channel model imposes different limits on the number of usable event channels for 32-bit x86 domains vs ...
2 years ago
How to Use Threat Intelligence Feeds for SOC/DFIR Teams - Threat intelligence feeds provide real-time updates on indicators of compromise, such as malicious IPs and URLs. Security systems can then ingest these IOCs to identify and block potential threats, which essentially grants organizations immunity to ...
1 month ago Cybersecuritynews.com
Know your enemies: An approach for CTI teams ~ VirusTotal Blog - VirusTotal's Threat Landscape can be a valuable source of operational and tactical threat intelligence for CTI teams, for instance helping us find the latest malware trends used by a given Threat Actor to adjust our intelligence-led security posture ...
3 months ago Blog.virustotal.com
Python in Threat Intelligence: Analyzing and Mitigating Cyber Threats - In the world of emerging cybersecurity threats, understanding the significance of threat intelligence is crucial and can not be ignored. Threat intelligence involves the systematic collection, analysis, and application of data to understand potential ...
5 months ago Hackread.com
Opening a Can of Whoop Ads: Detecting and Disrupting a Malvertising Campaign Distributing Backdoors - Earlier this year, Mandiant's Managed Defense threat hunting team identified an UNC2975 malicious advertising campaign promoting malicious websites themed around unclaimed funds. In each investigation under this campaign, Mandiant identified browser ...
6 months ago Mandiant.com
From DarkGate to AsyncRAT: Malware Detected and Shared As Unit 42 Timely Threat Intelligence - This article summarizes the malware families seen by Unit 42 and shared with the broader threat hunting community through our social channels. We also included a number of posts about the cybercrime group TA577 - who have distributed multiple malware ...
6 months ago Unit42.paloaltonetworks.com
Weekly Blog Wrap-Up - Welcome to the TuxCare Weekly Blog Wrap-Up - your go-to resource for the latest insights on cybersecurity strategy, Linux security, and how to simplify the way your organization protects its data and customers. At TuxCare, we understand the ...
6 months ago Securityboulevard.com
AsyncRAT Loader Delivers Malware via JavaScript - For at least 11 months, this threat actor has been working on delivering the Remote Access Trojan through an initial JavaScript file, embedded in a phishing page. After more than 300 samples and over 100 domains later, the threat actor is persistent ...
5 months ago Cybersecurity-insiders.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)