CyberSecurityBoard
Sponsor Register Login

Hunting for malicious domains with VT Intelligence ~ VirusTotal Blog

Please note that this blogpost is part of our #VTMondays series, check out our collection of past publications here.
Many cyberattacks begin by victims visiting compromised websites that host malware or phishing scams, threat actors use domains for different malicious purposes as part of their infrastructure, and malware communicates with external sites for command and control and exfiltration.
Detecting suspicious domains and preemptively feeding corporate security systems can disrupt attacks before they happen, with VT Intelligence being the perfect platform to early detect them and monitor malicious campaigns' evolution.
Let's start by searching for domains that use self-signed certificates.
The use of these certificates raise some suspicion as they are unverified.
This means anyone can create and issue a certificate for any domain, making it easier for malicious actors to impersonate legitimate websites.
We will look for domains created no more than a week ago according to their whois information.
Finally, we want samples with more than 5 detections to avoid false positives, however this is completely at your discretion.
Entity:domain tag:self-signed creation date:7d+ p:5+.
Moving to the next stage, let's look for C2 domains.
Malware periodically contacts C2 servers to receive instructions, that's why it is worth investigating any connection to them originating from our network.
We will use modifier to look for domains updated in VT for the last week and modifier to search for domains with at least 20 files in VirusTotal that have been observed trying to contact the domain during sandbox detonation.
Finally, we will hunt typosquatted domains to impersonate a given legitimate one, in this example we will use Fedex.
The domain modifier searches for domains containing this word as a substring, and the depth modifier specifies how many subdomains to include in the search.
We narrow down the results to domains with at least 5 detections to reduce noise from false positives.
You can learn more about domain search modifiers in the documentation.


This Cyber News was published on blog.virustotal.com. Publication date: Mon, 25 Dec 2023 11:43:06 +0000


Cyber News related to Hunting for malicious domains with VT Intelligence ~ VirusTotal Blog

Top 7 Cyber Threat Hunting Tools for 2024 - Cyber threat hunting is a proactive security measure taken to detect and neutralize potential threats on a network before they cause significant damage. To seek out this type of threat, security professionals use cyber threat-hunting tools. With ...
1 year ago Techrepublic.com
What Is Cyber Threat Hunting? - Cyber threat hunting involves proactively searching for threats on an organization's network that are unknown to traditional cybersecurity solutions. A recent report from Armis found that cyber attack attempts increased by 104% in 2023, underscoring ...
1 year ago Techrepublic.com
Toward Ending the Domain Wars: Early Detection of Malicious Stockpiled Domains - The two main advantages of detecting stockpiled domains are expanding coverage of malicious domains and providing patient-zero detections as attackers stock up on domains for future use. As of July 2023, our detection pipeline has found 1,114,499 ...
1 year ago Unit42.paloaltonetworks.com
Penetration Testing And Threat Hunting: Key Practices For Security Leaders - Security leaders should view penetration testing and threat hunting not as discrete activities but as essential components of a mature security program that evolves from passive defense to active threat detection and mitigation. Penetration testing ...
2 weeks ago Cybersecuritynews.com Hunters
Virustotal Shares New Ideas to Track Threat Actors - In a recent presentation at the FIRST CTI in Berlin and Botconf in Nice, VirusTotal unveiled innovative methods to track adversary activity by focusing on images and artifacts used during the initial stages of the kill chain. Traditionally, threat ...
11 months ago Cybersecuritynews.com APT28
Hunting for malicious domains with VT Intelligence ~ VirusTotal Blog - Please note that this blogpost is part of our #VTMondays series, check out our collection of past publications here. Many cyberattacks begin by victims visiting compromised websites that host malware or phishing scams, threat actors use domains for ...
1 year ago Blog.virustotal.com
How to Create a Threat Hunting Program for Your Business - A threat hunter's job is to proactively seek out potential problems and stop them before they have a chance to harm a company's network. Here's how businesses can create their own threat hunting programs and why it's important to do so. As well as ...
1 year ago Cyberdefensemagazine.com Hunters
How to Overcome the Most Common Challenges with Threat Intelligence - Today's typical approach to threat intelligence isn't putting organizations in a place to do that. Instead, many threat intelligence tools are delivering too much uncurated and irrelevant information that arrives too late to act upon. Organizations ...
1 year ago Cyberdefensemagazine.com Hunters
URL Hunting: Proactive Cybersecurity Designed to Improve Outcomes - Lately, our sales teams have found a message that's resonating within the business community: IT administrators are looking for more proactive ways to identify and evaluate threats within their company's email data. They want to be able to extend ...
1 year ago Cyberdefensemagazine.com
Automating Threat Intelligence: Tools And Techniques For 2025 - Automated threat intelligence leverages artificial intelligence (AI), machine learning (ML), and orchestration platforms to collect, analyze, and act on vast amounts of threat data in real time. These platforms offer features like real-time threat ...
3 weeks ago Cybersecuritynews.com
InfectedSlurs Botnet Spreads Mirai via Zero-Days - The payload targets routers and network video recorder devices with default admin credentials and installs Mirai variants when successful. Until November 9, 2023, the vulnerable devices being targeted were unknown. Since both the name and the version ...
1 year ago Akamai.com
VirusTotal: Generative AI is Great at Detecting, Identifying Malware - Generative AI engines similar to OpenAI's ChatGPT and Google's Bard will become indispensable tools for enterprises and cybersecurity operations in detecting and analyzing malicious code in a real-world environment, according to researchers with ...
1 year ago Securityboulevard.com
Criminal IP and Quad9 Collaborate to Exchange Domain and IP Threat Intelligence - Criminal IP, a renowned Cyber Threat Intelligence search engine developed by AI SPERA, has recently signed a technology partnership to exchange threat intelligence data based on domains and potentially on the IP address to protect users by blocking ...
11 months ago Hackread.com
VT Livehunt Cheat Sheet ~ VirusTotal Blog - VirusTotal Livehunt is a service that continuously scans all incoming indicators and notifies you when any of them matches your rules. Livehunt not only monitors files, but also domains, URLs, and IP addresses. In this post we detail a few practical ...
1 year ago Blog.virustotal.com
Researchers Hunted Malicious Stockpiled Domains DNS Records - Malicious stockpiled domains are the collection of domain names that threat actors acquire in advance for several types of future malicious activities like:-. While all these domains are often kept unused initially to evade detection, and then later ...
1 year ago Cybersecuritynews.com
AI Boosts Malware Detection Rates by 70% - Threat intelligence-sharing platform VirusTotal has unveiled new research showing how AI can be used by cyber defenders to enhance malware analysis. Through the research, VirusTotal found that AI is extremely effective in analyzing malicious code, ...
1 year ago Infosecurity-magazine.com Cuba
2023 Updates in Review: Malware Analysis and Threat Hunting - Throughout ReversingLabs' 14-year history, our products have constantly excelled and improved to tailor the needs of our customers and match the changing cybersecurity threat landscape. This past year, we have delivered key improvements to ...
1 year ago Securityboulevard.com Hunters
Threat Intelligence Feeds Flood Analysts With Data, But Context Still Lacking - By combining external threat data with internal risk assessments, contextual threat intelligence helps organizations measure the risk level of alerts or vulnerabilities in relation to their business and technical assets, ensuring that the most ...
3 weeks ago Cybersecuritynews.com
Why Threat Intelligence is Crucial for Modern Cyber Defense - Threat intelligence transforms raw data into actionable insights by analyzing adversaries’ tactics, techniques, and procedures (TTPs), empowering security teams to shift from reactive firefighting to strategic defense. Proactive Threat Hunting: ...
3 weeks ago Cybersecuritynews.com
Cloudflare loses 22% of its domains in Freenom.tk shutdown - A staggering 12.6 million domains on TLDs controlled by Freenom have been shut down and no longer resolve, leading to a significant reduction in the number of websites hosted by Cloudflare. The disappearance of these websites was spotted during our ...
1 year ago Netcraft.com
capa Explorer Web: A Web-Based Tool for Program Capability Analysis | Google Cloud Blog - For static analysis results, the function capabilities view groups rule matches by function address, allowing reverse engineers to quickly identify functions with key behavior (see Figure 6). The interface offers different views including a table ...
7 months ago Cloud.google.com
Imperva Client-Side Protection Mitigates the Polyfill Supply Chain Attack - The recent discovery of a website supply chain attack using the cdn. Polyfill.io domain has left many websites vulnerable to malicious code injection. Once a trusted resource for adding JavaScript polyfills to websites, the domain has recently become ...
10 months ago Imperva.com
Threat Actors Registered 26k+ Domains Mimic Brands to Trick Users - These malicious domains serve as landing pages for sophisticated smishing (SMS phishing) campaigns, where unsuspecting users receive text messages containing links to what appear to be legitimate services. The domains follow specific naming patterns ...
1 week ago Cybersecuritynews.com Cloak
CISA Warns Threat Hunting Staff to Stop Using Censys & VirusTotal - “We understand the importance of these tools in our operations and are actively exploring alternative tools to ensure minimal disruption,” said the April 16-dated notification sent to more than 500 CISA cyber threat hunters. Homeland ...
2 weeks ago Cybersecuritynews.com Hunters
Know your enemies: An approach for CTI teams ~ VirusTotal Blog - VirusTotal's Threat Landscape can be a valuable source of operational and tactical threat intelligence for CTI teams, for instance helping us find the latest malware trends used by a given Threat Actor to adjust our intelligence-led security posture ...
1 year ago Blog.virustotal.com TA505

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)