Let's step up the Pyramid of Pain and move on to Domain Names. You can see the transition of colors - from green to teal.
Domain Names can be thought as simply mapping an IP address to a string of text. A domain name can contain a domain and a top-level domain (evilcorp.com) or a sub-domain followed by a domain and top-level domain (tryhackme.evilcorp.com). But we will not go into the details of how the Domain Name System (DNS) works. You can learn more about DNS in this "DNS in Detail" Room.
Domain Names can be a little more of a pain for the attacker to change as they would most likely need to purchase the domain, register it and modify DNS records. Unfortunately for defenders, many DNS providers have loose standards and provide APIs to make it even easier for the attacker to change the domain.
Malicious Sodinokibi C2 (Command and Control Infrastructure) domains:
Can you spot anything malicious in the above screenshot? Now, compare it to the legitimate website view below:
This is one of the examples of a Punycode attack used by the attackers to redirect users to a malicious domain that seems legitimate at first glance.
What is Punycode? As per Wandera, "Punycode is a way of converting words that cannot be written in ASCII, into a Unicode ASCII encoding."
What you saw in the URL above is adıdas.de which has the Punycode of http://xn--addas-o4a.de/
Internet Explorer, Google Chrome, Microsoft Edge, and Apple Safari are now pretty good at translating the obfuscated characters into the full Punycode domain name.
To detect the malicious domains, proxy logs or web server logs can be used.
Attackers usually hide the malicious domains under URL Shorteners. A URL Shortener is a tool that creates a short and unique URL that will redirect to the specific website specified during the initial step of setting up the URL Shortener link. According to Cofense, attackers use the following URL Shortening services to generate malicious links:
- bit.ly
- goo.gl
- ow.ly
- s.id
- smarturl.it
- tiny.pl
- tinyurl.com
- x.co
You can see the actual website the shortened link is redirecting you to by appending "+" to it (see the examples below). Type the shortened URL in the address bar of the web browser and add the above characters to see the redirect URL.
NOTE: The examples of the shortened links below are non-existent.
Answer the questions below
1. Go to this report on app.any.run and provide the first malicious URL request you are seeing, you will be using this report to answer the remaining questions of this task. craftingalegacy.com
3. What type of attack uses Unicode characters in the domain name to imitate the a known domain? Punycode Attack
4. Provide the redirected website for the shortened URL using a preview: https://tinyurl.com/bw7t8p4u. https://tryhackme.com. Entering the url, 'https://tinyurl.com/bw7t8p4u' will redirect you TryHackMe's website.
Comments
Post a Comment