Unmask the Scam: OSINT Secrets to Catch Phishing Emails Like a Pro
Scammers use phishing attacks to steal data and money, leaving victims with little recourse. This guide will teach you how to investigate phishing scams, analyze malicious files, and track down fraudsters using open-source tools.
Phishing attacks are one of the biggest threats facing crypto platforms today and as an investigator you will run into these hacks on a regular basis.
In this section, we'll dive into how to investigate phishing attacks and malicious files, and how to use those investigations to identify the perpetrators.
We'll walk through the steps for analyzing a suspicious file using open-source tools, giving you a basic sense of whether the file poses a risk. From there, we'll explore how to apply these investigative techniques in the context of crypto investigations, where phishing emails often lead to significant breaches or hacks.
Brief Overview
To reveal the perpetrators we can look for clues like IP addresses and domains that were linked to the hack. Note that IPs and domains linked to hacks can also be referred to as Indicators of Compromise (IOCs). We will get into that subject later, but for the sake of brevity I will refer to IPs and domains as IOCs.
Now let's get back to the overview. You can search for IOCs in tools that provide information on the hackers, the hack, and past investigations by other people who researched the same IOCs. In our second example we will see that the IOCs were researched repeatedly over time in investigations of several hacks, with the same hacking group suspected in each of those cases.
First, we will start by showing you how to investigate a suspicious file in the tool Any.Run to find if it is malicious and IOCs linked to it.
Second, we will talk about IOCs and how to research them.
Third, in a second example we will see how to look up reports and copies of malicious files linked to hacks that are available in public databases.
Examine Phishing Emails with Any.Run
Phishing attempts often involve sending some sort of file and hoping the recipient clicks on it. These files can actually be investigated for threats or for information revealing the sender. Surprisingly, this kind of task does not require advanced cybersecurity knowledge. You only need a tool like Any.Run, which we will explore here.
What is Any.Run?
ANY.RUN is what’s known as an interactive online malware sandbox, essentially a virtual computer system that duplicates the functionality of a real device. This platform enables cybersecurity professionals to execute and scrutinize malicious software safely, without the risk of harming their own equipment or network.
Why Use an Interactive Online Malware Sandbox?
Safe Environment: The sandbox is a completely isolated virtual space, ensuring that any malware introduced cannot affect the underlying host system or network. It's like observing bacteria under a microscope—totally contained and secure.
Real-Time Analysis: Platforms like ANY.RUN provide real-time interaction with the malware, which is critical since many types of malware only reveal their true behavior through user interaction, such as opening a document or clicking a link.
Direct Observation: Analysts have the ability to interact directly with the malware, triggering its functionalities by simulating user actions like clicking, entering data, or opening files. This direct observation helps analysts see exactly how the malware behaves in real time.
Comprehensive Reporting: As the malware operates, the sandbox meticulously logs its actions, from network attempts to system changes and file activities. These detailed reports are crucial for understanding the malware's tactics and for developing effective countermeasures.
Using ANY.RUN to Safely Open a Malicious Document
When you upload a malicious document to ANY.RUN, the sandbox mimics what would happen if the document were opened under normal circumstances:
Executing the Document: The document is activated within the virtual environment, triggering any embedded scripts or code.
Monitoring Actions: The platform tracks the document’s behavior, noting any internet access attempts, communications with control servers, or activations of additional malicious payloads.
User Interactions: Analysts can simulate typical user interactions, like enabling macros or clicking document links, to observe any resultant behaviors.
Security Protocols: Throughout this process, ANY.RUN maintains strict isolation protocols to prevent any malware from reaching real-world systems.
Disclaimer
If you want to analyze a file that was actually emailed to you personally, take care when moving the file from your email to Any.Run. I recommend leaving that part to a cybersecurity expert. But if you want to throw caution to the wind and take the risk, I recommend that at the very least you open your email using a virtual computer and virtual browser. This does not guarantee safety, but it is a step in the safer direction.
I recommend using Browser.lol. Browser.lol provides web-based virtual computers with virtual browsers designed for safer web research. While nothing is completely risk-free, Browser.lol provides a safer environment for opening emails and downloading suspicious files before you upload them for analysis.
Any.Run walkthrough
Here we will go through the basics of analyzing a file in Any.Run and focus on finding information.
First, head over to Any.run. You can create a free account, although you’ll need to provide a “business email,” meaning any email that doesn’t use a well-known domain like Gmail or Yahoo.
After uploading the file, Any.run will begin analyzing it. Keep an eye on the top right corner of the page, which will tell you if a threat has been detected. Don’t assume the file is completely safe even if no threats are found—this is just the first step in your analysis.
Now, one of the most important things to look at is the IOC tab, which stands for Indicators of Compromise. These are the telltale signs that a file has been involved in suspicious or malicious activity. By examining the IOCs, you can find clues like unusual IP addresses, suspicious file modifications, or connections to known malware sources.
Even if you’re new to this, the IOC section highlights key information, giving you a way to assess whether a file is safe or poses a threat. Later we will get into how IOCs are also used to identify the hackers behind a malicious file.
By focusing on these indicators, you can get a clearer idea of whether the file is part of a phishing scheme or malware attack, helping you move closer to identifying its source and purpose.
In our example, the file has been marked for suspicious activity so we find the IOC button and click on it.
Here we see the list of IOCs identified and if you hover your cursor over the symbols next to each IOC you will get a short explainer for its assessed threat level.
You can also pull up metadata from the document. All PDF files have metadata, and in Any.Run it is listed under Static Discovering. To find this information, click on the file name.
And here we see the metadata, showing that the document was created on March 10th, 2021 using Microsoft Word 2016. In some cases the PDF metadata will even show you the name of the person who made it. In this case the Author is identified as “PayPal Support”, which does not fit with the fact that the sender claimed to be from Netflix Customer Support.
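The same check can be done on the raw bytes of a PDF. As an added example (not code from this post or from Any.Run), the Python below extracts the Info-dictionary fields an investigator looks at first, decodes the PDF date format, and compares the Author against the brand the email claims to come from; the embedded PDF is a constructed minimal file, and treating a missing timezone offset as UTC is this example's assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed minimal PDF (not the document from the walkthrough); only the
# Info dictionary matters here, so the page tree is omitted.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"2 0 obj\n<< /Author (PayPal Support) /Creator (Microsoft Word 2016)\n"
    b"   /CreationDate (D:20210310141500+01'00') >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 2 0 R >>\n%%EOF\n"
)

# Literal-string values only: hex strings <...> and escaped parentheses are
# not handled, which is enough for the common Word-to-PDF case.
INFO_KEYS = rb"/(Author|Creator|Producer|CreationDate|ModDate)\s*\(([^)]*)\)"


def pdf_info(data: bytes) -> dict:
    """Extract the Info dictionary fields an investigator looks at first."""
    return {k.decode(): v.decode("latin-1") for k, v in re.findall(INFO_KEYS, data)}


def parse_pdf_date(value: str) -> datetime:
    """Turn a PDF date D:YYYYMMDDHHmmSS[Z|+HH'mm'] into an aware datetime.
    A missing offset is treated as UTC (assumption; the spec says 'unknown')."""
    m = re.fullmatch(r"D:(\d{14})(?:Z|([+-])(\d{2})'?(\d{2})'?)?", value)
    if not m:
        raise ValueError(f"unsupported PDF date: {value!r}")
    naive = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
    offset = timedelta(0)
    if m.group(2):
        offset = timedelta(hours=int(m.group(3)), minutes=int(m.group(4)))
        if m.group(2) == "-":
            offset = -offset
    return naive.replace(tzinfo=timezone(offset))


def sender_mismatch(info: dict, claimed_brand: str) -> bool:
    """True when the Author field exists and does not mention the brand the
    email claims to come from (e.g. Author 'PayPal Support' vs 'Netflix')."""
    author = info.get("Author", "").lower()
    return bool(author) and claimed_brand.lower() not in author
```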
Let’s close this window and look at the right side of the main page, which shows a timeline of the processes that ran when the file was opened. We see that the process AcroRd32.exe is flagged as a concern.
Click on the process to pull up a detailed page below with an assessment and warning. If you examine the new window you see there is a More Info tab you can click for even more information.
This pulls up a whole new page describing why it is deemed suspicious.
Let’s return to the main page. See that in the left top box there is an image of what appeared in the virtual machine display window when opening the file. There are a set of images in chronological order. Just hover your mouse to scroll between them. We see here that the pdf is allegedly (though obviously not) from Netflix asking you for your payment details.
We have one more area to look at. On the bottom left there is a tab for “Threats”.
Click on the tab for more indicators of traffic initiated by the file that could be signs of threats. An example would be the file sending a message back to the hackers saying “send malware here”.
That is a basic overview of how you can check out a suspicious file with Any.Run.
The main point here is that even if you don’t have any knowledge in this subject area, you can still see whether the file is identified as dangerous. There are other tools you could use for analyzing suspicious files, such as virustotal.com and hybrid-analysis.com.
Tools for Investigating IPs and Other IOCs for Malicious Intent
When dealing with cyber threats, gathering intelligence is all about identifying and interpreting Indicators of Compromise (IOCs). These can include suspicious IP addresses, email information, file hashes, or URLs, and they provide vital clues in understanding and mitigating the threat. This section will cover essential tools and processes to investigate IOCs, track down attackers, and assess their capabilities.
One of the best resources for tracking malicious activity is Abuse.ch, a research project that helps cybersecurity professionals track malware and botnets. Hosted by the Institute for Cybersecurity and Engineering at the Bern University of Applied Sciences, Abuse.ch provides several platforms for monitoring and investigating malware-related threats:
- MalwareBazaar - A repository for sharing and finding malware samples.
- Feodo Tracker - Tracks botnet command and control (C2) infrastructure, particularly related to well-known botnets like Emotet, Dridex, and TrickBot.
- SSL Blacklist - Provides a blocklist of malicious SSL certificates and JA3/JA3S fingerprints to help identify suspicious SSL traffic.
- URLhaus - Tracks and shares information about sites distributing malware.
- ThreatFox - Focuses on sharing IOCs, making it a valuable resource for identifying compromised domains, IPs, and other malicious data points.
These platforms offer a robust starting point to identify malicious entities. Whether you’re hunting down a botnet or trying to track down the infrastructure used in phishing campaigns, Abuse.ch can give you crucial insights.
For URLs, tools like LevelBlue Labs and URLScan.io allow you to check if a site is involved in phishing, malware distribution, or other malicious activities. By inputting the suspicious URL, you can see the connections it makes and any scripts or redirects it uses. This helps you determine whether the URL is dangerous before taking further action.
URLScan also lets you look up past scans (https://urlscan.io/search/), which in this case lets us see what the URLScan results were back in 2021.
Also, be on the lookout for shortened URLs (like "bit.ly/4enla45c" or "tinyurl.com/4emdh45c"). There are several open source tools to unshorten those URLs and discover the true destination domain (such as unshorten.it, urlex.org, and checkshorturl.com).
When it comes to IP addresses, using Cisco’s Talos Intelligence platform is an effective way to gather background information. Talos provides information on IP reputation, domain behavior, and any associated malicious activity. It’s a valuable tool for understanding whether a specific IP has been involved in previous cyberattacks.
Phishing Email
Let’s use a real life example. A crypto company was hacked in 2021 and the company released a screenshot to the public of the phishing email sent to the company before the attack.
Finding the Document
From the screenshot we know the phishing document was named “Pantera Capital Investment Agreement(Protected).docx” and that it was sent to the company in April 2021.
So we want to search for a file named "Pantera Capital Investment Agreement(Protected).docx" uploaded in 2021 to ANY.RUN. Any.Run is a very popular tool that is used by cybersecurity professionals around the world so it is reasonable to expect that someone would have used this tool to inspect such a file. As noted, Any.Run has public reports on its analyses going back years.
To start, log into the ANY.RUN platform. If you do not have an account, you will need to register for a free one.
With the file name from the screenshot, we open Any.Run and use its general search function to locate the file by name, hash, or other identifier. If the file was shared publicly within the ANY.RUN community or submitted non-confidentially, it should appear in the database.
It appears that an unidentified user had sent the document to Any.Run for analysis back in April 2021, and the website retained a version in its records database.
We open the Any.Run report on the file. If we wanted to do so, we could also choose to have Any.Run open the file again in a sandbox but that is not necessary right now because the report has all of the information needed.
Right off the bat, we see in one of the virtual desktop’s screenshots that opening the document launches Microsoft Word.
If you look closely you see that there is a message informing the user that Word is downloading something from the domain “download.azure-safe.com”.
The report shows that upon opening the document, the file made automated requests to the following domains and IPs:
- 104.168.249.46
- 23.45.105.185
- 195.138.255.17
- 195.138.255.18
- http://x1.c.lencr.org
- http://r3.o.lencr.org
- download.azure-safe.com
- azure-drive.com
- http://help.nflxext.com
Two domains use the word "Azure", a reference to the Microsoft cloud computing platform Azure, to give the appearance of legitimacy. However, the domains are not actually owned by Microsoft.
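This kind of first-pass sorting can be scripted. As an added example (not code from this post or from any of the tools named), the Python below takes the indicator list above, separates IPs from hostnames, and flags any hostname that contains a brand word but sits under a registrable domain the brand does not own; the BRANDS table is an assumption of the example and should only contain domains you have verified yourself.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators copied from the sandbox report discussed above.
REPORT_IOCS = [
    "104.168.249.46",
    "23.45.105.185",
    "195.138.255.17",
    "195.138.255.18",
    "http://x1.c.lencr.org",
    "http://r3.o.lencr.org",
    "download.azure-safe.com",
    "azure-drive.com",
    "http://help.nflxext.com",
]

# Brand words worth watching and the registrable domains each brand really
# owns (assumption of this example; extend it only with domains you verified).
BRANDS = {
    "azure": {"azure.com", "azure.net", "microsoft.com", "windows.net"},
    "microsoft": {"microsoft.com"},
    "netflix": {"netflix.com"},
    "paypal": {"paypal.com"},
}

def to_host(ioc: str) -> str:
    """Reduce a URL or bare hostname to a lowercase hostname."""
    if "://" in ioc:
        return (urlsplit(ioc).hostname or "").lower()
    return ioc.split("/")[0].lower()

def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels. Fine for .com/.org;
    multi-label suffixes such as .co.uk would need a public-suffix list."""
    return ".".join(host.split(".")[-2:])

def classify(ioc: str) -> str:
    """Return ip | brand-owned | lookalike | domain (unknown, research it)."""
    host = to_host(ioc)
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        pass
    for brand, owned in BRANDS.items():
        if brand in host:
            return "brand-owned" if registrable(host) in owned else "lookalike"
    return "domain"

def triage(iocs):
    """Bucket a sandbox IOC list so lookalike domains get researched first."""
    buckets = {"ip": [], "brand-owned": [], "lookalike": [], "domain": []}
    for ioc in iocs:
        buckets[classify(ioc)].append(to_host(ioc))
    return buckets
```

Hostnames that land in the "domain" bucket are not cleared, only unclassified; they still need the manual lookups described in the rest of this section.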
Automated Analysis
Using the tool it is possible to get an automated analysis of the overall information or a specific process.
In order to investigate the document’s automated requests, I selected one in particular and then clicked on the small button on the right that says "ChatGPT" in order to get ChatGPT to provide an analysis and explanation.
ChatGPT analyzed an HTTP GET request to the URL “r3.o.lencr.org”.
The analysis report essentially says that this process could be part of an innocuous file’s processes but it could also be used for malicious purposes.
But there is an aspect of the report that is highlighted. Specifically, that the process used “encoded URLs”. It is not necessary to understand the meaning of “encoded URLs”, because the report explains why it is relevant. The report states that this process is used for sending and receiving encoded data to and from a remote server. In other words, once the file is opened on someone’s computer, it starts communicating with someone/something on the Internet.
The report explains that this kind of process could be used to hide malicious activities such as stealing data from the computer or communicating with a remote malicious actor and downloading malware to the computer.
This assessment means that it is very important for investigators to research those URLs, domains, and IPs.
IP Investigation
In order to investigate the IPs and domains, I will walk through one as an example. We can use the tool https://otx.alienvault.com/ (AlienVault OTX).
We use the basic search function and search for "195.138.255.18" which pulls up the following information:
We see two hits.
The first is a page with information from analysis of the IP address itself. The second hit is for an analysis of a malicious file which is linked to the IP.
IP Analysis:
The second hit shows that the IP was listed in a report on a malicious file.
Note that at the top you see a string of characters under the heading "FILEHASH". Without getting into what hashes actually are, it's worth knowing that this is a unique identifier for the file, so you can search for it here and elsewhere.
It is clear that several years beforehand, a malicious document made automated calls to the same IP address.
So this is definitely suggesting malicious activity. But our concern is less about what and more about who.
Going down our list of IOCs, we use the same tool to look up the “azure-drive.com” domain.
The resulting hit from OTX lays out our answer in clear terms.
The domain was reportedly used by North Korean hackers known as the Lazarus Group to steal cryptocurrency.
https://otx.alienvault.com/indicator/file/709ec9fbbc3c37ccd39758527c332b84
Let's review. We investigated a crypto address and discovered it was linked to a hack. A copy of the malicious file used by the hackers revealed that the perpetrators were the Lazarus Group.
We also see that the website gives us various hashes related to the document. These are useful if you want to safely search for information about the file: you can copy and paste the hashes into a keyword search.
Using that hash, we can safely look up the file in other tools like VirusTotal. In doing so, we see that an identical file was flagged by 29 security vendors.
https://www.virustotal.com/gui/file/1939d9fdcf831dc4cac001ba193669c75a336258bc99a1775471554229e4a69b/detection/
The VirusTotal results page also revealed a link to a documented vulnerability, identified as CVE-2017-0199 in the Common Vulnerabilities and Exposures (CVE) system.
This vulnerability can be exploited through a specially crafted Microsoft Office document, allowing remote attackers to execute arbitrary code on the victim's computer.
CVEs can be looked up on websites like cve.org for more information. By Googling the CVE number, we would find an article stating that this CVE has been used repeatedly by the Lazarus Group to steal cryptocurrency.
Conclusion
In essence, investigating phishing attacks boils down to understanding the indicators and leveraging the right tools to expose malicious activity. By using platforms like Any.Run and diving into IOCs, even those without extensive cybersecurity knowledge can uncover key details. Whether it’s identifying suspicious IPs or analyzing files linked to hacks, these methods equip investigators with the ability to trace the origins of attacks. The more you practice and refine your approach, the quicker you’ll become at spotting patterns and identifying perpetrators in future investigations.