URLhaus – Polarity

Start by configuring the URLhaus integration: go to Configure > Integrations > URLhaus and click Settings.

Select the Entity Types to search for and the Minimum URL Count.

If you are an Administrator, you can also change:

  • Ignored Entities
  • Ignored Domain Regex
  • Ignored IP Regex

Using Polarity.io’s URLhaus integration, an analyst can quickly:

  • Gain more insight into a bad actor or group.
  • Collect valuable information about an attack.
  • Uncover information about any malware related to an attack & its origins.

Below we have an attacker IP address. Using URLhaus we will try to gather more information about the attack and the actors behind it. Copy the address, right-click the Polarity interface, and click “Search Clipboard” to look up the IP address.

This returns a few results.

Click on the URLhaus icon to navigate to the URLhaus results.

URLhaus icon

The integration returns details about:

  • When the URL was first seen
  • URL Count
  • Spamhaus Status
  • SURBL Status

It also returns information about each URL:

  • Malware URL
  • More Info with a link
  • URL Status
  • Date Added
  • Threat Type
  • Reporter
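The fields above, together with the Minimum URL Count and the administrator's ignore settings, are what the integration applies to each URLhaus host lookup. The following Python script is an added example, not Polarity's integration code: it filters an entity with the same three ignore settings, parses a host-lookup response shaped like the one the documented URLhaus v1 `/v1/host/` endpoint returns, and applies the Minimum URL Count. The sample response is constructed for this example (it uses the IP and URLs shown in this write-up; timestamps, reporter and reference ids are made up), and the `Auth-Key` header in `lookup_host` is an assumption about your abuse.ch account.

```python
import ipaddress
import json
import re
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import List, Optional

# Documented URLhaus v1 host-lookup endpoint (POST, form field "host").
URLHAUS_HOST_API = "https://urlhaus-api.abuse.ch/v1/host/"

# Constructed sample shaped like a URLhaus host-lookup response. The host and
# the two URLs are the ones shown in this write-up; timestamps, reporter and
# reference ids are made up for the example.
SAMPLE_RESPONSE = json.dumps({
    "query_status": "ok", "host": "171.43.33.73",
    "firstseen": "2020-05-01 08:12:33 UTC", "url_count": "2",
    "blacklists": {"spamhaus_dbl": "not listed", "surbl": "not listed"},
    "urls": [
        {"url": "http://171.43.33.73:42355/bin.sh", "url_status": "online",
         "date_added": "2020-05-01 08:12:33 UTC", "threat": "malware_download",
         "reporter": "example_reporter", "tags": ["Mozi"],
         "urlhaus_reference": "https://urlhaus.abuse.ch/url/PLACEHOLDER_ID_1/"},
        {"url": "http://171.43.33.73:42355/Mozi.m", "url_status": "online",
         "date_added": "2020-05-01 08:14:02 UTC", "threat": "malware_download",
         "reporter": "example_reporter", "tags": ["Mozi"],
         "urlhaus_reference": "https://urlhaus.abuse.ch/url/PLACEHOLDER_ID_2/"},
    ],
})

@dataclass
class UrlRecord:              # one row of the per-URL information
    url: str
    status: str               # "online" / "offline" / "unknown"
    date_added: str
    threat: str
    reporter: str
    tags: List[str]
    reference: str            # the "More Info" link

@dataclass
class HostSummary:            # the host-level fields the overlay shows
    host: str
    first_seen: str
    url_count: int
    spamhaus_status: str
    surbl_status: str
    urls: List[UrlRecord]

    def online_urls(self) -> List[UrlRecord]:
        return [u for u in self.urls if u.status == "online"]

    def tags(self) -> List[str]:
        return sorted({t for u in self.urls for t in u.tags})

def is_ignored(entity: str, ignored_entities: tuple = (),
               ignored_domain_regex: Optional[str] = None,
               ignored_ip_regex: Optional[str] = None) -> bool:
    """Administrator settings applied before any lookup: exact match on the
    ignore list, or a regex chosen by whether the entity parses as an IP."""
    if entity in ignored_entities:
        return True
    try:
        ipaddress.ip_address(entity)
        pattern = ignored_ip_regex
    except ValueError:
        pattern = ignored_domain_regex
    return bool(pattern and re.search(pattern, entity))

def parse_host_response(raw: str, min_url_count: int = 1) -> Optional[HostSummary]:
    """Build a HostSummary from the JSON body, or None when there is nothing
    to show (no results, or fewer URLs than the Minimum URL Count setting)."""
    data = json.loads(raw)
    if data.get("query_status") != "ok":
        return None
    url_count = int(data.get("url_count") or 0)
    if url_count < min_url_count:
        return None
    bl = data.get("blacklists") or {}
    urls = [UrlRecord(u["url"], u.get("url_status", "unknown"), u.get("date_added", ""),
                      u.get("threat", ""), u.get("reporter", ""), list(u.get("tags") or []),
                      u.get("urlhaus_reference", ""))
            for u in data.get("urls") or []]
    return HostSummary(data.get("host", ""), data.get("firstseen", ""), url_count,
                       bl.get("spamhaus_dbl", "unknown"), bl.get("surbl", "unknown"), urls)

def lookup_host(host: str, auth_key: Optional[str] = None, timeout: int = 10) -> str:
    """Live query (network call, not exercised by the sample above). Assumption:
    your abuse.ch account may require an Auth-Key header; pass it if so."""
    body = urllib.parse.urlencode({"host": host}).encode()
    req = urllib.request.Request(URLHAUS_HOST_API, data=body, method="POST")
    if auth_key:
        req.add_header("Auth-Key", auth_key)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")
```

Running `is_ignored` first keeps internal ranges (for example an `^10\.` IP regex) from ever being sent to URLhaus, and returning `None` from `parse_host_response` when `url_count` is below the minimum reproduces the overlay staying empty for low-signal hosts; `online_urls()` is the quick check for whether the malware URLs are still being served.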

The IP address we started with is confirmed to have been serving malware, and the URLs are still online.

Record this information as you go in a text pad, or annotate it in Polarity to save the data; all of it is useful.

Click the “View in URLhaus” link in the Polarity overlay window to open the URLhaus webpage with the entry for the IP.

The entry shows the country of origin as China and the host as still active.

Click one of the URLs and you will be brought to the database entry for that specific URL.

Click on the Mozi tag to open the webpage for that group. Mozi stands out as a hacking group with 885,611 sightings.

Mozi Group Tag

Next, go back to the previous page with the IP database entry and click the URL links, in this case:

  • http://171.43.33.73:42355/bin.sh
  • http://171.43.33.73:42355/Mozi.m

These pages hold more data points about the URLs being used to serve malware.

There is information about the payload, plus links to VirusTotal and MalwareBazaar.

Click on the VirusTotal and MalwareBazaar links.

VirusTotal shows this is a type of Trojan/Backdoor and Botnet.

MalwareBazaar intelligence suggests Mozi attacks may be of Russian origin as well.

MalwareBazaar’s Vendor Threat Intelligence reports this malware as a malicious Trojan and Botnet.

With the URLhaus integration for Polarity, an analyst can gain insight into an attack on their organization in minutes.
