Last week we announced the addition of a new, free data source inside of PassiveTotal, Open Source Intelligence (OSINT). The source has already paid dividends in saving us time and helping add more context, but it wasn’t until last night when reviewing RSA’s GlassRAT report that it really sunk in how much this simple overlay could augment the analyst workflow.
Whenever we observe a new report or blog post with indicators, we make a point to add it to the PassiveTotal OSINT repository, so that the data is available to our community of users. After doing that, Steve or myself will leverage our bulk upload feature to automatically tag and classify the indicators with our own names or context inside our PassiveTotal organization. Doing so helps us keep track of threats and find good examples to showcase during demos.
Once we have the data inside of the platform, we will generally go through the indicators to identify any overlaps or new connections that weren’t mentioned in reporting. When looking at the GlassRAT activity, I started with ftp.news-google[.]net.
Before we had OSINT, it was cumbersome to identify which items were part of public reporting verses items we had tagged or classified on our own. In the above screenshot, we can see that RSA included two of the IP addresses in their report, but what about the other ten or so records? Are they related to the threat?
Pivoting around on some of the unknown IP addresses instantly leads to some new domain discoveries. The above screenshot shows an interesting color pattern within the DNS results table with some entries being red, while others are white. If you remember earlier, we took the indicators from the RSA report, bulk uploaded them and classified the relevant infrastructure as malicious. Classifying the domains as malicious causes them to show up highlighted in red as we pivot in the future.
So what’s the big deal? How is PassiveTotal changing the way I do analysis? The answer here lies within the color patterns and tag combinations. Without any understanding of the GlassRAT infrastructure, I am quickly able to identify several domains (deepcyber009) that were not in the report that are likely related to the threat.
Running a more comprehensive wildcard search on deepcyber009[.]com reveals 20 unique subdomains with more IPs of interest that lead to additional infrastructure. Beyond the new data points, it’s clear there are patterns to some of these subdomains (newsgdeep, newsgpt, newsgfox, etc.) that could be used as seed queries on the existing domains RSA analysts discovered.
Normally, doing a post-investigation like this could take hours without the proper tools. PassiveTotal was built for these exact use case - empowering the analyst to make new discoveries quickly and efficiently. There are tons of additional leads off the GlassRAT infrastructure not explicitly mentioned in the RSA report. If you don’t have a PassiveTotal account, sign-up for free and begin exploring.