Preface
FOFA is very effective for asset discovery and clue expansion (pivoting), but many practitioners are unsure how to use it for this: which features should be extracted, where the clues worth following come from, and which query syntax can be used to pivot from one asset to many.
The root cause is usually a lack of ideas and methods for finding clues. Learning how to turn clues into query syntax, and how to use both to complete asset collection and clue expansion, is an indispensable part of network security work.
Today we explore this topic step by step, taking the “Silver Fox” organization as an example, and show through several worked cases how FOFA can be used to expand from a handful of sample assets to a much larger result set.
Case Introduction
“Silver Fox” is a hacking tool that has been widely distributed in a decentralized manner. According to Weibu’s research, any attacker can obtain and use it. At present as many as 5 active and publicly disclosed gangs have been detected, and more unknown or undisclosed criminal actors continue to use the Silver Fox Trojan.
The “Silver Fox” Trojan is malware that specifically targets the management, finance, sales and e-commerce staff of enterprises and institutions with phishing attacks. Attackers gain control of the computer through a remote-control Trojan, remain resident for a long time while monitoring the user’s operations, and then commit fraud through chat software.
There are three common delivery paths:
1. Instant messaging: QQ, WeChat and similar tools are used to send enticing files or links.
2. Phishing websites: pages disguised as tax-authority websites, with WeChat used for the phishing.
3. Fake software: pages disguised as common software, promoted with purchased traffic on search engines.
This type of Trojan uses adware for bundled promotion, combines complex forms of malicious exploitation, and is delivered in multiple stages. This article focuses on FOFA’s clue-expansion capability and shares how to use FOFA to expand the results once sample assets have been obtained.
Clue expansion from the samples
Sample 1 comes from the 360 Sandbox Cloud report “360 Sandbox reminds you: beware of the ‘Silver Fox’ Trojan”.
From the known clues we obtained the domain name http://b.zjsdfg.cn, whose resolved IP address is 211.99.98.76. At the same time, from the clues in the screenshot we learned that the original page text contained the keywords “DingTalk PC version” and “Solving office collaboration problems for enterprises”.
Converted into FOFA query syntax, these clues become the following two queries:
ip="211.99.98.76"
body="DingTalk PC version" && body="Solving office collaboration problems for enterprises"
First, let’s do an IP query via FOFA and see if we can find information related to this IP.
After the IP query, we confirmed that the title of the suspected phishing website on this IP is “DingTalk PC Version-App Market Download”, but that is not our focus. What matters is that under the same IP we found a new clue: “down.cstny.xyz”. The following query returns everything FOFA holds for this IP:
ip="211.99.98.76"
Querying using the asset-associated SDK feature, we obtained 24 records, including 6 unique IP addresses.
sdk_hash="5IcXyBJ8QrxlDLQFTl2DCHG0Z42JHfk6"
Digging further into its other characteristics, the keywords in the title and body, yields 18 assets and 6 unique IPs.
title="Official download of Baidu Netdisk PC version" && body="Template"
Based on the assets we searched, we looked at the original text of the website saved by FOFA, and we can see very interesting trends.
From the saved page source we can clearly observe the Trojan’s download link and how it changed over time: it moved from local storage to cloud storage, and beyond that the pages share obvious common characteristics. These shared characteristics let us expand our information collection further.
In the page source we can see several recurring features, such as “downapp”, “count” and “fileurl”; the pages also share the same “js_name” value. We can therefore continue to drill down with the following query, which returns 28 hits and 7 unique IPs.
js_name="static/js/quanzhan.js" && body="downapp"
Having exhausted the IP clue, we turn to the second clue, the features extracted from the sample’s original page:
body="DingTalk PC version" && body="Solving office collaboration problems for enterprises"
This time, from the results, we discovered a number of new characteristic assets through the following title:
title="DingTalk PC version-Master Lu App Store download"
We obtained 3 search results, which will help us learn more about “DingTalk PC version” related information.
Additionally, we discovered a new IP address: 43.248.190.199. Searching this IP revealed new signature clues, with the new title clues being:
title="OBS Screen Recorder_Official_Simple and easy ultra-clear screen recording software_Computer screen recorder"
This new clue will help further expand our information collection and analysis to obtain 3 independent domain names.
We can splice syntax further by analysing the js_md5 value in the page body and adding the common tool features discovered above.
The newly constructed phishing-website query is:
js_md5="a13f7f208ba534681deadb1ec7a2e54a" && body="downapp" && (body="count" || body="fileUrl")
New title clues appeared in the search results. We continued the search using title syntax and obtained 18 independent subdomain names and 2 independent IPs.
title="Silhouette·Paipai_Official_Simple and good video editing software_Computer video editing"
The retrieved results are as follows:
jy15.lianhuawangluo03.xyz jy.hehuashangwu04.xyz jy.hehuashangwu01.xyz jy.lianhuawangluo17.xyz ad.jianying-pro.cc jy15.lianhuawangluo09.xyz jy.hehuashangwu04.xyz jy.hehuashangwu01.xyz jy.hecishangwu.xyz jy.hecishangwu.xyz jy.lianhuawangluo17.xyz 150.109.76.206 124.156.185.102 jy.hehuashangwu20.xyz jy1.hehuashangwu11.xyz jy15.lianhuawangluo09.xyz ad.jy2023.cc jy15.lianhuawangluo03.xyz jy.hehuashangwu20.xyz jy1.hehuashangwu11.xyz 124.156.134.59
Looking at the results, a rule emerges: most of these domain names consist of “hehuashangwu” or “lianhuawangluo” followed by two digits. We can therefore use FOFA’s fuzzy-search function to build a new query, which hits 107 assets and 34 unique IPs.
host*="*.lianhuawangluo.xyz" || host*="*.hehuashangwu.xyz"
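The naming rule spotted above (a fixed stem plus a numeric counter) can be derived mechanically from a result list. The following Python is an added example, not code from the original article or from FOFA: it takes a host list like the one returned by the title query, groups registrable names of the form stem+digits.tld, and emits a host*= fuzzy query for every stem seen with more than one counter. The inner wildcard placement and the min_variants threshold are my assumptions.

```python
import re
from collections import defaultdict

# Hosts copied from the title-query results shown on the page; two bare IPs
# and one host:port entry are included to show how they are handled.
SAMPLE_HOSTS = """jy15.lianhuawangluo03.xyz jy.hehuashangwu04.xyz jy.hehuashangwu01.xyz
jy.lianhuawangluo17.xyz ad.jianying-pro.cc jy15.lianhuawangluo09.xyz jy.hecishangwu.xyz
150.109.76.206 124.156.185.102 jy.hehuashangwu20.xyz jy1.hehuashangwu11.xyz ad.jy2023.cc
www.lianhuawangluo39.xyz:43080""".split()

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# any number of leading labels, then <stem><digits>.<tld> as the registrable name
NUMBERED = re.compile(r"^(?:[^.]+\.)*([a-z][a-z-]*?)(\d+)\.([a-z]+)$")


def numbered_domain_families(hosts, min_variants=2):
    """Group hosts whose registrable label is <stem><digits>.<tld>.

    Returns {(stem, tld): sorted list of numeric suffixes} for stems that occur
    with at least `min_variants` distinct suffixes (assumed threshold). Bare IPs,
    ports and hosts without a numeric suffix are ignored.
    """
    seen = defaultdict(set)
    for host in hosts:
        host = host.strip().lower().split(":")[0]  # drop any :port
        if IPV4.match(host):
            continue
        match = NUMBERED.match(host)
        if match:
            stem, digits, tld = match.groups()
            seen[(stem, tld)].add(digits)
    return {key: sorted(vals) for key, vals in seen.items() if len(vals) >= min_variants}


def fofa_fuzzy_query(families):
    """OR together one FOFA host*= fuzzy term per family; '*' before the TLD
    stands in for the numeric counter (wildcard placement is an assumption)."""
    terms = [f'host*="*.{stem}*.{tld}"' for (stem, tld) in sorted(families)]
    return " || ".join(terms)


if __name__ == "__main__":
    fams = numbered_domain_families(SAMPLE_HOSTS)
    for (stem, tld), suffixes in sorted(fams.items()):
        print(f"{stem}.{tld}: counters {suffixes}")
    print(fofa_fuzzy_query(fams))
```

The same grouping applied to the final deduplicated list would also surface the sogou/xunlei/wps/office prefixes as the impersonated software families.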
At this point, starting from the assets of this one sample, we have extracted a long list of features. Finally, we build one more query from all the known features and go all in:
body="function downapp" && (body="count" || body="fileUrl") && (body="exe" || body="msi" || body="zip")
This finds 136 assets and 35 unique IPs. The results include many more phishing websites, impersonating Douyin Desktop, WPS, Baidu Netdisk, Xunlei, WinRAR and others. All of these phishing sites are disguised download pages tied to this Trojan, which is an interesting finding.
Okay, let’s sort out our thoughts and continue exploring another sample.
Sample 2 comes from the Tinder report “The ‘Poison Rat’ backdoor virus has been upgraded and is spread through fake official websites”.
We looked up this asset on the FOFA platform. This time we pivot directly on the fid value FOFA attaches to the asset:
fid="VAaTqhs0Tw/lp4YjN7vWlw=="
Based on the current asset clues, we successfully queried 12 assets and 4 independent IP addresses. Through this information, we obtained the download address of the Trojan:
hxxps://vv[i]ipp.xykr[s]ii.cn/tsetup-x64Chinese.exe
By resolving its IP, the whois registrant information can be looked up on open-source platforms. Today, however, we only use FOFA for clue expansion and will not demonstrate that further.
We continue with Sample 3, which comes from the Weibu Online report “Situation Pictogram: Beware of a new round of phishing attacks launched by the Silver Fox Organization”.
Querying its domain name luthj.sbs and expanding from it, we obtain the key features of its assets as before.
Clues could also be expanded through FOFA’s unique FID fingerprint or the SDK features mentioned above; this time we chose to extract key features from the page body.
From the extracted features we built the following query, which returns 109 results and 10 unique IPs.
body="Shadow network file transfer system kiftd v1.1.0-RELEASE" && body="Ticket Service"
Summary
Silver Fox is a widely used tool. Its core approach is to build a phishing website disguised as the download page of common software and send it to the victim’s mailbox as a phishing email, inducing them to download the Trojan. Exploring the series of assets showed that some of the related phishing domain names follow clear rules, and the corresponding phishing assets can be traced through those rules.
In addition, different kinds of phishing websites often share the same keywords, such as the “js_name” value or “downapp”, which suggests that they come from the same organization.
In this real Silver Fox case we used a range of FOFA query syntax, including ip, body, host, sdk_hash, title, js_name, js_md5, fid and fuzzy matching, to expand the asset set. The whole expansion process relies on FOFA’s search capability, but what matters more is the method of discovering clues and the way of thinking behind it. We hope this case helps readers use FOFA better for asset expansion and information collection, and get the most value out of it.
The deduplicated assets obtained after clue expansion in this case are as follows:
Reference articles:
https://mp.weixin.qq.com/s/ae1iOSrUOrGBhERyjqZJIQ
https://mp.weixin.qq.com/s/jy_iVqXB3QLgsaxApVXc5A
https://mp.weixin.qq.com/s/WmLekqCN3sOy3_JQlMvyVg