Case Study: Leveraging OpenCTI to investigate a phishing attack
It all started with several odd comments that were added to OpenCTI and OpenBAS GitHub issues within seconds to minutes of their creation. This suspicious activity caught our attention and led us into an in-depth investigation using OpenCTI itself: the cobbler's children have shoes this time.
This case study details our journey through the investigation process and highlights how we leveraged OpenCTI to uncover valuable insights about this phishing attack.
Initial Observations
The first red flag was raised when we noticed unusual comments appearing on GitHub issues for the OpenCTI and OpenBAS repositories. These comments were being posted remarkably quickly after the creation of new issues, raising suspicions about their authenticity.
Here are some examples of the suspicious messages we observed:
Investigation Objectives
Given these suspicious activities, we set out to answer the following key questions:
- Are these comments truly malicious, or just unusual?
- Is this a targeted attack against Filigran repositories and organization?
- Who is behind these activities?
- What are the motivations of the actors involved?
With these objectives in mind, we began our investigation using OpenCTI to uncover the truth behind these suspicious comments.
Investigation Process
1. Analyzing GitHub Accounts
Our first step was to investigate the GitHub accounts responsible for these comments. Interestingly, we found that these accounts were only accessible for a short time after the comments were published. Attempts to access them later resulted in 404 errors, suggesting that the accounts were being deleted shortly after use.
However, we were able to retrieve some information from internet archives. We discovered that some of these accounts had recent activity, with several repositories that were mostly empty. For instance:
- The “Wanderx13” account had repository names in Portuguese, seemingly related to school projects (we could not confirm this).
- The “coffincolors” account had repository names in English.
2. Analyzing Malicious Links
All observed URLs followed a specific pattern: https://www.mediafire.com/file/<random_string>/fix.<extension>/file
The random string was always a 15-character alphanumeric string, and the extension was typically an archive format such as .rar or .zip.
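As an added example that is not part of the original write-up, the following Python script turns the two observations above (a comment posted unusually soon after its issue, and a link matching the MediaFire fix.<extension> shape) into a simple triage check that a repository maintainer could run over exported issue comments. The sample issues and comments are constructed, and the 120-second threshold and the `triage_*` function names are assumptions, not part of the case study or of any Filigran tooling.

```python
import re
from datetime import datetime

# URL shape described in the case study: a MediaFire file link whose key is
# exactly 15 alphanumeric characters, with a filename of the form fix.<ext>
# and a trailing "/file". IGNORECASE tolerates FIX.ZIP-style variants.
MEDIAFIRE_FIX_RE = re.compile(
    r"https?://(?:www\.)?mediafire\.com/file/"
    r"(?P<key>[A-Za-z0-9]{15})/fix\.(?P<ext>[A-Za-z0-9]+)/file",
    re.IGNORECASE,
)

# Constructed sample data (not real GitHub records): issue id -> creation time.
SAMPLE_ISSUES = {
    101: datetime.fromisoformat("2024-10-01T10:00:00+00:00"),
    102: datetime.fromisoformat("2024-10-01T11:30:00+00:00"),
}

# Constructed sample comments. Comment 4 carries a 13-character key on purpose
# so that the length check in the pattern is exercised.
SAMPLE_COMMENTS = [
    {"id": 1, "issue": 101, "created": "2024-10-01T10:00:41+00:00",
     "body": "Fixed here: https://www.mediafire.com/file/abc123def456ghi/fix.rar/file"},
    {"id": 2, "issue": 101, "created": "2024-10-01T14:10:00+00:00",
     "body": "I can reproduce this on the latest release, stack trace attached."},
    {"id": 3, "issue": 102, "created": "2024-10-01T11:30:07+00:00",
     "body": "download fix https://www.mediafire.com/file/ZZ9a8b7c6d5e4f3/FIX.ZIP/file"},
    {"id": 4, "issue": 102, "created": "2024-10-02T09:00:00+00:00",
     "body": "see https://www.mediafire.com/file/tooshortkey12/fix.zip/file"},
]


def extract_suspicious_urls(text):
    """Return (url, key, extension) for every link in text matching the pattern."""
    return [
        (m.group(0), m.group("key"), m.group("ext").lower())
        for m in MEDIAFIRE_FIX_RE.finditer(text)
    ]


def triage_comment(issue_created, comment_created, body, max_delay_seconds=120):
    """Collect human-readable reasons why a single comment looks suspicious.

    Two signals from the investigation are combined: the comment arriving
    within max_delay_seconds of the issue being opened, and the presence of a
    link matching the MediaFire fix.<ext> pattern. An empty list means clean.
    """
    reasons = []
    delay = (comment_created - issue_created).total_seconds()
    if 0 <= delay <= max_delay_seconds:
        reasons.append(f"posted {int(delay)}s after issue creation")
    for _url, key, ext in extract_suspicious_urls(body):
        reasons.append(f"mediafire fix.{ext} link (key {key})")
    return reasons


def triage_all(issues, comments, max_delay_seconds=120):
    """Return {comment_id: [reasons]} for comments that raised at least one signal."""
    flagged = {}
    for c in comments:
        reasons = triage_comment(
            issues[c["issue"]],
            datetime.fromisoformat(c["created"]),
            c["body"],
            max_delay_seconds,
        )
        if reasons:
            flagged[c["id"]] = reasons
    return flagged


if __name__ == "__main__":
    for cid, reasons in triage_all(SAMPLE_ISSUES, SAMPLE_COMMENTS).items():
        print(f"comment {cid}: " + "; ".join(reasons))
```

Either signal alone produces noise (a fast human reply, or a link pasted in a legitimate thread), which is why the check reports every reason it found rather than a single verdict; in the sample data only comments 1 and 3 raise both signals, and the 13-character key in comment 4 is correctly ignored.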
Interestingly, the files on MediaFire were no longer available at the time of our investigation. We either encountered a “file not found” message or a warning from MediaFire.
3. Leveraging OpenCTI
To deepen our investigation, we turned to the tool in our hands, OpenCTI. 🥳
Here’s how we used the platform:
Gathering Information
Using OpenCTI’s advanced search capabilities, we discovered that URLs with the same pattern had been reported by multiple sources, indicating that this was a known tactic.
The oldest reported URL dated back to July 2023.
Identifying the Threat
Our investigation in OpenCTI revealed that the sources of information were quite varied, suggesting that this technique might be managed by a phishing kit used by several actors. However, we identified two main clusters pointing to:
- The malware Agent Tesla — Agent Tesla is a spyware Trojan written for the .NET framework that has been observed since at least 2014.
- The intrusion set Hagga — Hagga is a Pakistani actor who has been tied to extensive malware campaigns since 2018 and whose tools have been used by others, including Nigerian actors. Hagga’s activities overlap with some Gorgon Group activity, though as yet there is no conclusive evidence to tie him to the group.
Results per Investigation Objectives
1. Malicious Nature of Comments:
- Confirmed malicious: The comments contained links to MediaFire files that were flagged as potentially harmful.
- The URLs followed a specific pattern associated with known phishing campaigns.
2. Targeted Attack Assessment:
- Not specifically targeted: The attack appears to be part of a broader phishing campaign affecting multiple GitHub repositories.
- Our repositories were likely targeted due to their popularity rather than a specific focus on Filigran.
3. Actors Behind the Activities:
- No single intrusion set identified definitively.
- Two main clusters were associated with the campaign:
  a. Agent Tesla malware
  b. Hagga intrusion set
4. Motivations of the Actors:
- Primarily financially motivated: The use of widespread phishing techniques and the involvement of Agent Tesla (a known info-stealer) suggest financial gain as the primary motive.
- The campaign’s broad nature and quick account changes indicate a focus on quantity rather than targeted attacks.
This investigation demonstrates the effectiveness of OpenCTI in rapidly analyzing and correlating threat data to provide actionable insights into emerging cyber threats.
You can also take this opportunity to investigate the subject yourself, directly on the OpenCTI public demo instance!