Illicit Brand Impersonation | A Threat Hunting Approach

Brand impersonation has surged as a core concern, with attackers impersonating trusted brands to steal credentials and deliver malware across platforms. The piece highlights new tooling (VirusTotal NetIoc) and practical hunting approaches to detect and track these campaigns moving forward. Hashtags: #Kimsuky #USPS

Keypoints

  • Brand impersonation remains a persistent method for credential phishing and malware delivery across multiple platforms.
  • VirusTotal NetIoc expands the YARA engine to network telemetry, enabling broader network-data detection opportunities for threat hunting.
  • Phishing pages reuse content from the services they mimic (icons, body content, images), making detection rely on signals like favicon hashes and outgoing links.
  • Attackers mimic trusted pages (e.g., AWS login) through direct Google ads and other channels, driving credential theft and wider distribution.
  • Infrastructure reuse is common: campaigns reuse trackers (e.g., Yandex Tracker IDs) and other infrastructure elements across domains, aiding large-scale phishing.
  • Analyses of APTs (e.g., Kimsuky) show the use of config.php and small scripts to enable credential theft, with NetIoc templates accelerating rule generation.
  • Effective threat hunting combines tooling (NetIoc), proactive monitoring of trackers, and sharing findings to disrupt brand-impersonation campaigns.
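
The favicon-hash and outgoing-link heuristic described in the keypoints above, as an added example that is not part of the original post or of SentinelOne's or VirusTotal's tooling. It scores a captured page by whether its favicon hashes to a known brand icon and whether it links out to the brand's real sign-in page while being served from a host the brand does not own. The favicon bytes, the HTML samples, the `aws-login-example.invalid` host and the trusted-host list are all constructed for the example.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed stand-in for the legitimate brand favicon; in practice this
# hash would be taken from the real icon served by the brand's login page.
LEGIT_FAVICON = b"\x00\x00\x01\x00constructed-sample-icon-bytes"
LEGIT_FAVICON_SHA256 = hashlib.sha256(LEGIT_FAVICON).hexdigest()

# Assumed list of hosts the brand legitimately serves sign-in pages from.
LEGIT_SIGNIN_HOSTS = {"signin.aws.amazon.com", "console.aws.amazon.com"}
# Assumed parent domain; pages on this domain or its subdomains are trusted.
LEGIT_BRAND_DOMAIN = "amazon.com"


def is_brand_host(host):
    """True when the host belongs to the brand's own domain (assumption)."""
    if not host:
        return False
    return host == LEGIT_BRAND_DOMAIN or host.endswith("." + LEGIT_BRAND_DOMAIN)


def extract_favicon_href(html):
    """Return the href of the first <link rel=...icon...> tag, or None."""
    for tag in re.findall(r"<link\b[^>]*>", html, re.IGNORECASE):
        rel = re.search(r"rel=[\"']([^\"']+)[\"']", tag, re.IGNORECASE)
        href = re.search(r"href=[\"']([^\"']+)[\"']", tag, re.IGNORECASE)
        if rel and href and "icon" in rel.group(1).lower():
            return href.group(1)
    return None


def extract_outgoing_hosts(html):
    """Collect hostnames from absolute <a href> links on the page."""
    hosts = set()
    for href in re.findall(r"<a\b[^>]*href=[\"']([^\"']+)[\"']", html, re.IGNORECASE):
        host = urlparse(href).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def assess_page(page_url, html, favicon_bytes):
    """Flag a page that borrows the brand's favicon or links to its real
    sign-in page while being hosted outside the brand's domain."""
    page_host = (urlparse(page_url).hostname or "").lower()
    favicon_match = hashlib.sha256(favicon_bytes).hexdigest() == LEGIT_FAVICON_SHA256
    outgoing = extract_outgoing_hosts(html)
    outgoing_to_legit = bool(outgoing & LEGIT_SIGNIN_HOSTS)
    return {
        "host": page_host,
        "favicon_href": extract_favicon_href(html),
        "favicon_match": favicon_match,
        "outgoing_link_to_legit": outgoing_to_legit,
        # Only an off-brand host reusing brand signals is suspicious.
        "suspicious": (not is_brand_host(page_host))
        and (favicon_match or outgoing_to_legit),
    }


# Constructed samples: a lookalike page and the brand's own page.
PHISH_URL = "http://aws-login-example.invalid/login.html"
PHISH_HTML = """<html><head>
<link rel="shortcut icon" href="/favicon.ico"></head>
<body><form action="/config.php"><input name="password"></form>
<a href="https://signin.aws.amazon.com/">Forgot password?</a>
</body></html>"""

LEGIT_URL = "https://signin.aws.amazon.com/signin"
LEGIT_HTML = """<html><head><link rel="icon" href="/favicon.ico"></head>
<body><a href="https://console.aws.amazon.com/">Console</a></body></html>"""


def demo():
    """Run both samples and return the two assessments for inspection."""
    return assess_page(PHISH_URL, PHISH_HTML, LEGIT_FAVICON), assess_page(
        LEGIT_URL, LEGIT_HTML, LEGIT_FAVICON
    )


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The same two signals map directly onto a hunting rule: new URLs whose favicon hash matches the brand icon, or whose outgoing links point at the brand's real sign-in page, are worth triage, and the host check keeps the brand's own pages from matching.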

MITRE Techniques

  • [T1036] Masquerading – Adversaries masquerade as trusted brands by reusing login page content to harvest credentials. Quote: ‘So how can we detect illicit login pages such as these? First, we have to note that many phishing pages reuse the content from the services they mimic, such as URL icons, body content, and images.’
  • [T1566.001] Phishing: Spearphishing Link – Attackers drive credential phishing via fake login pages/ads. Quote: ‘This rule will trigger on any new URL which contains the same favicon used on the AWS login page or docs page, or contains an outgoing link to the legitimate AWS sign in page.’

Indicators of Compromise

  • [Domain] phishing domains – uspps-onlynee[.]biz, hetclick[.]biz, and 6 more domains
  • [IP] observed addresses – 167.172.113[.]157, 108.179.214[.]134, and 1 more IP
  • [SHA256] file hash – 256fa5009e8e82258876325b7d36f41cc3e74e85627663206b042eec8736ce6a
  • [URL/Path] credential-endpoint references – namsouth[.]com/config.php, reasope[.]org/config.php, voesami[.]com/config.php

Read more: https://www.sentinelone.com/blog/illicit-brand-impersonation-a-threat-hunting-approach/