In examining the initial access of malware, it is evident that attacks do not always originate directly from a file. In today's attack chains, threat actors employ a variety of techniques, including phishing links, malicious JavaScript scripts, and methods to prompt users to download files from alternative addresses. However, there are instances when sandbox environments or the network you are on may not be conducive to analyzing these files to ascertain their trustworthiness. In light of this, we are announcing two new features designed to address this need of analysts.

• Fetching and analyzing the file from the URL
• URL Reputation and Threat Analysis

Fetching and analyzing the file from the URL

The growing number of phishing and file download attacks are currently keeping malware analysts and SOC teams more busy than direct file-based attacks. Going to each malicious URL, downloading the relevant file from those addresses and sandboxing it is a separate challenge. With Threat.Zone's new Fetch and Analyze feature, all you have to do is enter the URL where the file you want to download is located. The file hosted at that address will then be downloaded and delivered directly to the sandbox environment of your choice. With this newly added feature:

• Domains or IP addresses that may have been previously blocked in corporate networks, or in cases where it is necessary to re-analyze the attack vectors after an attack for operational investigation of the data obtained with tactical intelligence, you can download the desired file directly into the sandbox and analyze it,
• Protection from potentially malicious Javascript code on malicious websites visited,
• Not revealing the external IP address of the organization to the address you visit with JS codes that store visitor information,
• Provide a structure where you can always access your analysis data and correlate attacks. Here’s how the process works:some text
  • Static Analysis: The file is dissected without execution to uncover its structure, metadata, and embedded code. By performing hash checks, signature analysis, and inspecting the file for known malicious patterns, we can immediately identify common threats.
  • Dynamic Analysis: If the file is an executable or script, it is executed within a secure, isolated environment (sandbox). During this phase, we monitor for suspicious or malicious behavior, such as network communications, file changes, or process injections.
  • Emulation:  If you believe your file contains a shellcode, JavaScript, PowerShell, or Visual Basic script, you can also statically emulate these file types directly, which will generate the analysis output in a few seconds. 

This two-pronged approach ensures that any malicious content behind a URL is detected and reported before it has the chance to compromise the user’s system.

URL Reputation and Threat Analysis

Now that we've seen what you can do in scenarios where files can be downloaded, let's see what you can do with another new feature, 'URL Reputation and Threat Analysis', in cases where files cannot be downloaded or direct phishing attacks are coming.

‍

Another challenge in post-attack analysis is that the path of the malware may have been altered or the domain/IP address may be unavailable. For this reason, you may also wish to consider conducting reputational checks of the relevant domain in order to gain a comprehensive overview of all your phishing attacks, including cases where files cannot be downloaded. Given the challenges of threat intelligence and URL reputation analysis at a single organization, it is essential to perform blacklisting and threat analysis scanning of the URL, domain, or IP address in question. Threat.Zone offers a comprehensive solution, providing access to data from various IP/Domain blacklist services, threat feeds from abuse.ch including ThreatFox and URLhaus, and checks from CTX's TI database.

• Reputation Analysis: The URL is cross-referenced with various security databases, including blacklists and threat intelligence feeds, to determine if the URL or domain has been associated with known malware, phishing campaigns, or command-and-control (C&C) servers.
• Domain and IP Information: The domain and associated IP address are investigated to gather WHOIS data, SSL certificate information (if available), and geolocation data. This allows us to determine the domain’s age, the hosting provider, and whether the IP address has been flagged for suspicious activity.
• Threat Context: Beyond just a simple reputation check, we provide detailed context on how the URL or domain is linked to broader threat campaigns. For example, if a URL is identified as a C&C server for a botnet, we include that in the report, offering users greater situational awareness.

This deeper inspection is essential for identifying phishing sites, compromised domains, or malicious URLs that may not directly serve malware but are used to collect credentials or launch more advanced attacks. 

Critical Use Cases of URL Scanning

The URL Scanning feature was introduced in response to a growing number of customer requests, particularly from organizations facing URL-based threats in phishing campaigns or malware distribution. Here are a few scenarios where this feature proves invaluable:

• Phishing Protection: Many customers have been targeted by phishing attacks where URLs appear legitimate but redirect to malicious sites. With Threat.Zone’s URL reputation checks, these attacks can be preemptively identified, preventing several type of phishing attack scenarios like credential phishing.
• Blocking Malware Distribution: For organizations that manage web traffic or email gateways, the ability to check URLs for potentially harmful files before they are downloaded by users provides an extra layer of defense.
• Incident Response and Forensics: Security teams conducting post-attack investigations can use the URL scanning feature to identify where attacks originated and understand the infrastructure behind the threat. This helps in preventing future attacks by blocking malicious domains and IPs at the perimeter.

‍

‍

Future Enhancements

As part of our commitment to continuously improving Threat.Zone, we are working on enhancing the URL Scanning feature with behavioral analysis and historical data at the start of next year. These additions will allow us to monitor how URLs and domains behave over time, providing greater context and earlier detection of evolving threats. Historical data will also help track recurring threats, giving security teams the ability to see past trends and take proactive measures.

Conclusion

URL Scanning is a critical step in advancing Threat.Zone’s capabilities. By allowing users to scan URLs for both file-based threats and domain-level reputation issues, we added an even more comprehensive approach to being a holistic malware analysis platform. The URL scanning feature is designed to meet the demands of our users, and is now available and already making a significant impact in mitigating URL-based threats.

You can try URL scanning now and see its power yourself by creating your free Threat.Zone account.

‍