A technique is being used in the distribution of multiple families of malware that obfuscates the end destination of a URL by abusing the URL schema. Mandiant tracks this adversary methodology as "URL Schema Obfuscation”.
This article discusses a technique used by malicious actors to obfuscate the destination of a URL by abusing the URL schema. This technique, known as "URL Schema Obfuscation", can increase the likelihood of a successful phishing attack and can cause domain extraction errors in logging or security tooling. It can also bypass network defense tools that rely on knowing the server a URL is pointing to, resulting in gaps in visibility and coverage.
The technique involves the usage of an "@" sign to obscure the destination server, as well as the usage of alternative hostname formats to obscure the destination IP address. These alternative formats include single integer representations, hexadecimal, octal, and mixed-type representations, as well as padded values. Additionally, domains can be used to make the destination look like a legitimate site.
VirusTotal shows usage of this technique dating back to at least February 2022, and it is likely still being used because it is working for the attackers. It is commonly used to download additional malware for execution, and has been seen exploiting multiple vulnerabilities to gain code execution on the victim.
To detect this technique, network traffic analysis won't show it in use, as the username field is stripped out and the integer representation of the IP address is changed to the dotted-quad format. However, file-based analysis like YARA or AV/EDR can reveal tools using URL schema obfuscation, as can process execution logs. Additionally, a YARA rule is included that can find it in Office documents, RTFs, and PDFs.
Defenders need to ensure security tooling and logging systems are able to detect, identify, and parse the correct indicators to ensure defenses aren’t bypassed by using a format that isn’t RFC-compliant. In lieu of other indicators, detection of URL Schema Obfuscation using the provided YARA rules can be a malicious indicator in itself, helping to detect and prevent intrusions.
Overall, this article provides an overview of URL Schema Obfuscation, how it is used, and how to detect it. It is important for defenders to be aware of this technique and take steps to ensure their security tooling and logging systems are able to detect and parse the correct indicators.
📓 Don't @ Me: URL Obfuscation Through Schema Abuse
👉🏽 A technique is being used in the distribution of multiple families of malware that obfuscates the end destination of a URL by abusing the URL schema. Mandiant tracks this adversary methodology as "URL Schema Obfuscation”. 👉🏽 URL Schema Obfuscation is a malicious technique used to obscure the destination of a URL. 👉🏽 This technique can increase the success rate of phishing attacks. 👉🏽 It can also cause errors in domain extraction, logging, and security tooling. 👉🏽 URL Schema Obfuscation can bypass network defense tools and create visibility gaps. 👉🏽 The technique uses an "@" sign and alternative hostname formats to obscure the destination IP address. 👉🏽 It can also use domains to mimic legitimate sites. 👉🏽 VirusTotal shows this technique has been in use since at least February 2022. 👉🏽 It is commonly used to download malware and exploit vulnerabilities. 👉🏽 Network traffic analysis won't show this technique, but file-based analysis and YARA rules can reveal it. 👉🏽 Defenders must be aware of this technique and ensure their security tooling and logging systems can detect and parse the correct indicators.
#URLSchemaObfuscation #PhishingAttack #SecurityTooling #Malware #DetectionTechniques