As part of our ongoing effort to allow you to investigate any security incident, we have made an important expansion to the types of artifacts Intezer Analyze can help you with. We are very excited to announce the latest addition to Intezer Analyze – URL analysis.
The ability to quickly and reliably determine whether a given URL poses a threat is valuable for many use cases: URLs are extremely common artifacts in suspicious emails and SOC alerts, and they are frequently encountered during incident response and malware analysis. This is because modern cyber attacks typically involve URLs in one or more of the following ways:
- Credential harvesting links (phishing) – Links that lead to fake websites masquerading as a legitimate service, in an attempt to trick the user into typing their credentials so they can be stolen. Typically used in phishing emails.
- C&C address – For communication with the malware operators. Malware often communicates with its C&C server over HTTP(S) in order to receive commands and send data.
- Malware drop sites – For downloading malware payloads. Malware droppers (e.g. a malicious PDF attachment) may use common file hosting services (e.g. Google Drive) in order to download malicious payloads while evading URL reputation-based filtering.
- Browser exploitation – Where a victim browses to a compromised website that exploits a vulnerability in their browser in order to give the attacker control over the victim's machine. Often used by exploit kits.
How do we tackle URL scanning?
Our goal was to build a comprehensive solution that attempts to provide reliable answers for the most relevant questions when you are analyzing URLs:
- Is this URL a threat?
- If so, what kind of threat is it?
- What does the webpage look like?
- Does it download a file? What is that file?
It was important for us to provide the most value without overwhelming the user, giving you fast, accurate, and easy-to-interpret scan results so that you can focus on real incidents. Additionally, we designed our solution to be useful for analysts of all skill levels.
To achieve all that, we decided on a best-of-all-worlds approach. We combined Intezer's proprietary scan insights with best-of-breed existing solutions for URL analysis (urlscan.io and apivoid.com), each with a distinct approach. We tied everything together in a clean interface that makes our results easy to understand.
Some URL analysis examples
One very common and familiar scenario is receiving an email that contains a link to the login page of some online service. In the example below we can see an analysis of a link that appeared in an email supposedly sent from Facebook:
After analysis we can clearly see it is actually a malicious phishing site masquerading as a Facebook login page, most likely in an attempt to harvest the login credentials from the user.
Another common scenario is dealing with download links. Downloading the file yourself and uploading it for analysis is an option, but it can be a hassle and may be risky. With the new URL analysis feature you can simply paste the URL and we will analyze both the URL and any file it downloads.
In the example below, we can see an analysis for a download link to a PDF file.
We can see the URL is malicious, specifically a malware drop site. Viewing the analysis of the downloaded file it becomes clear that it is a PDF dropper for the BazarLoader malware.
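The "does it download a file, and what is that file?" step is worth doing on the bytes rather than on the URL or the server's headers, since a drop site can name a PE `invoice.pdf` and serve it with `Content-Type: application/pdf`. The following is an added example written for this post and is not Intezer's own detection logic or code; it classifies a fetched response body by its leading magic bytes, hashes it for lookup or submission, and flags a mismatch between the claimed and the actual type. The URLs and sample bodies are constructed for illustration (the PE and PDF stubs are inert header fragments, not real malware).

```python
import hashlib
from typing import Optional

# Magic-byte signatures for payload containers commonly served by drop sites.
# Constructed list for this example; extend it as needed.
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"MZ", "pe"),                                   # Windows executable / DLL
    (b"\x7fELF", "elf"),
    (b"PK\x03\x04", "zip"),                          # also OOXML, JAR, APK
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),    # legacy Office, MSI
    (b"Rar!\x1a\x07", "rar"),
    (b"\x1f\x8b", "gzip"),
]

# What a given Content-Type header would lead you to expect (attacker-controlled).
EXPECTED_BY_CONTENT_TYPE = {
    "application/pdf": "pdf",
    "application/zip": "zip",
    "application/x-msdownload": "pe",
    "text/html": "html",
}


def identify(body: bytes) -> str:
    """Classify a response body by its leading bytes, never by its name or header."""
    for magic, label in SIGNATURES:
        if body.startswith(magic):
            return label
    head = body[:512].lstrip().lower()
    if head.startswith((b"<!doctype html", b"<html")):
        return "html"
    return "unknown"


def triage(url: str, body: bytes, content_type: Optional[str] = None) -> dict:
    """Summarise a fetched URL: hash, detected type, and whether the server lied."""
    detected = identify(body)
    claimed = None
    if content_type:
        media_type = content_type.split(";")[0].strip().lower()
        claimed = EXPECTED_BY_CONTENT_TYPE.get(media_type)
    return {
        "url": url,
        "size": len(body),
        "sha256": hashlib.sha256(body).hexdigest(),
        "detected_type": detected,
        "claimed_type": claimed,
        "is_download": detected not in ("html", "unknown"),
        "type_mismatch": claimed is not None and claimed != detected,
    }


# Constructed sample bodies standing in for fetched responses (not real malware).
SAMPLE_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
SAMPLE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
SAMPLE_HTML = b"<!DOCTYPE html><html><head><title>Log in to Facebook</title></head></html>"

if __name__ == "__main__":
    # Hypothetical URLs; the second case is a PE served under a PDF name and header.
    for url, body, ctype in [
        ("https://drive.example/invoice.pdf", SAMPLE_PDF, "application/pdf"),
        ("https://drive.example/invoice.pdf", SAMPLE_PE, "application/pdf"),
        ("https://login.example/fb", SAMPLE_HTML, "text/html"),
    ]:
        print(triage(url, body, ctype))
```

Fetch the body in an isolated environment (a sandbox VM or a detonation service), never from the analyst workstation, and treat the `sha256` as the pivot for reputation lookups and for submitting the file itself to further analysis; the `type_mismatch` flag alone is a strong signal that the link is a drop site rather than a document share.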
Try it out
Got a funny looking URL you are not sure about? Try scanning it with Intezer Analyze!
Please note the feature is still in early beta, so you may experience a few kinks and missing features. We are constantly working on improving it and fixing any issues that pop up – whether you spot an issue we should address or you just love it, we'd love to hear your feedback.