Advanced Hunting 4 ZIP/MOV

If you heard a commotion on social media in May 2023, it was probably the same one most of us heard: Google's announcement of a set of new domains.

Google Registry announced eight new top-level domains (TLDs) that day: .esq, .foo, .dad, .phd, .prof, .zip, .mov, and .nexus. But .zip and .mov drew most of the attention because of their similarity to the extremely popular and long-lived .zip and .mov file extensions.

What is it all about?

Domain names and filename extensions are not the same thing, after all. Still, both can play an essential role in modern cyberattacks, and correctly identifying them has long been part of basic security advice. Cybercriminals love ZIP files, and in recent years we have seen them used massively as malicious email attachments. Typically the ZIP file is the first in a sequence of files known as an attack chain. In a short chain, the ZIP file itself is probably malicious; a longer chain may instead contain links to malicious content.

More background is in the post Dangers of Google's .zip TLDs.

Can you quickly tell which of the URLs below is legitimate and which is a malicious phish that drops evil.exe?

https://github.com∕kubernetes∕kubernetes∕archive∕refs∕tags∕@v1271.zip
https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip


Source: https://cv.jeyrey.net/img?equivocal-urls

In a nutshell, there are a few issues with the .zip and .mov TLDs. The first is plain old phishing, where the URL owner explicitly tries to fool you into clicking on it. The main worry with these TLDs is that some browsers, email clients, social media sites and messaging platforms automatically turn file names ending in .zip or .mov into clickable URLs. For example, zip snip: a social engineering attack using a .zip domain.
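As an added illustration (not part of the original post), the following Python shows why a URL parser sees two different hosts in the two GitHub-looking URLs above: everything before the "@" is userinfo, and the U+2215 DIVISION SLASH characters are not path separators, so the real host of the second URL is the .zip domain. The two URLs follow the article's example; the lookalike table and the indicator names are constructed for this example.

```python
"""Added example (not from the original post): show why the two GitHub-looking
URLs from the article resolve to different hosts, and flag the tricks involved."""
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample URLs following the article's example. The second one uses
# U+2215 DIVISION SLASH (not "/") and an "@", so the real host is the .zip TLD.
LEGIT_URL = "https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip"
PHISH_URL = ("https://github.com\u2215kubernetes\u2215kubernetes\u2215archive"
             "\u2215refs\u2215tags\u2215@v1271.zip")

# Characters that look like a path separator to a human but not to a URL parser
# (constructed table; extend it as needed).
SLASH_LOOKALIKES = {"\u2215": "DIVISION SLASH", "\u2044": "FRACTION SLASH",
                    "\u29f8": "BIG SOLIDUS"}
RISKY_TLDS = {"zip", "mov"}


def true_host(url: str) -> Optional[str]:
    """Host a URL parser actually connects to; everything before '@' is userinfo."""
    return urlsplit(url).hostname


def analyze_url(url: str) -> dict:
    """Return the real host plus the deception indicators a defender cares about."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    lookalikes = sorted({SLASH_LOOKALIKES[c] for c in parts.netloc if c in SLASH_LOOKALIKES})
    return {
        "host": host,
        "tld": tld,
        "has_userinfo": "@" in parts.netloc,  # "user@host" form hides the real host
        "slash_lookalikes": lookalikes,
        "risky_tld": tld in RISKY_TLDS,
    }


def is_deceptive(url: str) -> bool:
    """True when the URL hides its host behind userinfo or lookalike slashes."""
    info = analyze_url(url)
    return info["has_userinfo"] or bool(info["slash_lookalikes"])


if __name__ == "__main__":
    for u in (LEGIT_URL, PHISH_URL):
        print(u, "->", analyze_url(u))
```

The interpretation here is the same one browsers apply: the authority ends at the first real "/", "?" or "#", and the host is whatever follows the last "@". Running the check over URLs pulled from click logs before alerting separates a .zip file on a normal host (legit, tld "com") from a .zip host dressed up as a file path.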

Although Google's TLDs were only announced in the first week of May, those domains are already being used in phishing attacks. A recent post by mr.d0x described a way to use the new domains in a phishing technique called "File Archiver In The Browser."

What can we do?

It is highly recommended to block .zip and .mov domains, since they are already being used for phishing and will likely be used increasingly. As in many other scenarios, we need detection rules that tell us who tried to access such a domain, whether the access succeeded, and so on. The following queries were part of an investigation.

Microsoft Security E5 provides many ways to identify, block and handle potential security issues with those domains. Detection and mitigation can include the following actions:

  • Block ZIP/MOV domains with Defender for Office.
  • Mark ZIP/MOV domains as phish with Defender for Office.
  • Block specific ZIP/MOV domains with Exchange Online Protection.
  • Delete ZIP/MOV domain messages with Defender for Office.
  • Block ZIP/MOV domains with Defender for Endpoint.
  • Use Advanced Hunting with custom rules to detect access to ZIP/MOV domains.
  • Use remediation actions as part of custom rules.
  • Isolate devices that access ZIP/MOV domains.

Advanced Hunting Queries

Here are some queries that can be used in Advanced Hunting.

Search for users who clicked on ZIP/MOV domains

UrlClickEvents
| extend domain = tostring(parse_url(Url).Host)
| where domain endswith ".zip" or domain endswith ".mov"
| project Timestamp, NetworkMessageId, Clicked_Url = Url
| join EmailEvents on NetworkMessageId
| project Timestamp, Clicked_Url, RecipientEmailAddress, SenderMailFromAddress, SenderFromAddress, Subject, AttachmentCount, UrlCount

Search for network events whose remote domain ends with .zip or .mov

DeviceNetworkEvents
// capture the host before an optional ":port" and the path (or end of string)
| extend domain = tostring(extract(@"https?://([^:/]+)(:\d+)?(/|$)", 1, RemoteUrl))
| where domain endswith ".zip" or domain endswith ".mov"

Detect devices that are blocked from accessing ZIP/MOV domains

DeviceNetworkEvents
| where Timestamp >= ago(1h)
// capture the host before an optional ":port" and the path (or end of string)
| extend domain = tostring(extract(@"https?://([^:/]+)(:\d+)?(/|$)", 1, RemoteUrl))
| where domain endswith ".zip" or domain endswith ".mov"
| where ActionType != @"ConnectionSuccess"
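To make the hunt logic checkable offline, here is an added Python re-implementation (not part of the original post or its KQL repo) of the three queries above, run over constructed in-memory records shaped like UrlClickEvents, EmailEvents and DeviceNetworkEvents. It uses a port-tolerant version of the article's domain regex for all three hunts; the timestamps, device names, message ids, addresses and URLs are all made up for the example.

```python
"""Added example (not part of the original post): the three Advanced Hunting
queries above, re-implemented in Python over constructed in-memory records so
the detection logic can be checked offline. Column and table names follow the
article's KQL; every value below is made up for the example."""
import re
from datetime import datetime, timedelta, timezone

# Port-tolerant version of the article's pattern: host, optional ":port", then "/" or end.
DOMAIN_RE = re.compile(r"https?://([^:/]+)(:\d+)?(/|$)")
RISKY_SUFFIXES = (".zip", ".mov")
NOW = datetime(2023, 5, 20, 12, 0, tzinfo=timezone.utc)  # constructed "now" for ago(1h)

# The lookalike URL from the article: U+2215 slashes and an "@" hide the .zip host.
CONFUSABLE_URL = ("https://github.com\u2215kubernetes\u2215kubernetes\u2215archive"
                  "\u2215refs\u2215tags\u2215@v1271.zip")

# Constructed rows shaped like UrlClickEvents.
URL_CLICK_EVENTS = [
    {"Timestamp": NOW - timedelta(minutes=5), "NetworkMessageId": "msg-1",
     "Url": "https://update-notes.zip/installer"},
    {"Timestamp": NOW - timedelta(minutes=9), "NetworkMessageId": "msg-2",
     "Url": "https://github.com/kubernetes/kubernetes/archive/refs/tags/v1.27.1.zip"},
    {"Timestamp": NOW - timedelta(minutes=12), "NetworkMessageId": "msg-3",
     "Url": "https://holiday-clip.mov/"},
]
# Constructed rows shaped like EmailEvents, keyed by NetworkMessageId for the join.
EMAIL_EVENTS = {
    "msg-1": {"RecipientEmailAddress": "alice@example.com", "SenderFromAddress": "it@example.net",
              "Subject": "Software update", "AttachmentCount": 0, "UrlCount": 1},
    "msg-2": {"RecipientEmailAddress": "bob@example.com", "SenderFromAddress": "dev@example.org",
              "Subject": "k8s release", "AttachmentCount": 0, "UrlCount": 1},
    "msg-3": {"RecipientEmailAddress": "carol@example.com", "SenderFromAddress": "pal@example.net",
              "Subject": "Vacation video", "AttachmentCount": 1, "UrlCount": 1},
}
# Constructed rows shaped like DeviceNetworkEvents.
DEVICE_NETWORK_EVENTS = [
    {"Timestamp": NOW - timedelta(minutes=3), "DeviceName": "ws01",
     "RemoteUrl": "https://update-notes.zip/installer", "ActionType": "ConnectionFailed"},
    {"Timestamp": NOW - timedelta(minutes=30), "DeviceName": "ws02",
     "RemoteUrl": "https://holiday-clip.mov:8443/", "ActionType": "ConnectionSuccess"},
    {"Timestamp": NOW - timedelta(hours=3), "DeviceName": "ws03",
     "RemoteUrl": "https://archive.mov/", "ActionType": "ConnectionFailed"},
    {"Timestamp": NOW - timedelta(minutes=1), "DeviceName": "ws04",
     "RemoteUrl": "https://example.com/report.zip", "ActionType": "ConnectionSuccess"},
    {"Timestamp": NOW - timedelta(minutes=2), "DeviceName": "ws05",
     "RemoteUrl": CONFUSABLE_URL, "ActionType": "ConnectionFailed"},
]


def extract_domain(url):
    """Mirror of extract(regex, 1, RemoteUrl): the authority part, "" when no match."""
    m = DOMAIN_RE.match(url)
    return m.group(1) if m else ""


def is_risky_domain(domain):
    """domain endswith ".zip" or ".mov"; KQL endswith is case-insensitive, hence lower()."""
    return domain.lower().endswith(RISKY_SUFFIXES)


def clicked_risky_urls(clicks=URL_CLICK_EVENTS, emails=EMAIL_EVENTS):
    """Query 1: clicks whose host is .zip/.mov, joined to the originating email."""
    rows = []
    for ev in clicks:
        # Test the host, not the path: a .zip file on an ordinary host is not a hit.
        if not is_risky_domain(extract_domain(ev["Url"])):
            continue
        mail = emails.get(ev["NetworkMessageId"])
        if mail is None:  # inner join: a click with no matching email row is dropped
            continue
        rows.append({"Timestamp": ev["Timestamp"], "Clicked_Url": ev["Url"], **mail})
    return rows


def risky_network_events(events=DEVICE_NETWORK_EVENTS):
    """Query 2: every device network event whose remote host ends in .zip/.mov."""
    return [ev for ev in events if is_risky_domain(extract_domain(ev["RemoteUrl"]))]


def blocked_risky_connections(events=DEVICE_NETWORK_EVENTS, now=NOW):
    """Query 3: last hour, risky host, and an ActionType other than ConnectionSuccess."""
    return [ev for ev in risky_network_events(events)
            if ev["Timestamp"] >= now - timedelta(hours=1)
            and ev["ActionType"] != "ConnectionSuccess"]


if __name__ == "__main__":
    for row in clicked_risky_urls():
        print("clicked:", row["RecipientEmailAddress"], row["Clicked_Url"])
    for ev in blocked_risky_connections():
        print("blocked:", ev["DeviceName"], extract_domain(ev["RemoteUrl"]))
```

Two details worth noticing when tuning the real queries: the regex captures the whole authority, userinfo included, so the "user@host.zip" trick from the article still ends in ".zip" and is caught; and because the test is on the host rather than the path, a genuine .zip download from an ordinary host (ws04 above) is not a hit, which keeps false positives down.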

Those queries can be customized for each environment to improve accuracy and minimize false positives.

The queries are available in Hunting-ZIP-MOV.kql.

More interesting queries are in the following repo: network-zipandmov-access.

To the conversation on Twitter
