NDR POW (Punkbust Of the Week): Catching Homograph Attacks (PHISH PHINDER!)

With the Holiday season comes the myriad of phishing emails that will plague our inboxes for the next 3 weeks. In the trigger below, I am trying to detect a Homograph attack where by a user presents a URI via hyperlink that looks legit but is actually something quite different.

I got the idea for this when a customer sent me a Yara rule and I saw the text there. Using the EvilURL python script from UndeadSec (Uses Python3, if you are like me and clinging with all your being to 2.7, this could surprise you)

In the link below, notices the
еxаmрlе.com

If you look closely at the link, you can see that SOME of the text looks a bit off. This is designed to fool you. The truth is, the actual URI will render as follows:
image

That ‘xn–’ is something we can attach to.

In the trigger below, I am checking the following tuples looking for our ‘xn–’.

  • DNS.qname
  • SSL.host
  • HTTP.host

When I was a kid, my mom would tell me “Don’t even THINK about {insert 'middle-child”, functional Asperger’s/OCD behavior here}…".

At ExtraHop, we replace that with “Don’t even NSLOOKUP that malicious site!”

While the trigger checks for HTTP and SSL, typically you will see it in DNS unless they are using DoH, in which case they will get caught by the HTTP_REQUEST and SSL_OPEN events.

//Trigger looking for various hacking tools and undesirable sites
//
// Early exits
//

if(event == "DNS_REQUEST" || event == "HTTP_REQUEST" || event == "SSL_OPEN" ) {
var cip = Flow.client.ipaddr;
var sip = Flow.server.ipaddr;

if(event == 'DNS_REQUEST') {
if(!DNS.qname) {
return; 
}
}
if ( event == 'SSL_OPEN' ) {
if ( ! SSL.host ) {
    //return;
}
} else if ( event == 'HTTP_REQUEST' ) {
if ( ! HTTP.host ) {
    return;
}
}

let now = Math.round(getTimestamp()); 
let proto = '';
let host = '';

let hacking_tool_domains = cache('hacking_tool_domains', () => ({
'pastebin.com'                  : "All Around Malicious Content",
'teamviewer.com'                : 'TeamViewer Observed!!!',
'\.exe$'                         : "Executable Download",
  **'^xn--(.*?)' : 'Possible Homoglyph Attack/Host'**
}));

switch(event) {
case ('SSL_OPEN'):
    proto = 'ssl';
    if(!SSL.host) {
        if(SSL.certificate==null) {host = "None"} else {
        host = SSL.certificate.subject; }
    } else {
    host = SSL.host;
    }
    break;

case ('HTTP_REQUEST'):
    proto = 'http';
    host =  HTTP.uri;
    break;

case ('DNS_REQUEST'):
    proto = 'dns';
    host = DNS.qname;
    break;
default:
    //debug("Unhandled event: " + event);
    return;
}

for ( let domain in hacking_tool_domains ) {
if ( new RegExp(domain + '$').test(host)) {
    %DO SOMETHING%
}
}

I am using the trigger (a hybrid of the SolEng Hacking Tools Detector) to generate a detection on it.

2 Likes