BazarCall IoC Expansion—DIY Domain Research Suite (DRS) Guide
We took a deep dive into published indicators of compromise (IoCs) for a recently upgraded BazarCall campaign, leading us to more than 7,000 possible vehicles for similar callback phishing attacks.
We’ll take you through the IoC expansion process using various domain search and monitoring tools within the Domain Research Suite (DRS), so you can also perform a similar threat expansion on your own. The IoCs used as examples in this post were taken from this report.
Step #1: Find Artifacts Connected to the IoCs through WHOIS Ownership
Learn everything you can about publicly available IoCs and find WHOIS connections by following these steps.
1. Go to WHOIS Search and type the domain tagged as an IoC into the search field.
2. Look for unredacted WHOIS details and click the orange arrow beside the record.
3. Select Build current Reverse WHOIS report to get a list of domains that contain the registrant details in their current WHOIS records.
4. Selecting Build historic Reverse WHOIS report returns a list of domains registered using the registrant details, including those that have expired or changed owners.
Step #2: Uncover Artifacts Connected to the IoCs through DNS Resolutions
This time, we will find connected properties that share the IoCs’ IP addresses. Do that by following the steps below.
1. Go to Reverse DNS Search. The default tab is Obtain connected domains.
2. Type the IoC into the search field and click Search. You will see a list of domains that share the IoC’s IP host.
3. Look for further similarities between the IoC and its IP-connected artifacts by clicking the orange arrow beside the domain and clicking Build WHOIS report.
- This is the screenshot of the IoC nhelp[.]live.
- These are the screenshots of its artifacts, chelp[.]live and nthelp[.]live.
Aside from containing the same text strings and resolving to the same IP address, the three domains hosted exactly the same web content.
Step #3: Look for Properties Bearing Similar Threat Patterns
Retrieve a list of cyber resources that match the malicious campaign’s attack and weapon patterns. For the recent BazarCall IoCs, we detected the use of domains containing support-related text strings, such as “help,” “support,” “helpdesk,” and “remote.” Follow these steps.
1. Go to Domains & Subdomains Discovery.
2. Type the recurring text string found among the IoCs and set the term’s position. For the BazarCall pattern, the IoCs began with recurring strings, so we set this parameter to Starts with.
3. Make the results time-bound by specifying the Added since date and clicking Search.
4. Download the results by clicking the Export CSV button.
5. Repeat steps 2–4 for all the text strings. In total, we found 7,392 domains added from 1 September to 24 October 2022 that started with “help,” “support,” “helpdesk,” and “remote.”
6. [BONUS PRO TIP]: You may come across other threats like the one you’re investigating by looking into the string-connected artifacts. Click the orange arrow beside a domain and select Build WHOIS report.
The content hosted on help-twitter-notice[.]net appeared to be Twitter’s login page. However, the domain cannot be attributed to Twitter.
Step #4: Continuously Monitor the DNS for New Artifacts Connected to the IoCs
You can track newly added potential artifacts connected to the IoCs through their WHOIS registration details by following these steps.
1. Go to Registrant Monitor.
2. Type the registrant email address or organization used to add the IoCs to your monitoring and click Add to monitoring. The registrant email address we’re monitoring was associated to one of the BazarCall IoCs.
3. Click View changes to see the domains that were added, dropped, or updated by the registrant. Note that it takes up to 24 hours for the tool to detect any activity.
The registrant has been quite active since 20 October 2022, registering several new domains every day.
4. Click the orange arrow beside the domains to generate historical or reverse WHOIS reports and perform other lookups.
These are four ways you can use DRS tools to investigate threats and expand IoC lists.
We started by looking into the IoCs tagged in the recent BazarCall campaign and ended with thousands of possible connections, including a suspicious domain potentially targeting Twitter users seeking support from the social media platform.
Are you interested in doing a similar investigation for your brand? Access DRS if you are an existing user or sign up if you are a first-timer.