How to Use Maltego to Conduct Threat Research
July 2017 | by Roberto Sanchez | Threat Intelligence
Maltego is an interactive, visual data mining and link analysis tool used to conduct online investigations through a library of plugins called “transforms.” In this guide, we’ll show you how to use Maltego to do threat research within your own organization.
Maltego allows security professionals to retrieve information on targets of interest – infrastructure, people, or companies – and explore simple and complex relationships between them using graph visualizations. It is pre-packaged in Kali Linux; otherwise it can be downloaded from the Paterva website, which distributes three editions: XL, Classic, and CE.
For our example, we used the free Community Edition (CE) client installed locally on a research laptop to query Paterva’s servers. Before installing Maltego CE or using it in Kali Linux, register an account here, as Paterva requires one.
How to Use Maltego: Getting Started
Once installed and logged into your account, you will be presented with a screen listing options to run a “machine”: a script/macro that runs multiple predefined searches to conduct tasks such as footprinting domains. Select the Cancel button, since we will be manually installing our transforms from the “Transform Hub” on the right-hand side of the screen.
These are the community transforms that we will be using: CaseFile Entities, Paterva CTAS, Shodan*, VirusTotal Public API*, ThreatMiner, ThreatCrowd, and PassiveTotal*. The asterisk denotes the transforms that require an API key, which can be obtained at the respective vendor’s site.
Next, we create a new graph and select an entity as our target:
- Create a new graph – Click on the document symbol with a green plus sign in the middle, located at the top left of the screen. Alternatively, use keyboard shortcuts: CTRL+T (Windows) or CMD+T (Mac).
- Save the graph – Click the “save as” button, the third icon to the right of the “create a new graph” icon, name your graph, and save it.
- Select entity – Hover over the “Entity Palette” on the left side of the screen. Underneath the “Infrastructure” category, select the “Domain” entity, then left-click, hold, and drag the entity onto the center of your Maltego graph.
- Rename the entity – By default, the entity’s name is paterva[.]com; therefore, double-click on the entity and change the target’s name by manually typing it in or copy and paste it into the text box.
For our research, we use the domain gap-facebook[.]com as our “seed”, obtained from a blog post from security vendor FireEye; however, the launching point could have easily been from an indicator of compromise (IOC) derived from perimeter defense systems, host or network logs, SIEMs, malware analysis, honeypots, or a myriad of other security technologies.
In the FireEye post, they attribute the domain as command and control (C2) infrastructure associated with a Vietnam-based cyber espionage group called APT32 alias OceanLotus. Leveraging this high-fidelity indicator, we commence our research to build our understanding of the adversary’s infrastructure to potentially obtain more IOCs for monitoring/blocking consideration or to feed our threat hunting operations.
How to Use Maltego to Investigate Threat Infrastructure
To view the installed transforms for pivoting on the seed data, right click on the entity. Once clicked, a pop-up window appears with a listing of installed transforms to execute individual queries or “All Transforms” at once. Some available options for querying on domains are:
- Whois Information
- Historical DNS Records
- Associated Malware File Hashes
- Detected suspicious or malicious URLs
- SSL Certificate Information
We start by running a passive DNS (pDNS) search on gap-facebook[.]com using the VirusTotal (VT) transform “Domain Resolutions” to identify historical IP address resolutions. This returns three IP addresses. Note that the same three IP addresses are returned when using PassiveTotal’s passive DNS and unique resolutions transforms and ThreatCrowd’s enrich domain transform.
Next, we run the VT transform “Detected URLs”, which returns five URLs detected by either a vendor’s URL scanner or an infosec community blocklist. Visual inspection of the URLs shows the threat actors created the websites with popular brand names – Adobe and Microsoft – in the URL path, a common tactic employed during phishing and malware campaigns.
The last step involves searching for malicious files that embed URL pattern strings matching our seed. Again, the VT transform “String References” provides the best results, with seven unique SHA256 hash values of various malware samples.
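The pivot chain above (seed domain to resolutions, detected URLs and referencing file hashes, with the same resolutions corroborated by three sources) is essentially a breadth-first walk over transforms. The following Python is an added example, not code from the post or from Maltego, that models that walk offline: the transform results are constructed placeholders (TEST-NET addresses, .example hosts, dummy hashes), the transform names mirror the ones used above, and the output is a per-type IOC list with an optional minimum number of corroborating sources.

```python
from collections import defaultdict, deque

SEED = ("domain", "seed-domain.example")  # an entity is (type, value)

# Constructed stand-in for the transform output seen in the walkthrough:
# (source, transform name) -> {input entity: [output entities]}. Every value
# is a placeholder (RFC 5737 TEST-NET addresses, .example hosts, dummy hashes).
_IPS = [("ip", "192.0.2.10"), ("ip", "192.0.2.11"), ("ip", "192.0.2.12")]
TRANSFORMS = {
    ("VirusTotal", "Domain Resolutions"): {SEED: _IPS},
    ("PassiveTotal", "Unique Resolutions"): {SEED: _IPS},
    ("ThreatCrowd", "Enrich Domain"): {SEED: _IPS},
    ("VirusTotal", "Detected URLs"): {SEED: [
        ("url", "http://seed-domain.example/adobe/update.php"),
        ("url", "http://seed-domain.example/microsoft/login.php"),
    ]},
    ("VirusTotal", "String References"): {SEED: [
        ("sha256", "a" * 64), ("sha256", "b" * 64), ("sha256", "c" * 64),
    ]},
    ("VirusTotal", "IP to Domains"): {  # one extra hop for deeper pivots
        ("ip", "192.0.2.10"): [("domain", "second-seed.example")]},
}

def pivot(seed, transforms, max_depth=1):
    """Breadth-first link analysis from seed, running every transform whose
    input matches. Returns (edges: parent -> children, sources: entity -> set
    of data sources that reported it, used for corroboration)."""
    edges, sources = defaultdict(set), defaultdict(set)
    queue, seen = deque([(seed, 0)]), {seed}
    while queue:
        entity, depth = queue.popleft()
        if depth >= max_depth:
            continue
        for (source, _name), table in transforms.items():
            for child in table.get(entity, []):
                edges[entity].add(child)
                sources[child].add(source)
                if child not in seen:
                    seen.add(child)
                    queue.append((child, depth + 1))
    return edges, sources

def iocs_by_type(sources, min_sources=1):
    """Flatten the graph into a hunt/block list, keeping only indicators
    reported by at least min_sources independent data sources."""
    out = defaultdict(list)
    for (etype, value), srcs in sources.items():
        if len(srcs) >= min_sources:
            out[etype].append(value)
    return {etype: sorted(vals) for etype, vals in out.items()}
```

Raising `min_sources` is the programmatic equivalent of noticing that VirusTotal, PassiveTotal and ThreatCrowd all agree on the same resolutions: single-source URLs and hashes drop out, leaving the corroborated infrastructure for blocking consideration.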
In this blog, we showed you how to use Maltego to investigate a single link from the domain gap-facebook[.]com as a method for introducing its powerful open source intelligence and data visualization capabilities. Without further investigation, we rapidly discovered a fresh set of suspicious and malicious IOCs – not previously disclosed in the FireEye blog.
This could be used by network defenders to proactively search through networks to detect and isolate possible traffic between their enterprise systems and malicious infrastructure that could have evaded existing defensive solutions.
To download this Maltego graph and associated indicators of compromise (IOCs), please visit our GroupSense GitHub page located here.
References
1. Kali Linux – https://tools.kali.org/tools-listing
2. Paterva – https://www.paterva.com/web7/community/community.php
3. ThreatMiner – https://www.threatminer.org/reports.php?q=oceanlotus
4. GroupSense GitHub – https://github.com/GroupSense
Additional Resources
1. YouTube – https://www.youtube.com/results?search_query=maltego
2. Dean Pompilio (Using Open Source Intelligence – Module 11) – https://www.cybrary.it/video/using-open-source-intelligence-part-2/