How to Use Maltego to Conduct Threat Research

July 2017 | by Roberto Sanchez | Threat Intelligence

Maltego is an interactive, visual data mining and link analysis tool used to conduct online investigations through a library of plugins called “transforms.” In this guide, we’ll show you how to use Maltego to do threat research within your own organization.

Maltego allows security professionals to retrieve information on targets of interest – infrastructure, people, or companies – and explore simple and complex relationships using graph visualizations. It comes pre-packaged in Kali Linux; if you want to download it separately, it is distributed in three versions, XL, Classic, and CE, each available from the Paterva website.

For our example, we used the free Community Edition (CE) client installed locally on a research laptop to query Paterva’s servers. Before installing Maltego CE or using the Kali Linux package, register an account on the Paterva website, since Paterva requires one to log in.

How to Use Maltego: Getting Started

Once installed and logged into your account, you are presented with a start screen listing the available “machines”: scripts (macros) that run multiple predefined searches to perform tasks such as footprinting a domain. Select the cancel button, since we will install our transforms manually from the “Transform Hub” on the right-hand side of the screen.

These are the community transforms that we will be using: CaseFile Entities, Paterva CTAS, Shodan*, VirusTotal Public API*, ThreatMiner, ThreatCrowd, and PassiveTotal*. The asterisk denotes the transforms that require an API key, which can be obtained at the respective vendor’s site.

Figure 1: Maltego start page displaying the list of machines and the transform hub

Figure 2: Transform seed settings for VirusTotal, where users enter their public API key

Next, we create a new graph and select an entity as our target:

  • Create a new graph – Click on the document symbol with a green plus sign in the middle, located at the top left of the screen. Alternatively, use keyboard shortcuts: CTRL+T (Windows) or CMD+T (Mac).
  • Save the graph – Click the “save as” button, the third icon to the right of the “create a new graph” icon, name your graph, and save it.
  • Select entity – In the “Entity Palette” on the left side of the screen, expand the “Infrastructure” category, then click and hold the “Domain” entity and drag it to the center of your Maltego graph.
  • Rename the entity – The entity is named paterva[.]com by default; double-click it and type or paste the target’s name into the text box.

Figure 3: Creating a new Maltego graph with a domain entity

For our research, we use the domain gap-facebook[.]com as our “seed”, obtained from a blog post by security vendor FireEye; however, the launching point could just as easily have been an indicator of compromise (IOC) derived from perimeter defense systems, host or network logs, SIEMs, malware analysis, honeypots, or a myriad of other security technologies.

The FireEye post attributes the domain to command and control (C2) infrastructure of APT32 (alias OceanLotus), a Vietnam-based cyber espionage group. Leveraging this high-fidelity indicator, we commence our research to build our understanding of the adversary’s infrastructure, potentially obtaining more IOCs to consider for monitoring/blocking or to feed our threat hunting operations.

How to Use Maltego to Investigate Threat Infrastructure

To view the installed transforms for pivoting on the seed data, right click on the entity. Once clicked, a pop-up window appears with a listing of installed transforms to execute individual queries or “All Transforms” at once. Some available options for querying on domains are:

  • Whois Information
  • Historical DNS Records
  • Associated Malware File Hashes
  • Detected suspicious or malicious URLs
  • SSL Certificate Information

Figure 4: Creating a domain entity and list of available transforms

We start by running a passive DNS (pDNS) search on gap-facebook[.]com using the VirusTotal (VT) transform “Domain Resolutions” to identify historical IP address resolutions. This returns three IP addresses. Note that PassiveTotal’s passive DNS and unique resolutions transforms and ThreatCrowd’s enrich domain transform return the same three IP addresses.

Figure 5: Passive DNS results for gap-facebook[.]com in a hierarchical layout

Next, we run the VT transform “Detected URLs” that returns five URLs detected by either a vendor’s URL scanner or infosec community blocklist. Visual inspection of the URLs shows the threat actors created the websites with popular brand names – Adobe and Microsoft – in the URL path, a common tactic employed during phishing and malware campaigns.

Figure 6: Sites hosted on the same webserver of gap-facebook[.]com in a circular layout

The last step searches for malicious files that embed URL strings containing our seed. Again, the VT transform “String References” gives us the best results: seven unique SHA256 hash values of various malware samples.

Figure 7: Malicious files that embed URL pattern strings with the domain provided in a block layout
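Replaying the three pivots above (Domain Resolutions, Detected URLs, String References) as plain code, as an added example that is not part of the original post or of Maltego itself: the report is a constructed sample whose "resolutions" and "detected_urls" fields follow the VirusTotal v2 domain-report shape, while "string_references" and every indicator value are assumptions of this example.

```python
import json
from urllib.parse import urlparse

# Constructed sample report for the seed, modelled on the pivot in this post: "resolutions" and
# "detected_urls" follow the VirusTotal v2 domain-report shape, "string_references" is our own
# name for the hash pivot, and every value (documentation IPs, placeholder hash) is made up.
SEED = "gap-facebook.com"
REPORT = json.loads("""{
  "resolutions": [{"ip_address": "203.0.113.10"}, {"ip_address": "203.0.113.11"}, {"ip_address": "203.0.113.10"}],
  "detected_urls": [{"url": "http://gap-facebook.com/adobe/update.php", "positives": 7},
                    {"url": "http://gap-facebook.com/microsoft/office.php", "positives": 4},
                    {"url": "http://gap-facebook.com/index.html", "positives": 0}],
  "string_references": [{"sha256": "PLACEHOLDER_SHA256"}]
}""")
BRANDS = ("adobe", "microsoft")  # brand names the post saw abused in URL paths

def defang(ioc):
    """Make an indicator unclickable (gap-facebook[.]com, hxxp://), touching only the host part of a URL."""
    if "://" in ioc:
        scheme, rest = ioc.split("://", 1)
        host, _, tail = rest.partition("/")
        return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + ("/" + tail if tail else "")
    return ioc.replace(".", "[.]")

def impersonated_brand(url):
    """Return the brand name found in the URL path, or None (the lure tactic noted above)."""
    path = urlparse(url).path.lower()
    return next((b for b in BRANDS if b in path), None)

def pivot(seed, report):
    """Replay the three transforms as a link graph: (source, transform, target) edges plus a deduplicated IOC set."""
    edges, iocs = [], {seed}
    for r in report.get("resolutions", []):            # Domain Resolutions (passive DNS)
        if r["ip_address"] not in iocs:                 # the same IP from several providers is one node
            edges.append((seed, "Domain Resolutions", r["ip_address"]))
            iocs.add(r["ip_address"])
    for d in report.get("detected_urls", []):          # Detected URLs: keep only those with detections
        if d.get("positives", 0) > 0 and d["url"] not in iocs:
            edges.append((seed, "Detected URLs", d["url"]))
            iocs.add(d["url"])
    for s in report.get("string_references", []):      # String References -> malware sample hashes
        if s["sha256"] not in iocs:
            edges.append((seed, "String References", s["sha256"]))
            iocs.add(s["sha256"])
    return edges, iocs

if __name__ == "__main__":
    for src, transform, dst in pivot(SEED, REPORT)[0]:
        lure = impersonated_brand(dst) if transform == "Detected URLs" else None
        print(f"{defang(src)} --[{transform}]--> {defang(dst)}", f"(lure: {lure})" if lure else "")
```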

Conclusion

In this blog, we showed you how to use Maltego to investigate a single link from the domain gap-facebook[.]com as a method for introducing its powerful open source intelligence and data visualization capabilities. Without further investigation, we rapidly discovered a fresh set of suspicious and malicious IOCs – not previously disclosed in the FireEye blog.

This could be used by network defenders to proactively search through networks to detect and isolate possible traffic between their enterprise systems and malicious infrastructure that could have evaded existing defensive solutions.
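One way to put the exported IOCs to the defensive use described above, as an added example that is not from the original post: the IOC list and the resolver log lines are constructed, the key=value log format is invented for this example, and the domain check uses suffix matching so that a lookalike name embedded in another domain is not flagged.

```python
import re

# Constructed IOC list in the defanged form this post uses (and that a Maltego export would
# carry); the IP is a documentation address and the URL is made up, not real indicators.
IOCS = ["gap-facebook[.]com", "203[.]0[.]113[.]10", "hxxp://gap-facebook[.]com/adobe/update.php"]

# Constructed DNS resolver log lines; the key=value format is invented for this example.
LOGS = """2017-07-01T10:00:01Z client=10.0.0.5 query=www.example.com answer=93.184.216.34
2017-07-01T10:00:07Z client=10.0.0.9 query=cdn.gap-facebook.com answer=203.0.113.10
2017-07-01T10:00:09Z client=10.0.0.9 query=gap-facebook.com.internal.example.com answer=10.0.0.1
2017-07-01T10:00:12Z client=10.0.0.7 query=update.example.net answer=203.0.113.10""".splitlines()

IP_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def refang(ioc):
    """Undo the defanging so the indicator matches what actually appears in logs."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")

def split_iocs(iocs):
    """Reduce domain, IP and URL indicators to a hostname set and an IP set."""
    domains, ips = set(), set()
    for ioc in map(refang, iocs):
        if "://" in ioc:                                  # URL: keep only its host
            ioc = ioc.split("://", 1)[1].split("/", 1)[0]
        (ips if IP_RE.fullmatch(ioc) else domains).add(ioc.lower())
    return domains, ips

def domain_hit(qname, domains):
    """Exact or subdomain match only; gap-facebook.com.internal.example.com must not match."""
    qname = qname.lower().rstrip(".")
    return any(qname == d or qname.endswith("." + d) for d in domains)

def scan(lines, iocs):
    """Return (client, query, reasons) for every log line touching the malicious infrastructure."""
    domains, ips = split_iocs(iocs)
    hits = []
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        reasons = []
        if domain_hit(fields.get("query", ""), domains):
            reasons.append("domain")
        if fields.get("answer") in ips:
            reasons.append("ip")
        if reasons:
            hits.append((fields["client"], fields["query"], reasons))
    return hits

if __name__ == "__main__":
    for client, query, reasons in scan(LOGS, IOCS):
        print(f"{client} -> {query} matched on {', '.join(reasons)}")
```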

To download this Maltego graph and the associated indicators of compromise (IOCs), please visit the GroupSense GitHub page listed in the references below.


References

1. Paterva – https://www.paterva.com/web7/buy/maltego-clients/maltego-ce.php

2. Kali Linux – https://tools.kali.org/tools-listing

3. Paterva – https://www.paterva.com/web7/community/community.php

4. FireEye – https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html

5. ThreatMiner – https://www.threatminer.org/reports.php?q=oceanlotus

6. VirusTotal – https://www.virustotal.com/en/domain/gap-facebook.com/information/

7. GroupSense GitHub – https://github.com/GroupSense

Background Sources

1. YouTube – https://www.youtube.com/results?search_query=maltego

2. Dean Pompilio (Using Open Source Intelligence – Module 11) – https://www.cybrary.it/video/using-open-source-intelligence-part-2/

3. Hybrid-Analysis – https://www.hybrid-analysis.com/sample/1210384a9d0ca2e089efab14f2e9f6d55a3824031c1e589b96f854fb96411288?environmentId=100

4. Hybrid-Analysis – https://www.hybrid-analysis.com/sample/5b39a9bc0d05caafcd8ff045aabcc12a8d9d1ade3f32d0a8f0f26dfc733369e5?environmentId=100

5. Hybrid-Analysis – https://www.hybrid-analysis.com/sample/9da692544fe6b6bca70e7cf47ce5708a93fcb6adc5159344b849fd5ed987d2b2?environmentId=100

6. Hybrid-Analysis – https://www.hybrid-analysis.com/sample/6bd95c274fe7750a46cc6ea1f3909c961a77fff38a92223c096887863f40490d?environmentId=100

7. Hybrid-Analysis – https://www.hybrid-analysis.com/sample/3de7e2f6b949a5b4820d841633bd26eae66020c287304da78216bdf33e953d78?environmentId=100