OSINT Investigation

Investigation of IOCs from an Open Source Intelligence publication

Scenario

Your CEO has forwarded you an article from Kaspersky. https://securelist.com/apt-phantomlance/96772/#infrastructure.

The CEO wants you to review the publication and determine whether your organization has anything to worry about, and whether it has already been affected by this attack.

Goal

Read the article, then investigate the Command and Control domains and IP addresses it lists and see what you can find out about them.

Important Note: During the investigation, instruct your team not to visit any of the listed domains or IP addresses directly (no browser, no curl, no ping), so that no malware is pulled into the organization. Work from passive sources only: the article, passive DNS, WHOIS history, and your own logs.

Objectives

Objective 1: What are the main characteristics of the attack?

Objective 2: Is the attack still active?

Objective 3: Does your organization need to worry about this attack?

Objective 4: Have you seen any of the IOCs in your own environment?
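Objective 4 is answered from your own telemetry, not from the internet, so the indicators have to be refanged and then matched against logs offline. The script below is an added example for this exercise, not code from the article or from RiskIQ: it takes a defanged IOC list, normalizes it to domains and IPs, and scans a resolver log for hits. The IOC values and the log lines are constructed placeholders (reserved example names and documentation address ranges), not the PhantomLance indicators from the Securelist article; substitute the real ones when you run it.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed IOC list in the defanged form threat-intel reports use.
# These are placeholder indicators, NOT the ones from the Securelist article.
DEFANGED_IOCS = [
    "hxxp://update[.]example[.]net/api/v1",
    "c2-panel[.]example[.]org",
    "203[.]0[.]113[.]45",
]

# Constructed resolver log: timestamp, client IP, queried name, returned record.
SAMPLE_DNS_LOG = """\
2020-04-29T10:01:01Z\t10.0.0.12\tcdn.update.example.net\t198.51.100.7
2020-04-29T10:01:05Z\t10.0.0.12\twww.example.com\t93.184.216.34
2020-04-29T10:02:10Z\t10.0.0.40\tnotexample.net\t203.0.113.45
2020-04-29T10:03:00Z\t10.0.0.77\tc2-panel.example.org\t198.51.100.9
"""


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client: str
    matched_field: str  # "qname" or "rdata"
    value: str          # what was seen in the log
    ioc: str            # which indicator it matched


def refang(value: str) -> str:
    """Undo common defanging ([.] and hxxp) for comparison purposes only.
    The result is never meant to be opened, only compared against logs."""
    v = value.strip().lower()
    for token in ("[.]", "(.)", "{.}"):
        v = v.replace(token, ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", v)


def extract_indicator(value: str) -> str:
    """Reduce a URL or bare indicator to the host part used for matching."""
    v = re.sub(r"^https?://", "", refang(value))
    v = v.split("/", 1)[0]          # drop any path
    if v.count(":") == 1:           # drop a port on a hostname or IPv4 literal
        v = v.split(":", 1)[0]
    return v.rstrip(".")


def classify(host: str) -> str:
    """'ip' for an IPv4/IPv6 literal, otherwise 'domain'."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "domain"


def load_iocs(defanged):
    domains, ips = set(), set()
    for raw in defanged:
        host = extract_indicator(raw)
        (ips if classify(host) == "ip" else domains).add(host)
    return domains, ips


def domain_matches(qname: str, domains):
    """Exact or subdomain match; 'notexample.net' must not match 'example.net'."""
    q = qname.lower().rstrip(".")
    for d in domains:
        if q == d or q.endswith("." + d):
            return d
    return None


def scan_dns_log(log_text: str, defanged=DEFANGED_IOCS):
    """Return every log record whose query name or answer hits an IOC."""
    domains, ips = load_iocs(defanged)
    hits = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, qname, rdata = line.split("\t")
        d = domain_matches(qname, domains)
        if d:
            hits.append(Hit(ts, client, "qname", qname, d))
        if rdata in ips:
            hits.append(Hit(ts, client, "rdata", rdata, rdata))
    return hits


if __name__ == "__main__":
    for h in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{h.timestamp} {h.client} {h.matched_field}={h.value} -> IOC {h.ioc}")
```

Domain indicators are matched as suffixes so that subdomains of a C2 domain are caught, while the leading-dot check keeps a look-alike such as `notexample.net` from matching `example.net`. IP indicators are matched exactly; treat an IP-only hit as weaker evidence than a domain hit, since C2 addresses often sit on shared hosting and can be reassigned after the campaign ends.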

In this exercise I will highlight the differences between the RiskIQ PassiveTotal account types and integrations:
Free Community Account
Paid Enterprise Account
PassiveTotal Enterprise with the CrowdStrike integration enabled.