One Step Ahead in Cyber Hide-and-Seek: Automating Malicious Infrastructure Discovery With Graph Neural Networks
Jan. 21, 2025, 6:48 p.m.
Description
The report discusses an automated approach that uses graph neural networks to proactively detect, starting from known indicators, the malicious infrastructure threat actors employ in cyber attacks. It examines the relationships between different types of indicators, such as co-hosted domains, malware delivery URLs, and SSL certificates, which can reveal connections between seemingly unrelated infrastructure. The approach involves training a graph neural network classifier on these relationships to identify new malicious domains and infrastructure. Three case studies are presented, highlighting the effectiveness of this approach in uncovering large-scale phishing campaigns targeting postal services and financial institutions, as well as web skimmer operations.
Tags
Date
- Created: Jan. 21, 2025, 6:17 p.m.
- Published: Jan. 21, 2025, 6:17 p.m.
- Modified: Jan. 21, 2025, 6:48 p.m.
Indicators
- 47.251.0.168
- www.deutsche-chartered-bank.cloudswt.com
- www.capitalxpresslogistic.live.firstnationalbank.live
- webmail.portal.guardiantrustbank.us
- usps.postscy.top
- truistcommercialbank.live.rhinoswiftdelivery.live
- hgsgbank.com.nexcreditunion.com
- inncbank.com.nexcreditunion.com
- deutsche-chartered-bank.cloudswt.com
- capitalxpresslogistic.live.firstnationalbank.live
- ftp.pristineglobalinvestmentbank.com
- apple.com-ticket.info
- apps.guardiantrustbanks.us
- woocomnnerce.com
- uspsyeay.top
- uspstpar.top
- uspsygfk.top
- uspsfugu.top
- uspsgrjp.top
- uspsntfj.top
- uspsepsu.top
- usps-supsrtys.top
- uspsftpr.top
- usps-supsrrne.top
- usps-supsrmuo.top
- usps-supsrrno.top
- usps-supsrfvw.top
- us-usos-qwtaz.top
- us-usos-qwtad.top
- us-usos-qwtaa.top
- staticlitycis.com
- standardcharteredbank.live
- pristineglobalinvestmentbank.com
- oceansharebank.com
- metropoliscapitalbank.us
- koreapostxt.shop
- koreapostxb.shop
- koreapostxn.shop
- koreapostst.shop
- koreapostpw.shop
- koreapostpu.shop
- koreapostpt.shop
- koreapostpo.shop
- koreapostpg.shop
- koreapostpf.shop
- koreapostpe.shop
- koreapostpc.shop
- koreapostnu.shop
- koreapostnp.shop
- koreapostni.shop
- koreapostmz.shop
- koreapostmx.shop
- koreapostmv.shop
- koreapostmk.shop
- koreapostma.shop
- koreapostge.shop
- jsmin.co
- jquerylib-min.net
- inposdomak.top
- inposdomag.top
- google-site-verification.com
- gcorpfinbank.info
- eurobank-stockscom.com
- eurobank-stocks.us
- cssjs.co
- correospanamaagobs-css.top
- correospanamaagobs-csx.top
- correospanamaagobs-csr.top
- correospanamaagobs-cse.top
- correospanamaagobs-csd.top
- correospanamaagobs-csc.top
- correoseswe.top
- correosespe.top
- correosesllr.top
- correoparaguayo-mypostvsz.top
- correoparaguayo-mypostvsy.top
- correoparaguayo-mypostvsx.top
- correoparaguayo-mypostvsu.top
- correoparaguayo-mypostvst.top
- correoparaguayo-mypostvsp.top
- correoparaguayo-mypostvsi.top
- correoparaguayo-mypostvsl.top
- correoparaguayo-mypostvsh.top
- correoparaguayo-mypostvsg.top
- correoparaguayo-mypostvsf.top
- correoparaguayo-mypostvse.top
- correoparaguayo-mypostvsd.top
- correoparaguayo-mypostvsa.top
- correoparaguayo-myposts.top
- correoparaguayo-myposth.top
- correoparaguayo-mypostf.top
- correoparaguayo-myposta.top
- chatwareopenalgroup.net
- byvlsa.com
- theipscanner.com
- myscannappo.online
- myscannappo.info
- myscannappo.com
- myipscanner.com
- ipscannershop.com
- ipscanneronline.com
- advanced-ip-sccanner.com
- establish-coinbase.com
Attack Patterns
- Aranuk/Carbanak
- Squeamish Libra
- T1557.002
- T1584.003
- T1584.004
- T1608.001
- T1583.004
- T1490
- T1583.003
- T1189
- T1071.001
- T1102
Additional Information
- Dominican Republic
- British Indian Ocean Territory
- Kenya
- Ireland
- Greece
- South Africa
- Singapore
- Korea, Democratic People's Republic of
- India
- Australia
- Korea, Republic of
- Switzerland
- Spain
- Italy
- Thailand
- Canada
- Germany
- Mexico
- Pakistan
- United Kingdom of Great Britain and Northern Ireland
- Israel
- United States of America