GitHub: BashiruDamoah/OSINT-Threat-Intelligence-Analysis-of-Suspicious-Cyber-Infrastructure-Using-VirusTotal
# Practical Threat Intelligence Analysis of Suspicious Cyber Infrastructure Using OSINT and VirusTotal
A structured, passive cyber threat intelligence investigation of suspicious domain infrastructure associated with phishing and malware campaigns, conducted entirely with publicly available Open-Source Intelligence (OSINT) techniques. The study leverages VirusTotal to examine domain reputation, DNS records, SSL certificate history, subdomain enumeration, and infrastructure relationship mapping.
**Author:** Damoah Bashiru
## Project Overview
This project presents a passive threat intelligence investigation of a suspicious domain suspected of being part of phishing or malware-related cyber infrastructure. The analysis was conducted entirely using free, publicly available OSINT platforms — no active scanning or unauthorized access was performed at any stage.
The core investigation followed a six-step structured workflow (the step-by-step guide below expands it to eight steps by adding a WHOIS lookup and a cross-reference against threat intelligence feeds):
1. Domain identification as the seed indicator
2. Reputation analysis using VirusTotal detection engines
3. DNS records and hosting infrastructure examination
4. SSL certificate history analysis
5. Subdomain enumeration
6. Infrastructure relationship graph visualization
Taken together, the findings led to a **HIGH RISK** assessment for the domain, with characteristics consistent with phishing campaigns, credential harvesting, and malware distribution operations. No single indicator carried the assessment; it rests on the combination of vendor detections, registration age, certificate history and linked infrastructure.
## Tools and Platforms Used
| Tool | Purpose | Link |
|---|---|---|
| VirusTotal | Domain reputation, DNS records, SSL certs, subdomains, relationship graphs | https://www.virustotal.com |
| WHOIS Lookup | Domain registration history and registrant data | https://lookup.icann.org |
| MXToolbox | DNS and mail server investigation | https://mxtoolbox.com |
| Shodan | IP address and hosting infrastructure lookup | https://www.shodan.io |
| AbuseIPDB | IP reputation and abuse reporting | https://www.abuseipdb.com |
| URLScan.io | Passive website scanning and screenshot capture | https://urlscan.io |
| AlienVault OTX | Open threat intelligence feeds and indicators | https://otx.alienvault.com |
| Maltego CE | Relationship mapping and entity graph analysis | https://www.maltego.com/get-started |
All tools listed above are free to use (registration may be required for some features).
## Repository Structure
```
.
├── report/
│   └── PRACTICAL_THREAT_INTELLIGENCE_ANALYSIS.pdf
├── screenshots/
│   ├── virustotal_detection_results.png
│   ├── dns_records_hosting.png
│   ├── whois_lookup.png
│   ├── ssl_certificate_history.png
│   ├── subdomain_enumeration.png
│   ├── relationship_graph_1.png
│   └── relationship_graph_2.png
└── README.md
```
## Step-by-Step Investigation Workflow
### Step 1 — Identify the Seed Indicator
The investigation begins with a suspicious domain name. This is called the **seed indicator** — the starting point from which all other intelligence is gathered.
Where to find suspicious domains:
- Phishing report feeds: https://openphish.com
- URLhaus malware database: https://urlhaus.abuse.ch
- PhishTank verified phishing list: https://www.phishtank.com
- Any domain reported internally by users or email filters
### Step 2 — Domain Reputation Analysis on VirusTotal
**Platform:** https://www.virustotal.com
**Steps:**
1. Go to https://www.virustotal.com
2. Click the **Search** bar at the top
3. Type or paste the suspicious domain name (e.g. `suspicious-domain.com`)
4. Press Enter
5. Click the **Detection** tab to see how many security vendors have flagged the domain
6. Note which vendors flagged it and with what label (Phishing, Malicious, Malware, etc.)
7. Check the **Community Score** on the left panel
**What to look for:**
- Number of vendors flagging the domain (higher = more suspicious)
- Detection categories (Phishing, Malware, Spam)
- Creation date and last analysis date
- Community comments from security researchers
**Screenshot the detection results page for your report.**
### Step 3 — DNS and Hosting Infrastructure Analysis
**Platform:** https://www.virustotal.com (Details tab) and https://mxtoolbox.com
**Steps on VirusTotal:**
1. On the domain report page, click the **Details** tab
2. Scroll to the **Last DNS Records** section
3. Record the following:
- **A record** — the IP address the domain resolves to
- **MX records** — mail exchange servers
- **NS records** — name servers (reveal the hosting provider)
- **SOA record** — zone authority information
4. Note the **Registrar** and **Creation Date** shown at the top of the Details tab
**Steps on MXToolbox:**
1. Go to https://mxtoolbox.com/SuperTool.aspx
2. Enter the domain name and click **MX Lookup** to check mail servers
3. Use **DNS Lookup** to cross-verify A and NS records
4. Use **Blacklist Check** to see if the IP is on any spam or abuse blacklists
**What to look for:**
- Whether the domain resolves to a shared or dedicated IP address
- Whether the mail server matches the domain or points to an unrelated service
- Whether the IP address has been previously reported as malicious
### Step 4 — WHOIS Registration Lookup
**Platform:** https://lookup.icann.org or https://www.virustotal.com (Details tab → RDAP section)
**Steps on ICANN WHOIS:**
1. Go to https://lookup.icann.org
2. Enter the suspicious domain name and click **Lookup**
3. Review the registration data:
- **Registrant name and organization** (may be redacted for privacy)
- **Creation date** — when the domain was first registered
- **Expiry date** — how long it is registered for
- **Registrar** — the company through which the domain was registered
- **Name servers** — confirm these match what VirusTotal showed
**Steps on VirusTotal:**
1. On the domain Details tab, scroll to the **Registration Data (RDAP)** section
2. Review the registration record and compare it with the ICANN result. Historical WHOIS (seeing whether the registrant or registrar has changed over time) is generally a premium VirusTotal feature; the free report shows only the most recent record
**What to look for:**
- Recently registered domains (days or weeks old) paired with malicious detections are high risk
- Privacy-redacted registrant details are common in malicious infrastructure, but redaction is also the default at most registrars today, so on its own it is weak evidence; it matters in combination with recent registration and detections
- Many domains registered within a short window through the same registrar and name servers may indicate a campaign
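Steps 2 to 4 can be automated against the VirusTotal API v3 domain object, which carries the detection stats, per-vendor results, last DNS records, registrar and creation date that the manual steps record. The script below is an added example, not code from the original repository. For live use it assumes a VirusTotal API key in the `VT_API_KEY` environment variable; the sample report embedded in it is constructed and abridged to the fields the triage reads, and the 30-day "recently registered" threshold is a heuristic chosen for this example.

```python
"""Triage a VirusTotal API v3 domain object (Steps 2 to 4 of the workflow).

Added example, not code from the original repository. Live use assumes the
VT_API_KEY environment variable; SAMPLE_REPORT is constructed and abridged.
"""
import json
import os
import urllib.request
from datetime import datetime, timezone

VT_DOMAIN_URL = "https://www.virustotal.com/api/v3/domains/{}"
RECENT_REGISTRATION_DAYS = 30  # heuristic threshold chosen for this example
FIXED_NOW = datetime(2024, 6, 21, tzinfo=timezone.utc)  # fixed clock so the demo is reproducible

# Constructed sample in the shape of GET /api/v3/domains/{domain} (abridged).
SAMPLE_REPORT = {
    "data": {
        "id": "suspicious-domain.example",
        "type": "domain",
        "attributes": {
            "creation_date": 1717200000,  # 2024-06-01T00:00:00Z
            "registrar": "Example Registrar, Inc.",
            "last_analysis_stats": {
                "harmless": 60, "malicious": 7, "suspicious": 2,
                "undetected": 25, "timeout": 0,
            },
            "last_analysis_results": {
                "VendorA": {"category": "malicious", "result": "phishing"},
                "VendorB": {"category": "malicious", "result": "malware"},
                "VendorC": {"category": "harmless", "result": "clean"},
                "VendorD": {"category": "suspicious", "result": "suspicious"},
            },
            "last_dns_records": [
                {"type": "A", "value": "203.0.113.10", "ttl": 300},
                {"type": "NS", "value": "ns1.hosting.example", "ttl": 3600},
                {"type": "MX", "value": "mail.unrelated.example", "ttl": 3600, "priority": 10},
            ],
        },
    }
}


def fetch_domain_report(domain, api_key=None):
    """Fetch the live domain object (network access; not used by the offline demo)."""
    api_key = api_key or os.environ["VT_API_KEY"]
    req = urllib.request.Request(VT_DOMAIN_URL.format(domain), headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def triage(report, now=None):
    """Reduce a domain object to the fields the manual Steps 2 to 4 record."""
    attrs = report["data"]["attributes"]
    domain = report["data"]["id"].lower()
    now = now or datetime.now(timezone.utc)

    stats = attrs.get("last_analysis_stats", {})
    # Vendors that flagged the domain, with their label (Step 2, item 6).
    flagged = sorted(
        (vendor, r.get("result"))
        for vendor, r in attrs.get("last_analysis_results", {}).items()
        if r.get("category") in ("malicious", "suspicious")
    )

    # Group last DNS records by type (Step 3).
    dns = {}
    for rec in attrs.get("last_dns_records", []):
        dns.setdefault(rec["type"], []).append(rec["value"])

    # Domain age from the epoch creation_date (Step 4).
    created = attrs.get("creation_date")
    age_days = None
    if created is not None:
        age_days = (now - datetime.fromtimestamp(created, tz=timezone.utc)).days

    # Does mail go to a host under the domain itself or to an unrelated service?
    mx_hosts = [h.lower().rstrip(".") for h in dns.get("MX", [])]
    mx_external = any(not (h == domain or h.endswith("." + domain)) for h in mx_hosts)

    return {
        "domain": domain,
        "malicious": stats.get("malicious", 0),
        "suspicious": stats.get("suspicious", 0),
        "flagged_vendors": flagged,
        "dns": dns,
        "registrar": attrs.get("registrar"),
        "age_days": age_days,
        "recently_registered": age_days is not None and age_days <= RECENT_REGISTRATION_DAYS,
        "mx_external": mx_external,
    }


def risk_flags(summary):
    """Turn the triage into the 'what to look for' observations as plain strings."""
    flags = []
    if summary["malicious"] >= 3:
        flags.append(f"{summary['malicious']} vendors rate the domain malicious")
    if summary["recently_registered"]:
        flags.append(f"registered {summary['age_days']} days ago")
    if summary["mx_external"]:
        flags.append("MX points outside the domain")
    return flags


def demo():
    """Offline run over the constructed sample with the fixed clock."""
    return triage(SAMPLE_REPORT, now=FIXED_NOW)


if __name__ == "__main__":
    summary = demo()
    print(json.dumps(summary, indent=2, default=str))
    print(risk_flags(summary))
```

Replace `demo()` with `triage(fetch_domain_report("suspicious-domain.com"))` for a live lookup; the summary dictionary maps directly onto the rows of the findings table at the end of this README.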
### Step 5 — SSL Certificate History Analysis
**Platform:** https://www.virustotal.com (Details tab) and https://crt.sh
**Steps on VirusTotal:**
1. On the domain Details tab, scroll to the **Last HTTPS Certificate** section
2. Note the following:
- **Certificate issuer** (e.g. Let's Encrypt, DigiCert)
- **Subject** — what domains the certificate covers
- **Validity period** — Not Before and Not After dates
- **Fingerprint** — unique identifier of the certificate
**Steps on crt.sh (certificate transparency log search):**
1. Go to https://crt.sh
2. Enter the domain name in the search box and press Enter
3. Review all historical certificates issued for the domain and its subdomains
4. Look at the **Common Name** and **SAN (Subject Alternative Names)** fields for related domains
**What to look for:**
- Short-lived certificates (expired quickly) suggest temporary or rotating infrastructure; judge validity against the issuer's norm, since Let's Encrypt certificates are 90-day certificates by design
- Let's Encrypt certificates are free and commonly used in phishing domains, but also by a large share of legitimate sites, so the issuer alone is not an indicator
- Certificates covering multiple suspicious subdomains indicate shared infrastructure
- Reused certificate fingerprints across different domains reveal hosting relationships
### Step 6 — Subdomain Enumeration
**Platform:** https://www.virustotal.com (Relations tab) and https://urlscan.io
**Steps on VirusTotal:**
1. On the domain report page, click the **Relations** tab
2. Scroll to the **Subdomains** section
3. List all subdomains identified (e.g. `login.domain.com`, `admin.domain.com`, `mail.domain.com`)
4. Click on individual subdomains to check their own detection results
**Steps on URLScan.io:**
1. Go to https://urlscan.io
2. Enter the domain in the search box
3. Review scan results for any screenshots, linked subdomains, and outgoing requests
4. Check the **DOM** and **Links** tabs for additional related infrastructure
**What to look for:**
- Subdomains named `login`, `secure`, `account`, `verify`, `portal` are common in phishing
- Subdomains pointing to different IP addresses may indicate distributed hosting
- A large number of subdomains for a recently registered domain is suspicious
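Steps 5 and 6 share one data source: the certificate transparency logs behind crt.sh list every certificate issued for the domain, and the Subject Alternative Names on those certificates are one of the main ways subdomains surface. The script below is an added example, not code from the original repository. The live query uses the crt.sh JSON output (`https://crt.sh/?q=%25.<domain>&output=json`); the entries embedded in it are constructed in that shape, and the list of lure labels is the one given under "What to look for" above.

```python
"""Mine crt.sh certificate transparency results for hostnames, issuers and
validity (Steps 5 and 6: SSL history and subdomain enumeration).

Added example, not code from the original repository. SAMPLE_CRTSH is
constructed in the shape of crt.sh's JSON output (abridged fields).
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime

CRTSH_URL = "https://crt.sh/?q={}&output=json"
# Subdomain labels the workflow calls out as common in phishing (Step 6).
PHISHING_LABELS = {"login", "secure", "account", "verify", "portal"}

SAMPLE_CRTSH = [
    {"id": 1001, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "suspicious-domain.example",
     "name_value": "suspicious-domain.example\nlogin.suspicious-domain.example\nwww.suspicious-domain.example",
     "not_before": "2024-06-02T10:00:00", "not_after": "2024-08-31T10:00:00"},
    {"id": 1002, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "secure.suspicious-domain.example",
     "name_value": "secure.suspicious-domain.example\nverify.suspicious-domain.example",
     "not_before": "2024-06-15T08:00:00", "not_after": "2024-09-13T08:00:00"},
    {"id": 1003, "issuer_name": "C=GB, O=Example CA Ltd, CN=Example DV CA",
     "common_name": "*.suspicious-domain.example",
     "name_value": "*.suspicious-domain.example\nsuspicious-domain.example\nanother-brand.example",
     "not_before": "2024-06-20T00:00:00", "not_after": "2025-06-20T00:00:00"},
]


def fetch_certs(domain):
    """Live crt.sh query for the domain and all its subdomains (network access)."""
    url = CRTSH_URL.format(urllib.parse.quote("%." + domain))
    with urllib.request.urlopen(url, timeout=60) as resp:
        return json.load(resp)


def parse_certs(entries):
    """Normalise crt.sh rows: split the SAN list, drop wildcard prefixes,
    compute the validity period in days, and order by issuance."""
    certs = []
    for e in entries:
        raw = e["name_value"].split("\n") + [e["common_name"]]
        names = {n.strip().lower().removeprefix("*.") for n in raw if n.strip()}
        not_before = datetime.fromisoformat(e["not_before"])
        not_after = datetime.fromisoformat(e["not_after"])
        certs.append({"id": e["id"], "issuer": e["issuer_name"], "names": sorted(names),
                      "not_before": not_before,
                      "validity_days": (not_after - not_before).days})
    return sorted(certs, key=lambda c: c["not_before"])


def hostnames(certs, domain):
    """Split every certified name into subdomains of `domain` and other domains
    (the latter are pivots for the relationship graph in Step 7)."""
    domain = domain.lower()
    subs, others = set(), set()
    for c in certs:
        for n in c["names"]:
            if n == domain:
                continue
            (subs if n.endswith("." + domain) else others).add(n)
    return {"subdomains": sorted(subs), "other_domains": sorted(others)}


def flag_subdomains(names):
    """Subdomains whose leftmost label is a typical phishing lure word."""
    return [n for n in names if n.split(".")[0] in PHISHING_LABELS]


def issuer_summary(certs):
    """Certificate count and validity periods per issuer, so a 90-day
    Let's Encrypt certificate is judged against that issuer's norm."""
    out = {}
    for c in certs:
        d = out.setdefault(c["issuer"], {"count": 0, "validity_days": []})
        d["count"] += 1
        d["validity_days"].append(c["validity_days"])
    return out


if __name__ == "__main__":
    certs = parse_certs(SAMPLE_CRTSH)
    found = hostnames(certs, "suspicious-domain.example")
    print(found)
    print("lure subdomains:", flag_subdomains(found["subdomains"]))
    print(issuer_summary(certs))
```

Swap `SAMPLE_CRTSH` for `fetch_certs("suspicious-domain.com")` to run it live; crt.sh returns every historical certificate, so expect hundreds of rows for long-lived domains and treat `other_domains` as leads to check on VirusTotal, not as confirmed links.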
### Step 7 — Infrastructure Relationship Graph
**Platform:** https://www.virustotal.com (VirusTotal Graph) and Maltego CE (https://www.maltego.com/get-started)
**Steps:**
1. On the domain report page, click the **Relations** tab
2. Scroll to the **Graph Summary** section at the bottom
3. Click **"Open in VirusTotal Graph"** (requires a free VirusTotal account)
4. The graph will display the domain as a central node connected to:
- IP addresses (Resolutions)
- SSL certificates (Historical SSL Certificates)
- Subdomains
- Related files or URLs
5. Click on any node in the graph to expand its own relationships
6. Look for shared IP addresses or certificates that link to other domains
**Steps on Maltego CE:**
1. Download Maltego CE from https://www.maltego.com/get-started (free registration required)
2. Create a new graph and add a Domain entity
3. Enter the suspicious domain name
4. Right-click the entity and run transforms such as:
- **To DNS Name** — discovers subdomains
- **To IP Address** — resolves hosting IPs
- **To Website** — links to associated web pages
5. Expand nodes to reveal the full infrastructure map
**What to look for:**
- Multiple domains resolving to the same IP address (infrastructure reuse); discount IPs that belong to shared hosting, CDNs or large cloud providers, where co-location with thousands of unrelated domains is expected and a pivot through them produces noise
- Shared SSL certificates across different domains
- Connections to known malicious IPs or previously flagged domains
- A large number of linked entities from a single domain suggests a campaign
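The relationship graph is a pivot over a bipartite graph: domains on one side, IP addresses and certificate fingerprints on the other, with an edge wherever a domain resolved to an IP or served a certificate. The script below is an added example, not code from the original repository or from VirusTotal Graph, and the relations it pivots over are constructed; in practice they come from the VirusTotal `resolutions` and `historical_ssl_certificates` domain relationships or from the Maltego transforms above. It generalises the manual "click to expand" procedure into a bounded breadth-first search and adds the check a practitioner needs: an infrastructure node linked to more domains than a threshold (25 here, an assumption) is treated as shared hosting and not expanded.

```python
"""Pivot from a seed domain through shared IPs and certificates to linked
domains, the programmatic form of the Step 7 relationship graph.

Added example, not code from the original repository. RESOLUTIONS and
CERTIFICATES are constructed; SHARED_NODE_LIMIT is an assumed threshold.
"""
from collections import deque

SHARED_NODE_LIMIT = 25  # infra nodes linked to more domains than this are treated as shared hosting
SEED = "suspicious-domain.example"

# Constructed relations: domain -> IPs it has resolved to.
RESOLUTIONS = {
    "suspicious-domain.example": ["203.0.113.10", "192.0.2.50"],
    "login-verify.example": ["203.0.113.10", "198.51.100.7"],
    "secure-account.example": ["198.51.100.7"],
    "cloned-brand.example": ["203.0.113.77"],
    "legit-shop.example": ["192.0.2.50"],
}
# Forty unrelated tenants on 192.0.2.50 make it look like a shared host.
RESOLUTIONS.update({f"tenant{i}.example": ["192.0.2.50"] for i in range(40)})

# Constructed relations: domain -> certificate fingerprints it has served.
CERTIFICATES = {
    "suspicious-domain.example": ["sha256:aaaa1111"],
    "cloned-brand.example": ["sha256:aaaa1111"],
    "legit-shop.example": ["sha256:cccc3333"],
}


def build_graph(resolutions, certificates):
    """Undirected bipartite graph: ('domain', name) <-> ('ip', addr) / ('cert', fp)."""
    graph = {}

    def link(a, b):
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)

    for dom, ips in resolutions.items():
        for ip in ips:
            link(("domain", dom), ("ip", ip))
    for dom, fps in certificates.items():
        for fp in fps:
            link(("domain", dom), ("cert", fp))
    return graph


def pivot(graph, seed, max_hops=2, shared_limit=SHARED_NODE_LIMIT):
    """Breadth-first pivot; one hop is domain -> shared IP/cert -> domain.
    Returns ({linked_domain: path_from_seed}, {infra nodes skipped as shared})."""
    start = ("domain", seed)
    paths = {start: [start]}
    queue = deque([start])
    shared = set()
    while queue:
        node = queue.popleft()
        # Domains sit at even positions in a path; stop expanding after max_hops.
        if node[0] == "domain" and (len(paths[node]) - 1) // 2 >= max_hops:
            continue
        for nxt in graph.get(node, ()):
            if nxt in paths:
                continue
            if nxt[0] != "domain" and len(graph[nxt]) > shared_limit:
                shared.add(nxt)  # shared hosting / CDN: record it, do not pivot through it
                continue
            paths[nxt] = paths[node] + [nxt]
            queue.append(nxt)
    linked = {n[1]: p for n, p in paths.items() if n[0] == "domain" and n != start}
    return linked, shared


def format_path(path):
    return " -> ".join(f"{kind}:{value}" for kind, value in path)


def demo():
    """Offline run over the constructed relations."""
    return pivot(build_graph(RESOLUTIONS, CERTIFICATES), SEED)


if __name__ == "__main__":
    linked, shared = demo()
    for dom, path in sorted(linked.items()):
        print(dom, "<=", format_path(path))
    print("skipped as shared:", sorted(shared))
```

In the constructed data the seed reaches `login-verify.example` through its dedicated IP, `secure-account.example` one hop further, and `cloned-brand.example` through a reused certificate, while `legit-shop.example` and the forty tenants are never reached because the only edge to them runs through the shared IP. Tune `SHARED_NODE_LIMIT` to your data: on a hosting-heavy graph a node with a few dozen neighbours is still worth expanding, on a CDN it is not.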
### Step 8 — Cross-Reference with Threat Intelligence Feeds
**Platforms:**
| Platform | Link | What to Check |
|---|---|---|
| AlienVault OTX | https://otx.alienvault.com | Search the domain for threat pulses and IOC reports |
| AbuseIPDB | https://www.abuseipdb.com | Check if the resolved IP has been reported for abuse |
| Shodan | https://www.shodan.io | Look up the IP for open ports and hosting details |
| URLhaus | https://urlhaus.abuse.ch | Check if the domain has been used to distribute malware |
| Google Safe Browsing | https://transparencyreport.google.com/safe-browsing/search | Check if Google has flagged the domain |
**Steps for AlienVault OTX:**
1. Go to https://otx.alienvault.com and create a free account
2. Use the search bar to enter the domain name
3. Review any **Threat Pulses** associated with the domain
4. Download indicators of compromise (IOCs) if available
## Summary of Findings
| Investigation Step | Finding |
|---|---|
| Domain reputation | Flagged by multiple independent security vendors |
| DNS records | Resolves to a specific public IP address |
| WHOIS data | Registered through a domain privacy service; creation date recent |
| SSL certificate | Issued by Let's Encrypt; covers multiple subdomains |
| Subdomains | Several operational subdomains identified |
| Relationship graph | Domain connected to multiple IPs and certificates confirming linked infrastructure |
## Risk Assessment
Based on the collected intelligence evidence, the investigated infrastructure was assessed as:
**Threat Level: HIGH RISK**
Characteristics consistent with:
- Phishing page hosting
- Credential harvesting operations
- Malware distribution infrastructure
- Coordinated multi-domain campaign activity
## Security Recommendations
Organizations should implement the following defensive measures against similar threats:
- Deploy advanced email filtering to block domains flagged by threat intelligence feeds
- Subscribe to domain reputation monitoring services such as https://otx.alienvault.com
- Enforce multi-factor authentication on all user-facing systems, preferring phishing-resistant methods (FIDO2/WebAuthn security keys or passkeys), since a credential-harvesting page can relay one-time codes and push prompts in real time
- Conduct regular employee cybersecurity awareness training
- Monitor internal DNS query logs for connections to suspicious infrastructure
- Maintain and update blocklists of malicious domains from feeds such as https://urlhaus.abuse.ch and https://openphish.com
- Integrate the VirusTotal API into security workflows for automated domain reputation checks (https://developers.virustotal.com); the free public API key is rate limited (4 lookups per minute and 500 per day at the time of writing), so batch lookups and cache results
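The "monitor internal DNS query logs" recommendation needs one piece of logic that is easy to get wrong: a blocklisted domain must match the query name exactly or as a parent domain on a label boundary, so `login.suspicious-domain.example` is caught while `notsuspicious-domain.example` is not. The script below is an added example, not code from the original repository. Its log lines are constructed in a generic `timestamp client qname qtype` shape; adapt `parse_line` to your resolver's format (BIND query log, dnsmasq, Windows DNS debug log), and feed `BLOCKLIST` from the URLhaus and OpenPhish exports named above.

```python
"""Match internal DNS query logs against a blocklist of malicious domains,
matching on label boundaries (exact domain or any subdomain of it).

Added example, not code from the original repository. BLOCKLIST and
SAMPLE_LOG are constructed; the log format is generic 'ts client qname qtype'.
"""

# In production, populate this from URLhaus / OpenPhish exports and your own IOCs.
BLOCKLIST = {"suspicious-domain.example", "login-verify.example"}

SAMPLE_LOG = """\
2024-06-21T09:14:02Z 10.0.0.15 www.corp.example A
2024-06-21T09:14:05Z 10.0.0.15 login.suspicious-domain.example A
2024-06-21T09:14:05Z 10.0.0.15 notsuspicious-domain.example A
2024-06-21T09:15:10Z 10.0.0.22 SUSPICIOUS-DOMAIN.EXAMPLE. AAAA
2024-06-21T09:16:44Z 10.0.0.31 login-verify.example.cdn.legit.example A
2024-06-21T09:17:00Z 10.0.0.31 verify.login-verify.example TXT
"""


def normalise(qname):
    """Lower-case and strip the trailing dot of a fully qualified name."""
    return qname.lower().rstrip(".")


def matches(qname, blocklist):
    """Return the blocklisted domain that qname equals or is a subdomain of,
    or None. Walking label suffixes means 'notsuspicious-domain.example'
    does not hit, and neither does a blocklisted name appearing as a prefix
    of a longer unrelated name."""
    labels = normalise(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def parse_line(line):
    """Generic 'timestamp client qname qtype' record; adapt to your resolver."""
    ts, client, qname, qtype = line.split()
    return {"ts": ts, "client": client, "qname": normalise(qname), "qtype": qtype}


def scan(log_text, blocklist):
    """Return one alert per query that matches the blocklist."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        hit = matches(rec["qname"], blocklist)
        if hit:
            alerts.append({**rec, "matched": hit})
    return alerts


def clients_by_domain(alerts):
    """Which internal clients touched which blocklisted domain (triage view)."""
    out = {}
    for a in alerts:
        out.setdefault(a["matched"], set()).add(a["client"])
    return {dom: sorted(clients) for dom, clients in out.items()}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG, BLOCKLIST)
    for a in found:
        print(f"{a['ts']} {a['client']} queried {a['qname']} ({a['qtype']}) -> {a['matched']}")
    print(clients_by_domain(found))
```

Three of the six constructed queries alert; the two near misses (`notsuspicious-domain.example` and the blocklisted name embedded as a prefix of a CDN hostname) are exactly the cases a naive substring match would flag. Client `10.0.0.15` resolving a `login.` subdomain of a flagged domain is the lead to escalate first.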
## Useful OSINT Resources
| Resource | Link |
|---|---|
| VirusTotal | https://www.virustotal.com |
| ICANN WHOIS Lookup | https://lookup.icann.org |
| MXToolbox | https://mxtoolbox.com |
| crt.sh Certificate Search | https://crt.sh |
| URLScan.io | https://urlscan.io |
| Shodan | https://www.shodan.io |
| AbuseIPDB | https://www.abuseipdb.com |
| AlienVault OTX | https://otx.alienvault.com |
| URLhaus | https://urlhaus.abuse.ch |
| OpenPhish | https://openphish.com |
| PhishTank | https://www.phishtank.com |
| Google Safe Browsing | https://transparencyreport.google.com/safe-browsing/search |
| Maltego Community Edition | https://www.maltego.com/get-started |
| VirusTotal API Docs | https://developers.virustotal.com |