
Don't @ Me: URL Obfuscation Through Schema Abuse

submitted by Style Pass, 2023-06-03 15:00:02

A technique is being used in the distribution of multiple families of malware that obfuscates the end destination of a URL by abusing the URL schema. Mandiant tracks this adversary methodology as "URL Schema Obfuscation". The technique could increase the likelihood of a successful phishing attack, and could cause domain extraction errors in logging or security tooling. If a network defense tool relies on knowing which server a URL points to (e.g. checking whether a domain is on a threat intel feed), the technique could bypass that tool and cause gaps in visibility and coverage. Common URL parsing logic fails when it encounters this technique, resulting in the loss of visibility into threat campaigns and actor infrastructure.

Network defenders should check if URLs abusing the schema to obfuscate the destination cause any failures in logging, visibility, or security tooling.
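The page does not spell out the obfuscated URL format, but the title points at the "@" character, i.e. the RFC 3986 `userinfo@host` form of the authority component, where everything before the "@" is a username the server never sees and the real destination follows it. The example below is added here and is not code from Mandiant's article; it contrasts a naive "domain" regex of the kind found in ad-hoc log parsing with an RFC 3986 parser, and gives defenders a check for the failure the paragraphs above describe. All sample URLs are constructed and use reserved example domains; `attacker.example` is a placeholder, not real infrastructure.

```python
import re
from urllib.parse import urlsplit

# Constructed sample URLs (not taken from the original article). URLs 2-4 put a
# benign-looking name in the userinfo field; the host after the "@" is the
# real destination.
SAMPLE_URLS = [
    "https://example.com/login",
    "https://example.com@attacker.example/payload.exe",
    "http://example.com:443@attacker.example:8080/",
    "https://user:pass@attacker.example/path?next=example.com",
]

# Naive extractor: "the domain is the run of hostname characters after the
# scheme". It stops at the first "@" or ":" and so returns the decoy.
NAIVE_HOST_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://([A-Za-z0-9.-]+)")


def naive_host(url):
    """Return what a typical hand-written 'domain' regex would extract."""
    m = NAIVE_HOST_RE.match(url)
    return m.group(1) if m else None


def analyze(url):
    """Compare the naive extraction with an RFC 3986 split of the authority.

    urlsplit() takes the host from the part of the authority after the last
    "@", which is what a browser or HTTP client will actually connect to.
    """
    parts = urlsplit(url)
    naive = naive_host(url)
    return {
        "url": url,
        "naive_host": naive,
        "real_host": parts.hostname,
        "real_port": parts.port,
        "userinfo": parts.username,
        # Userinfo in a URL delivered to a user is rare enough to alert on;
        # a mismatch between the two extractions is the concrete symptom
        # that threat-intel lookups keyed on the naive value would miss.
        "has_userinfo": parts.username is not None,
        "host_mismatch": naive != parts.hostname,
    }


def find_obfuscated(urls):
    """Return the analyses of URLs that carry a userinfo component."""
    return [a for a in map(analyze, urls) if a["has_userinfo"]]


if __name__ == "__main__":
    for a in map(analyze, SAMPLE_URLS):
        print(f'{a["naive_host"]!s:14} -> {a["real_host"]!s:18} '
              f'userinfo={a["userinfo"]!r} mismatch={a["host_mismatch"]}')
```

Running the naive extractor and `urlsplit` side by side over a sample of proxy or mail logs is the check the article asks for: any URL where the two disagree is one whose destination the naive tooling would have logged, looked up, or blocked incorrectly. Note that `urlsplit` itself is only as good as its input; a URL that has already been mangled by an upstream logger that truncated at "@" cannot be recovered, so the comparison has to run on the raw URL.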

A tweet by @ankit_anubhav was observed describing a technique used by SMOKELOADER to obfuscate URL destinations. Mandiant's investigation into this technique discovered multiple other formats of the obfuscation being used to distribute a multitude of malware variants.
