LetsDefend - SOC105 - Requested T.I. URL address

Antoine Mondange
4 min read · May 29, 2023


Today we will focus on a new alert that occurred in the Security Operations Center.

Alert triggered in the SOC

This alert provides a few intriguing pieces of information to guide the investigation.

The timestamp when the alert was triggered (1) => 05:47 PM Mar 07, 2021.

The source of the request that triggered the alert (2) => 10.15.15.12 (probably a host monitored in the local area network).

Destination address (3) => 67.199.248.10.

Destination hostname (4) => bit.ly.

Requested URL (5) => https[:]//bit.ly/TAPSCAN.

The information provided by the alert is crucial for pivoting and going deeper in the analysis.

Let's have a look at the destination address and use AbuseIPDB to find out whether it is a known-bad IP or not:

AbuseIPDB result for 67.199.248.10

We can see that this IP address has been reported several times (1, 2).

This IP refers to the domain “bitly.com” (3).

From here, it is worth identifying what this domain is actually used for.

Let's go further by analysing the domain with VirusTotal:

bitly.com is reported as clean

But what service does bitly.com offer? We are curious, so we will use Browserling to open the website in an isolated remote browser, even though VirusTotal has categorised it as non-malicious.

Bitly allows users to shorten URL

This website is clean. It is used to shorten URLs, which is useful on social media, for example, because some sites such as Twitter limit the number of characters per post. Shortening the link leaves users more room for their own text.

On the other hand, cybercriminals can use the same service to hide banned or blocklisted domain names. By masking the real URL of a malicious or fraudulent website behind a shortener, an attacker makes it harder for users to notice that the link is dangerous or to recognise it as a potential threat.

Files linked with the domain bitly.com

Malicious campaigns such as Emotet have used this kind of service to obfuscate URLs, as you can see in the screenshot above.

Now, let's check the requested URL that triggered the alert on VirusTotal:
https[:]//bit.ly/TAPSCAN.

Result of the analysis of https[:]//bit.ly/TAPSCAN.

We can observe that this shortened URL has been flagged as “malicious,” but it could be a false positive. We should conduct a more thorough analysis to determine whether it is indeed malicious or not.

Let's take a look at the page:

Result page of https[:]//bit.ly/TAPSCAN from Browserling.

The URL that triggered the alert redirects to play.google.com (1), which is not flagged as malicious on VirusTotal. Moreover, the Tapscanner application has 50M+ downloads and a good rating (4.7 ★).
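The redirect check above was done by hand in Browserling. The following Python script is an added example for this write-up, not code from LetsDefend or the original post: it expands a shortened URL by issuing HEAD requests and reading only the Location header, never contacting a host that is not a known shortener, so the analyst learns the landing domain without touching the landing page. The KNOWN_SHORTENERS and ALLOWLIST sets, the fake redirect table and the Play Store app id are constructed placeholders; only the bit.ly link and the play.google.com destination come from the alert.

```python
"""Expand a shortened URL using only HEAD requests and Location headers, then
report where it lands. Added example for this write-up; it is not code from
LetsDefend or the original post. KNOWN_SHORTENERS, ALLOWLIST and the fake
redirect table below are constructed for the demo."""
import http.client
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

Fetcher = Callable[[str], Tuple[int, Optional[str]]]  # (status, Location header)

# Constructed lists: hosts we are willing to contact (shorteners only) and
# landing hosts the SOC treats as a benign signal. Tune these to your environment.
KNOWN_SHORTENERS = frozenset({"bit.ly", "bitly.com", "t.co", "tinyurl.com"})
ALLOWLIST = frozenset({"play.google.com", "apps.apple.com"})


def refang(url: str) -> str:
    """Turn report notation (https[:]//, hxxp, [.]) back into a real URL."""
    return url.replace("[:]", ":").replace("[.]", ".").replace("hxxp", "http")


def defang(url: str) -> str:
    """Bracket the scheme separator so the URL is not clickable in a ticket."""
    return url.replace("://", "[:]//")


def head_no_follow(url: str, timeout: float = 10.0) -> Tuple[int, Optional[str]]:
    """Live fetcher: a single HEAD request with redirects NOT followed.
    Only the status line and Location header are read; no body is downloaded."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = parts.path or "/"
        if parts.query:
            path += "?" + parts.query
        conn.request("HEAD", path, headers={"User-Agent": "soc-url-expander/1.0"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def expand(url: str, fetch: Fetcher = head_no_follow, max_hops: int = 10) -> List[str]:
    """Return the redirect chain starting at url.

    Hosts outside KNOWN_SHORTENERS are never contacted: the chain stops as soon
    as it lands on one, so the analyst sees the destination without touching it.
    Also stops on a non-3xx answer, a missing Location header, a loop or max_hops."""
    chain = [refang(url)]
    seen = {chain[0]}
    for _ in range(max_hops):
        current = chain[-1]
        if (urlsplit(current).hostname or "") not in KNOWN_SHORTENERS:
            break
        status, location = fetch(current)
        if not 300 <= status < 400 or not location:
            break
        nxt = urljoin(current, location)  # Location may be relative
        chain.append(nxt)
        if nxt in seen:
            break  # redirect loop: record it once, then stop
        seen.add(nxt)
    return chain


def triage(chain: List[str]) -> Dict[str, object]:
    """Summarise a chain for the ticket. An allowlisted landing host is a benign
    signal, not proof; endpoint telemetry (as in the write-up) still decides."""
    final_host = urlsplit(chain[-1]).hostname or ""
    if final_host in KNOWN_SHORTENERS:
        verdict = "unresolved (still on a shortener or loop)"
    elif final_host in ALLOWLIST:
        verdict = "likely benign"
    else:
        verdict = "needs review"
    return {"final_url": defang(chain[-1]), "final_host": final_host,
            "hops": len(chain) - 1, "verdict": verdict}


# Constructed redirect table standing in for live HTTP answers (not captured data).
# The Play Store app id is a placeholder; the real one is not given in the write-up.
FAKE_RESPONSES = {
    "https://bit.ly/TAPSCAN": (301, "https://play.google.com/store/apps/details?id=PLACEHOLDER.app"),
    "https://bit.ly/loopA": (301, "https://bit.ly/loopB"),
    "https://bit.ly/loopB": (302, "/loopA"),  # relative Location that loops back
}


def fake_fetch(url: str) -> Tuple[int, Optional[str]]:
    return FAKE_RESPONSES.get(url, (200, None))


if __name__ == "__main__":
    # Offline demo using the constructed table; pass fetch=head_no_follow for a live lookup.
    for start in ("https[:]//bit.ly/TAPSCAN", "https://bit.ly/loopA"):
        chain = expand(start, fetch=fake_fetch)
        print(" -> ".join(defang(u) for u in chain))
        print(triage(chain))
```

The design choice worth noting is the early `break` in `expand`: the script only ever talks to hosts in KNOWN_SHORTENERS, so if a shortener points at an attacker-controlled page, that page is never requested from the analyst's machine. The allowlist verdict is deliberately weak ("likely benign"); as the write-up does, confirm with the endpoint data before closing the alert.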

VirusTotal analysis of subdomain play.google.com.

Now let's correlate this information with the endpoint security data:

From this data we can confirm that:

The request has been made from MarksPhone (1).

The IP address from which the request was made (2).

There is no suspicious process nor suspicious network action (3).

Containment was not required (4).

From all of this information, we can say that it is a false positive.

The URL requested is a false positive.

List of indicators used for the analysis.
