Malicious actors continue to leverage the global Coronavirus (COVID-19) pandemic to register phishing and malware domains to lure unsuspecting users into disclosing their credentials or downloading and executing malware onto their systems. Anomali and our partner ecosystem have publicly released data and information to identify, monitor, and respond to the latest threats to thwart malicious Coronavirus (COVID-19) themed activity from impacting customer’s information systems and networks. In this latest blog, we detail how to collect the new and rich data source offered by Anomali partner DomainTools and how to operationalize this data within ThreatStream, the industry-leading Threat Intelligence Platform (TIP).
On March 23, 2020, Anomali partner DomainTools released a free COVID-19 Threat List. In the list, users can find Coronavirus (COVID-19) malicious domain name permutations covering more than 60 relevant keywords such as Covid, c0vid, c0v1d, Corona, carona, and corrona. Moreover, the threat list filters out any domains below a Domain Risk Score of 70. According to DomainTools, the Domain Risk Score is a proprietary machine-learning classifier to analyze the intrinsic properties of a domain, identifying patterns consistent with malware, phishing, spam, or neutral domains.
MITRE Pre-ATT&CK Techniques: Buy domain name (T1328) | Spearphishing for Information (T1397)
MITRE Enterprise ATT&CK Techniques: Spearphishing Attachment (T1193) | Spearphishing Link (T1192)
Figure 1. Free COVID-19 Threat List - Domain Risk Assessments for Coronavirus Threats (Source: DomainTools)
How Anomali Customers Leverage the COVID-19 Threat List
The Anomali Threat Research team has curated the COVID-19 Threat List and imported the close to 65,000 suspicious and malicious domains into ThreatStream to help customers protect and defend their organizations. Anomali empowers our customers to operationalize and take action on this data in multiple ways such as:
Of note, this Threat Bulletin was announced on March 24, 2020 and provides our customers with a steady stream of new, actionable intelligence.
Figure 2. ThreatStream Observables Search page filtered on DomainTools - COVID-19 Threat List