14 March 2025

New feature: advanced analysis of URLs in files


As obfuscation techniques improve, threat detection today no longer relies solely on the analysis and recognition of malware signatures. To trap victims without further development effort, cybercriminals are adopting subtler methods, for example concealing malicious URLs within seemingly legitimate documents.

To respond to this new trend, GLIMPS has teamed up with Olfeo to offer its users new functions for URL analysis and categorization. Here’s how it works.

The issue of potentially malicious links in files

Cybercriminals never lack ingenuity when it comes to reaching their targets. While sending e-mails with phishing links or infected attachments remains a classic method, a new trend is emerging.

Links to malicious sites are hidden in seemingly legitimate PDF or Word documents, such as sales brochures or CVs. Less vigilant users then find themselves unwittingly redirected to high-risk sites.

Visiting a malicious link may appear to be a moderate risk as long as the user provides no information, but in reality some of these links lead to content that is itself criminally reprehensible, such as illegal child pornography.

Phishing sites, often associated with typosquatting techniques, where the URL is altered to look legitimate, represent an equally serious threat. These sites perfectly mimic platforms that employees use daily, such as Microsoft 365 or Google Workspace. When users are invited to log in to their usual platform, cybercriminals intercept their authentication information, in some cases even when multi-factor authentication (MFA) is enabled.

The same applies to links redirecting users to download sites impersonating software publishers. Thinking they are downloading official software, victims download a program containing malware onto their workstations.

Other, more direct attacks use links which, as soon as they are opened, trigger the automatic downloading of a file onto the victim’s workstation, without any prior redirection to a web page.

While links are a feature to which Internet users have become accustomed over time, they remain an attack vector that requires security measures to identify and block them before they are used.

URL qualification as a response

A recurring problem in the management of malicious URLs is their ephemeral nature.

As Cédric GIBERT, Product Director at GLIMPS, explains: “Automatically detecting phishing links is extremely difficult, as attackers often create URLs for a single day, the duration of the phishing campaign.

Once the campaign is over, these links become inactive, further complicating real-time monitoring.”

This is where Olfeo’s expertise comes in. When GLIMPS Malware extracts links from a file, they are compared against Olfeo’s database of already classified URLs. This database holds 25 million URLs and has been built up over 20 years through Olfeo’s Trust Centric approach to URL categorization. “All content is analyzed and categorized according to its nature, with mandatory validation by our classification team. This approach guarantees the exceptional quality of our database, with a ranking error rate close to zero, which sets us apart from other suppliers,” explains Richard Szewczyk, Sales Manager at Olfeo.

This database not only blocks malicious attempts upstream, but also offers protection against legal risks, as Richard Szewczyk points out: “What is of particular interest to our users is the presence of a theme dedicated to legal risks, developed in 2010 in collaboration with a law firm. This theme groups together categories of content that are criminally reprehensible under French law, such as child pornography, acts of violence or other illegal content. In a professional context, access to such content exposes the company to legal risks and engages the liability of the company director.”

This comparison makes it possible to quickly distinguish URLs that are already recognized and categorized as safe from unknown links, which are potentially dangerous. GLIMPS Malware uses this database to issue a malicious verdict for any file containing a URL categorized as criminally objectionable.

More recently, the .qouv domain has been used in phishing campaigns imitating French government .gouv sites, a situation that Olfeo’s database helps to manage: such a URL is detected as unlisted, classified as a high-risk domain, and blocked before any compromise attempt can succeed.

But the analysis doesn’t stop there. When a suspicious URL is detected in a file, GLIMPS Malware can now carry out an in-depth analysis using all its detection and characterization engines. Several scenarios may then arise, depending on the nature of the link.

If the URL leads to a file: GLIMPS Malware downloads the associated file, then performs a full analysis to check whether it contains malware or other threats.

If the URL leads to a website: GLIMPS Malware downloads the page and its associated objects (scripts, images, etc.) to check them for malicious code. This step determines whether visiting the page would trigger an exploitation or redirection attempt. Once the analysis is complete, a preview of the site is generated, enabling analysts to view the page without connecting to it directly.
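The workflow described in the preceding paragraphs (extract the links from a file, look each host up in a categorized URL database, treat recognized hosts according to their category, flag unknown hosts and .qouv-style lookalikes of trusted domains for deeper analysis, and route that analysis by whether the link points at a file or a page) can be sketched as a small pipeline. The following is an added illustration, not GLIMPS or Olfeo code: the category database, the blocked categories, the protected suffix list and the file-extension heuristic are all constructed assumptions, and nothing is downloaded; the "next step" is only a label for the analysis the text says would follow.

```python
"""URL qualification for links extracted from a document.

Constructed illustration of the workflow described above; this is not GLIMPS or
Olfeo code, and the category database, blocked categories, protected suffixes
and file-extension heuristic are assumptions standing in for the real services.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# Constructed stand-in for a categorized URL database keyed by hostname.
CATEGORY_DB = {
    "www.example-supplier.com": "business",
    "login.microsoftonline.com": "authentication",
    "impots.gouv.fr": "government",
    "badsite.example": "phishing",
}
# Categories that yield a malicious verdict for the file carrying the URL (assumption).
BLOCK_CATEGORIES = {"phishing", "malware", "legal-risk"}
# Trusted suffixes whose near-misses are treated as high-risk lookalikes
# (assumption, modelled on the .qouv/.gouv example in the text).
PROTECTED_SUFFIXES = ["gouv.fr"]
# Assumption: a path ending in one of these is treated as a downloadable file.
FILE_EXTENSIONS = {"exe", "msi", "zip", "pdf", "docx", "xlsm", "js"}

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)


@dataclass
class Verdict:
    url: str
    host: str
    category: Optional[str]
    status: str      # "safe", "malicious", "lookalike" or "unknown"
    next_step: str   # "none", "analyze-file" or "analyze-page"


def extract_urls(text: str) -> list:
    """Pull http(s) URLs out of extracted document text, de-duplicated, in order."""
    found = [u.rstrip(".,;:") for u in URL_RE.findall(text)]
    return list(dict.fromkeys(found))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character domain lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str) -> Optional[str]:
    """Return the protected suffix that `host` is one edit away from, else None."""
    labels = host.lower().split(".")
    for suffix in PROTECTED_SUFFIXES:
        n = suffix.count(".") + 1
        tail = ".".join(labels[-n:])
        if tail != suffix and edit_distance(tail, suffix) == 1:
            return suffix
    return None


def qualify(url: str) -> Verdict:
    """Known host: take the database verdict. Unknown host: flag for deeper analysis."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    category = CATEGORY_DB.get(host)
    if category is not None:
        status = "malicious" if category in BLOCK_CATEGORIES else "safe"
        return Verdict(url, host, category, status, "none")
    status = "lookalike" if lookalike_of(host) else "unknown"
    last_segment = parts.path.rsplit("/", 1)[-1].lower()
    ext = last_segment.rsplit(".", 1)[-1] if "." in last_segment else ""
    next_step = "analyze-file" if ext in FILE_EXTENSIONS else "analyze-page"
    return Verdict(url, host, None, status, next_step)


def qualify_document(text: str) -> list:
    return [qualify(u) for u in extract_urls(text)]


def file_verdict(verdicts) -> str:
    """One verdict for the whole file: malicious beats suspicious beats clean."""
    statuses = {v.status for v in verdicts}
    if "malicious" in statuses:
        return "malicious"
    if statuses & {"lookalike", "unknown"}:
        return "suspicious"
    return "clean"


# Constructed text standing in for what a PDF/Word parser would extract.
SAMPLE_DOCUMENT = """Commercial brochure
Catalogue: https://www.example-supplier.com/catalogue.pdf
Sign in with your work account: https://login.microsoftonline.com/
Tax certificate: https://impots.qouv.fr/verify, or https://badsite.example/login.
Installer: https://files.unknown.example/setup.exe
More: https://unknown-host.example/landing
"""

if __name__ == "__main__":
    results = qualify_document(SAMPLE_DOCUMENT)
    for v in results:
        print(f"{v.status:9} {v.next_step:13} {v.url}  ({v.category or 'uncategorized'})")
    print("file verdict:", file_verdict(results))
```

The database lookup is deliberately done before the lookalike check, so that a lookalike domain already catalogued as phishing receives the definitive verdict rather than the weaker "lookalike" flag; in a real deployment the edit-distance check would be only one signal among several, since it also trips on harmless near-misses.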

A solution for SOC and CSIRT teams

The new URL qualification functionality is a major asset for cybersecurity teams, whether Security Operations Centers (SOCs) or Computer Security Incident Response Teams (CSIRTs). It enhances their investigative capabilities by enabling them to prioritize analyses and deepen their understanding of threats, whatever their level of intervention.

As Cédric points out: “We cover the whole spectrum of analysis, from the N1 who simply raises doubts about a URL, to the one who carries out an in-depth investigation of malware.”

For a Level 1 SOC team, this feature simplifies the process of raising doubts. When a user reports a suspicious URL, file or email, the analyst can quickly determine whether it’s a real threat.

For a Level 3 SOC or CSIRT team, whose aim is to carry out advanced investigations by analyzing malware behavior and recovering its payload, GLIMPS Malware offers a controlled and secure environment.

Indeed, many SOCs do not have the necessary tools to carry out advanced investigations. They often rely on virtual machines (VMs) which they have to configure manually to analyze suspicious files in an isolated environment.

GLIMPS Malware provides an automated and fully secure solution, offering a ready-to-use environment. This enables analysts to focus on the essentials: understanding the threat, anticipating attacks and deploying effective countermeasures.

What's important

GLIMPS Malware now provides its users with a full arsenal of tools for qualifying and characterizing the URLs contained in the files they analyze. Drawing on the full range of its detection technologies, coupled with the technological partnership of the sovereign Olfeo solution, GLIMPS meets the ever-increasing cyber challenges of today’s complex geopolitical context.

Would you like to find out more? Contact our sales team today by clicking on this link.