Maltiverse is a powerful threat intelligence platform designed to help cybersecurity professionals, researchers, and organizations identify and respond to potential threats. At the heart of Maltiverse are Indicators of Compromise (IoCs)—these are digital clues, like fingerprints, that suggest malicious activity on a network or system. IoCs can include things like suspicious IP addresses, domain names, URLs, or file hashes associated with malware.
In this article, we’ll break down the main types of IoCs supported by Maltiverse in simple terms. IoCs help you detect breaches, block threats, and investigate incidents. For example:
- Threat Hunting: Search for known malicious IoCs in your logs.
- Incident Response: Analyze an IoC to understand its origin and impact.
- Enrichment: Add context to alerts from your security tools.
- Sharing: Export IoCs in formats like STIX for collaboration.
Maltiverse gathers data from blacklists (third-party feeds of known-bad indicators), user submissions, and private intelligence. Each IoC carries creation and last-update timestamps, plus context such as country of origin or tags (e.g., "phishing" or "malware").
You can search for these IoCs with the Maltiverse Query Language, which lets you filter by type, classification, flags, or other attributes to find exactly what you need.
Now, let’s dive into the four main IoC types.
IP Addresses (IPv4 and IPv6) #
IP addresses are like street addresses for devices on the internet. Maltiverse tracks both IPv4 (e.g., 192.0.2.1) and IPv6 (e.g., 2001:db8::1) addresses, helping you spot suspicious network connections.
Key Details You’ll See #
- Location Info: Country, city, state, latitude/longitude, and postal code.
- Network Details: Autonomous System (AS) name and number (e.g., AS15169 Google LLC), CIDR blocks, and registrant name.
- Counts: Number of domains resolving to this IP, including whitelisted or blacklisted ones; also, malicious URLs hosted here (online or offline).
- Blacklists: Sources that flagged this IP, with sighting counts and dates.
- Classification and Score: Based on activity—e.g., malicious if linked to attacks.
- Timestamps: When the IP was last updated or allocated.
Common Flags #
These indicate specific risks:
- Is it a hosting provider, CDN, or proxy?
- Is it a Tor node, VPN, mining pool, scanner, attacker, sinkhole, C&C server, or malware distributor?
- Is it an IoT threat?
Why It’s Useful #
IPs often appear in logs during attacks. For instance, a flagged IP might be distributing malware; block it to protect your network. Search for IPs in the search engine with a query such as type:ip AND classification:malicious.
To view all IP addresses: https://maltiverse.com/intelligence/search;query=type:ip
To view all IPv4 addresses: https://maltiverse.com/intelligence/search;query=type:ip%20AND%20ip_version:4
To view all IPv6 addresses: https://maltiverse.com/intelligence/search;query=type:ip%20AND%20ip_version:6
Hostnames (Domains) #
Hostnames are human-readable names for websites or servers, like “example.com”. Maltiverse analyzes them for signs of phishing, malware hosting, or other threats.
Key Details You’ll See #
- WHOIS Info: Registrant name and organization, address, email, nameservers, status, and WHOIS server.
- Domain Details: Creation, update, and expiration dates; top-level domain (TLD) like “.com”; resolved IPs with timestamps.
- Location Info: Country, city, state, and postal code.
- Network Details: AS name and number.
- Counts: Online or offline malicious URLs associated with the hostname.
- Blacklists: Flagging sources and dates.
- Classification and Score: E.g., suspicious if the domain is newly registered and has high entropy (random-looking characters).
- Timestamps: Last online time.
Common Flags #
- Is it alive (responsive)?
- Is it a C&C, malware distributor, IoT threat, mining pool, proxy, phishing site, phishing storage, Tor node, or VPN?
Why It’s Useful #
Malicious domains are common in phishing emails or drive-by downloads. Check whether a domain is expiring soon; it may have been abandoned by the attackers. Use a query such as type:hostname AND flag:is_phishing in the search engine to find threats.
To view all hostnames: https://maltiverse.com/intelligence/search;query=type:hostname
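The classification heuristic described above (newly registered plus high-entropy, random-looking labels) carried through in code, as an added example that is not Maltiverse's scoring logic. The entropy cutoff (3.5 bits per character), the 30-day "newly registered" window, the choice to score the longest non-TLD label, and the "suspicious"/"neutral" labels are assumptions for illustration; the hostnames and registration dates in the usage block are constructed.

```python
"""Score a hostname the way the section above describes: a new registration
combined with a high-entropy (random-looking) label pushes it to "suspicious".

Added example, not Maltiverse code. Thresholds and labels are assumptions.
"""
import math
from collections import Counter
from datetime import date

ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cutoff, tune on your own data
NEW_DOMAIN_DAYS = 30     # assumed window for "newly registered"


def shannon_entropy(text: str) -> float:
    """Shannon entropy of the string in bits per character (0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def longest_label(hostname: str) -> str:
    """Longest label left of the TLD; DGA names usually carry one long random label.

    Naive on purpose: the last label is treated as the TLD, so suffixes such as
    'co.uk' are not special-cased (a public-suffix list would fix that).
    """
    labels = hostname.lower().rstrip(".").split(".")
    candidates = labels[:-1] or labels
    return max(candidates, key=len)


def assess(hostname: str, created: str, today: str) -> dict:
    """Apply the heuristic. Dates are ISO strings (YYYY-MM-DD).

    Both signals are required for "suspicious"; anything else is "neutral".
    """
    label = longest_label(hostname)
    entropy = shannon_entropy(label)
    age_days = (date.fromisoformat(today) - date.fromisoformat(created)).days
    reasons = []
    if entropy >= ENTROPY_THRESHOLD:
        reasons.append(f"label {label!r} has entropy {entropy:.2f} bits/char")
    if age_days <= NEW_DOMAIN_DAYS:
        reasons.append(f"registered {age_days} days ago")
    return {
        "hostname": hostname,
        "entropy": round(entropy, 2),
        "age_days": age_days,
        "classification": "suspicious" if len(reasons) == 2 else "neutral",
        "reasons": reasons,
    }


if __name__ == "__main__":
    # Constructed inputs: one DGA-looking name registered two weeks ago,
    # one long-lived name with a dictionary-word label.
    for host, created in (("x7k2q9f4mzb3.example", "2024-01-05"),
                          ("www.example.com", "1995-08-14")):
        result = assess(host, created, "2024-01-20")
        print(result["hostname"], result["classification"], result["reasons"])
```

Entropy alone is a weak signal (CDN hostnames and hashed subdomains are high-entropy too), which is why the example only escalates when registration age agrees.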
URLs #
URLs are full web addresses, like “http://example.com/malicious-file”. Maltiverse breaks them down to reveal hidden risks.
Key Details You’ll See #
- Parsed Components: Hostname, domain, TLD, and IP (if the URL points directly to one).
- Checksum: A hash of the URL string, used as a stable identifier for quick lookups.
- Blacklists: Sources that detected the URL as harmful.
- Classification and Score: Often malicious if linked to phishing or malware.
- Timestamps: Last online time.
Common Flags #
- Is it an IoT threat, alive, C&C, malware distributor, or phishing?
Why It’s Useful #
URLs are entry points for attacks via emails or ads. A flagged URL might lead to a scam site; analyze it to warn users. Search the search engine with a query such as type:url AND classification:suspicious.
To view all URLs: https://maltiverse.com/intelligence/search;query=type:url
Samples (File Hashes) #
Samples refer to files, identified by hashes (unique digital fingerprints). Maltiverse supports hashes like MD5, SHA1, SHA256, and SHA512 for malware analysis.
Key Details You’ll See #
- Hashes: Multiple types for cross-verification.
- File Info: Size, type (e.g., executable), filenames, and AV detection ratio.
- Behavioral Data: Mutexes (named synchronization objects that malware often creates to avoid infecting a host twice, which makes them useful identifiers), contacted hosts, DNS requests, Suricata alerts, HTTP traffic, processes, and antivirus hits.
- Blacklists: Sources labeling the file as malicious.
- Classification and Score: High if many AVs detect it.
- Timestamps: Creation and modification.
Common Flags #
No sample-specific flags are defined; the general flags described above apply where relevant.
Why It’s Useful #
File hashes help identify malware in your systems. For example, a sample with network alerts might be ransomware; quarantine it. Query samples in the search engine with type:sample AND filetype:executable.
To view all samples: https://maltiverse.com/intelligence/search;query=type:sample
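Sorting raw indicators into the four types above and building the matching search URL, as an added example that is not Maltiverse's own code. It uses only the query terms this page shows (type:ip, ip_version:4 and 6, type:hostname, type:url, type:sample). The defang handling (hxxp://, [.]), the hostname pattern, the rule that a bare hex string of MD5/SHA1/SHA256/SHA512 length is a sample, and the hash_algorithm key are my own assumptions; the inputs in the usage block are constructed.

```python
"""Classify an indicator string as one of the four Maltiverse IoC types
(ip, hostname, url, sample) and build the type-level search URL.

Added example, not Maltiverse code. Only query terms shown on the page are
emitted; hash_algorithm is a local convenience, not a Maltiverse field.
"""
import ipaddress
import re
from urllib.parse import quote, urlsplit

SEARCH_BASE = "https://maltiverse.com/intelligence/search;query="

# Hex-digit lengths of the hash algorithms the page lists for samples.
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Conservative hostname check: dotted labels of letters, digits and hyphens,
# no leading/trailing hyphen, alphabetic TLD. Scheme-less URLs are rejected.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.I)


def classify(indicator: str) -> dict:
    """Return {"type": ..., "value": ...} plus type-specific keys, or raise ValueError.

    Defanged forms (hxxp://, 1.2.3[.]4) are normalised first, because
    indicators copied from reports and alerts are frequently written that way.
    """
    value = indicator.strip().replace("[.]", ".").replace("(.)", ".")
    value = re.sub(r"^hxxp", "http", value, flags=re.I)

    # URL: a scheme plus a network location.
    parts = urlsplit(value)
    if parts.scheme in ("http", "https") and parts.netloc:
        return {"type": "url", "value": value, "hostname": parts.hostname}

    # IP address, with version so the ip_version filter can be applied.
    try:
        addr = ipaddress.ip_address(value)
        return {"type": "ip", "value": str(addr), "ip_version": addr.version}
    except ValueError:
        pass

    # Sample: a hex digest whose length matches one of the supported hashes.
    if HEX_RE.match(value) and len(value) in HASH_LENGTHS:
        return {"type": "sample", "value": value.lower(),
                "hash_algorithm": HASH_LENGTHS[len(value)]}

    if HOSTNAME_RE.match(value):
        return {"type": "hostname", "value": value.lower()}

    raise ValueError(f"not a recognised IoC: {indicator!r}")


def search_url(ioc: dict) -> str:
    """Build the search URL for the IoC's type in the page's query syntax.

    Colons stay literal and spaces become %20, matching the URLs shown above.
    """
    query = f"type:{ioc['type']}"
    if ioc["type"] == "ip":
        query += f" AND ip_version:{ioc['ip_version']}"
    return SEARCH_BASE + quote(query, safe=":")


if __name__ == "__main__":
    # Constructed inputs covering each type, including defanged forms.
    for raw in ("192.0.2.1", "2001:db8::1", "example[.]com",
                "hxxp://example[.]com/malicious-file",
                "d41d8cd98f00b204e9800998ecf8427e", "not an ioc"):
        try:
            ioc = classify(raw)
            print(f"{raw!r:45} -> {ioc['type']:9} {search_url(ioc)}")
        except ValueError as exc:
            print(f"{raw!r:45} -> rejected: {exc}")
```

The order of the checks matters: URLs are tested before IPs so that a URL with an IP host is still a URL, and hashes before hostnames so that a bare hex string never passes as a name.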
Tips for Using IoCs in Maltiverse #
- Search Smartly: Combine filters like classification:malicious AND is_phishing:true for targeted results. See the full query syntax.
- Enrich Your Tools: Integrate Maltiverse IoCs into SIEMs or firewalls via API.
- Stay Updated: IoCs evolve—check modification times for fresh intel.
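A known-IoC sweep over proxy logs that enriches each hit and flags stale intel, tying together the Threat Hunting and Enrichment uses listed at the top of the page and the "check modification times" tip above. This is an added example and not Maltiverse code: the IoC records and the log lines are constructed, their fields (type, value, classification, flags, modification_time) mirror attributes this page describes but are not a Maltiverse API schema, the log format is invented, and every flag name except is_phishing is an assumption.

```python
"""Sweep a proxy log for known IoCs, enrich hits, and mark old records.

Added example, not Maltiverse code. IoC records, flag names (other than
is_phishing), log format and log lines are constructed for illustration.
"""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed IoC set; modification_time drives the staleness check below.
IOCS = [
    {"type": "ip", "value": "198.51.100.23", "classification": "malicious",
     "flags": ["cnc"], "modification_time": "2024-05-01T10:00:00Z"},
    {"type": "hostname", "value": "x7k2q9f4mzb3.example", "classification": "suspicious",
     "flags": ["is_phishing"], "modification_time": "2024-05-10T08:30:00Z"},
    {"type": "hostname", "value": "old-threat.example", "classification": "malicious",
     "flags": ["malware_distributor"], "modification_time": "2022-01-01T00:00:00Z"},
]

# Constructed proxy log: timestamp, client, destination IP, method, URL.
LOG_LINES = """\
2024-05-20T12:00:01Z 10.0.0.5 -> 198.51.100.23 GET http://x7k2q9f4mzb3.example/login
2024-05-20T12:00:07Z 10.0.0.9 -> 203.0.113.7 GET http://www.example.com/
2024-05-20T12:00:09Z 10.0.0.5 -> 203.0.113.9 GET http://old-threat.example/payload.bin
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) (?P<method>\S+) (?P<url>\S+)$")

NOW = datetime(2024, 5, 20, tzinfo=timezone.utc)  # fixed clock so the run is reproducible


def parse_time(value: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps used in the constructed records."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def hunt(lines, iocs, now, max_age_days=365):
    """Match destination IPs, URL hostnames and full URLs against the IoC set.

    Each hit carries the IoC's classification and flags (the enrichment) and a
    'stale' marker when the record was last modified more than max_age_days
    before 'now', so aged intel is re-verified rather than acted on blindly.
    """
    index = {(ioc["type"], ioc["value"]): ioc for ioc in iocs}
    cutoff = now - timedelta(days=max_age_days)
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than abort the sweep
        host = (urlsplit(m["url"]).hostname or "").lower()
        for key in (("ip", m["dst"]), ("hostname", host), ("url", m["url"])):
            ioc = index.get(key)
            if ioc is None:
                continue
            hits.append({
                "timestamp": m["ts"],
                "source": m["src"],
                "ioc_type": key[0],
                "ioc": key[1],
                "classification": ioc["classification"],
                "flags": ioc["flags"],
                "stale": parse_time(ioc["modification_time"]) < cutoff,
            })
    return hits


def run_example():
    """Sweep the constructed log against the constructed IoC set."""
    return hunt(LOG_LINES, IOCS, NOW)


if __name__ == "__main__":
    for hit in run_example():
        note = " (stale intel, re-verify)" if hit["stale"] else ""
        print(f"{hit['timestamp']} {hit['source']} -> {hit['ioc_type']} "
              f"{hit['ioc']}: {hit['classification']} {hit['flags']}{note}")
```

In a real deployment the IoC set would come from the API rather than a literal, and the staleness window is a policy choice: a C&C address flagged two years ago is as likely to be a re-assigned cloud IP as an active threat, so the stale marker should route the hit to review rather than to an automatic block.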
If you have questions or need help with searches, reach out to Maltiverse support. Stay safe out there!