Utilize abuse.ch’s data exposing malicious URLs with Spamhaus Intelligence API

Posted on
June 06, 2024
Author
Spamhaus Technology Team
Read time
4 mins

Introduction

abuse.ch is one of the most well-regarded sources of malware and botnet command-and-control (C&C) data. Its primary goal is to collect, track, and share data signals that help defenders counter these highly disruptive cybercrime tactics. Spamhaus has spent over 25 years improving trust and safety on the internet and is recognized as an authority on IP and domain reputation data, so providing these datasets together, via a single source, was an obvious step. From today, abuse.ch's URLhaus data is available as a beta for Spamhaus Intelligence API (SIA) users, and is free to Developer License users. Learn more in this blog post.

Get acquainted with URLhaus malware intelligence

If you're active in the cyber threat intelligence (CTI) industry, you're likely familiar with abuse.ch and with URLhaus data. Highly regarded by security vendors and analysts, network administrators, and researchers, URLhaus is an expansive, community-driven hub where individual experts share and consume intelligence on URLs that are being used for malware distribution.

Malicious URLs form the literal link between users and a malicious payload. It is crucial for businesses and end users to know whether a link they are about to click, including one that has been obfuscated, leads to a malware payload or a phishing website.

Critically, URLhaus entries are re-tested continually to identify which URLs are still active and which have been taken down, so the data remains up to date and relevant. Through its partnership with abuse.ch, Spamhaus has now begun to surface URLhaus data via the Spamhaus Intelligence API (SIA). Security professionals can use this to identify and explore malicious URLs and domains, and to dig further into their connections.

The URLhaus data you’ll uncover

URLhaus data via SIA highlights, and provides details on, several kinds of internet identifier: URLs, domains, malware families, IPv4 addresses, ASNs and file hashes (SHA256 or MD5). Some of the values you'll gain visibility of are:

  • Online/offline: URLs are re-evaluated frequently, so you can tell whether a malicious endpoint is still reachable.
  • Tags: community-generated labels attached to most entries, covering activity type, associated malware family, payload file type, and so on.
  • Payload details: MIME type, file format, file size, file name, SHA256 hash, and the associated malware family.
  • Reporter: the contributor who submitted the entry, so you can spot trends in what a specific reporter tends to submit and decide where to pay particular attention.

More information on the data can be found in our technical documentation here.

Where URLhaus data will add value via SIA

In essence, URLhaus data via SIA provides a comprehensive source of malware intelligence: confirm malicious URLs and their payloads alongside high-confidence IP and domain reputation indicators, all from a single source. At a high level, the data supports:

Threat hunting: Correlate IOCs observed in your own IT environment with the malicious resources URLhaus has recorded when performing internal threat hunting. Signals tied to those IOCs give actionable, proactive insight into threats and help you prioritize where remediation and defensive measures need to be implemented or strengthened. For more details on this use case, read here.

Automation: For organizations with automated consumption pipelines and mature tooling, such as a Threat Intelligence Platform, the data and its ingestion mechanism can be configured to fit your specific requirements. Get reputation data on internet identifiers and drill down into the malicious methods being used against users, from one API. For more details on this use case, read here.

Incident Response: Significant time can be lost searching for details and additional context on IOCs during remediation. URLhaus, IP, and domain reputation data together offer a comprehensive, reliable source of context, so you can act more precisely and efficiently when time is of the essence.
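To make the field list above and the threat-hunting use case concrete, here is an added example (not code from Spamhaus or abuse.ch) that correlates a proxy log against URLhaus-style records offline. The record layout, the log format, the sample records and the placeholder hashes are all constructed for this example; the record keys are a simplified stand-in for the fields the post lists (online/offline status, tags, payload details, reporter) and are not the actual SIA response schema. It ranks exact-URL hits on still-online endpoints above hits that only share a domain with an offline record, and summarizes tags per reporter.

```python
"""Offline correlation of a proxy log against URLhaus-style records.

Added example, not code from Spamhaus or abuse.ch. The record layout below is
an ASSUMED simplification of the fields the post lists (online/offline status,
tags, payload details, reporter); it is not the actual SIA response schema.
"""
from collections import Counter, defaultdict
from urllib.parse import urlsplit, urlunsplit

# Constructed sample records (not real URLhaus data; hashes are placeholders).
URLHAUS_RECORDS = [
    {"url": "http://cdn-update.example/files/invoice.exe", "status": "online",
     "tags": ["exe", "loader"], "reporter": "reporter_a",
     "payload": {"sha256": "a1" * 32, "file_type": "exe", "size": 381024,
                 "mime_type": "application/x-dosexec", "file_name": "invoice.exe",
                 "malware_family": "Loader"}},
    {"url": "http://docs-share.example/q2/report.doc", "status": "offline",
     "tags": ["doc", "macro"], "reporter": "reporter_a",
     "payload": {"sha256": "b2" * 32, "file_type": "doc", "size": 90112,
                 "mime_type": "application/msword", "file_name": "report.doc",
                 "malware_family": "MacroDropper"}},
    {"url": "http://203.0.113.10/bins/arm7", "status": "online",
     "tags": ["elf", "iot-bot"], "reporter": "reporter_b",
     "payload": {"sha256": "c3" * 32, "file_type": "elf", "size": 65536,
                 "mime_type": "application/x-executable", "file_name": "arm7",
                 "malware_family": "IoTBot"}},
]

# Constructed proxy log: timestamp client method url http_status.
PROXY_LOG = """\
2024-06-06T09:58:11Z 10.10.4.21 GET http://cdn-update.example:80/files/invoice.exe 200
2024-06-06T09:59:40Z 10.10.4.22 GET http://cdn-update.example/assets/logo.png 200
2024-06-06T10:03:02Z 10.10.7.9 GET http://docs-share.example/q2/report.doc 404
2024-06-06T10:05:55Z 10.10.7.9 GET https://intranet.example/home 200
"""

# Exact-URL hits on a still-online endpoint come first; domain-only hits on
# an offline record come last.
PRIORITY = {("url", "online"): 1, ("url", "offline"): 2,
            ("domain", "online"): 3, ("domain", "offline"): 4}


def normalize_url(url):
    """Canonicalise so trivially different spellings of one URL compare equal:
    lowercase scheme and host, drop a default port and any fragment."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    default_port = {"http": 80, "https": 443}.get(scheme)
    netloc = host if parts.port in (None, default_port) else f"{host}:{parts.port}"
    return urlunsplit((scheme, netloc, parts.path or "/", parts.query, ""))


def parse_proxy_log(text):
    """Split the constructed log format into dicts, one per request line."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            ts, client, method, url, status = line.split()
            entries.append({"ts": ts, "client": client, "method": method,
                            "url": url, "http_status": status})
    return entries


def correlate(log_text, records):
    """Return proxy requests that hit a URLhaus record, best match first."""
    url_index, domain_index = {}, defaultdict(list)
    for rec in records:
        norm = normalize_url(rec["url"])
        url_index[norm] = rec
        domain_index[urlsplit(norm).hostname].append(rec)

    hits = []
    for entry in parse_proxy_log(log_text):
        norm = normalize_url(entry["url"])
        host = urlsplit(norm).hostname
        if norm in url_index:
            rec, kind = url_index[norm], "url"
        elif host in domain_index:
            # Same host, different path: weaker signal, prefer an online record.
            same_host = domain_index[host]
            rec = next((r for r in same_host if r["status"] == "online"), same_host[0])
            kind = "domain"
        else:
            continue
        hits.append({"ts": entry["ts"], "client": entry["client"], "url": entry["url"],
                     "match": kind, "status": rec["status"],
                     "malware_family": rec["payload"].get("malware_family"),
                     "sha256": rec["payload"].get("sha256"),
                     "priority": PRIORITY[(kind, rec["status"])]})
    hits.sort(key=lambda h: (h["priority"], h["ts"]))
    return hits


def reporter_trends(records):
    """Tag counts per reporter, to spot what a given contributor tends to submit."""
    trends = defaultdict(Counter)
    for rec in records:
        trends[rec["reporter"]].update(rec["tags"])
    return {reporter: dict(counts) for reporter, counts in trends.items()}


if __name__ == "__main__":
    for hit in correlate(PROXY_LOG, URLHAUS_RECORDS):
        print(f'P{hit["priority"]} {hit["ts"]} {hit["client"]} {hit["match"]:6} '
              f'{hit["status"]:7} {hit["malware_family"]} {hit["url"]}')
    print(reporter_trends(URLHAUS_RECORDS))
```

On the constructed log this yields three hits: the download of invoice.exe (exact URL, online) ranks first, the request for report.doc (exact URL, but already offline) second, and the logo.png fetch from the same host as the live loader third, while the intranet request produces nothing. Normalizing URLs before comparison matters: the proxy recorded an explicit ":80" that the URLhaus entry does not carry, and without canonicalization that would have been a miss.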

Pairing URLhaus with Spamhaus’ Intelligence

When using URLhaus data via SIA, you gain not only malware-specific intelligence but also rich and expansive IP and domain reputation data. Pivot between numerous, context-rich metadata points, including exploited and exploiting IPs, botnet command-and-control (C&C) IPs, email traffic with poor reputation, and all domains observed by Spamhaus.

From a broad perspective, Spamhaus Intelligence API users can:

  • Enrich current threat intelligence sources
  • Establish more comprehensive insights
  • Provide confidence in investigative prioritization

Consume, and pivot between, different data types covering a range of internet identifiers from a single, reputable source.

Access the data – for free!

URLhaus data via SIA is released as a beta. Why beta? To give you an opportunity to influence ongoing product enhancements before the production-ready release. You can obtain a long-term commercial license here, but to test the data and share your feedback, sign up for the Developer License program here.

The Developer License is offered free for six months. Happy hunting!