The Accidental Malware Repository: Hunting & Collecting Malware Via Open Directories (Part 1)

Published on

Published on

Published on

Feb 1, 2024

Feb 1, 2024

Feb 1, 2024

The Accidental Malware Repository: Hunting & Collecting Malware Via Open Directories (Part 1)
The Accidental Malware Repository: Hunting & Collecting Malware Via Open Directories (Part 1)
The Accidental Malware Repository: Hunting & Collecting Malware Via Open Directories (Part 1)
The Accidental Malware Repository: Hunting & Collecting Malware Via Open Directories (Part 1)

The Accidental Malware Repository: Hunting & Collecting Malware Via Open Directories (Part 1)

This post will serve as the first in a long series of articles on using the platform to identify malicious infrastructure and hunt across the open internet for malware, phishing pages, and whatever else may pose harm to the networks we defend.

For our initial blog in this hunting workshop, we'll leave our territory and peruse an open directory containing a phishing site, which also happens to be hosting the XWorm RAT.

Did You Know?

You can find open directories across a network of over 5,000 sources, enabling you to quickly pinpoint specific file names, sandbox results for hosted malware samples, exposed shell history, and more with a single click. If you haven't already, apply for an account and give the Hunt platform a try.

httpshuntioimagesblogsacc-malwareimg-1-3xwebpFigure 1: Hunt Open Directory Feature

One of our budding researchers discovered the IP address 65.1.224[.]214:80 while collecting intelligence on servers hosting malicious software. Digging deeper into the open directory, we see some interestingly named files, including a sub-directory titled "/We."

httpshuntioimagesblogsacc-malwareimg-2-3xwebpFigure 2: Suspect Open Dir

*You can download and obtain a file hash or see what other servers host the same file by clicking one of the buttons under "Actions."

For the eagle-eyed reader, you may have noticed that Hunt detects the lazily named "PowerShell.ps1" as the XWorm RAT. We'll take a look at that file, as well as the others, later. For now, let's check out the /We directory.

httpshuntioimagesblogsacc-malwareimg-3-3xwebpFigure 3: File contents of the /We directory

The folder contains several files, including images, an image folder, and HTML & PHP pages. Files titled "BlockChain_Login" and "Device_Verification" lead us to believe that whoever is controlling this server is attempting to phish user credentials, posing as the legitimate site, likely for the theft of digital currency.

Let's take a look at the malicious login page.

httpshuntioimagesblogsacc-malwareimg-4-3xwebpFigure 4: Spoofed Login Pagehttpshuntioimagesblogsacc-malwareimg-5-3xwebpFigure 5: Legitimate Login Page

If you've investigated phishing pages before, the malicious login page is often a carbon copy of the legitimate site, with limited functionality outside of capturing credentials on login.

If we refer back to the /We folder, there are files for the "Import Your Account" button. Clicking on the button reveals an additional attempt to steal the user's recovery phrase.

httpshuntioimagesblogsacc-malwareimg-6-3xwebpFigure 6: Attempt To Steal Private Key Phrase

So far, some web pages are attempting to spoof a digital currency financial services company. Interesting and worth reporting (hopefully, your users aren't trading currency on the company network), but the multiple .bat, .vbs, and .ps1 files may really pique your interest.

httpshuntioimagesblogsacc-malwareimg-7-3xwebpFigure 7: Batch File Which Initiates Execution

While a thorough analysis of the files themselves is outside the scope of this post, Downloader.bat, void of any obfuscation, downloads the PowerShell script we saw earlier.

httpshuntioimagesblogsacc-malwareimg-8-3xwebpFigure 8: PowerShell Script To Download .bat & .vbs files

The script, thoughtfully written with comments, downloads two files and checks if the documents already exist on the victim machine; if not, it executes the VBS file from a hidden window.

httpshuntioimagesblogsacc-malwareimg-9-3xwebpFigure 9: Malicious VBS File

Again, the visual basic file checks if the 2.bat file is on the victim host and, if so, runs the file silently.

httpshuntioimagesblogsacc-malwareimg-10-3xwebpFigure 10: Encoded Batch File

2.bat, when executed, drops a file named 2.bat.exe in the %TEMP% folder. Luckily, the decryption key can be found within the code, and decompression is trivial.

httpshuntioimagesblogsacc-malwareimg-11-3xwebpFigure 11: Decompressed & Decrypted Code

What Else Can I Find?

Short answer: just about anything you can think of. We constantly scan and update our database of open directories and their associated files, ensuring the most up-to-date information for defenders and researchers looking to analyze malicious samples and thwart actors attempting to damage their reputations.

As we progress in this series, we'll dive deeper into how Hunt can assist in hunting for the next significant threat, keeping our networks and brands safer one blog at a time.

Found something interesting using the Open Directories feature, please share it on X (Twitter), LinkedIn, or Mastodon.

This post will serve as the first in a long series of articles on using the platform to identify malicious infrastructure and hunt across the open internet for malware, phishing pages, and whatever else may pose harm to the networks we defend.

For our initial blog in this hunting workshop, we'll leave our territory and peruse an open directory containing a phishing site, which also happens to be hosting the XWorm RAT.

Did You Know?

You can find open directories across a network of over 5,000 sources, enabling you to quickly pinpoint specific file names, sandbox results for hosted malware samples, exposed shell history, and more with a single click. If you haven't already, apply for an account and give the Hunt platform a try.

httpshuntioimagesblogsacc-malwareimg-1-3xwebpFigure 1: Hunt Open Directory Feature

One of our budding researchers discovered the IP address 65.1.224[.]214:80 while collecting intelligence on servers hosting malicious software. Digging deeper into the open directory, we see some interestingly named files, including a sub-directory titled "/We."

httpshuntioimagesblogsacc-malwareimg-2-3xwebpFigure 2: Suspect Open Dir

*You can download and obtain a file hash or see what other servers host the same file by clicking one of the buttons under "Actions."

For the eagle-eyed reader, you may have noticed that Hunt detects the lazily named "PowerShell.ps1" as the XWorm RAT. We'll take a look at that file, as well as the others, later. For now, let's check out the /We directory.

httpshuntioimagesblogsacc-malwareimg-3-3xwebpFigure 3: File contents of the /We directory

The folder contains several files, including images, an image folder, and HTML & PHP pages. Files titled "BlockChain_Login" and "Device_Verification" lead us to believe that whoever is controlling this server is attempting to phish user credentials, posing as the legitimate site, likely for the theft of digital currency.

Let's take a look at the malicious login page.

httpshuntioimagesblogsacc-malwareimg-4-3xwebpFigure 4: Spoofed Login Pagehttpshuntioimagesblogsacc-malwareimg-5-3xwebpFigure 5: Legitimate Login Page

If you've investigated phishing pages before, the malicious login page is often a carbon copy of the legitimate site, with limited functionality outside of capturing credentials on login.

If we refer back to the /We folder, there are files for the "Import Your Account" button. Clicking on the button reveals an additional attempt to steal the user's recovery phrase.

httpshuntioimagesblogsacc-malwareimg-6-3xwebpFigure 6: Attempt To Steal Private Key Phrase

So far, some web pages are attempting to spoof a digital currency financial services company. Interesting and worth reporting (hopefully, your users aren't trading currency on the company network), but the multiple .bat, .vbs, and .ps1 files may really pique your interest.

httpshuntioimagesblogsacc-malwareimg-7-3xwebpFigure 7: Batch File Which Initiates Execution

While a thorough analysis of the files themselves is outside the scope of this post, Downloader.bat, void of any obfuscation, downloads the PowerShell script we saw earlier.

httpshuntioimagesblogsacc-malwareimg-8-3xwebpFigure 8: PowerShell Script To Download .bat & .vbs files

The script, thoughtfully written with comments, downloads two files and checks if the documents already exist on the victim machine; if not, it executes the VBS file from a hidden window.

httpshuntioimagesblogsacc-malwareimg-9-3xwebpFigure 9: Malicious VBS File

Again, the visual basic file checks if the 2.bat file is on the victim host and, if so, runs the file silently.

httpshuntioimagesblogsacc-malwareimg-10-3xwebpFigure 10: Encoded Batch File

2.bat, when executed, drops a file named 2.bat.exe in the %TEMP% folder. Luckily, the decryption key can be found within the code, and decompression is trivial.

httpshuntioimagesblogsacc-malwareimg-11-3xwebpFigure 11: Decompressed & Decrypted Code

What Else Can I Find?

Short answer: just about anything you can think of. We constantly scan and update our database of open directories and their associated files, ensuring the most up-to-date information for defenders and researchers looking to analyze malicious samples and thwart actors attempting to damage their reputations.

As we progress in this series, we'll dive deeper into how Hunt can assist in hunting for the next significant threat, keeping our networks and brands safer one blog at a time.

Found something interesting using the Open Directories feature, please share it on X (Twitter), LinkedIn, or Mastodon.

Related Posts:

Clickfix on macOS: AppleScript Stealer, Terminal Phishing, and C2 Infrastructure
Jul 22, 2025

Phishing campaign targets macOS with fake prompts that run AppleScript via terminal, stealing wallets, cookies, and sensitive files.

Clickfix on macOS: AppleScript Stealer, Terminal Phishing, and C2 Infrastructure
Jul 22, 2025

Phishing campaign targets macOS with fake prompts that run AppleScript via terminal, stealing wallets, cookies, and sensitive files.

630K gov.br Subdomains Abused in SEO Poisoning Attack
Jul 17, 2025

Over 630K hijacked gov.br subdomains were exploited in a black hat SEO campaign using cloaking, keyword stuffing, and redirect techniques. Learn more.

630K gov.br Subdomains Abused in SEO Poisoning Attack
Jul 17, 2025

Over 630K hijacked gov.br subdomains were exploited in a black hat SEO campaign using cloaking, keyword stuffing, and redirect techniques. Learn more.

Announcing Hunt 2.4
Jul 15, 2025

Hunt 2.4 adds archive-aware search, deeper SQL visibility, and improved phishing intel to make threat hunting faster, clearer, and more powerful.

Announcing Hunt 2.4
Jul 15, 2025

Hunt 2.4 adds archive-aware search, deeper SQL visibility, and improved phishing intel to make threat hunting faster, clearer, and more powerful.

Eggs, Alerts, and Adversaries: Talking with Jose Hernandez from Splunk
Jul 8, 2025

Splunk’s Jose Hernandez talks building detections, curious hires, Hunt.io in action, and balancing threat research with chickens and family life.

Eggs, Alerts, and Adversaries: Talking with Jose Hernandez from Splunk
Jul 8, 2025

Splunk’s Jose Hernandez talks building detections, curious hires, Hunt.io in action, and balancing threat research with chickens and family life.

Clickfix on macOS: AppleScript Stealer, Terminal Phishing, and C2 Infrastructure
Jul 22, 2025

Phishing campaign targets macOS with fake prompts that run AppleScript via terminal, stealing wallets, cookies, and sensitive files.

630K gov.br Subdomains Abused in SEO Poisoning Attack
Jul 17, 2025

Over 630K hijacked gov.br subdomains were exploited in a black hat SEO campaign using cloaking, keyword stuffing, and redirect techniques. Learn more.