For threat analysts, identifying malicious websites built from the same HTML template is key to uncovering coordinated campaigns. Threat actors frequently deploy template-based sites against many organizations in quick succession, changing only details such as the HTML title, favicon, or displayed text. The HTML Content Similarity Search feature lets you find these sites in a single, streamlined step, saving time, cutting out the scripting the manual workflow required, and sharpening your threat hunting.
Why HTML Content Similarity Search Matters
Threat actors rely on template-based websites to scale their operations. By reusing one HTML structure with minor modifications, they can stand up many malicious sites quickly. Finding those sites used to take a cumbersome three-step process: retrieve the ssdeep fuzzy hash of the seed page's HTML body (the html_body_ssdeep value in a web scan), query for hashes that match it above a chosen percentage, then pull the scan data for every match and deduplicate the results by hand. That workflow demanded scripting and several API calls. HTML Content Similarity Search collapses it into one query and returns deduplicated results: one row per hostname showing its most recent scan, sorted by highest percentage match and then by most recent scan date, so the most relevant hits come first.
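The post-processing described above (keep the latest scan per hostname, drop matches below the threshold, sort by match then by date) is simple enough to show in code. The script below is an added example and is not Silent Push code; the platform compares ssdeep fuzzy hashes of the HTML body, but ssdeep is not in the Python standard library, so Jaccard similarity over 5-character shingles stands in for the fuzzy-hash comparison here. The phishing-kit template, the unrelated page, the scan records and the .example hostnames are all constructed sample data, and the percentages are not comparable to the platform's ssdeep scores.

```python
"""Rank template-similar web scans: latest scan per host, threshold, sort.

Added example, not Silent Push code. Jaccard similarity over character
shingles stands in for an ssdeep fuzzy-hash comparison so that the script
runs offline; all HTML and scan records below are constructed samples.
"""
from dataclasses import dataclass
from datetime import date

# Constructed phishing-kit template. Between deployments the actor changes
# only the title and favicon, which is the pattern the search is built to catch.
KIT = """<!doctype html><html><head><meta charset="utf-8">
<title>{title}</title><link rel="icon" href="{favicon}">
<link rel="stylesheet" href="/assets/app.css"></head>
<body><div class="login"><form method="post" action="/api/login">
<input name="user" placeholder="Email"><input name="pass" type="password">
<button type="submit">Sign in</button></form></div>
<script src="/assets/app.js"></script></body></html>"""

# Constructed unrelated page; shares only generic HTML boilerplate with KIT.
WEATHER = """<!doctype html><html><head><title>Weather</title></head>
<body><h1>Forecast</h1><p>Sunny, high of 24.</p>
<table><tr><td>Wind</td><td>12 km/h</td></tr></table></body></html>"""


@dataclass(frozen=True)
class Scan:
    hostname: str
    scan_date: date
    html_body: str


def shingles(text: str, k: int = 5) -> set:
    """Set of all k-character substrings of text (order-insensitive fingerprint)."""
    return {text[i:i + k] for i in range(max(1, len(text) - k + 1))}


def similarity(a: str, b: str) -> int:
    """Percentage similarity of two HTML bodies; stand-in for an ssdeep compare."""
    sa, sb = shingles(a), shingles(b)
    return round(100 * len(sa & sb) / len(sa | sb))


def similar_sites(reference_html: str, scans, min_match: int = 50):
    """One row per hostname (its latest scan), scoring at least min_match,
    sorted by highest match and then by most recent scan date."""
    latest = {}
    for scan in scans:
        current = latest.get(scan.hostname)
        if current is None or scan.scan_date > current.scan_date:
            latest[scan.hostname] = scan          # deduplicate: keep newest scan
    rows = []
    for scan in latest.values():
        match = similarity(reference_html, scan.html_body)
        if match >= min_match:                    # apply the 50%-100% threshold
            rows.append({"hostname": scan.hostname,
                         "scan_date": scan.scan_date.isoformat(),
                         "match": match})
    # ISO dates sort lexically, so one reverse sort gives match desc, date desc.
    rows.sort(key=lambda r: (r["match"], r["scan_date"]), reverse=True)
    return rows


# Constructed scan records; hostnames use the reserved .example TLD.
SCANS = [
    Scan("seed-login.example", date(2024, 3, 1),
         KIT.format(title="Secure Login", favicon="/favicon.ico")),
    Scan("brand-a-login.example", date(2024, 2, 20),     # superseded by the next scan
         KIT.format(title="Brand A", favicon="/a.ico")),
    Scan("brand-a-login.example", date(2024, 3, 5),      # latest scan for this host
         KIT.format(title="Brand A Portal", favicon="/a.png")),
    Scan("brand-b-login.example", date(2024, 3, 5),
         KIT.format(title="Brand B Sign-in", favicon="/b.png")),
    Scan("weather.example", date(2024, 3, 6), WEATHER),  # unrelated content
]

if __name__ == "__main__":
    seed_html = SCANS[0].html_body
    for row in similar_sites(seed_html, SCANS):
        print(f'{row["match"]:3d}%  {row["scan_date"]}  {row["hostname"]}')
```

Running it lists the seed host at 100%, the two re-skinned kit deployments once each (the older brand-a scan is suppressed), and omits the weather page, which falls under the 50% floor.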
Conduct an HTML Similarity Search
From the home page, select Web Data, and then select HTML Content Similarity Search.
Enter a URL, a domain, or an ssdeep hash to find all websites with similar HTML content in one query, for example icelcoin.top.
Select a similarity match range (50%-100%) to focus on sites that meet your investigative needs. A high threshold returns near-identical copies of the template; lowering it toward 50% catches more heavily customized variants at the cost of more unrelated matches.
Click Search.
The Results pane opens.
Pivot to HTML Similarity Search
From Total View:
Select the Web Scanner tab.
Click the Expand link on the scan that is of interest.
Click on the html_body_ssdeep value.
Click on the HTML Similarity search tab.
Select the percentage match required and click the Search button.
From Web Scanner:
Run the web scanner query.
Click the Expand link on the scan that is of interest.
Click on the html_body_ssdeep value.
Click on the HTML Similarity search tab.
Select the percentage match required and click the Search button.
Table View: Advanced Data Customization and Export
The Table View provides a detailed and customizable interface for reviewing search results, similar to the web scanner table.
Key Features
Customizable Columns (three vertical columns icon): Tailor the data displayed by adding or rearranging columns. For example, if you need the hosting country for a domain such as icecoin.cc, add a column for the country code or name. You can also adjust column widths or reorder columns (for example, to put scan date, URL, or port first).
Manual Export (soon to be renamed Download): Export results as CSV or as a JSON array for use in custom scripts or external tools. You can export all results (up to 10,000) or only the selected items.
Basic Raw Data Access: View the results as raw JSON when you want to search across all scans for specific keywords.
Compare: Select two scans to perform a head-to-head comparison. This feature highlights differences (e.g., favicon, IP address, or domain) and similarities between the selected scans, making it easier to identify key distinctions.
Save to: Select specific results and save them to a Draft Feed (for ongoing research) or a Feed (for operational use, to share with others). You can also create a new feed directly from the interface.
List View
List View provides a simpler and more compact presentation of results. While it has fewer options than Table View, it remains highly functional.
Standard Pivot Control
The Standard Pivot Control is a universal feature available in both Table View and List View, making it one of Silent Push’s most powerful tools for threat intelligence and data exploration.
Key Capabilities
Total View: Access a comprehensive overview of a domain or IP, including threat intelligence, DNS records, and more.
Live On-Demand Scan: Perform a real-time scan to get the freshest data, bypassing cached database results.
Screenshots: Generate screenshots to confirm content similarity visually (for example, checking how closely a matched site resembles a reference such as icecoin.cc).
Pivot to Web Scanner: Search for related results in the web scanner or explore additional threat intelligence tied to a domain or IP.
Silent Push’s Table View, List View, and Standard Pivot Control offer flexible and powerful ways to analyze HTML content similarity search results. Whether you prefer the customizable depth of Table View, the simplicity of List View, or the robust analysis of the Pivot Control, Silent Push equips you with tools to save, export, and compare data effectively.