
BUG | IP address blocklists do not appear to be propagating to Virus Total #14

Open
g0d33p3rsec opened this issue Dec 30, 2024 · 7 comments

Comments

g0d33p3rsec commented Dec 30, 2024

What is the problem you are experiencing?

This morning I merged a request, Phishing-Database/phishing#567, for a domain hosted at an IP address that had been added two days prior in Phishing-Database/phishing#560.
https://www.virustotal.com/gui/ip-address/43.153.35.209

Checking a second IP from the same merge.
https://www.virustotal.com/gui/ip-address/156.244.41.57/

I checked an older IP address from two weeks ago, Phishing-Database/phishing#534, with a similar false negative result.

https://www.virustotal.com/gui/ip-address/43.153.59.85/

How can we reproduce the problem?

To reproduce the problem:

  1. add an IP address to the appropriate blocklists
  2. wait for the changes to propagate to Virus Total (you can try using a different indicator, such as a URI, to compare against)
  3. search the related IP on Virus Total
  4. observe the lack of results / false negative for the Phishing Database

Do you have a screenshot?

No response

What did you expect to happen?

I would like clarification to make sure I am adding indicators to the appropriate list when triaging. It takes a lot more time to fully enumerate and report the activity hosted on the IP address than it does to add a single record.

Is there a workaround?

Enumerate the passive DNS results from the IP - Relations page of the Virus Total results. Search for the IP address on URLScan.io (this is specific to the USPS phishing actors using algorithmically generated and registered domain names) and from the results find the appropriate endpoint (I, i, us, etc.). Scan each of the enumerated domains using the appropriate URI.

Additional context

The USPS phishing campaigns that I have been recently tracking are hosted on Chinese infrastructure and use RDGAs for domain names. These are some of the more active phishing threats during the holiday season.

Log information

No response

@g0d33p3rsec g0d33p3rsec added the bug Something isn't working label Dec 30, 2024
@g0d33p3rsec (Author)

In the meantime, I'll be working on backfilling the indicators from https://github.com/g0d33p3rsec/phishing/wiki/USPS-Phishing

@spirillen

Think you should move this issue to https://github.com/Phishing-Database/dev-center/issues

@g0d33p3rsec (Author)

> Think you should move this issue to https://github.com/Phishing-Database/dev-center/issues

Should I just copypasta it over, or is there another mechanism for moving issues?

@g0d33p3rsec (Author)

@spirillen there doesn't seem to be a Virus Total Sync label for the issues in https://github.com/Phishing-Database/dev-center/issues

Should I just open a duplicate there and let them choose which of the two to close?

@funilrys funilrys transferred this issue from Phishing-Database/Phishing.Database Dec 30, 2024
@funilrys funilrys moved this from 🆕 New to 📋 Backlog in Phishing Database Backlog Dec 30, 2024
spirillen commented Dec 31, 2024

> @spirillen there doesn't seem to be a Virus Total Sync label for the issues in https://github.com/Phishing-Database/dev-center/issues
>
> Should I just open a duplicate there and let them choose which of the two to close?

Short answer: copy-paste it, and if possible delete this one, but do as YOU feel like; you have been granted the power in TRUST to you.

@g0d33p3rsec (Author)

Thank you for moving this @funilrys

@g0d33p3rsec (Author)

False negatives make me nervous, so I went ahead and hacked together a quick script yesterday that allows me to grab the passive DNS entries from VirusTotal and feed them into urlscan. For the time being, I'll try to add an additional commit after adding the IP addresses to follow up with the enumerated domains and URIs.
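The passive-DNS-to-urlscan step described in the workaround and in the comment above, as an added example that is not the issue author's script: it assumes the VirusTotal API v3 `ip_addresses/{ip}/resolutions` endpoint and urlscan.io's `POST /api/v1/scan/` endpoint, the lure paths `I`, `i`, `us` come from the report, and the sample response, IPs and domains are constructed so the pipeline can be exercised offline.

```python
"""VT passive DNS -> urlscan.io triage helper (added example, not the author's script).
Assumes VT API v3 GET /ip_addresses/{ip}/resolutions and urlscan POST /api/v1/scan/;
`http` is injectable so the pipeline can be exercised offline on constructed data."""
import json
import urllib.request
from typing import Iterable, Optional

VT_RESOLUTIONS = "https://www.virustotal.com/api/v3/ip_addresses/{ip}/resolutions?limit=40"
URLSCAN_SCAN = "https://urlscan.io/api/v1/scan/"
DEFAULT_PATHS = ("I", "i", "us")  # lure endpoints named in the report

# Constructed sample in the VT v3 response shape (not real data): one duplicate
# with different case and a trailing dot, and one resolution for a different IP.
SAMPLE_RESOLUTIONS = {"data": [
    {"type": "resolution", "attributes": {"host_name": "usps-trk-a1b2.example", "ip_address": "192.0.2.10"}},
    {"type": "resolution", "attributes": {"host_name": "USPS-trk-a1b2.example.", "ip_address": "192.0.2.10"}},
    {"type": "resolution", "attributes": {"host_name": "track-c3d4.example", "ip_address": "192.0.2.10"}},
    {"type": "resolution", "attributes": {"host_name": "unrelated.example", "ip_address": "192.0.2.11"}},
]}

def hostnames_from_resolutions(payload: dict, ip: str) -> list[str]:
    """Unique, normalised hostnames that resolved to `ip`, in response order."""
    seen, hosts = set(), []
    for obj in payload.get("data", []):
        attrs = obj.get("attributes", {})
        host = attrs.get("host_name", "").strip().lower().rstrip(".")
        if host and attrs.get("ip_address", ip) == ip and host not in seen:
            seen.add(host)
            hosts.append(host)
    return hosts

def build_scan_requests(hosts: Iterable[str], paths=DEFAULT_PATHS, visibility="unlisted") -> list[dict]:
    """One urlscan submission body per (host, path) so each lure variant gets scanned."""
    return [{"url": f"https://{h}/{p}", "visibility": visibility} for h in hosts for p in paths]

def _http_json(url: str, headers: dict, body: Optional[dict] = None) -> dict:
    # Minimal JSON-over-HTTPS call shared by both APIs: GET without a body, POST with one.
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method="POST" if data else "GET",
                                 headers={**headers, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def enumerate_and_submit(ip, vt_key, urlscan_key, http=_http_json):
    """Pull passive DNS for `ip` from VT and submit every candidate URL to urlscan.
    Returns (url, urlscan result link or None) pairs to record in the follow-up commit."""
    resolutions = http(VT_RESOLUTIONS.format(ip=ip), {"x-apikey": vt_key})
    submitted = []
    for body in build_scan_requests(hostnames_from_resolutions(resolutions, ip)):
        reply = http(URLSCAN_SCAN, {"API-Key": urlscan_key}, body)
        submitted.append((body["url"], reply.get("result")))
    return submitted
```

With real keys, `enumerate_and_submit("203.0.113.5", vt_key, urlscan_key)` performs the live calls; urlscan rate limits apply per key, so large IPs may need batching.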
