Part 3 De-Anonymizing Domains on the Dark Web – Favicon matching

Part 3 De Anonymizing Domains on the Dark Web – Favicon matching

Favicon Matching

The second method that is used to uncover a dark web based website on the surface internet (clear internet) is the process of “favicon matching”. A favicon is an icon that has to do with a URL that is shown in the browsers address bar or next to a website name in the bookmark list. In a nutshell they serve as visual branding badge for a website.

Just like TLS certificate matching, the public internet can be indexed to see if any favicons found on sites on the dark web appear on the surface or clear web as well.

Such files are stored in public directories using the standard naming of favicon which makes their discovery obvious. Using Shodan to crawl the surface web the favicon.ico is indexed.


The Quantum Ransomware Gang

The Quantum Ransomware Gang’s website where this type of technique can be used to discover their infrastructure that is exposed to the public internet.

This group has been making headlines as of late due to their high speed ransomware campaigns though they can still make simple operational security failures (OPSEC).

Like other groups they operate a hidden blog about their services on TOR where they post stolen data.



Looking at the gangs web page on the TOR network one can see that it contains a favicon file that is kept in the web root directory called favicon.ico.
With this the Talos team were able to obtain the file and calculate its hash value, but luckily the Shodan platform indexes these hashes which can then be searched for.
As a result of the above the Talos team were able to see that a single site that was using this favicon.
They were then able to obtain the IP address of the site on the surface web of 185.38.185[.]32 (AS60781)which is an IP address of a provider in the Netherlands. This site can be visited and confirmed that it is hosting the same content.
 The findings by Talos were also confirmed by fellow researcher Soufiane Tahiri (@S0ufi4n3).


Associated Domains

Carrying out a reverse dns lookup (rDNS) of the IP Address we see some of the domains associated with this IP as well as dynamic DNS subdomains.

Leave a Reply

Your email address will not be published. Required fields are marked *