Unmasking Malware Through IP Tracking: How Attackers Exploit IP and Geo-Location Data to Target Your Network
2024-9-23 21:17:52 Author: securityboulevard.com

Identifying and tracking the origin of an attack is critical for mitigating the damage caused by malware. One of the most effective methods to do so is by analyzing IP addresses, which can provide clues about when and where an attack first took place. In a recent incident response case, Veriti’s team employed this technique to uncover key insights about a malware infection, demonstrating how IP checking can be a valuable tool in the fight against cyber threats. 

The Importance of IP Address Checking 

In the latest incident, our team was tasked with analyzing the logs of a customer’s system to determine when the first infection occurred and who the initial target was. We began by examining whether any hosts in the organization had queried common “what is my IP” services. Interestingly, we found that many malware types rely on these services to track the IP address of infected hosts, providing the attacker with key information about the victim’s location and network. 

The malware examples we encountered showed how attackers use IP-related services during various stages of the infection process. Below are some of the services we found to be commonly used by malware to retrieve IP addresses: 

  • ipinfo.io/ip 
  • ipecho.net/plain 
  • api.ipify.org 
  • checkip.amazonaws.com 
  • wtfismyip.com/text 
  • icanhazip.com 

Uncovering FormBook Malware: The Role of IP Services 

One specific case involved the discovery of FormBook malware, which attempts to capture the location of the victim upon the arrival of a malicious email. After the user opens the malicious attachment, the malware not only proceeds with the infection chain but also contacts multiple “IP lookup” domains to retrieve the IP address of the host. 

These IP services are critical for the malware to map the attack and identify which devices in the network have been compromised. By analyzing the logs and the connections made to these services, Veriti’s team was able to pinpoint when and where the infection occurred, providing crucial insights for the remediation process. 


Using BSSID for Precise Location Tracking 

In another interesting twist, we observed that certain malware types, such as Agent Tesla, go beyond IP address tracking and attempt to capture the BSSID (Basic Service Set Identifier) of the infected host’s Wi-Fi network. This information allows the attacker to determine the precise location of the victim by querying services such as Wigle.net, which maps BSSID data to geographic coordinates. 

The following command is commonly used by attackers to collect BSSID information: 

"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid 

This command opens a new Command Prompt instance, sets the character encoding to UTF-8, and displays detailed information about all available Wi-Fi networks in range, including their BSSIDs. By obtaining this data, attackers can precisely map the infected device’s location, adding another layer of sophistication to their attack strategy. 
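The command above is a useful detection anchor on the endpoint side. The following Python script is an added example, not code from the original post or from Veriti: it scans process-creation events (constructed here, loosely modelled on Sysmon Event ID 1 fields such as CommandLine and ParentImage) for the BSSID-collection pattern, normalising case, quoting and whitespace so that the `"cmd.exe" /C chcp 65001 && ...` form and a bare `netsh` invocation are both caught. The severity heuristic (raising a finding when the parent is an Office application, since the post describes infection via a malicious attachment) is an assumption of this example.

```python
"""
Flag process-creation events whose command line collects Wi-Fi BSSIDs via
netsh, the behaviour the post attributes to Agent Tesla. The event records
below are constructed for this example and only loosely follow Sysmon
Event ID 1 field names.
"""
import re

# All three tokens must be present (in any order) after normalisation.
BSSID_TOKENS = ("netsh", "wlan show networks", "mode=bssid")

# Assumption of this example: a BSSID scan spawned by an Office process is
# far more suspicious than one run interactively by an administrator.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def normalise(cmdline):
    """Lower-case, strip double quotes and collapse whitespace so that
    '"cmd.exe" /C chcp 65001 && NETSH wlan  show networks mode=bssid'
    compares equal to its plain, unquoted form."""
    cmd = cmdline.lower().replace('"', "")
    return re.sub(r"\s+", " ", cmd).strip()


def is_bssid_collection(cmdline):
    """True when the command line matches the BSSID-collection pattern."""
    cmd = normalise(cmdline)
    return all(tok in cmd for tok in BSSID_TOKENS)


def _basename(win_path):
    """Last path component of a Windows path, independent of host OS."""
    return win_path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def scan_events(events):
    """Return one finding per event that collects BSSIDs, in input order."""
    findings = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        if not is_bssid_collection(cmd):
            continue
        norm = normalise(cmd)
        parent = _basename(ev.get("ParentImage", ""))
        findings.append({
            "host": ev.get("Computer"),
            "user": ev.get("User"),
            "parent": parent,
            # The post's variant wraps the scan in "cmd.exe /C chcp 65001 && ..."
            "via_cmd_c": re.search(r"\bcmd(\.exe)? /c\b", norm) is not None,
            "severity": "high" if parent in OFFICE_PARENTS else "medium",
            "command_line": cmd,
        })
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Computer": "WS-17", "User": "CORP\\alice",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": '"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid'},
    {"Computer": "WS-02", "User": "CORP\\bob",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "netsh  wlan show networks"},  # no mode=bssid: not flagged
    {"Computer": "WS-09", "User": "CORP\\carol",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\netsh.exe",
     "CommandLine": "NETSH WLAN SHOW NETWORKS MODE=BSSID"},
    {"Computer": "WS-02", "User": "CORP\\bob",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\ipconfig.exe",
     "CommandLine": "ipconfig /all"},
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["host"], f["user"], "parent=" + f["parent"],
              "via cmd /C" if f["via_cmd_c"] else "direct")
```

Running the script yields two findings: the Word-spawned variant from the post is rated high, the interactive one medium. Tuning the parent-process allow-list to your environment is the main knob, because `netsh wlan show networks` is also a legitimate troubleshooting command.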

Malware Using IP Lookups: A Broader Trend 

The use of IP lookups is not limited to a single malware type. Throughout our research, we found that several well-known malware families use IP services during their infection process. Some examples include: 

  • TrickBot: This notorious banking trojan queries services such as checkip.dyndns.org and wtfismyip.com to retrieve the IP address of the infected host. 
  • XMRig: A popular cryptominer, XMRig also queries IP lookup services to determine the location of infected devices. 
  • PsiX Bot: Another sophisticated malware that leverages IP-related services to map out the network of compromised systems. 

In each of these cases, the use of IP lookup services allows attackers to gather intelligence about the victim’s network, aiding them in spreading the infection or exfiltrating data. 

Expanding the Scope: Geo-Location Services Used by Malware 

Beyond IP addresses, attackers also rely on geo-location services to enhance their understanding of the infected network. Some of the geo-location services we identified during our research include: 

  • api.2ip.ua 
  • api.bigdatacloud.net 
  • db-ip.com 
  • ip-api.com 
  • freegeoip.app 

These services provide detailed information about the geographical location of the host, enabling attackers to better target their attacks or evade detection based on location-specific factors. As more malware variants incorporate these tactics, it becomes increasingly important for security teams to monitor connections to these services and analyze the data to detect early signs of an infection. 

Monitoring IP Address Queries as a Defense Strategy 

The use of IP lookup services by malware is a widespread tactic that provides attackers with valuable intelligence. By monitoring connections to these services, security teams can gain early insights into potential infections and track the spread of malware across their network. 
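The monitoring described here reduces to a watchlist hunt over DNS or proxy logs, with the earliest hit per host answering the "who was infected first" question the post opens with. The Python script below is an added example, not code from the original post or from Veriti. It uses the IP-lookup and geo-location domains named on this page as the watchlist, parses a constructed resolver-log format (timestamp, client IP, query name), matches subdomains of each watchlisted domain, and reports each client's first lookup so the earliest host can be pulled for triage.

```python
"""
Hunt DNS query logs for lookups of the public "what is my IP" and
geo-location services named in the post, and report the earliest such
lookup per client. Log lines and their format are constructed for this
example; adapt LOG_RE to your resolver or proxy log.
"""
from datetime import datetime
import re

# Watchlist built from the domains named in the post.
WATCHLIST = {
    "ipinfo.io", "ipecho.net", "api.ipify.org", "checkip.amazonaws.com",
    "wtfismyip.com", "icanhazip.com", "checkip.dyndns.org",
    "api.2ip.ua", "api.bigdatacloud.net", "db-ip.com", "ip-api.com",
    "freegeoip.app", "wigle.net",
}

# Hypothetical log format: "<ISO timestamp> <client_ip> <query_name>"
LOG_RE = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")


def matches_watchlist(qname):
    """Return the watchlisted domain that qname equals or is a subdomain of,
    or None. Comparison is case-insensitive and ignores a trailing dot."""
    q = qname.lower().rstrip(".")
    for dom in WATCHLIST:
        if q == dom or q.endswith("." + dom):
            return dom
    return None


def hunt(lines):
    """Return {client_ip: {"first_seen": datetime, "hits": [(ts, domain), ...]}}
    for every client that queried a watchlisted domain. Malformed lines are
    skipped; out-of-order timestamps are handled when computing first_seen."""
    findings = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts_str, client, qname = m.groups()
        dom = matches_watchlist(qname)
        if dom is None:
            continue
        ts = datetime.fromisoformat(ts_str)
        entry = findings.setdefault(client, {"first_seen": ts, "hits": []})
        entry["hits"].append((ts, dom))
        if ts < entry["first_seen"]:
            entry["first_seen"] = ts
    return findings


def earliest_host(findings):
    """Client with the earliest watchlist lookup, or None if nothing matched."""
    if not findings:
        return None
    return min(findings, key=lambda h: findings[h]["first_seen"])


# Constructed sample log (not real data). 10.0.0.12 bursts through three
# lookup services within seconds, the pattern the post describes for FormBook.
SAMPLE_LOG = [
    "2024-09-10T08:02:11 10.0.0.12 www.example.com",
    "2024-09-10T08:05:43 10.0.0.12 api.ipify.org",
    "2024-09-10T08:05:44 10.0.0.12 ipinfo.io",
    "2024-09-10T08:05:45 10.0.0.12 checkip.amazonaws.com",
    "2024-09-10T09:30:01 10.0.0.31 ip-api.com",
    "2024-09-10T07:59:59 10.0.0.12 updates.example.com",
    "2024-09-11T14:12:09 10.0.0.31 wtfismyip.com",
    "this line is malformed",
]

if __name__ == "__main__":
    results = hunt(SAMPLE_LOG)
    for host, info in sorted(results.items(), key=lambda kv: kv[1]["first_seen"]):
        print(host, info["first_seen"].isoformat(), [d for _, d in info["hits"]])
    print("earliest host:", earliest_host(results))
```

A single lookup is weak evidence on its own, since browsers, VPN clients and admin scripts also call these services; several different services queried by one host within a few seconds, as in the sample, is the stronger signal and is easy to add as a second pass over the `hits` list.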

At Veriti, we believe that understanding the tactics used by attackers, such as IP address checking and geo-location services, is crucial for building a strong defense. Our research shows that by tracking these activities, organizations can not only detect malware infections sooner but also respond more effectively to mitigate the damage. 

Incorporating IP address monitoring into your security strategy is a simple yet powerful way to enhance your organization’s threat detection capabilities. With the right tools and strategies in place, you can stay ahead of attackers. 

*** This is a Security Bloggers Network syndicated blog from VERITI authored by Veriti Research. Read the original post at: https://veriti.ai/blog/veriti-research/unmasking-malware-through-ip-tracking/


Article source: https://securityboulevard.com/2024/09/unmasking-malware-through-ip-tracking-how-attackers-exploit-ip-and-geo-location-data-to-target-your-network/