Suspicious Request

ID

suspicious_request

Severity

low

Resource

Network

Tags

dropper

Description

This detector flags code that performs network requests to suspicious resources or sites.

Rationale

Suspicious requests may involve unusual patterns, unusual destinations, or non-standard ports:

  • Often, malware establishes a communication channel with a remote command-and-control (C2) server operated by the attackers. In these cases it is common to find hardcoded C2 IP addresses or hostnames in the source code.

  • Malware may also exfiltrate data by sending network requests to attacker-controlled destinations.

  • Frequently it also attempts to download additional malware payloads or updates: the malicious software requests files from external servers to extend its capabilities or change its behavior.

    Nowadays, many attacks distribute malicious files through GitHub raw links or Discord/Telegram attachments.

This behavior is common across malicious code; some notable campaigns that used this technique include:

  • The 3CX supply chain attack, disclosed in March 2023, was a significant supply chain breach. The attackers compromised the application by incorporating a trojanized library file, which led to the download of encrypted files containing command-and-control information.

    The affected software ran a downloader, SUDDENICON, which retrieved additional command-and-control (C2) servers from encrypted icon files hosted on GitHub. The decrypted C2 server was then used to download a third stage, ICONICSTEALER, a data miner that steals browser information.

Configuration

The detector has the following configurable parameters:

  • sources, which indicates the source kinds to check. Available values are:

    • github_raw_link

    • dangerous_file_extension

    • discord_attachment_link

    • discord_webhook_link

    • hardcoded_ip

    • ip_leakage

    • telegram_attachment_link

    • tor_resource

    • snippet_hosting

    • file_hosting

  • sinks, which indicates the sink kinds to check. Available values are:

    • insecure_transport

  • neutralizations, which indicates the neutralization kinds to check. By default this is empty: no neutralizers are considered for potentially malicious code, so a match is reported even if it appears in a place that would normally be considered harmless.
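To make the source/sink/neutralization model above concrete, here is an added example scanner that is not the detector's own implementation. It maps each configurable source kind and the insecure_transport sink to a regular expression (the patterns, the host lists behind snippet_hosting, file_hosting and ip_leakage, and the hypothetical "commented_out" neutralization are all assumptions made for this illustration), runs them over a constructed snippet of suspicious Python, and shows that with the default empty neutralizations a URL in a commented-out line is still reported.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int       # 1-based line number in the scanned text
    kind: str       # source or sink kind name, as in the detector configuration
    evidence: str   # the matched text


# Characters that may appear in a URL literal (stops at whitespace and quotes).
_URL = r"[^\s\"'<>]+"

# Assumed patterns for each source kind; the kind names mirror the configuration,
# the regexes and host lists are illustrative, not the detector's own.
SOURCE_PATTERNS = {
    "github_raw_link": re.compile(r"https?://raw\.githubusercontent\.com/" + _URL, re.I),
    "dangerous_file_extension": re.compile(
        r"https?://" + _URL + r"\.(?:exe|dll|scr|bat|ps1|vbs|jar)\b", re.I),
    "discord_attachment_link": re.compile(
        r"https?://cdn\.discordapp\.com/attachments/" + _URL, re.I),
    "discord_webhook_link": re.compile(
        r"https?://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/" + _URL, re.I),
    "hardcoded_ip": re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?"),
    "ip_leakage": re.compile(
        r"https?://(?:api\.ipify\.org|ifconfig\.me|icanhazip\.com)[^\s\"'<>]*", re.I),
    "telegram_attachment_link": re.compile(r"https?://api\.telegram\.org/file/bot" + _URL, re.I),
    # v3 onion addresses are 56 base32 chars, v2 were 16; accept either.
    "tor_resource": re.compile(r"https?://[a-z2-7]{16,56}\.onion\b", re.I),
    "snippet_hosting": re.compile(r"https?://(?:pastebin\.com|paste\.ee|hastebin\.com)/" + _URL, re.I),
    "file_hosting": re.compile(r"https?://(?:transfer\.sh|anonfiles\.com|mega\.nz)/" + _URL, re.I),
}

# The single sink kind from the configuration: any plaintext HTTP URL.
SINK_PATTERNS = {
    "insecure_transport": re.compile(r"\bhttp://" + _URL, re.I),
}


def _is_commented_out(line: str) -> bool:
    stripped = line.lstrip()
    return stripped.startswith("#") or stripped.startswith("//")


def scan(text, sources=frozenset(SOURCE_PATTERNS), sinks=frozenset(SINK_PATTERNS),
         neutralizations=frozenset()):
    """Report every enabled source/sink match per line.

    neutralizations is empty by default, mirroring the detector's default: nothing
    suppresses a match. The only neutralization modelled here is the hypothetical
    "commented_out", which skips lines that are comments.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if "commented_out" in neutralizations and _is_commented_out(line):
            continue
        for table, enabled in ((SOURCE_PATTERNS, sources), (SINK_PATTERNS, sinks)):
            for kind, pattern in table.items():
                if kind not in enabled:
                    continue
                for match in pattern.finditer(line):
                    findings.append(Finding(lineno, kind, match.group(0)))
    return findings


def kinds_by_line(findings):
    """Collapse findings into {line_number: {kind, ...}} for easy inspection."""
    result = {}
    for finding in findings:
        result.setdefault(finding.line, set()).add(finding.kind)
    return result


# Constructed sample of a dropper-like script (203.0.113.7 is a documentation
# address; the onion hostname and webhook path are made up).
SAMPLE = '''\
import urllib.request
URL = "https://raw.githubusercontent.com/someuser/repo/main/stage2.bin"
C2 = "http://203.0.113.7:8080/beacon"
hook = "https://discord.com/api/webhooks/1234/abcdef"
# old = "http://abcdefghijklmnop.onion/drop" -- stale
data = urllib.request.urlopen("https://api.ipify.org?format=json").read()
'''

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line}: {f.kind}: {f.evidence}")
```

Line 3 illustrates why sources and sinks are separate knobs: the hardcoded IP is reported as a source and the plaintext `http://` as a sink, so disabling one does not hide the other. Line 5 is a commented-out onion URL; with the default empty neutralizations it is still flagged, and only the assumed "commented_out" neutralization suppresses it.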