Suspicious URL
ID | suspicious_url
Severity | info
Resource | Network
Tags | dropper
Description
This detector looks for hardcoded, possibly obfuscated, URLs that point to suspicious files or hosts.
Rationale
Suspicious URLs may involve unusual patterns, unusual destinations, or non-standard ports:
- Malware often establishes a communication channel with a remote command and control (C2) server operated by the attackers, so hardcoded C2 IP addresses or hostnames are commonly found in the source code.
- It may also exfiltrate data by issuing network requests to those servers.
- It frequently attempts to download additional malware payloads or updates: malicious software may request files from external servers to extend its capabilities or change its behavior.
Nowadays, many attacks rely on distributing malicious files through GitHub raw file links or Discord/Telegram attachments.
Related Malware campaigns
This is a common feature that can be found broadly in malicious code; nevertheless, some popular campaigns that used this technique are:
- 3CX Supply Chain Attack: unfolded in March 2023 as a significant supply chain security breach. The attackers infiltrated the application by incorporating a compromised library file, which led to the download of an encrypted file housing Command & Control information. The affected software ran a downloader, SUDDENICON, which in turn received additional command and control (C2) servers from encrypted icon files hosted on GitHub. The decrypted C2 server was used to download a third stage identified as ICONICSTEALER, a data miner that steals browser information.
Configuration
The detector has a parameter named url_evidence_kinds that selects which URL kinds the detector reports.
The available values are:
- dangerous_file_extension
- discord_attachment_link
- discord_webhook_link
- hardcoded_ip
- ip_leakage
- github_raw_link
- telegram_attachment_link
- tor_resource
- snippet_hosting
- file_hosting
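As an added illustration (not the detector's own code), the following Python sketch classifies URLs found in source lines into the evidence kinds listed above, reports only the kinds selected through url_evidence_kinds, and decodes base64 string literals first so that obfuscated URLs are matched as well. The host and path patterns, the constructed sample source, and the omission of the ip_leakage, tor_resource, snippet_hosting and file_hosting kinds are assumptions of this example.

```python
import base64
import re
from urllib.parse import urlparse

# Kinds follow this page's url_evidence_kinds list; host/path patterns are illustrative assumptions.
DANGEROUS_EXTENSIONS = (".exe", ".dll", ".scr", ".bat", ".ps1", ".vbs", ".jar")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")  # candidate obfuscated literals

def classify_url(url):
    """Return the evidence kinds a URL matches (empty set when none apply)."""
    p = urlparse(url)
    host, path = (p.hostname or "").lower(), p.path.lower()
    kinds = set()
    if IPV4_RE.match(host):
        kinds.add("hardcoded_ip")
    if host == "raw.githubusercontent.com":
        kinds.add("github_raw_link")
    if host.endswith(("discord.com", "discordapp.com")):
        if "/api/webhooks/" in path:
            kinds.add("discord_webhook_link")
        elif "/attachments/" in path:
            kinds.add("discord_attachment_link")
    if host == "api.telegram.org" and path.startswith("/file/"):
        kinds.add("telegram_attachment_link")
    if path.endswith(DANGEROUS_EXTENSIONS):
        kinds.add("dangerous_file_extension")
    return kinds

def decoded_literals(line):
    """Yield base64 literals that decode to text, so obfuscated URLs are seen."""
    for blob in B64_RE.findall(line):
        try:
            yield base64.b64decode(blob, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            pass  # not base64 text: ignore

def scan_source(source, url_evidence_kinds):
    """Report (line_no, url, kinds) for URLs of the configured evidence kinds."""
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        for url in URL_RE.findall(" ".join([line, *decoded_literals(line)])):
            kinds = classify_url(url) & set(url_evidence_kinds)
            if kinds:
                findings.append((n, url, sorted(kinds)))
    return findings

# Constructed sample source (TEST-NET address, fake ids); the last literal is a base64-encoded URL.
SAMPLE = 'u = "http://192.0.2.10/payload.exe"\nh = "https://discord.com/api/webhooks/1/x"\n'
SAMPLE += 'e = "' + base64.b64encode(b"https://raw.githubusercontent.com/o/r/main/l.py").decode() + '"'
```

Running scan_source(SAMPLE, [...]) with a subset of kinds shows how the parameter narrows the report: the hardcoded IP on line 1 is reported while its dangerous extension is dropped unless that kind is selected too.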