Common forms of malware will sometimes attempt to gather information about their environment in order to gauge whether or not their victims are of particular interest. Often using system queries and identifier websites such as whatismyipaddress.com, their attempts to determine information such as a target’s public IP address, location and language can be easily identified by modern network monitors and anti-virus tools. Everyday interactions with legitimate websites can also provide much of the same information and because these actions are legitimate, they tend not to be monitored. Threat actors are therefore able to bypass automated defenses by abusing the many genuine websites that often won’t be blocked for business reasons.
Easily Accessible
Cookies are records of a user’s interactions with any given webpage; often stored on a local machine, they can be easily accessed by malware. Google, for example, has a useful cookie which tracks whether a user has accepted its terms of service, and which contains information on the state of agreement, the country in which the computer is located and the language of the browser used.
What’s more, some servers include additional information about the local machine in the response header which, while not as easily accessible to the average user, could be leveraged by malicious actors to gain a wide range of information, such as the machine’s settings, location and unique identifiers. Wikipedia’s response headers, for instance, highlight the wealth of valuable information available to the malicious actor that knows where to look. The ‘set cookie’ field alone contains the browser’s GeoIP – its country, city and GPS coordinates.
In addition to cookies and response headers, malware may use other sources to obtain information on the local environment. Some will use location and language, for example, or note the operating system to determine what additional files to deliver, while others will determine if a VPN is being used before deciding whether or not to run.
Leveraging Information
Environmental information such as this can be used to avoid having to directly query a local machine, thereby evading techniques that would trigger automated defenses. By using wikipedia.org to determine the region of an infected computer, for example, a malicious document could bypass network monitoring systems looking for web traffic to known identifier websites, and then download malware that is specifically tailored to combat the anti-virus software used in that particular region.
Some malware families won’t run unless the infected machine is located in a specific region, while other threat actors will make use of information such as a computer’s IP address to determine whether the machine is within an IP range of particular interest, such as Microsoft Azure or AWS.
Awareness and Intelligence
Automated systems and malware sandboxes will often monitor a list of events rarely made by legitimate software, such as system queries for information including cryptographic key generation, system language or operating system version. In addition, alerts can be triggered when certain domains or suspicious requests appear in network traffic.
It’s clear, therefore, that this website abuse technique offers several benefits to attackers, not least the fact that it is difficult for organizations to defend against. Google and Wikipedia can’t simply be blocked, after all, and local and network defenses may be unable to recognize traffic that is not inherently malicious. While it doesn’t disguise the connections between the malware and its C&C hosts or payload servers, it certainly hinders analysis and slows detection, enabling infections to progress further than they normally might.
By abusing legitimate websites, and leveraging tools that often can’t be blocked for business reasons, malicious actors are able to bypass automated defenses with a worrying amount of ease. It’s crucial, therefore, that every employee within an organization understands this particular threat vector and, complemented by human verified intelligence, is trained to recognize and report it as soon as it’s spotted.