Threat Feed
medium advisory

macOS DNS Request for IP Lookup Service via Unsigned Binary

An unsigned or untrusted binary on macOS is performing DNS requests for IP lookup services to determine the system's external IP address, which is commonly used by malware for reconnaissance before establishing C2 connections.

This detection fires when a DNS request for an IP lookup service, used to determine the external IP address of a macOS system, is made by an unsigned or untrusted binary. The technique is frequently employed by malware for reconnaissance prior to establishing command and control (C2) communications. The detection focuses on DNS queries from processes lacking valid code signatures, which can indicate malicious or suspicious software. A typical pattern involves an unsigned Mach-O or script resolving domains like api.ipify.org or ipinfo.io immediately after execution, followed by outbound beacons. Detecting this activity matters because it is an early-stage indicator of compromise, allowing defenders to disrupt potential malware before further malicious actions can be performed.
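The detection logic described above, written out as an added example (not the vendor's Sigma rule and not code from this advisory): it takes macOS endpoint DNS-query events that carry the querying process's code-signing state, matches the queried name against domains from the IOC table (including the table's own `*.geojs.io` wildcard entry), and raises an alert only when the process is unsigned, ad-hoc signed, invalidly signed, or validly signed without a platform or Developer ID identity. The event field names (`signature_status`, `platform_binary`, `team_id`, `signing_id`, `query`), the `ALLOWED_SIGNING_IDS` tuning set, and the sample events are all constructed assumptions, not a real EDR schema.

```python
"""Flag DNS queries for IP-lookup services made by unsigned or untrusted
macOS processes. Added example: the event schema and sample data are
constructed, not taken from any product or from the advisory."""
from typing import Iterable

# Domains from the advisory's IOC table (subset; "*.geojs.io" is the table's
# own wildcard entry).
IP_LOOKUP_DOMAINS = [
    "api.ipify.org", "api64.ipify.org", "ipinfo.io", "ip-api.com", "ipwho.is",
    "checkip.dyndns.org", "icanhazip.com", "ifconfig.me", "ident.me",
    "checkip.amazonaws.com", "myip.opendns.com", "httpbin.org", "*.geojs.io",
]

# Signature states treated as untrusted. "adhoc" is included because an
# ad-hoc signature (codesign -s -) carries no verifiable identity.
UNTRUSTED_SIGNATURE_STATES = {"unsigned", "invalid", "adhoc"}

# Tuning hook: signing IDs of software known to check its external IP for a
# legitimate reason (constructed placeholder value).
ALLOWED_SIGNING_IDS = {"com.example.vpnclient"}


def domain_matches(query: str) -> bool:
    """True if the queried name is an IP-lookup service domain.
    Case and a trailing dot are normalised; "*.x" matches any label under x
    but not the apex x itself unless it is listed explicitly."""
    name = query.rstrip(".").lower()
    for pattern in IP_LOOKUP_DOMAINS:
        if pattern.startswith("*."):
            if name.endswith(pattern[1:]):
                return True
        elif name == pattern:
            return True
    return False


def is_untrusted(event: dict) -> bool:
    """Unsigned, ad-hoc or invalid signature, or a 'valid' signature that is
    neither an Apple platform binary nor tied to a Developer ID team."""
    status = event.get("signature_status", "unsigned")
    if status in UNTRUSTED_SIGNATURE_STATES:
        return True
    return not (event.get("platform_binary") or event.get("team_id"))


def detect(events: Iterable[dict]) -> list:
    """Return one alert per DNS query that hits an IP-lookup domain from an
    untrusted, non-allowlisted process (maps to T1016.001)."""
    alerts = []
    for ev in events:
        if ev.get("event_type") != "dns_query":
            continue
        if not domain_matches(ev.get("query", "")):
            continue
        if ev.get("signing_id") in ALLOWED_SIGNING_IDS:
            continue
        if not is_untrusted(ev):
            continue
        alerts.append({
            "host": ev.get("host"), "pid": ev.get("pid"),
            "process": ev.get("process_path"), "parent": ev.get("parent_path"),
            "query": ev.get("query"),
            "signature_status": ev.get("signature_status"),
            "technique": "T1016.001",
        })
    return alerts


# Constructed sample events exercising each branch of the logic.
SAMPLE_EVENTS = [
    # Apple platform binary (a user running curl): signed, not flagged.
    {"event_type": "dns_query", "host": "mac-01", "pid": 4101,
     "process_path": "/usr/bin/curl", "parent_path": "/bin/zsh",
     "signature_status": "valid", "platform_binary": True, "team_id": None,
     "signing_id": "com.apple.curl", "query": "ifconfig.me"},
    # Unsigned Mach-O in a temp directory resolving an IP-lookup service: flagged.
    {"event_type": "dns_query", "host": "mac-01", "pid": 4122,
     "process_path": "/private/tmp/.cache/updater", "parent_path": "/bin/bash",
     "signature_status": "unsigned", "platform_binary": False, "team_id": None,
     "signing_id": None, "query": "api.ipify.org."},
    # Ad-hoc signed app hitting the wildcard geojs.io entry: flagged.
    {"event_type": "dns_query", "host": "mac-02", "pid": 877,
     "process_path": "/Users/alice/Downloads/Installer.app/Contents/MacOS/Installer",
     "parent_path": "/sbin/launchd", "signature_status": "adhoc",
     "platform_binary": False, "team_id": None, "signing_id": "Installer-5555",
     "query": "get.geojs.io"},
    # Unsigned process, but the domain is not an IP-lookup service: not flagged.
    {"event_type": "dns_query", "host": "mac-02", "pid": 880,
     "process_path": "/private/tmp/.cache/updater", "parent_path": "/bin/bash",
     "signature_status": "unsigned", "platform_binary": False, "team_id": None,
     "signing_id": None, "query": "example.com"},
    # Developer ID-signed and allowlisted VPN client: not flagged.
    {"event_type": "dns_query", "host": "mac-03", "pid": 512,
     "process_path": "/Applications/VPN.app/Contents/MacOS/VPN",
     "parent_path": "/sbin/launchd", "signature_status": "valid",
     "platform_binary": False, "team_id": "ABCDE12345",
     "signing_id": "com.example.vpnclient", "query": "ipinfo.io"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, only the unsigned temp-directory binary and the ad-hoc signed installer produce alerts; `curl` is excluded by its Apple platform signature, not by its path, which is the point of keying the rule on signing state. Several listed domains (for example httpbin.org and checkip.amazonaws.com) are also used by legitimate tooling, so tuning belongs in the signing-ID allowlist rather than in the domain list, and each alert keeps the parent path so the investigation steps in the recommendations can start from the alert itself.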

Attack Chain

  1. A malicious or unwanted application is executed on a macOS system, often lacking a valid or trusted code signature.
  2. The application attempts to determine the system’s external IP address to potentially tailor further actions.
  3. To discover the external IP, the application performs a DNS lookup for a known IP lookup service domain (e.g., api.ipify.org, ipinfo.io).
  4. The DNS query is resolved, providing the application with the system’s external IP address.
  5. The application may then use the IP address to determine the system’s geolocation or other network-related information.
  6. Based on the gathered information, the application may select a command and control (C2) server or adjust its behavior.
  7. The application initiates a connection to the selected C2 server, potentially downloading further malicious payloads or receiving instructions.
  8. Finally, the malware establishes C2 communication and starts exfiltrating data or performing other malicious actions.

Impact

Compromised systems can lead to data exfiltration, unauthorized access, and further propagation of malware within the network. Successful reconnaissance allows attackers to tailor their attacks, potentially evading detection and maximizing impact. While the severity is medium, early detection of this activity is crucial to prevent more significant damage. The absence of a valid code signature increases the likelihood of the process being malicious.

Recommendation

  • Deploy the Sigma rule “Detect DNS Request for IP Lookup Service via Unsigned Binary” to your SIEM and tune for your environment to detect unsigned binaries querying for IP lookup services.
  • Investigate any alerts generated by the Sigma rule, focusing on the process’s origin, parent processes, and subsequent network activity.
  • Block the observed IP-lookup domains listed in the IOC table at the DNS resolver to prevent further reconnaissance.
  • Isolate affected macOS hosts from the network if unsigned processes continue to resolve IP-lookup domains or initiate new outbound connections.
  • Acquire and analyze any unsigned binaries identified by the detection rule to confirm intent and scope of compromise.

Detection coverage (2 rules)

Detect DNS Request for IP Lookup Service via Unsigned Binary (severity: medium)

Detects when a DNS request is made for an IP lookup service by an unsigned or untrusted binary on macOS, commonly used for reconnaissance.

Rule type: sigma | Tactics: discovery | Techniques: T1016, T1016.001 | Sources: dns_query, macos

Detect Unsigned Process Executing Network Activity (severity: low)

Detects an unsigned process making network connections.

Rule type: sigma | Tactics: command_and_control | Techniques: T1071 | Sources: network_connection, macos


Indicators of compromise (42, all of type domain)

Type     Value
domain   api.ipify.org
domain   ipinfo.io
domain   ip-api.com
domain   ipwho.is
domain   checkip.dyndns.org
domain   api.npoint.io
domain   whatismyip.akamai.com
domain   bot.whatismyipaddress.com
domain   ifcfg.me
domain   ifconfig.me
domain   ident.me
domain   ipof.in
domain   ip.tyk.nu
domain   ipwhois.app
domain   freeipapi.com
domain   icanhazip.com
domain   curlmyip.com
domain   wgetip.com
domain   eth0.me
domain   ipecho.net
domain   ip.appspot.com
domain   api.myip.com
domain   geoiptool.com
domain   api.2ip.ua
domain   api.ip.sb
domain   checkip.amazonaws.com
domain   wtfismyip.com
domain   freegeoip.net
domain   freegeoip.app
domain   myip.ipip.net
domain   geoplugin.net
domain   myip.dnsomatic.com
domain   www.geoplugin.net
domain   api64.ipify.org
domain   ip4.seeip.org
domain   *.geojs.io
domain   portmap.io
domain   api.db-ip.com
domain   geolocation-db.com
domain   inet-ip.info
domain   httpbin.org
domain   myip.opendns.com