Skip to content
Threat Feed
low advisory

Linux External IP Address Discovery via Curl

Malware and threat actors on Linux systems utilize the `curl` command to query public web services for external IP address discovery, a reconnaissance technique (T1016) that can precede further C2 establishment or targeted attacks.

This brief details a common reconnaissance technique employed by malware and threat actors operating on Linux systems: the discovery of a compromised host's external IP address using the curl utility. Attackers leverage curl to send requests to various public IP lookup services (e.g., ip-api.com, ifconfig.me), which then return the external IP address of the originating request. This action is crucial for attackers to understand their network egress point, configure command and control (C2) channels, or to tailor subsequent attack phases based on the victim's geographical or network location. The detection focuses on identifying curl executions where the command line arguments contain known domain patterns for these IP lookup services. This activity, while benign in some legitimate contexts, is frequently observed as a post-exploitation step, making it a valuable indicator of potential malicious activity.

Attack Chain

  1. Initial Compromise: An attacker gains initial access to a Linux system through various means (e.g., exploiting a vulnerability, phishing, weak credentials).
  2. Establish Foothold: The attacker establishes persistence and ensures continued access to the compromised system.
  3. Process Execution: The attacker executes the curl utility, often from a suspicious parent process or unusual directory.
  4. External IP Lookup: curl is directed to query a known public web service (e.g., api.ipify.org, icanhazip.com) to retrieve the host's external IP address.
  5. Information Gathering: The output of the curl command, containing the external IP, is captured by the attacker.
  6. Reconnaissance/C2 Setup: The obtained external IP address is then used by the attacker for further reconnaissance, establishing a stable command and control (C2) channel, or preparing for subsequent stages of their operation.

Impact

Successful external IP address discovery by an attacker, while not directly damaging, is a critical precursor to more impactful activities. It provides the adversary with essential network context, enabling them to bypass network segmentation, configure firewalls or routing for C2 communications, or identify targets within the same external network space. This can lead to subsequent data exfiltration, deployment of additional malware, or lateral movement within the victim's broader infrastructure, significantly increasing the risk of financial loss, data breach, or operational disruption.

Recommendation

  • Deploy the provided Sigma rule "Linux External IP Address Discovery via Curl" to your SIEM/EDR to detect this specific reconnaissance technique.
  • Ensure process creation logging is enabled for curl on Linux endpoints, as required for the detection rule to function effectively.
  • Block connections to the listed public IP lookup domains (e.g., ip-api.com, api.ipify.org, icanhazip.com) at the network perimeter where appropriate to limit an attacker's ability to perform this reconnaissance.
  • Investigate alerts generated by the "Linux External IP Address Discovery via Curl" rule, focusing on the parent process and execution path of curl for signs of compromise.

Detection coverage 1

Linux External IP Address Discovery via Curl

low

Detects the execution of 'curl' on Linux systems to query known public web services for external IP address discovery, a common reconnaissance technique used by malware.

sigma tactics: discovery techniques: T1016 sources: process_creation, linux

Detection queries are available on the platform. Get full rules →

Indicators of compromise

38

domain

TypeValue
domainip-api.com
domaincheckip.dyndns.org
domainapi.ipify.org
domainwhatismyip.akamai.com
domainbot.whatismyipaddress.com
domainifcfg.me
domainifconfig.me
domainident.me
domainipof.in
domainip.tyk.nu
domainicanhazip.com
domaincurlmyip.com
domainwgetip.com
domaineth0.me
domainipecho.net
domainip.appspot.com
domainapi.myip.com
domaingeoiptool.com
domainapi.2ip.ua
domainapi.ip.sb
domainipinfo.io
domaincheckip.amazonaws.com
domainwtfismyip.com
domainfreegeoip.net
domainfreegeoip.app
domaingeoplugin.net
domainmyip.dnsomatic.com
domainwww.geoplugin.net
domainapi64.ipify.org
domainip4.seeip.org
domain*.geojs.io
domainportmap.io
domainapi.db-ip.com
domaingeolocation-db.com
domainhttpbin.org
domainmyip.opendns.com
domainipv4.icanhazip.com
domainipv6.icanhazip.com