{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/unsigned_binary/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["discovery","macos","dns","reconnaissance","unsigned_binary"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection identifies when a DNS request is made for an IP lookup service to determine the external IP address of a macOS system via an unsigned or untrusted binary. This technique is frequently employed by malware for reconnaissance purposes prior to establishing command and control (C2) communications. The detection focuses on identifying DNS queries from processes lacking valid code signatures, which can indicate the presence of malicious or suspicious software. A typical pattern involves an unsigned Mach-O or script resolving domains like api.ipify.org or ipinfo.io immediately after execution, followed by outbound beacons. This activity is important to detect because it is an early-stage indicator of compromise, allowing defenders to disrupt potential malware before further malicious actions can be performed.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious or unwanted application is executed on a macOS system, often without a valid or trusted code signature.\u003c/li\u003e\n\u003cli\u003eThe application attempts to determine the system\u0026rsquo;s external IP address to potentially tailor further actions.\u003c/li\u003e\n\u003cli\u003eTo discover the external IP, the application performs a DNS lookup for a known IP lookup service domain (e.g., api.ipify.org, ipinfo.io).\u003c/li\u003e\n\u003cli\u003eThe DNS query is resolved, providing the application with the system\u0026rsquo;s external IP address.\u003c/li\u003e\n\u003cli\u003eThe application may then use the IP address to determine the system\u0026rsquo;s geolocation or other network-related information.\u003c/li\u003e\n\u003cli\u003eBased on the gathered information, the application may select a command and control (C2) server or adjust its behavior.\u003c/li\u003e\n\u003cli\u003eThe application initiates a connection to the selected C2 server, potentially downloading further malicious payloads or receiving instructions.\u003c/li\u003e\n\u003cli\u003eFinally, the malware establishes C2 communication and starts exfiltrating data or performing other malicious actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromised systems can lead to data exfiltration, unauthorized access, and further propagation of malware within the network. Successful reconnaissance allows attackers to tailor their attacks, potentially evading detection and maximizing impact. While the severity is medium, early detection of this activity is crucial to prevent more significant damage. The absence of a valid code signature increases the likelihood of the process being malicious.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect DNS Request for IP Lookup Service via Unsigned Binary\u0026rdquo; to your SIEM and tune it for your environment to detect unsigned binaries querying IP lookup services.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the process\u0026rsquo;s origin, parent processes, and subsequent network activity.\u003c/li\u003e\n\u003cli\u003eBlock the observed IP-lookup domains listed in the IOC table at the DNS resolver to prevent further reconnaissance.\u003c/li\u003e\n\u003cli\u003eIsolate affected macOS hosts from the network if unsigned processes continue to resolve IP-lookup domains or initiate new outbound connections.\u003c/li\u003e\n\u003cli\u003eAcquire and analyze any unsigned binaries identified by the detection rule to confirm the intent and scope of compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-macos-unsigned-ip-lookup/","summary":"An unsigned or untrusted binary on macOS is performing DNS requests for IP lookup services to determine the system's external IP address, which is commonly used by malware for reconnaissance before establishing C2 connections.","title":"macOS DNS Request for IP Lookup Service via Unsigned Binary","url":"https://feed.craftedsignal.io/briefs/2024-01-macos-unsigned-ip-lookup/"}],"language":"en","title":"CraftedSignal Threat Feed — Unsigned_binary","version":"https://jsonfeed.org/version/1.1"}