Malware Using API to Detect MAC Address for Location Data

Freelance researcher Xavier Mertens discovered malware using a more detailed location service than previous samples. For some time now, malicious software has queried IP geolocation data to determine whether an infected victim is within a desired country, or even within a specific organization being targeted. This newer sample goes further: it makes use of an API service that returns detailed location data based on the last known location of the router's MAC address.

What does greater location accuracy help with?

For one, it lets an attacker better understand how their malware is spreading among related networks. It could also be used to identify a specific branch location of a target, for instance.

More details?

Alexander's post goes into greater detail on the observed sample. For ScoutDNS users, we pay special attention to domain-based indicators.

Domain Indicators:

We can defend against this kind of malware with DNS filtering. We usually do this by blocking command and control domains. In this case, we can block the related API service outright if we have no legitimate use for it, or we can simply search our DNS logs for any networks that have tried to resolve it. The two domain indicators are: (domain used to retrieve WAN IP address) and (API of the MAC address call service).
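As an added example (not ScoutDNS code), the search described above over resolver logs: it flags clients that resolved the WAN-IP lookup domain and then the MAC geolocation API within a short window, the order the sample follows, and reports lone hits separately. The domain names, the log line format and the sample lines are all constructed placeholders; substitute the real indicators from the researcher's post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder indicator domains (assumption); the real ones are in the researcher's post.
WAN_IP_LOOKUP_DOMAIN = "wanip-lookup.example"
MAC_GEO_API_DOMAIN = "mac-geo-api.example"

# Constructed sample resolver log lines: "<ISO timestamp> <client_ip> <queried_name>"
SAMPLE_LOG = """\
2019-03-04T09:00:01 10.1.4.22 www.microsoft.com
2019-03-04T09:00:05 10.1.4.22 wanip-lookup.example
2019-03-04T09:00:07 10.1.4.22 mac-geo-api.example
2019-03-04T09:05:00 10.1.7.9 wanip-lookup.example
2019-03-04T09:30:00 10.1.7.9 mac-geo-api.example
2019-03-04T10:00:00 10.1.9.3 mac-geo-api.example
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Return (timestamp, client, name) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        events.append((ts, m.group(2), m.group(3).lower().rstrip(".")))
    return events


def find_sequence(events, window=timedelta(minutes=5)):
    """Split clients into (sequenced, single).

    sequenced: WAN-IP lookup followed by a MAC geolocation query within `window`,
    the order the sample uses (learn the WAN address, then geolocate the router).
    single: only one of the two indicators seen; reported separately because the
    API may have legitimate users."""
    by_client = defaultdict(list)
    for ts, client, name in sorted(events):
        by_client[client].append((ts, name))
    sequenced, single = set(), set()
    for client, hist in by_client.items():
        lookups = [t for t, n in hist if n == WAN_IP_LOOKUP_DOMAIN]
        geo = [t for t, n in hist if n == MAC_GEO_API_DOMAIN]
        if any(timedelta(0) <= (g - l) <= window for l in lookups for g in geo):
            sequenced.add(client)
        elif lookups or geo:
            single.add(client)
    return sorted(sequenced), sorted(single)
```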

ScoutDNS makes it easy for organizations to quickly search across any number of networks and locations to find potentially malicious activity.


