Search
Close this search box.
geolocation_mac_ioc

Malware Using API to Detect MAC Address for Location Data

Freelance researcher Xavier Mertens discovered malware using a more detailed location service than previous types. For some time now, malicious software has queried IP data in order to determine if an infected victim was within a desired country or even a specific organization that was to be targeted. With this newer sample, the malware makes use of an API service that serves up detailed location data based on the last known location of a routers MAC address.

What does greater location accuracy help with?

For one, an attacker could better understand how their malware was spreading amongst related networks. It could also be used to better ID a specific branch location of a target for instance.

More details?

Alexander’s post goes into greater detail based on his observed sample. For ScoutDNS users, we pay special attention to domain based indicators.

Domain Indicators:

We can defend against malware with DNS filtering. We usually do this by blocking command and control domains. In this case, we could block the related API service if we have no use for it, or we can simply use it to search for any networks that have tried to access it.

icanhazip.com (domain used to retrieve WAN IP address)

api.mylnikov.org (API of the MAC address call service)

ScoutDNS makes it easy for organizations to quickly search across any number of networks and locations to find potentially malicious activity.

 

 

More To Explore

Custom Block Pages

We are happy to announce that custom block pages are here and available for all ScoutDNS accounts. Along with our improved block page service, operators

New Relay Caching Feature v1.3.1

Excited to announce we have added caching to the ScoutDNS relays. This allows the fastest possible queries to users and devices on network with sub-millisecond

Have any questions? Just Ask