Last week, I found a malware sample that does nothing fancy, it’s a data stealer but it has an interesting feature. It’s always interesting to have a look at the network flows generated by malware samples. For a while, attackers use GeoIP API services to test if the victim’s computer deserves to be infected… or not! By checking the public IP address used by the victim, an attacker might prevent “friends” to be infected (ex: IP addresses from the attacker’s country) or if the IP address belongs to a security vendor. On the other side, the attacker might decide to infect the computer because it is located in a specific country or belongs to the targeted organization. There is plenty of free APIs that offer this feature. The ISC API provides also the same kind of details (but only the country)
Article Link: https://isc.sans.edu/diary/rss/26910