In the ever-evolving landscape of cybersecurity threats, traditional static methods of assessing malicious IP addresses and the (continued) validity of the corresponding threat indicators (IoCs) often fall short, leading to a high rate of false positives. This is where IoChecker steps in, offering a dynamic and data-driven solution.
IoChecker leverages the internet scanner Censys to dynamically assess whether an IP address that was designated as malicious is in fact still under the control of an attacker. By continuously scanning and analysing real-time data, IoChecker provides a more accurate and up-to-date designation of malicious IPs than traditional static methods. This dynamic approach significantly reduces the likelihood of false positives and negatives, thus ensuring that security teams can focus on genuine (current) threats and respond more effectively. By looking at a variety of features available in the Censys data set, a change in ownership of a Command and Control (C2) server is immediately detected. IoChecker was successfully tested on four malware families, namely BazarLoader, BumbleBee, Emotet and QakBot.
This work will be presented on December 15th 2024 at the CyberHunt 2024 conference in Washington, D.C. The corresponding paper will be published in the proceedings.
IoChecker is a Python command-line tool that ingests the IP address of a C2 server and the date of first observed malicious activity and subsequently returns whether or not the IP address is still under control of an attacker.
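The following is an added illustration of the idea behind the tool, not IoChecker's own code: it takes an IP and a first-seen date, picks a baseline host snapshot from around that date and the latest snapshot, and compares ownership-related features (ASN, exposed services, TLS certificate) to decide whether the host still looks like the same attacker-controlled asset. The snapshot fields, thresholds and sample records are assumptions constructed for the example; the real tool pulls its data from Censys.

```python
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class HostSnapshot:
    """One scanner observation of a host (field names are assumed, not Censys' schema)."""
    ip: str
    observed: date
    asn: int                              # autonomous system announcing the IP
    services: FrozenSet[Tuple[int, str]]  # (port, protocol) pairs seen open
    tls_fingerprint: Optional[str]        # SHA-256 of the leaf certificate, if any

def ownership_changed(first: HostSnapshot, current: HostSnapshot) -> Tuple[bool, List[str]]:
    """Compare the baseline snapshot with the latest one. A change of ASN, a fully disjoint
    service set, or a replaced TLS certificate together with a mostly different service set
    is taken as evidence that the box was re-assigned or re-provisioned (assumed heuristic)."""
    reasons: List[str] = []
    if first.asn != current.asn:
        reasons.append(f"asn {first.asn} -> {current.asn}")
    overlap = len(first.services & current.services) / max(len(first.services), 1)
    if overlap == 0:
        reasons.append("no overlap in exposed services")
    cert_replaced = bool(first.tls_fingerprint) and first.tls_fingerprint != current.tls_fingerprint
    if cert_replaced and overlap < 0.5:
        reasons.append("tls certificate replaced and service set mostly changed")
    return bool(reasons), reasons

def assess(ip: str, first_seen: date, history: List[HostSnapshot]) -> dict:
    """Same contract as the CLI: IP + first-seen date -> is it still attacker controlled?"""
    hist = sorted((s for s in history if s.ip == ip), key=lambda s: s.observed)
    if not hist:
        return {"ip": ip, "verdict": "unknown", "reasons": ["no scan data for this IP"]}
    # Baseline = earliest scan on/after the first-seen date (fallback: oldest scan we have).
    baseline = next((s for s in hist if s.observed >= first_seen), hist[0])
    latest = hist[-1]
    changed, reasons = ownership_changed(baseline, latest)
    return {"ip": ip, "verdict": "released" if changed else "still_active",
            "baseline": baseline.observed.isoformat(), "latest": latest.observed.isoformat(),
            "reasons": reasons}

# Constructed sample history: documentation-range IPs, made-up ASNs and fingerprints.
SAMPLE_HISTORY = [
    HostSnapshot("203.0.113.10", date(2024, 3, 2), 64500, frozenset({(443, "https"), (8080, "http")}), "aa11"),
    HostSnapshot("203.0.113.10", date(2024, 6, 1), 64500, frozenset({(443, "https"), (8080, "http")}), "aa11"),
    HostSnapshot("198.51.100.7", date(2024, 3, 3), 64501, frozenset({(443, "https")}), "bb22"),
    HostSnapshot("198.51.100.7", date(2024, 6, 1), 64502, frozenset({(22, "ssh"), (80, "http")}), None),
]

if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7"):
        print(assess(ip, date(2024, 3, 1), SAMPLE_HISTORY))
```

The first sample host keeps its ASN, services and certificate and is reported as still active; the second moved to another ASN with a different service set and is reported as released, which is the case where a static blocklist entry would now be a false positive.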