Early this month, IronNet analytics detected an unusual HTTPS connection between internal resources and 173.231.16[.]76.
A review of the PCAP showed the connection was initiated by a Chrome extension, as the traffic contained an extension ID. This extension made a GET request to api.ipify[.]org, a well-known domain offering a public IP address API. Developers (anyone, really) can use api.ipify[.]org to look up their public IP address in support of all sorts of services.
api.ipify[.]org and similar domains have long been used by malware to look up an infected device's public IP. In research on malicious artifacts published by SANS, Jay Yanza found api.ipify[.]org used as a third-party external IP lookup in 205 of 7747 unique file hashes; other IP lookup sites accounted for over 2000. Of all malware types, ransomware uses external IP lookups most often, as it is generally a location-based threat. While an external IP lookup is not in and of itself malicious, it may be an unexpected occurrence that warrants further investigation.
Malicious Chrome extensions are used to infiltrate endpoints via web browsers. Unfortunately, these extensions can sometimes be offered on the Chrome Web Store. McAfee, for example, discovered a fake Netflix Party Chrome extension in 2022 that stole gift card information entered by the victim. Such malicious extensions could easily reach out to a third-party IP lookup to confirm they had reached the intended victims or simply to track their infections.
A simple Google search revealed that the extension ID in question belonged to a legitimate and expected Chrome extension. Our team searched the associated vendor's documentation to see whether this network connection was listed. It was not, raising concerns about potentially undocumented changes to, or compromise of, the third-party vendor's Chrome extension.
We reached out to the vendor to confirm whether the connection to api.ipify[.]org was expected. The vendor escalated the finding to its engineering team, which indicated that the activity is expected but that they would determine whether the connection is actually required. The vendor further added that it will update its documentation once it has determined whether doing so would break any functionality.
Although benign, this activity was an example of a legitimate extension reaching out to an undocumented domain. Security teams should be on the lookout for anomalous network connections in their environments, even from expected devices, applications, and extensions. External IP lookups, while not inherently bad, can be indications of anomalous or even malicious activity. Organizations should be aware of network behavior and permissions—both expected and unexpected—when it comes to the products provided by third parties.
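An added example of the kind of check this post calls for (not IronNet's tooling): it scans constructed JSON proxy log lines for requests to external IP lookup services, pulls the Chrome extension ID from the chrome-extension:// Origin header where one is present, and flags the connection when the vendor's documented host list does not include it. The extension ID, the vendor domain, the log format and the documented-host list are all assumptions made for the example.

```python
import json
import re

# Domains commonly used for external IP lookups. api.ipify.org is the one
# observed in this post; the other two are well-known equivalents.
IP_LOOKUP_DOMAINS = {"api.ipify.org", "ifconfig.me", "icanhazip.com"}

# Chrome extension IDs are 32 lowercase letters a-p; an extension's requests
# carry them in the Origin header as chrome-extension://<id>.
EXTENSION_ORIGIN = re.compile(r"^chrome-extension://([a-p]{32})$")

# Constructed example: hosts the vendor documents, per extension ID.
# The extension ID and vendor domain are placeholders, not real values.
DOCUMENTED_HOSTS = {
    "abcdefghijklmnopabcdefghijklmnop": {"api.example-vendor.invalid"},
}

# Constructed proxy log lines (JSON, one HTTPS request per line).
SAMPLE_LOG = """
{"src": "10.0.0.15", "dst": "203.0.113.10", "host": "api.example-vendor.invalid", "origin": "chrome-extension://abcdefghijklmnopabcdefghijklmnop"}
{"src": "10.0.0.15", "dst": "203.0.113.20", "host": "api.ipify.org", "origin": "chrome-extension://abcdefghijklmnopabcdefghijklmnop"}
{"src": "10.0.0.22", "dst": "203.0.113.30", "host": "ifconfig.me", "origin": ""}
{"src": "10.0.0.9", "dst": "203.0.113.40", "host": "www.example.org", "origin": ""}
"""


def find_ip_lookups(log_text, documented=DOCUMENTED_HOSTS):
    """Return one finding per request to an external IP lookup service.

    Each finding records the source, the host, the extension ID if the request
    came from a Chrome extension, and whether the vendor documents that host."""
    findings = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        host = rec["host"].lower()
        if host not in IP_LOOKUP_DOMAINS:
            continue  # ordinary traffic, not an IP lookup
        m = EXTENSION_ORIGIN.match(rec.get("origin", ""))
        ext_id = m.group(1) if m else None  # None: not from an extension
        is_documented = host in documented.get(ext_id, set())
        findings.append({"src": rec["src"], "host": host,
                         "extension_id": ext_id, "documented": is_documented})
    return findings


if __name__ == "__main__":
    for finding in find_ip_lookups(SAMPLE_LOG):
        print(finding)
```

Undocumented findings with an extension ID are the ones to raise with the vendor, as the post describes; findings without an extension ID point at some other process on the host and need a different follow-up.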