Cyber Threat Intelligence Report

Uploaded by

pgjack895
Cyber Threat Intelligence Report

Malware Activity Investigation: IP Address 20.217.217.224

Prepared by: Vijaykumar Prajapati
Field of work: Cyber security researcher
Table of Contents
1. Executive Summary
2. Detection and Findings
   2.1 Detailed Phishing Detection
   2.2 Detailed Malware Activity
   2.3 Key Details from the Image
3. Indicators of Compromise (IOCs)
4. Potential Scenarios Involving This IP
5. Recommendations
6. Prevention Measures
   6.1 Network Security Measures
   6.2 Secure Remote Desktop Protocol (RDP)
   6.3 Phishing Mitigation
   6.4 Malware Prevention
   6.5 Incident Response Preparedness
   6.6 Threat Intelligence Integration
7. Conclusion

1. Executive Summary

IP address 20.117.117.224 has been flagged for malicious activity, including phishing campaigns and
malware distribution, as well as exposing an RDP service that could be exploited for unauthorized
access. Despite being hosted under Microsoft’s infrastructure, this IP presents a significant security
risk.
To address these threats, organizations should take immediate action by blocking the IP, securing
remote desktop services, and deploying endpoint protection to prevent malware infections. In
addition, enhancing email security, training staff to recognize phishing attacks, and integrating threat
intelligence will help further mitigate risks.
By implementing these prevention measures, businesses can reduce exposure to attacks and
strengthen their cybersecurity posture against evolving threats.

The image shows a table of security vendors that have flagged an IP address (20.117.117.224) for
phishing and malicious activities. Here is a summary:

1.1 Phishing Detection:
Multiple vendors, including alphaMountain.ai, BitDefender, ESET, Gridinsoft, Phishtank, SOCRadar,
Sophos, Trustwave, VIPRE, and others, flagged the IP as Phishing.

1.2 Malicious Activity:
Some vendors, such as Cluster25, CyRadar, and SecLookup, identified the IP as Malicious.

This indicates that the IP address is highly suspicious and likely involved in malicious or phishing
activities based on analyses from various security tools. Proceed with caution when interacting with
resources associated with this IP.

2. Detection and Findings

2.1 Detailed Phishing Detection

Phishing refers to fraudulent attempts to steal sensitive information such as login credentials,
financial details, or personal data by impersonating a trustworthy entity. The analysis of this IP
reveals the following details:

Vendors Reporting Phishing Activity
1. alphaMountain.ai:
   - A security intelligence vendor specializing in detecting phishing campaigns and
     malicious URLs. They flagged the IP for phishing behavior, likely due to its
     association with deceptive websites or suspicious domains.
2. BitDefender:
   - A global leader in cybersecurity solutions. The flag suggests that the IP may host or
     be involved in delivering phishing attacks through compromised websites, fake login
     pages, or emails.
3. ESET:
   - Known for advanced threat detection. The detection indicates the IP could be linked
     to phishing tactics targeting individuals or organizations to steal credentials or
     confidential information.
4. Gridinsoft:
   - Security tools provider focusing on malware and phishing detection. Their flag likely
     points to phishing infrastructure hosted on this IP.
5. Phishtank:
   - A specialized community-driven phishing database. This detection is significant as
     Phishtank focuses entirely on identifying and verifying phishing threats.
6. SOCRadar:
   - A vendor providing threat intelligence. Their report implies that the IP is a source or
     intermediary in phishing campaigns.
7. Sophos:
   - A well-established cybersecurity company. Their detection confirms phishing activity
     tied to this IP, suggesting involvement in fraudulent activities like credential theft.
8. Trustwave:
   - Focuses on managed threat detection. The IP's classification as phishing indicates its
     use in schemes to impersonate reputable brands or services.
9. VIPRE:
   - Provides advanced email and threat detection. The flag indicates that this IP is used in
     phishing attempts, possibly for email-based fraud.

2.2 Detailed Malware Activity Summary

Malware activity refers to the use of this IP for purposes like hosting, distributing, or controlling
malware. Malware can include viruses, ransomware, trojans, spyware, or any software designed to
cause harm. The vendors who flagged this IP provide key insights into its behavior:

Vendors Reporting Malicious Activity
1. Cluster25:
   - A cybersecurity and threat intelligence vendor specializing in malware campaigns and
     advanced persistent threats (APTs). Their flag indicates that the IP may be part of a
     malware distribution network, hosting malicious files or acting as a command-and-control
     (C2) server.
2. CyRadar:
   - Known for advanced detection mechanisms that analyze network behavior and
     anomaly detection. CyRadar's classification of this IP as malicious implies that it
     might be involved in delivering malware payloads or participating in botnet activities.
3. SecLookup:
   - A threat intelligence provider that focuses on identifying emerging threats. Their
     detection indicates that the IP is either directly hosting malware or being used as part
     of malicious operations such as phishing campaigns or exploit kits.

2.3 Key Details from the Image

1. IP Address: 20.117.117.224
2. Service:
   - RDP (Remote Desktop Protocol): Port 3389/TCP
   - Labels: "Network Administration" and "Remote Access"
3. Routing:
   - Assigned to: 20.64.0.0/10 via Microsoft Corp-MSN-AS-Block, US (AS8075)
4. Details for RDP Service:
   - Version: Unknown
   - Features Supported:
     - Extended Client Data: Enabled
     - Dynamic Graphics Pipeline: Enabled
     - Negotiation Reserved: Enabled
     - Restricted Admin Mode: Enabled
     - Restricted Auth Mode: Enabled
5. Geographic Information:
   - City: London
   - Province: England
   - Country: United Kingdom (GB)
   - Coordinates: 51.50853, -0.12574
   - Timezone: Europe/London
6. Last Seen: December 11, 2024, at 2:11 UTC

3. Indicators of Compromise (IOCs)

3.1 Phishing Activity

Definition: Phishing involves tricking victims into providing sensitive information through deceptive
emails, websites, or messages.
- Phishing Reports:
  - Security vendors like Phishtank, BitDefender, and ESET flagged this IP as associated
    with phishing campaigns.
  - Likely Indicators:
    - Hosting fake login pages (e.g., mimicking banking or corporate portals).
    - Being linked to malicious URLs distributed via phishing emails.
  - Impact:
    - Users accessing domains tied to this IP risk having sensitive information like
      credentials or personal data stolen.
- Example Use Case:
  - A phishing attack may lure users to click on a link redirecting them to an IP-hosted
    phishing site designed to steal login credentials.

3.2 Malware Activity

Definition: Malware activity includes using the IP to distribute or control malicious software.
- Malware Reports:
  - Vendors like Cluster25 and CyRadar flagged the IP for malicious activity.
  - Possible Roles:
    - Hosting malicious files for download (e.g., ransomware, trojans).
    - Acting as a Command-and-Control (C2) server for botnets or infected devices.
  - Impact:
    - Infection of endpoints with harmful payloads, leading to data theft,
      encryption (ransomware), or system compromise.
  - Example:
    - An attacker could use the IP to control ransomware spread across
      compromised devices in a network.

3.3 Exposed RDP (Remote Desktop Protocol)

Definition: RDP services on port 3389 allow remote access to systems, often exploited for
unauthorized entry.
- Observations:
  - The IP is running an RDP service with advanced features like:
    - Restricted Admin Mode: Could be used to secure access but also exploited if
      credentials are weak or stolen.
    - Dynamic Graphics Pipeline: Indicates the service is configured for high-performance
      remote sessions.
  - Security Risks:
    - Brute-force Attacks: Attackers may attempt to guess login credentials.
    - Credential Theft: RDP credentials, if exposed, can provide direct access to
      internal systems.
    - Exploitation: Vulnerabilities in RDP services can be used for lateral
      movement within a network.
  - Historical Threats:
    - Exposed RDP services are commonly targeted in ransomware campaigns and
      for distributing malware.

3.4 Geographic and Routing Information

- Hosting and Location:
  - The IP belongs to Microsoft's AS8075 infrastructure, located in London, United
    Kingdom.
  - While Microsoft infrastructure is legitimate, attackers can exploit cloud services to
    host malicious content or run phishing campaigns under the guise of reputable
    services.
- Potential Risks:
  - Attackers may use the credibility of the hosting provider to evade detection, making it
    harder to discern legitimate activity from malicious behavior.

3.5 Threat Labels

- Labels: "Network Administration" and "Remote Access"
  - These labels suggest that the IP is used for legitimate purposes, such as system
    administration or hosting remote access services.

4. Potential Scenarios Involving This IP

1. Phishing Campaign:
   - The IP could host phishing websites impersonating legitimate entities, collecting
     sensitive user credentials or personal data.
2. Malware Distribution:
   - The IP may deliver malicious payloads (e.g., trojans or ransomware) disguised as
     legitimate downloads.
3. C2 Server Activity:
   - It could act as a command-and-control hub, managing malware-infected devices in a
     botnet.
4. Exploitation of RDP:
   - The exposed RDP service may be exploited for unauthorized access or as an entry
     point into networks.

5. Recommendations

1. Blocklisting:
   - Block the IP at firewalls and endpoint protection systems to prevent accidental access.
2. Monitor Network Traffic:
   - Look for unusual traffic patterns to/from this IP, which could indicate ongoing attacks
     or infections.
3. Secure RDP Services:
   - Ensure all RDP services in your infrastructure are properly secured with strong
     passwords, multi-factor authentication (MFA), and IP restrictions.
4. Threat Intelligence:
   - Continuously monitor the IP in threat databases for updated activity and further IOCs.
5. Incident Response:
   - If any systems have interacted with this IP, perform forensic analysis and malware
     scans to check for compromises.

6. Prevention Measures to Mitigate Risks Associated with IP 20.117.117.224

Given the observed phishing and malware activities, along with the exposed RDP service, here are
recommended prevention measures:

6.1 Network Security Measures

- Block the IP Address:
  - Add 20.117.117.224 to your firewall or network blocklist to prevent any
    communication with this IP.
- Monitor and Analyze Traffic:
  - Use Intrusion Detection/Prevention Systems (IDS/IPS) to monitor unusual traffic
    patterns to/from the IP.
  - Perform regular log analysis to identify any attempted access to the flagged IP.
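The traffic-monitoring and log-analysis steps above (recommendations 1 and 2 in section 5, and section 6.1), as an added example that is not part of the original report: a Python scan over constructed firewall log lines that flags every line in which the report's IP is source or destination, records whether port 3389 was involved, and lists the internal hosts that actually exchanged traffic with it. The log format, the internal hosts and the severity scheme are assumptions.

```python
import re
# IOC and exposed port as given in the report body (sections 2.3 and 3.3).
FLAGGED_IP = "20.117.117.224"
RDP_PORT = 3389

# Constructed firewall log lines (not from the report): ts action proto src:sport -> dst:dport
SAMPLE_LOG = """\
2024-12-11T02:05:13Z ALLOW TCP 10.0.4.17:51234 -> 20.117.117.224:443
2024-12-11T02:06:40Z ALLOW TCP 10.0.4.17:51240 -> 93.184.216.34:443
2024-12-11T02:07:02Z ALLOW TCP 10.0.9.3:50022 -> 20.117.117.224:3389
2024-12-11T02:07:55Z DENY  TCP 20.117.117.224:44110 -> 10.0.9.3:3389
2024-12-11T02:08:10Z ALLOW UDP 10.0.4.20:5353 -> 224.0.0.251:5353
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def scan_log(text, ioc=FLAGGED_IP):
    """Return one alert per log line in which the flagged IP is source or destination."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unknown line format: skip rather than guess
        d = m.groupdict()
        if ioc not in (d["src"], d["dst"]):
            continue
        outbound = d["dst"] == ioc  # an internal host reached out to the IOC
        alerts.append({
            "ts": d["ts"],
            "internal_host": d["src"] if outbound else d["dst"],
            "direction": "outbound" if outbound else "inbound",
            "action": d["action"],
            "rdp": RDP_PORT in (int(d["sport"]), int(d["dport"])),
            # allowed traffic means contact actually happened; a blocked attempt still merits review
            "severity": "high" if d["action"] == "ALLOW" else "medium",
        })
    return alerts

def hosts_to_quarantine(alerts):
    """Internal hosts that exchanged allowed traffic with the IOC (isolate per section 6.5)."""
    return sorted({a["internal_host"] for a in alerts if a["action"] == "ALLOW"})

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    print(*found, sep="\n")
    print("quarantine candidates:", hosts_to_quarantine(found))
```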

6.2 Secure Remote Desktop Protocol (RDP)

- Restrict RDP Access:
  - Disable RDP on all devices where it is not required.
  - Restrict RDP to internal traffic or specific, trusted IP addresses.
- Enable Strong Authentication:
  - Use multi-factor authentication (MFA) for RDP sessions.
  - Enforce strong, complex passwords for all accounts with RDP access.
- Implement RDP Gateway:
  - Route all RDP sessions through a secure gateway to monitor and control access.
- Patch and Update RDP Services:
  - Apply the latest security updates to prevent exploitation of known vulnerabilities.

6.3 Phishing Mitigation

- Email Security:
  - Deploy email filtering solutions to detect and block phishing emails before they reach
    users.
  - Train employees to recognize phishing emails and report suspicious activity.
- Domain Monitoring:
  - Regularly check for malicious domains or websites hosted on this IP.
  - Use URL filtering to block access to phishing sites.

6.4 Malware Prevention

- Endpoint Protection:
  - Deploy antivirus and anti-malware solutions on all endpoints.
  - Regularly update endpoint security tools to detect the latest threats.
- Content Filtering:
  - Use web filtering solutions to block access to malicious or suspicious URLs hosted
    on this IP.
- Regular Scanning:
  - Conduct vulnerability scans and malware checks on all devices and network
    infrastructure.

6.5 Incident Response Preparedness

- Establish an Incident Response Plan:
  - Develop a clear process to handle potential breaches involving flagged IPs like this
    one.
  - Ensure regular training for the response team.
- Quarantine Infected Systems:
  - Immediately isolate systems that show signs of connecting to this IP or exhibit
    unusual behavior.
- Backup and Recovery:
  - Maintain regular, secure backups of critical data.
  - Test recovery procedures to ensure data can be restored without relying on
    compromised systems.

6.6 Threat Intelligence Integration

- Continuous Monitoring:
  - Subscribe to threat intelligence feeds to stay updated on new IOCs related to this IP.
  - Use automated tools to integrate threat intelligence into your security tools (e.g.,
    SIEM systems).
- Collaborate with Cybersecurity Communities:
  - Share information on this IP's activities with security teams and communities to
    strengthen defenses collectively.
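The feed integration in section 6.6 (and the "monitor the IP in threat databases" recommendation in section 5), as an added example that is not the report's own tooling: a Python routine that merges constructed feed rows for the report's IP, unions their tags, keeps the newest last-seen time, retires indicators older than an assumed 30-day window, and marks addresses inside the 20.64.0.0/10 block named in section 2.3 as shared cloud space that deserves review before a long-lived block. The CSV layout, the other addresses and the retention window are assumptions.

```python
import csv
import io
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed feed records (not from any real feed); rows 1 and 3 carry this report's IOC.
FEED_CSV = """\
indicator,type,tags,asn,last_seen
20.117.117.224,ipv4,phishing;malware;rdp-exposed,AS8075,2024-12-11T02:11:00Z
198.51.100.7,ipv4,malware,AS64496,2024-09-02T10:00:00Z
20.117.117.224,ipv4,phishing,AS8075,2024-12-10T18:30:00Z
203.0.113.250,ipv4,c2,AS64497,2024-12-09T08:15:00Z
"""

MAX_AGE = timedelta(days=30)  # assumed retention policy: retire indicators not seen for 30 days
CLOUD_PREFIX = ipaddress.ip_network("20.64.0.0/10")  # AS8075 block named in section 2.3

def parse_ts(s):
    """Parse the feed's UTC timestamps (same precision as the report's 'Last Seen')."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_blocklist(feed_csv, now_iso, max_age=MAX_AGE):
    """Merge duplicate indicators (union tags, newest last_seen) and drop stale ones.

    Entries inside the cloud prefix are marked cloud_shared: such addresses are
    reassigned between tenants, so they deserve a review before a long-lived block."""
    now = parse_ts(now_iso)
    merged = {}
    for row in csv.DictReader(io.StringIO(feed_csv)):
        ip = str(ipaddress.ip_address(row["indicator"]))  # ValueError on malformed input
        seen = parse_ts(row["last_seen"])
        entry = merged.setdefault(ip, {"tags": set(), "last_seen": seen, "asn": row["asn"]})
        entry["tags"].update(row["tags"].split(";"))
        entry["last_seen"] = max(entry["last_seen"], seen)
    fresh = {}
    for ip, e in merged.items():
        if now - e["last_seen"] > max_age:
            continue  # stale: keep out of the active blocklist
        e["tags"] = sorted(e["tags"])
        e["cloud_shared"] = ipaddress.ip_address(ip) in CLOUD_PREFIX
        fresh[ip] = e
    return fresh

if __name__ == "__main__":
    for ip, e in build_blocklist(FEED_CSV, "2024-12-12T00:00:00Z").items():
        print(ip, e["asn"], e["last_seen"].isoformat(), ",".join(e["tags"]),
              "cloud-shared" if e["cloud_shared"] else "")
```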
7. Conclusion

IP 20.117.117.224 poses significant risks due to its involvement in phishing, malware activities, and
exposed RDP services. To mitigate these threats, block the IP, secure RDP access, enhance endpoint
and email security, and implement continuous monitoring. Proactive defenses like staff training,
incident response readiness, and threat intelligence integration are essential to prevent potential
compromises and protect your organization.
