Everything You Wanted to Know about the Malware Patrol Feeds


With the recent launch of our Cyber Intelligence Marketplace, we’re excited to continue our blog series that highlights each of our partners. In this blog, we would like to introduce you to our new partner Malware Patrol.

Malware Patrol has two threat feeds available in the marketplace, Malware Patrol Essentials and Malware Patrol Enterprise.

Who is Malware Patrol? Tell Us About Yourself.

Malware Patrol’s origins date back to 2005 when its founder, Andre Correa, began to share malicious URLs by email with fellow security enthusiasts. Eventually, an entire platform and infrastructure were developed to offer blocklists to the community. We began our commercial threat intelligence services about eight years ago.

Malware Patrol is very proudly “old school” about cybersecurity. This means we still value the basics, like firewalls, IDS, proxies and DNS-layer security — and our team is especially knowledgeable about their associated best practices and tools.

Our specialty is cyber threat intelligence which means we dedicate all our resources to making sure it is of the highest quality possible. Our feeds are not filled with randomly scraped or unverified indicators because we value quality over quantity. In short, we believe a security team and its tools can only be as good as the data they use.

To provide the context necessary for incident responders, threat hunters, analysts and researchers to “connect the dots,” we correlate our data with MITRE ATT&CK and the Malware Behavior Catalog (MBC), among other reputable sources. This adds valuable information about threat actors and TTPs. With these details and correlations, customers can better understand the types of threats encountered in their environment and how to detect and fight against them.

Malware Patrol offers feeds compatible with many of the industry’s most popular security tools and software so that our data can be easily utilized by any organization. These include Carbon Black, Cisco FirePOWER, MISP and SpamAssassin, to name a few. We also integrate with highly reputable threat intelligence platforms and security organizations, such as Threater, making our intelligence instantly accessible to their users. To further emphasize our promise of providing data compatible with our customers’ needs, we offer free feed customization and even build new feeds upon request. Our team loves a challenge!

How does Malware Patrol collect intelligence?

During our 16 years, we have built a large set of collection mechanisms. We have an extensive network of proprietary sensors and crawlers, spam traps, honeypots, sharing agreements, and community contributors. And for quality assurance purposes, we use both human and automatic review processes. The result of this work is our vast database of unique and historically rich – “intelligent” – threat data.

What makes Malware Patrol’s Threat Intelligence unique?

While the majority of our data comes from our own collection mechanisms, we also have a well-established user community that contributes data. These contributions add a variety and depth to our data set that cannot be gathered with automated tools alone. It takes a village to fight cybercrime.

Another aspect of our data’s uniqueness is that we monitor and verify each indicator every day to ensure that it is timely, high-confidence, actionable, low-noise, and all the other buzzwords used to describe quality threat intelligence. Given that we emphasize the freshness of our data, it only makes sense to allow our customers to access it without restrictions. The following apply to Malware Patrol’s intelligence:

  • DNS names resolved 4-6 times a day
  • Newly discovered URLs processed within an hour
  • Feeds updated hourly
  • Unlimited downloads

What types of threats will Malware Patrol protect customers from?

Malware Patrol provides commercial intelligence related to a variety of threats, including malware, ransomware, phishing, sites featuring cryptomining scripts, C2s, DGAs, Tor exit nodes, DoH servers and newly registered domains. For Bandura customers, we have created two offerings:

1) Essentials is an IP-level deny list that includes addresses associated with malware, ransomware, C2 servers, and Domain Generation Algorithm (DGA) infrastructure. It will allow users to block IPs associated with malware and ransomware, as well as their command-and-control structures, C2s and DGA domains. Not only does this feed allow customers to block access to IPs associated with over 100 malware and ransomware families, but it also prevents communication with their control systems. Once contacted, the C2s and DGA domains allow attackers to download additional malicious payloads, move laterally inside a network and exfiltrate data.

2) Enterprise is both an IPv4 and Domain Deny List and includes an expanded set of indicators. It has IPs and domains associated with malware, ransomware, C2 servers, DGA infrastructure, phishing, DNS-over-HTTPS (DoH) resolvers, and Tor exit nodes. The feed also includes domains associated with cryptominers.

Can you highlight the differences between Malware Patrol Essentials and Malware Patrol Enterprise?

There are two main differences between Malware Patrol Essentials and Enterprise: 1) in addition to providing protection against malware, ransomware, C2s and DGAs, our Enterprise package includes four additional threat types: phishing, DNS-over-HTTPS (DoH) servers, Tor exit nodes and cryptominers; and 2) Essentials provides the IPs, while Enterprise has both IPs and domains. Having the domain gives customers the ability to block on a more granular level.

What’s One Interesting Attack/Threat Trend You Are Seeing?

This past quarter (Q2 2021) our C2s feed grew at a much more rapid pace than usual. This activity means that data exfiltration, multi-stage attacks and lateral movement are afoot! In particular, we have indicators for at least two malware families that use DoH to make connections with C2 servers: FluBot (aka: Cabassous, FakeChat) and PsiXBot which uses Google’s DoH service. Monitoring traffic through HTTPS endpoints is a must to detect potential communications using DoH. Of equal concern among the C2s we’ve been tracking, there has been an uptick in malware that uses Tor to obfuscate C2 communications. Protecting against this kind of malware requires close monitoring and analysis of traffic to and from public Tor entry and exit nodes.

Hope you enjoyed learning more about Malware Patrol! And in case you didn’t get to see it live, you can watch a recording of our joint webinar to hear Bandura CRO Todd Weller and Malware Patrol Marketing & Sales Manager Leslie Dawn walk through our partnership.

Want to learn more about Threater Cyber Intelligence Marketplace? You can read our blog, watch our webinar, or read our FAQ to get all the details. And stay tuned to dig in & learn about another partner next week! We have Bambenek on August 5th at 1pm EDT and Cyjax on August 12th at 1pm EDT. Don’t forget to register!