CapLoader 2.0.1 Released

This update resolves several minor bugs, but also brings better protocol identification and a new IP lookup alert to CapLoader.

CapLoader showing Info-level alert for IP lookup using ip-api.com

Alert for IP lookup using ip-api.com in PCAP from tria.ge

Transcript of ip-api.com IP lookup traffic

IP lookup services, like ip-api, checkip.amazonaws.com and ident.me, aren’t malicious, but malware often uses such services to find out the public IP address of an infected machine. As Tony Robinson points out in his recent External IP Lookup Rules post, malware does so to check for internet connectivity and to determine the country of the infected PC. But I’ve also observed a third reason: the threat actor resolves the victim’s public IP and then queries a DNSBL service to check the IP’s reputation. I believe the DNSBL lookup is performed to evaluate the likely success rate of sending spam, such as emails with malicious attachments or links, from the victim PC.

TrickBot performing a DNSBL lookup of client’s public IP

If you want to learn more about how TrickBot used DNSBL then read GoSecure’s TrickBot […] and Spamhaus blog post or sign up for one of my network forensics training sessions.
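The two-stage behaviour described above (an external IP lookup followed by a DNSBL query for that same public IP) can be spotted in ordinary DNS query logs without CapLoader. The script below is an added example and is not CapLoader's or Netresec's code. It assumes a constructed log format of `<epoch> <client IP> <query name>` per line, a short list of IP lookup hostnames taken from the text above, and a list of well-known DNSBL zones (zen.spamhaus.org, sbl/xbl.spamhaus.org, bl.spamcop.net) that is deliberately incomplete; both lists are assumptions to be extended for a real deployment. A DNSBL query carries the client's public IPv4 address with its octets reversed under the zone name, so the script also recovers the IP that was checked.

```python
"""Flag external-IP lookups and DNSBL queries in DNS query logs (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Hostnames of public IP lookup services mentioned in the post. Assumption: a
# real deployment would carry a much longer list.
IP_LOOKUP_HOSTS = {"ip-api.com", "checkip.amazonaws.com", "ident.me"}

# DNSBL zones: 127.0.0.2 is the standard DNSBL test address, so the query
# "2.0.0.127.zen.spamhaus.org" asks whether 127.0.0.2 is listed. Assumption:
# the zone list is illustrative, not complete.
DNSBL_ZONES = ("zen.spamhaus.org", "sbl.spamhaus.org", "xbl.spamhaus.org", "bl.spamcop.net")

# Four dotted decimal labels followed by the rest of the name (the zone).
REVERSED_IP = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(.+)$")


@dataclass
class Alert:
    ts: float
    src: str
    kind: str     # "ip_lookup" or "dnsbl"
    qname: str
    detail: str   # lookup service hostname, or the IP whose reputation was checked


def classify_query(qname: str) -> Optional[Tuple[str, str]]:
    """Return (kind, detail) for an interesting query name, else None."""
    name = qname.rstrip(".").lower()
    if name in IP_LOOKUP_HOSTS or any(name.endswith("." + h) for h in IP_LOOKUP_HOSTS):
        return ("ip_lookup", name)
    m = REVERSED_IP.match(name)
    if m and m.group(5) in DNSBL_ZONES:
        # Undo the octet reversal to get the address being checked; reject
        # labels that do not form a valid IPv4 address (e.g. "999").
        try:
            ip = ipaddress.IPv4Address(".".join(reversed(m.groups()[:4])))
        except ipaddress.AddressValueError:
            return None
        return ("dnsbl", str(ip))
    return None


def scan_log(lines: Iterable[str]) -> List[Alert]:
    """Parse constructed '<epoch> <client IP> <qname>' lines into alerts."""
    alerts: List[Alert] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, qname = line.split()
        hit = classify_query(qname)
        if hit:
            alerts.append(Alert(float(ts), src, hit[0], qname, hit[1]))
    return alerts


def lookup_then_dnsbl(alerts: List[Alert], window: float = 300.0) -> Set[str]:
    """Clients that did an IP lookup and then a DNSBL query within `window` seconds.

    This is the sequence described in the post: learn the public IP first,
    then ask a DNSBL whether that IP is already listed.
    """
    by_src: Dict[str, List[Alert]] = {}
    for a in sorted(alerts, key=lambda a: a.ts):
        by_src.setdefault(a.src, []).append(a)
    suspicious: Set[str] = set()
    for src, seq in by_src.items():
        lookup_times = [a.ts for a in seq if a.kind == "ip_lookup"]
        for a in seq:
            if a.kind == "dnsbl" and any(0 <= a.ts - t <= window for t in lookup_times):
                suspicious.add(src)
    return suspicious


# Constructed sample log; none of these clients or queries are real captures.
SAMPLE_LOG = """\
# <epoch> <client IP> <query name>
1751376000.10 10.0.0.5 ip-api.com
1751376001.20 10.0.0.5 2.0.0.127.zen.spamhaus.org
1751376002.30 10.0.0.7 www.example.com
1751376003.40 10.0.0.7 4.3.2.1.bl.spamcop.net
1751376004.50 10.0.0.9 checkip.amazonaws.com
1751376005.60 10.0.0.9 999.1.1.1.zen.spamhaus.org
"""

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a.ts:.2f} {a.src} {a.kind:9} {a.qname} -> {a.detail}")
    print("lookup-then-DNSBL clients:", sorted(lookup_then_dnsbl(found)))
```

On the sample log only 10.0.0.5 performs both stages in order, which is the pattern worth a higher-severity alert; a lone DNSBL query (10.0.0.7) or a lone IP lookup (10.0.0.9) is still recorded, but on its own is as likely to come from a mail server or a legitimate connectivity check as from malware, which is why CapLoader reports the lookup at Info level.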

Improved Protocol Detection

The precision of CapLoader's built-in port-independent protocol identification has been improved, and a few additional protocols can now be detected, including Interlock RAT.

Bug Fixes

The following bug fixes and feature updates are included in this release:

  • Better handling of corrupt PCAP files
  • Fixed periodicity measurement inconsistency for services with more than 100 flows
  • Fixed parsing bug for duplicate QUIC packets
  • Improved speed and reliability of auto-extract PCAP from selection
  • ThreatFox API updated to use abuse.ch Auth-Key

Posted by Erik Hjelmvik on Tuesday, 01 July 2025 13:48:00 (UTC/GMT)

Tags: #CapLoader #TrickBot #DNSBL

Short URL: https://netresec.com/?b=2571527