Weird DNS queries to messager.xicp.net

Question

A DNS query for this domain (messager.xicp.net) was classified and detected as "Trojan.Generic.DNS" by the FireEye NX in our network.

So, I used both VirusTotal and abuseibdb sites to check this domain. It seems it's mapped to 127.0.0.1 (localhost) and when I ping this domain it pings my localhost IP. Could you explain this behavior?

I tried using viewDNS to trace route and I got this output:

traceroute to messager.xicp.net (127.0.0.1), 30 hops max, 60 byte packets 1 obfuscated.internal.network.com (0.0.0.0) 0.000 ms 0.000 ms 0.000 ms 2 obfuscated.internal.network.com (0.0.0.0) 1.000 ms 1.000 ms 1.000 m

Could you please explain this behavior, why it's mapped to 127.0.0.1 (It wasn't like this according to the results from VirusTotal as it was mapped to this IP 174.128.255.245 on 2018-04-11)

why this domain messager.xicp.net is mapped to localhost (127.0.0.1)?? Here's the most important point. Also, is there an IoC for this domain? @schroeder — ibr2, Nov 26 '19 at 08:13
Any domain-based IoCs will be listed on the sites you used to check it. — schroeder, Nov 26 '19 at 08:15
What you want to know is why *FireEye* flagged it. That's a question for the alert and their support. — schroeder, Nov 26 '19 at 08:16
@schroeder, No, I want to know why it's mapped to LocalHost? and why when I ping the domain (messager.xicp.net) from my PC it pings my localhost?? — ibr2, Nov 26 '19 at 08:19
@schroeder, thank you then, perhaps other people will comment or answer differently, let's wait and see. thanks for your contribution — ibr2, Nov 26 '19 at 08:25
@ibr2 have you set anything in the hosts file regarding that domain? Can you check the file? — Sir Muffington, Nov 26 '19 at 16:58
@SirMuffington, No, Nothing has changed. Also, it's even resolved to 127.0.0.1 in VirusTotal, so it global not local — ibr2, Nov 27 '19 at 23:54
@SirMuffington, I kinda get it, however, is it possible to do that?? — ibr2, Nov 29 '19 at 19:03
@ibr2 clearly it is. I can tell that it's even possible to set an A record to an arbitrary private IP address — Sir Muffington, Nov 30 '19 at 00:08

score 2 · Answer 1 · answered Nov 26 '19 at 08:06

Domains getting mapped to localhost is common when you want to route traffic destined to an external domain to the local machine first for proxying/inspecting/modification.

There are valid reasons for doing so, but it is also a method used by malware for malicious purposes.

score 1 · Answer 2 · answered Nov 26 '19 at 16:28

1

Subdomains under .xicp.net fallback to 127.0.0.1 unless otherwise configured. The parent domain is the main culprit here, and probably the reason why it was flagged. If you search virustotal for xicp.net you will get more informative results.

Also searching googe for .xicp.net returns many results where a subdomain has been used as a c2 server.

answered Nov 26 '19 at 16:28

Menzo Wijmenga

111
1

Great, however, I'd like to know why it's resolved to (127.0.0.1). Also, does it indicate that it's malicious? – ibr2 Nov 27 '19 at 23:56

Weird DNS queries to messager.xicp.net

2 Answers2

Linked