TH17109

Detected presence of files containing URLs that match known malware resource paths.

| priority | CI/CD status | severity | effort | RL level | RL assessment |
| --- | --- | --- | --- | --- | --- |
| | fail | high | high | 1 | tampering: fail. Reason: malicious network references |

About the issue

Uniform Resource Locators (URLs) are structured addresses that point to locations and assets on the internet. URLs allow software developers to build complex applications that exchange data with servers that can be hosted in multiple geographical regions. URLs are commonly found embedded in documentation, configuration files, source code and compiled binaries. Attackers often reuse URL paths and query parameters between malicious campaigns, which makes it possible to detect a malicious network resource through static URL composition analysis. Because attackers frequently migrate to different domains, the rules that detect malicious URLs are typically designed to match paths on any domain. While the presence of known malware resource paths in network references does not imply malicious intent, all instances of this issue should be put under scrutiny and thoroughly reviewed.
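The following sketch illustrates domain-independent URL composition matching as described above. It is an added example, not the scanner's own code or rule set; the rule names, the patterns in `RULES` and the hosts in `SAMPLE` are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed placeholder rules. Each one describes only the path and query
# shape, never a host, so it keeps matching when the domain changes.
RULES = {
    "example-gate-path": re.compile(r"^/gate/[0-9a-f]{8}/check\.php$"),
    "example-loader-query": re.compile(r"^/dl\?id=\d+&stage=2$"),
}

# Finds URLs both in text files and as printable strings inside binaries.
# The match stops at control bytes, whitespace, quotes and angle brackets.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.-]+(?::\d+)?/[^\x00-\x20\x22\x27<>\x7f-\xff]*")

def path_key(url: str) -> str:
    """Return the host-independent part of a URL in a normalized form."""
    parts = urlsplit(url)
    # Undo percent-encoding, case changes and doubled slashes, which are
    # cheap ways to make a reused path look different.
    path = re.sub(r"/{2,}", "/", unquote(parts.path).lower())
    return path + ("?" + parts.query.lower() if parts.query else "")

def scan(data: bytes):
    """Return (offset, rule, host, normalized path) for every rule hit."""
    findings = []
    for m in URL_RE.finditer(data):
        # Drop sentence punctuation that documentation leaves after a URL.
        url = m.group().decode("ascii").rstrip(".,;")
        key = path_key(url)
        for name, rule in RULES.items():
            if rule.search(key):
                findings.append((m.start(), name, urlsplit(url).hostname, key))
    return findings

# Constructed sample: a config line, a string inside binary data, a
# documentation sentence and an HTML attribute.
SAMPLE = (
    b'update_url = "https://cdn.example.org/releases/latest.json"\n'
    b"\x00\x01http://a.example.net/gate/0a1b2c3d/check.php\x00"
    b"see https://b.example.com/GATE/deadbeef/check%2Ephp, and\n"
    b"<a href='https://c.example.test//dl?id=42&stage=2'>x</a>\n"
)

if __name__ == "__main__":
    for offset, rule, host, key in scan(SAMPLE):
        print(f"offset {offset}: rule {rule} matched {key} on host {host}")
```

The host is reported with each hit but never takes part in the match, which is why three different domains in the sample are flagged while the ordinary update URL is not.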

How to resolve the issue

  • Investigate reported detections.
  • If the software should not include these network references, investigate your build and release environment for software supply chain compromise.
  • You should delay the software release until the investigation is completed, or until the issue is risk accepted.
  • Remove all references to flagged network locations.