Connections to IP-API/IPINFO
We have quite a bit of machines reaching out to sites like IP-API.com or IPINFO.io. Both look like legit sites and many devices we sampled were things like iPhones or Android phones. There were, however several windows machines reaching out too. It could be legit traffic, but we're wondering if it could be communicating out for nefarious purposes too.
We cleaned up a bad emotet outbreak but we have been recently DDoS attacked. We're just afraid that these connections are trying to communicate these changes somewhere. We've blocked connections to those sites on our filter and in the firewall, but we were curious if anyone else had seen this, especially related to any virus or other intrusion method anyone may have seen before.