DESCRIPTION LAST UPDATED: 2023-12-07
DEFAULT SEVERITY LEVEL: CRITICAL
This report contains events (connections) to HTTP sinkholes that arrived via a HTTP Referer. Sinkholing is a technique whereby a resource used by malicious actors to control malware is taken over and redirected to a benign listener that can (to a varying degree) understand connections coming from infected devices.
Since a sinkhole server is only accessed through previously malicious domain names, only infected systems or security researchers should be seen in this list. However, the sinkholes may also pick up web crawlers requesting malicious domains.
Severity levels are described here.
This report can come in 2 versions, one for IPv4 only connections, the other for IPv6 only connections.
File names: event4_sinkhole_http_referer and event6_sinkhole_http_referer
As of March 30th 2021, the list of infections being observed and shared is as follows:
| andromeda-b66 |
| beebone |
| boaxxe |
| calypso |
| caphaw |
| cobaltstrike |
| comment |
| cve-2009-4324 |
| dltminer |
| downadup |
| emissary-panda |
| enfal-apt |
| ghost-push |
| goldmax |
| iframe exploit |
| infy-apt |
| jdk-update-apt |
| kovter |
| machbot |
| machete-apt |
| necurs |
| sality |
| sality_old |
| sality2 |
| shadowpad |
| skunkx |
| spyeye |
| sunburst |
| sykipot-apt |
| threatneedle |
| tick |
| tinba |
| tonto-team |
| torpig |
| tsifiri |
| unityminer |
| unknown-apt |
| vpnfilter |
| winnti |
| xcodeghost |
| yash rat |
| yzf |
| zeus |