This report contains events (connections) to HTTP sinkholes that arrived with an HTTP Referer header. Sinkholing is a technique in which a resource used by malicious actors to control malware is taken over and redirected to a benign listener that can (to varying degrees) understand the connections arriving from infected devices.
Because a sinkhole server is only reached through previously malicious domain names, only infected systems or security researchers should appear in this list. Note, however, that sinkholes can also pick up web crawlers that request malicious domains, and that the entries in this report are keyed on the referring page: the http_referer_* fields describe the site that linked or redirected to the sinkholed domain, not the connecting client.
File names: event4_sinkhole_http_referer (IPv4) and event6_sinkhole_http_referer (IPv6)
The list of infections observed and shared is as follows:
andromeda-b66
beebone
boaxxe
calypso
caphaw
cobaltstrike
comment
cve-2009-4324
dltminer
downadup
emissary-panda
enfal-apt
ghost-push
goldmax
iframe exploit
infy-apt
jdk-update-apt
kovter
machbot
machete-apt
necurs
sality
sality_old
sality2
shadowpad
skunkx
spyeye
sunburst
sykipot-apt
threatneedle
tick
tinba
tonto-team
torpig
tsifiri
unityminer
unknown-apt
vpnfilter
winnti
xcodeghost
yash rat
yzf
zeus
FIELDS

| Field | Description |
| --- | --- |
| timestamp | Timestamp when the IP was seen, in UTC+0 |
| protocol | Packet type of the connection traffic (UDP/TCP) |
| http_referer_ip | IP of the HTTP referer |
| http_referer_port | Port of the HTTP referer IP (present in the example rows below) |
| http_referer_asn | ASN of the HTTP referer IP |
| http_referer_geo | Country of the HTTP referer IP |
| http_referer_region | Region of the HTTP referer IP |
| http_referer_city | City of the HTTP referer IP |
| http_referer_hostname | Reverse DNS of the HTTP referer IP |
| http_referer_naics | North American Industry Classification System code of the HTTP referer IP |
| http_referer_sector | Sector to which the IP in question belongs; e.g. Communications, Commercial |
| dst_ip | Destination IP (the sinkhole) |
| dst_port | Destination port of the IP connection |
| dst_asn | ASN of the destination IP |
| dst_geo | Country of the destination IP |
| dst_region | Region of the destination IP |
| dst_city | City of the destination IP |
| dst_hostname | Reverse DNS of the destination IP |
| dst_naics | North American Industry Classification System code of the destination IP |
| dst_sector | Sector to which the IP in question belongs; e.g. Communications, Commercial |
| public_source | Source of the event data |
| infection | Description of the malware/infection |
| family | Malware family or campaign associated with the event |
| tag | Event attributes |
| application | Name of the application associated with the event |
| version | Software version associated with the event |
| event_id | Unique identifier assigned to the source IP or event |
| http_url | HTTP request line (method, path and protocol version) |
| http_host | HTTP Host extracted from the URL |
| http_referer | Contents of the HTTP Referer header |
EXAMPLE
"timestamp","protocol","http_referer_ip","http_referer_port","http_referer_asn","http_referer_geo","http_referer_region","http_referer_city","http_referer_hostname","http_referer_naics","http_referer_sector","dst_ip","dst_port","dst_asn","dst_geo","dst_region","dst_city","dst_hostname","dst_naics","dst_sector","public_source","infection","family","tag","application","version","event_id","http_url","http_host","http_referer"
"2021-03-04 00:00:02","tcp","178.162.203.211",80,28753,"DE","HESSEN","FRANKFURT AM MAIN","12106.mobapptrack.com",518210,"Communications, Service Provider, and Hosting Service","85.17.31.82",80,60781,"NL","NOORD-HOLLAND","AMSTERDAM",,518210,"Communications, Service Provider, and Hosting Service",,,"kovter","kovter",,,1614816002,"GET /favicon.ico HTTP/1.1","12106.mobapptrack.com","http://12106.mobapptrack.com/click/redirect?feed_id=12106&sub_id=7&q=8A5491983C8FBE7743E2D2C36E45EBC4-18307118D2626C9BD756B3F09D14BB910E381EE4"
"2021-03-04 00:00:11","tcp","59.106.x.x",80,9370,"JP","OSAKA","OSAKA","x.noizm.com",518210,"Communications, Service Provider, and Hosting Service","178.162.x.x",80,28753,"DE","HESSEN","FRANKFURT AM MAIN",,518210,"Communications, Service Provider, and Hosting Service",,,"sunburst","sunburst",,,1614816011,"GET /animalally.com HTTP/1.1","freescanonline.com","http://x.noizm.com/jump.php?u=http://freescanonline.com/animalally.com"
"2021-03-04 00:00:12","tcp","142.250.x.x",80,15169,"US","CALIFORNIA","MOUNTAIN VIEW","x.blogspot.com",519130,"Communications, Service Provider, and Hosting Service","178.162.x.x",80,28753,"DE","HESSEN","FRANKFURT AM MAIN",,518210,"Communications, Service Provider, and Hosting Service",,,"kovter","kovter",,,1614816012,"GET /getjs?r=0.6393021999392658 HTTP/1.1","rxrtb.bid","http://x.blogspot.com/"
"2021-03-04 00:00:13","tcp","34.232.x.x",80,14618,"US","VIRGINIA","ASHBURN","www.example.com",454110,"Retail Trade","5.79.71.225",80,60781,"NL","NOORD-HOLLAND","AMSTERDAM",,518210,"Communications, Service Provider, and Hosting Service",,,"sunburst","sunburst",,,1614816013,"GET /personalationmall.com HTTP/1.1","freescanonline.com","http://www.example.com/teams/default.asp?u=EKL&t=c&s=lacrosse&p=remote&url=http://freescanonline.com/personalationmall.com"
"2021-03-04 00:01:26","tcp","210.172.x.x",80,2516,"JP","HOKKAIDO","SAPPORO","x.communes.jp",517312,"Communications, Service Provider, and Hosting Service","5.79.x.x",80,60781,"NL","NOORD-HOLLAND","AMSTERDAM",,518210,"Communications, Service Provider, and Hosting Service",,,"sunburst","sunburst",,,1614816086,"GET /raftcomply.com HTTP/1.1","freescanonline.com","http://x.communes.jp/?url=http://freescanonline.com/raftcomply.com"
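The rows above show three shapes of referer worth separating during triage: a sinkholed site referring to itself (the /favicon.ico row, where the referer host equals http_host), an open-redirect style chain where a third-party page carries the sinkholed URL in a query parameter (the jump.php?u=... and ?url=... rows), and a plain third-party link with no embedded URL. The script below is an added example and not part of the Shadowserver report or its tooling; it parses the report CSV with the standard library and classifies each row into one of those three kinds. The kind names, the label fallback (infection, then family, then tag, since the example rows leave infection empty) and the sample rows, which are copied from the example above, are this example's own assumptions.

```python
import csv
import io
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample in the report's CSV layout: the header row and four rows
# copied from the page's example (some octets are already masked there).
SAMPLE_CSV = '''"timestamp","protocol","http_referer_ip","http_referer_port","http_referer_asn","http_referer_geo","http_referer_region","http_referer_city","http_referer_hostname","http_referer_naics","http_referer_sector","dst_ip","dst_port","dst_asn","dst_geo","dst_region","dst_city","dst_hostname","dst_naics","dst_sector","public_source","infection","family","tag","application","version","event_id","http_url","http_host","http_referer"
"2021-03-04 00:00:02","tcp","178.162.203.211",80,28753,"DE","HESSEN","FRANKFURT AM MAIN","12106.mobapptrack.com",518210,"Communications, Service Provider, and Hosting Service","85.17.31.82",80,60781,"NL","NOORD-HOLLAND","AMSTERDAM",,518210,"Communications, Service Provider, and Hosting Service",,,"kovter","kovter",,,1614816002,"GET /favicon.ico HTTP/1.1","12106.mobapptrack.com","http://12106.mobapptrack.com/click/redirect?feed_id=12106&sub_id=7&q=8A5491983C8FBE7743E2D2C36E45EBC4-18307118D2626C9BD756B3F09D14BB910E381EE4"
"2021-03-04 00:00:11","tcp","59.106.x.x",80,9370,"JP","OSAKA","OSAKA","x.noizm.com",518210,"Communications, Service Provider, and Hosting Service","178.162.x.x",80,28753,"DE","HESSEN","FRANKFURT AM MAIN",,518210,"Communications, Service Provider, and Hosting Service",,,"sunburst","sunburst",,,1614816011,"GET /animalally.com HTTP/1.1","freescanonline.com","http://x.noizm.com/jump.php?u=http://freescanonline.com/animalally.com"
"2021-03-04 00:00:12","tcp","142.250.x.x",80,15169,"US","CALIFORNIA","MOUNTAIN VIEW","x.blogspot.com",519130,"Communications, Service Provider, and Hosting Service","178.162.x.x",80,28753,"DE","HESSEN","FRANKFURT AM MAIN",,518210,"Communications, Service Provider, and Hosting Service",,,"kovter","kovter",,,1614816012,"GET /getjs?r=0.6393021999392658 HTTP/1.1","rxrtb.bid","http://x.blogspot.com/"
"2021-03-04 00:00:13","tcp","34.232.x.x",80,14618,"US","VIRGINIA","ASHBURN","www.example.com",454110,"Retail Trade","5.79.71.225",80,60781,"NL","NOORD-HOLLAND","AMSTERDAM",,518210,"Communications, Service Provider, and Hosting Service",,,"sunburst","sunburst",,,1614816013,"GET /personalationmall.com HTTP/1.1","freescanonline.com","http://www.example.com/teams/default.asp?u=EKL&t=c&s=lacrosse&p=remote&url=http://freescanonline.com/personalationmall.com"
'''


def parse_report(text):
    """Parse the report CSV into a list of dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def embedded_url_host(referer):
    """Hostname of the first URL carried inside the referer's query string
    (the jump.php?u=... / ?url=... pattern), or None if there is none."""
    for values in parse_qs(urlparse(referer).query).values():
        for value in values:
            if value.startswith(("http://", "https://")):
                return urlparse(value).hostname
    return None


def classify(row):
    """Label one report row by how the referer relates to the sinkholed host.
    The three kind names are this example's own vocabulary (assumption)."""
    referer_host = urlparse(row["http_referer"]).hostname
    sinkholed_host = row["http_host"]
    if referer_host == sinkholed_host:
        kind = "self-referer"        # page on the sinkholed site loading its own assets
    elif embedded_url_host(row["http_referer"]) == sinkholed_host:
        kind = "redirect-chain"      # third-party redirector carried the sinkholed URL
    else:
        kind = "third-party-link"    # plain link from another site
    return {
        "event_id": row["event_id"],
        # example rows leave `infection` empty, so fall back to family, then tag
        "label": row["infection"] or row["family"] or row["tag"],
        "kind": kind,
        "referer_host": referer_host,
        "sinkholed_host": sinkholed_host,
        "sinkhole_ip": row["dst_ip"],
    }


def triage(rows):
    return [classify(r) for r in rows]


def summarize(events):
    """Counts per (label, kind) and which malware labels each sinkhole IP served."""
    kinds = Counter((e["label"], e["kind"]) for e in events)
    sinkholes = defaultdict(set)
    for e in events:
        sinkholes[e["sinkhole_ip"]].add(e["label"])
    return kinds, {ip: sorted(labels) for ip, labels in sinkholes.items()}


if __name__ == "__main__":
    events = triage(parse_report(SAMPLE_CSV))
    for e in events:
        print(e["event_id"], e["label"], e["kind"], e["referer_host"], "->", e["sinkholed_host"])
    kinds, sinkholes = summarize(events)
    print(dict(kinds))
    print(sinkholes)
```

Because the report carries no source IP of the connecting client, the referer host is the only pivot for outreach: a redirect-chain row points at a redirector on someone else's site, while a self-referer row is more likely a browser or crawler rendering a page that still lives on the sinkholed domain.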
Source: https://www.shadowserver.org/what-we-do/network-reporting/sinkhole-http-referer-events-report/