Sinkhole HTTP Referer Events Report

This report contains events (connections) to HTTP sinkholes that arrived via a HTTP Referer. Sinkholing is a technique whereby a resource used by malicious actors to control malware is taken over and redirected to a benign listener that can (to a varying degree) understand connections coming from infected devices.

Since a sinkhole server is only accessed through previously malicious domain names, only infected systems or security researchers should be seen in this list. However, the sinkholes may also pick up web crawlers requesting malicious domains.

This report can come in 2 versions, one for IPv4 only connections, the other for IPv6 only connections.

File names: event4_sinkhole_http_referer and event6_sinkhole_http_referrer

As of March 30th, the list of infections being observed and shared is as follows:

andromeda-b66
beebone
boaxxe
calypso
caphaw
cobaltstrike
comment
cve-2009-4324
dltminer
downadup
emissary-panda
enfal-apt
ghost-push
goldmax
iframe exploit
infy-apt
jdk-update-apt
kovter
machbot
machete-apt
necurs
sality
sality_old
sality2
shadowpad
skunkx
spyeye
sunburst
sykipot-apt
threatneedle
tick
tinba
tonto-team
torpig
tsifiri
unityminer
unknown-apt
vpnfilter
winnti
xcodeghost
yash rat
yzf
zeus

Fields

  • timestamp
    Timestamp when the IP was seen in UTC+0
  • protocol
    Packet type of the connection traffic (UDP/TCP)
  • http_referer_ip
    IP of the HTTP referer
  • http_referer_asn
    ASN of the IP of the HTTP referer
  • http_referer_geo
    Country of the IP of the HTTP referer
  • http_referer_region
    Region of the IP of the HTTP referer
  • http_referer_city
    City of the IP of the HTTP referer
  • http_referer_hostname
    Reverse DNS of the HTTP referer
  • http_referer_naics
    North American Industry Classification System Code
  • http_referer_sector
    Sector to which the IP in question belongs; e.g. Communications, Commercial
  • dst_ip
    Destination IP
  • dst_port
    Destination port of the IP connection
  • dst_asn
    ASN of the destination IP
  • dst_geo
    Country of the destination IP
  • dst_region
    Region of the destination IP
  • dst_city
    City of the destination IP
  • dst_hostname
    Reverse DNS of the destination IP
  • dst_naics
    North American Industry Classification System Code
  • dst_sector
    Sector to which the IP in question belongs; e.g. Communications, Commercial
  • public_source
    Source of the event data
  • infection
    Description of the malware/infection
  • family
    Malware family or campaign associated with the event
  • tag
    Event attributes
  • application
    Application name associated with the event
  • version
    Software version associated with the event
  • event_id
    Unique identifier assigned to the source IP or event
  • http_url
    HTTP request
  • http_host
    HTTP host extracted from the URL
  • http_referer
    Content of the HTTP referer

Sample

"timestamp","protocol","http_referer_ip","http_referer_port","http_referer_asn","http_referer_geo","http_referer_region","http_referer_city","http_referer_hostname","http_referer_naics","http_referer_sector","dst_ip","dst_port","dst_asn","dst_geo","dst_region","dst_city","dst_hostname","dst_naics","dst_sector","public_source","infection","family","tag","application","version","event_id","http_url","http_host","http_referer"
"2021-03-04 00:00:02","tcp","178.162.203.211",80,28753,"DE","HESSEN","FRANKFURT AM MAIN","12106.mobapptrack.com",518210,"Communications, Service Provider, and Hosting Service","85.17.31.82",80,60781,"NL","NOORD-HOLLAND","AMSTERDAM",,518210,"Communications, Service Provider, and Hosting Service",,,"kovter","kovter",,,1614816002,"GET /favicon.ico HTTP/1.1","12106.mobapptrack.com","http://12106.mobapptrack.com/click/redirect?feed_id=12106&sub_id=7&q=8A5491983C8FBE7743E2D2C36E45EBC4-18307118D2626C9BD756B3F09D14BB910E381EE4"
"2021-03-04 00:00:11","tcp","59.106.x.x",80,9370,"JP","OSAKA","OSAKA","x.noizm.com",518210,"Communications, Service Provider, and Hosting Service","178.162.x.x",80,28753,"DE","HESSEN","FRANKFURT AM MAIN",,518210,"Communications, Service Provider, and Hosting Service",,,"sunburst","sunburst",,,1614816011,"GET /animalally.com HTTP/1.1","freescanonline.com","http://x.noizm.com/jump.php?u=http://freescanonline.com/animalally.com"
"2021-03-04 00:00:12","tcp","142.250.x.x",80,15169,"US","CALIFORNIA","MOUNTAIN VIEW","x.blogspot.com",519130,"Communications, Service Provider, and Hosting Service","178.162.x.x",80,28753,"DE","HESSEN","FRANKFURT AM MAIN",,518210,"Communications, Service Provider, and Hosting Service",,,"kovter","kovter",,,1614816012,"GET /getjs?r=0.6393021999392658 HTTP/1.1","rxrtb.bid","http://x.blogspot.com/"
"2021-03-04 00:00:13","tcp","34.232.x.x",80,14618,"US","VIRGINIA","ASHBURN","www.example.com",454110,"Retail Trade","5.79.71.225",80,60781,"NL","NOORD-HOLLAND","AMSTERDAM",,518210,"Communications, Service Provider, and Hosting Service",,,"sunburst","sunburst",,,1614816013,"GET /personalationmall.com HTTP/1.1","freescanonline.com","http://www.example.com/teams/default.asp?u=EKL&t=c&s=lacrosse&p=remote&url=http://freescanonline.com/personalationmall.com"
"2021-03-04 00:01:26","tcp","210.172.x.x",80,2516,"JP","HOKKAIDO","SAPPORO","x.communes.jp",517312,"Communications, Service Provider, and Hosting Service","5.79.x.x",80,60781,"NL","NOORD-HOLLAND","AMSTERDAM",,518210,"Communications, Service Provider, and Hosting Service",,,"sunburst","sunburst",,,1614816086,"GET /raftcomply.com HTTP/1.1","freescanonline.com","http://x.communes.jp/?url=http://freescanonline.com/raftcomply.com"

Our 105 Report Types