CSIRT-IE Sinkhole Events Report.
Description
This report identifies hosts reported to have attempted to establish a connection with a non-Hypertext Transfer Protocol (HTTP) sinkhole, i.e. the connection attempt was made over a protocol other than HTTP.
Sinkholing is a technique for manipulating the flow of data in a network: traffic is redirected from its intended destination to a controlled environment, such as a server, which is referred to as a sinkhole.
The technique can be used maliciously, to steer legitimate network traffic away from its intended recipient; defensively, to protect a network from attack by steering illegitimate traffic away from its intended target; and as a research tool that allows cyber security experts to isolate and analyse illegitimate and malicious network traffic.
Illegitimate or malicious network traffic can be identified by characteristics such as the source IP address, packet anomalies and traffic patterns. In the case of this report the identifying characteristic is the destination: the host contacted an address or domain name that once belonged to malware infrastructure and is now controlled by the sinkhole operator.
A sinkhole is therefore a tool used in network management, research and threat analysis.
Utilization
Sinkholes are used by law enforcement agencies during the takedown of large-scale cyber crime enterprises operated by Organised Crime Groups (OCGs), together with their infrastructure, which may comprise electronic and digital technology such as a botnet. Information from these sinkholes is provided to National CSIRTs in order to maximise remediation efforts.
Problem
Sinkhole Events Report - List of Malware Infections.
Note: The Shadowserver Foundation includes, in the 'Infection' column of the report, the malware infection associated with each host identified. The two lists below describe the infection names that appear in the report.
1. List of Malware Infections contained in the Report.
| No. | Malware | Type of Infection | Reference |
|---|---|---|---|
| 1. | adload. | Potentially Unwanted Application/Adware. | malpedia - adload |
| 2. | Bumblebee. | Loader (malware downloader). | malpedia - bumblebee |
| 3. | likely-rat-adwind. | Remote Administration Tool (RAT). | malpedia - AdWind |
| 4. | likely-rat-im. | Remote Administration Tool (RAT). | Check Point - RAT |
| 5. | likely-rat-netwire. | Remote Administration Tool (RAT). | malpedia - NetWire RC |
| 6. | likely-rat-orcus. | Remote Administration Tool (RAT). | malpedia - Orcus - RAT |
| 7. | likely-rat-remcos. | Remote Administration Tool (RAT). | malpedia - Remcos |
| 8. | likely-rat-wsremcos. | Remote Administration Tool (RAT). | malpedia - Remcos |
| 9. | likely-rat-wsh. | Remote Administration Tool (RAT). | malpedia - WSHRAT |
| 10. | PseudoManuscrypt. | Spyware. | malpedia - PseudoManuscrypt |
2. List of Botnet Infections contained in the Report.
A botnet comprises a network of devices, known as 'bots', infected with malware that gives malicious actors unauthorised remote access to them. A functioning botnet can be used for a variety of purposes, including malware delivery, distributed denial of service (DDoS) attacks, and routing nefarious Internet traffic.
| No. | Name | Description |
|---|---|---|
| 1. | android.badbox2 | The BADBOX botnet was identified in 2023 and consisted primarily of Android devices that had been compromised with backdoor malware before purchase. BADBOX 2.0, in addition to compromising devices before purchase, can also infect devices through the download of malicious apps from unofficial marketplaces. The BADBOX 2.0 botnet consists of millions of infected devices and maintains numerous backdoors to proxy services, which cyber criminal actors exploit by selling or giving away access to compromised home networks for use in various criminal activity. The German government seized and sinkholed the botnet's command-and-control servers in December 2024, and in March 2025 Human Security's Satori researchers disclosed details of the BADBOX 2.0 operation. Since then Shadowserver has sinkholed traffic from nearly 3 million BADBOX-infected devices, rerouting it to its own infrastructure instead of the criminals' servers. |
| 2. | Android.Vo1d2 | The Android.Vo1d botnet is a multi-purpose cybercrime tool that turns compromised devices into proxy servers to facilitate illegal operations. The malware has specific plugins that automate ad interactions and simulate human-like browsing behaviour, as well as the Mzmess SDK, which distributes fraud tasks to different bots. Infected devices relay malicious traffic for the cyber criminal actors, hiding the origin of their activity and blending in with residential network traffic. This also helps the threat actors bypass regional restrictions, security filtering and other protections. Vo1d also performs ad fraud, faking user interactions by simulating clicks on ads or views on video platforms to generate revenue for fraudulent advertisers. Android.Vo1d2 appears to be an evolved version of Android.Vo1d1. |
| 3. | Kelihos.E | Kelihos is malware that operates as a botnet, used primarily for spamming and for spreading other malware. It infects computers, turning them into "bots" that attackers control remotely to send spam e-mail, steal information or install further malicious software. |
| 4. | raptor-train | The Raptor Train botnet uses malware from the Mirai family, which is designed to hijack Linux-based IoT devices such as webcams, DVRs, IP cameras and routers. The Mirai source code was posted publicly on the Internet in 2016, and other attackers have since built their own botnets on it; Mirai-based botnets have been used to conduct DDoS and other malicious activity against third parties. Raptor Train's customised Mirai malware is one component of a system that automates the compromise of a variety of devices. To recruit a new "bot", the system first compromises an Internet-connected device using one of a number of known vulnerability exploits (CVEs). Post-compromise, the victim device executes a Mirai-based payload fetched from a remote server. Once executed, the payload starts processes on the device that establish a connection to a command-and-control (C2) server using Transport Layer Security (TLS) on port 443. These processes gather system information from the infected device, including the operating system version and processor, memory and bandwidth details, and send it to the C2 server for enumeration. The malware also makes requests to "c.speedtest.net", likely to gather additional Internet connection details. Some payloads were self-deleting to evade detection. The botnet is believed to have infected over 250,000 Internet of Things (IoT) devices worldwide. The FBI and Microsoft Threat Intelligence attribute the development and control of the botnet to a China-based group known as 'Flax Typhoon'. On 18 September 2024 the U.S. Department of Justice announced a court-authorised law enforcement operation to disrupt the botnet. |
| 5. | VPNFilter | The VPNFilter malware is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations. The stage 1 malware persists through a reboot, which sets it apart from most other malware targeting Internet-of-Things devices, as such malware normally does not survive a reboot. The main purpose of stage 1 is to gain a persistent foothold and enable deployment of the stage 2 malware. Stage 1 uses multiple redundant command-and-control (C2) mechanisms to discover the IP address of the current stage 2 deployment server, which makes the malware robust against unpredictable C2 infrastructure changes. The stage 2 malware, which does not persist through a reboot, has the capabilities expected of an intelligence-collection platform, such as file collection, command execution, data exfiltration and device management. Some versions of stage 2 also have a self-destruct capability that overwrites a critical portion of the device's firmware and reboots the device, rendering it unusable; it is believed that the actor could issue self-destruct commands to devices it controls regardless of whether the command is built into the stage 2 malware. In addition, there are multiple stage 3 modules that serve as plugins for stage 2 and extend its functionality. Two plugin modules are known: a packet sniffer for collecting traffic that passes through the device, including theft of website credentials and monitoring of Modbus SCADA protocols, and a communications module that allows stage 2 to communicate over Tor. |
| 6. | 911 S5 | SOCKS5 proxies are commonly used to reroute Internet traffic through a third-party server, providing anonymity and the ability to bypass geo-restrictions. 911-socks5-proxy (911 S5) was a large-scale botnet that offered proxy services using the IP addresses of infected devices. Cyber criminal actors could purchase these proxy services to make their online activity appear to originate from the infected devices, concealing their digital footprints: their traffic was rerouted through infected devices, hiding their true originating IP addresses and locations, so that they could commit various crimes anonymously. The botnet spread by distributing VPN applications with built-in malware targeting Windows systems. These VPN applications were often bundled with pirated games or software to entice victims into downloading them. Once downloaded and installed, the VPN application silently installed the malware as well, making the device part of the 911 S5 botnet. VPN applications connected to the 911 S5 service included MaskVPN, DewVPN, PaladinVPN, ProxyGate, ShieldVPN and ShineVPN. |
| 7. | non-authoritative-whois | A non-authoritative WHOIS response means the data does not come directly from the registry that manages the domain or IP address; it is a copy from another server that may not have the most up-to-date or complete information. |
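The report arrives as one row per observed connection attempt, with the 'Infection' column described in the note above. The following added example, which is not part of the CSIRT-IE page or of Shadowserver's tooling, parses a constructed report in that shape, collapses it to one record per reported host and ranks the hosts using the two lists above. The column names are assumed to follow Shadowserver's published schema for this report and must be checked against the header line of a real report; the addresses, ports and timestamps are invented, and the high/medium/low ranking is the example's own triage convention, not a CSIRT-IE rating.

```python
import csv
import io
from datetime import datetime

# Constructed sample in the shape of a Shadowserver Sinkhole Events Report
# (non-HTTP sinkhole).  Column names are assumed from Shadowserver's schema;
# addresses (RFC 5737 / RFC 6996 documentation ranges), ports and times are
# invented for the example.
SAMPLE_REPORT = """\
timestamp,protocol,src_ip,src_port,src_asn,src_geo,dst_ip,dst_port,infection,family,tag
2025-06-01 03:14:07,tcp,198.51.100.23,51234,64496,IE,192.0.2.10,443,likely-rat-remcos,remcos,
2025-06-01 03:14:09,tcp,198.51.100.23,51240,64496,IE,192.0.2.10,443,likely-rat-remcos,remcos,
2025-06-01 04:02:51,udp,198.51.100.77,33210,64496,IE,192.0.2.11,53,android.badbox2,badbox,
2025-06-01 04:30:00,tcp,203.0.113.5,40111,64497,IE,192.0.2.12,8443,raptor-train,mirai,
2025-06-01 05:11:42,tcp,198.51.100.23,51301,64496,IE,192.0.2.10,443,adload,adload,
"""

# Infection tags from the 'List of Malware Infections' with the type given there.
MALWARE_TYPES = {
    "adload": "Potentially Unwanted Application/Adware",
    "bumblebee": "malware (loader)",
    "likely-rat-adwind": "Remote Administration Tool (RAT)",
    "likely-rat-im": "Remote Administration Tool (RAT)",
    "likely-rat-netwire": "Remote Administration Tool (RAT)",
    "likely-rat-orcus": "Remote Administration Tool (RAT)",
    "likely-rat-remcos": "Remote Administration Tool (RAT)",
    "likely-rat-wsremcos": "Remote Administration Tool (RAT)",
    "likely-rat-wsh": "Remote Administration Tool (RAT)",
    "pseudomanuscrypt": "Spyware",
}

# Names from the 'List of Botnet Infections', lower-cased to match the tag
# style; '911-socks5-proxy' is the tag form used in that list's description.
BOTNET_TAGS = {
    "android.badbox2", "android.vo1d2", "kelihos.e", "raptor-train",
    "vpnfilter", "911-socks5-proxy", "non-authoritative-whois",
}

PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2, "unknown": 3}


def priority_for(infection):
    """Triage priority for one infection tag (this example's own convention).

    Anything that gives an attacker remote control of the host or steals data
    is handled first, because the password reset recommended under Solution
    only helps once such malware is gone.
    """
    tag = infection.lower()
    kind = MALWARE_TYPES.get(tag)
    if kind is not None and any(k in kind for k in ("RAT", "Spyware", "malware")):
        return "high"
    if tag in BOTNET_TAGS:
        return "medium"
    if kind is not None:          # adware / potentially unwanted application
        return "low"
    return "unknown"              # not in either list: look the tag up first


def parse_report(text):
    """Read the CSV and convert the fields the triage logic needs."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["timestamp"] = datetime.strptime(r["timestamp"], "%Y-%m-%d %H:%M:%S")
        r["src_port"] = int(r["src_port"])
        r["dst_port"] = int(r["dst_port"])
    return rows


def triage(rows):
    """Collapse per-event rows to one record per reported host, highest priority first."""
    hosts = {}
    for r in rows:
        h = hosts.setdefault(r["src_ip"], {
            "src_ip": r["src_ip"], "events": 0, "infections": set(),
            "sinkholes": set(), "first_seen": r["timestamp"],
            "last_seen": r["timestamp"], "priority": "unknown",
        })
        h["events"] += 1
        h["infections"].add(r["infection"])
        # (dst_ip, dst_port, protocol) is what to search for in local logs.
        h["sinkholes"].add((r["dst_ip"], r["dst_port"], r["protocol"]))
        h["first_seen"] = min(h["first_seen"], r["timestamp"])
        h["last_seen"] = max(h["last_seen"], r["timestamp"])
        p = priority_for(r["infection"])
        if PRIORITY_ORDER[p] < PRIORITY_ORDER[h["priority"]]:
            h["priority"] = p      # a host keeps its worst infection's priority
    return sorted(hosts.values(),
                  key=lambda h: (PRIORITY_ORDER[h["priority"]], -h["events"], h["src_ip"]))


if __name__ == "__main__":
    for h in triage(parse_report(SAMPLE_REPORT)):
        print(f"{h['priority']:8} {h['src_ip']:16} events={h['events']:<3} "
              f"{','.join(sorted(h['infections']))}  last_seen={h['last_seen']}")
```

A host that appears with several tags (here 198.51.100.23 with both a RAT and adware) is ranked by its worst tag, and the last_seen value tells the responder whether the host was still beaconing after any clean-up already attempted.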
Solution
Constituents are requested, on receipt of the Sinkhole Events Report, to conduct a thorough investigation of the hosts identified in order to establish and confirm the facts. If the host did attempt to connect to the IP address of the sinkhole, the activity should be treated as malicious and the host as infected, and appropriate precautions taken to protect the computer and its data. Note that the connection to the sinkhole itself is harmless, because the sinkhole is operated by the reporting party; what it proves is that malware on the host is still trying to reach its former command-and-control infrastructure. Note also that the source IP address in the report is the address as seen by the sinkhole, so where the constituent uses network address translation (NAT) the report's timestamp and source port must be matched against the NAT gateway's logs to identify the internal host.
Removal of Malware Infections from a Computer.
Constituents are advised to take a holistic approach to the removal of malware from computers and devices: a multi-layered strategy that addresses prevention, detection and response and encompasses both technical and human elements. The aim is a strong defence against malware built from security measures and best practices applied consistently across the organisation or system.
Guidelines for the removal of malware infections from a computer.
| No. | Action | Recommendations |
|---|---|---|
| 1. | Disconnect host from network. | It is recommended that the host identified in the report be disconnected from the network immediately, either by unplugging the network cable or by turning off the Wi-Fi. This cuts off the attacker's access to the device and stops the malware spreading to other hosts; it does not remove the malware. |
| 2. | Reboot host in Safe Mode. | In Safe Mode only essential system services are started, which restricts the operation of any malware on the computer. On older versions of Windows the F8 key during startup opened the Advanced Boot Options menu with a Safe Mode entry; on Windows 10 and 11 the F8 menu is disabled by default, and Safe Mode is reached by holding Shift while choosing Restart from the Start menu (Troubleshoot > Advanced options > Startup Settings > Restart, then option 4), or from Settings > System > Recovery > Advanced startup. Choose plain Safe Mode rather than Safe Mode with Networking so that the host stays disconnected. |
| 3. | Investigate reported host. | It is recommended that the host identified in the report be investigated to establish and confirm the facts. Examine the host's logs to establish whether it attempted to connect to the sinkhole IP address reported; the report's timestamp and source port identify the specific connection to look for. |
| 4. | Security event logs. | For Windows operating systems, investigate the DNS server logs and the Windows Defender Firewall log for connections to the sinkhole IP address reported, or for DNS queries that resolve to it or to blocked malicious domains. Windows Defender Firewall logging is disabled by default and must be enabled (Windows Defender Firewall with Advanced Security > Properties > Logging); it writes to %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log. For Linux operating systems, the log files stored in /var/log should be investigated for similar activity. |
| 5. | Perform a full anti-virus scan. | It is recommended that a full anti-virus scan of the reported host is performed to ensure the removal of any malware, in particular any Remote Administration Tool (RAT) malware that malicious actors may have installed. Microsoft Defender Antivirus, the security feature built into Windows and enabled automatically on Windows 10 and 11, is designed to protect against malware and other threats; Microsoft continually updates its security intelligence to cover the latest threats and tunes its detection logic to improve accuracy. Treat a clean scan result as necessary but not sufficient: a scan cannot prove that a host an attacker controlled through a RAT is free of further attacker-installed tooling. |
| 6. | Reset all passwords. | It is recommended that, after the anti-virus scan has completed, all passwords are reset, including passwords for e-mail accounts and in particular accounts relating to financial services. Perform the resets from a device known to be clean, since a RAT still present on the infected host would capture the new passwords. It is recommended that two-factor authentication be enabled for added security. |
| 7. | Reinstall the operating system. | If problems or doubts persist, back up important data using a secure method, ensure the backup does not contain infected files, and reinstall the operating system. A clean reinstall is the only reliable remediation for a RAT infection, because a RAT gives the attacker full control of the host. |
| 8. | Security against future threats. | Ensure that the operating system and all software, including patches and updates released by the vendor, are updated regularly. Use automatic updates from trusted providers when available. Avoid pirated software. Ensure that anti-virus scans are also performed regularly and that the anti-virus application is kept up to date with the newest virus definitions and security patches, so that it detects and neutralises emerging malware. This is essential for maintaining robust protection against the latest cyber threats. |
| 9. | Monitor reported host. | It is recommended that the host identified in the report is monitored, and continues to be monitored, to detect any recurrence of the infection. If the same host appears in a subsequent Sinkhole Events Report, the clean-up was incomplete. |
| 10. | DNS firewall. | A DNS firewall is a policy enforcement point for DNS-specific protection from malware and advanced persistent threats (APTs). It is a DNS service that uses Response Policy Zones (RPZs) fed by a threat intelligence (malware feed) service to stop infected devices resolving the names of command-and-control (C&C) sites and botnet infrastructure, which disrupts both control of the device and data exfiltration. |
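Steps 3 and 4 come down to searching the host's or gateway's logs for the sinkhole destination given in the report. The following added example, written for this page rather than taken from it, does that over constructed log lines: a fragment imitating the Windows Defender Firewall log (pfirewall.log, W3C extended format) and a fragment imitating Linux netfilter LOG output as found in /var/log/kern.log or /var/log/syslog. The sinkhole addresses, hosts, timestamps and the "OUTBOUND" log prefix are invented; a real investigation takes the (dst_ip, dst_port) pairs from the report and the lines from the actual log files.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sinkhole destinations as they would be taken from the report being
# investigated.  Constructed (RFC 5737 documentation addresses).
SINKHOLES = {("192.0.2.10", 443), ("192.0.2.11", 53)}

# Constructed lines imitating %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log.
WINDOWS_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2025-06-01 03:14:05 ALLOW TCP 10.0.0.5 203.0.113.80 51233 443 0 - 0 0 0 - - - SEND
2025-06-01 03:14:07 ALLOW TCP 10.0.0.5 192.0.2.10 51234 443 0 - 0 0 0 - - - SEND
2025-06-01 03:14:09 DROP TCP 10.0.0.5 192.0.2.10 51240 443 0 - 0 0 0 - - - SEND
2025-06-01 03:20:00 ALLOW UDP 10.0.0.5 10.0.0.1 55000 53 0 - - - - - - - SEND
"""

# Constructed lines imitating netfilter LOG output in /var/log/kern.log
# (the "OUTBOUND" prefix is an assumed --log-prefix on an OUTPUT/FORWARD rule).
LINUX_LOG = """\
Jun  1 04:02:51 gw kernel: [81234.561] OUTBOUND IN= OUT=eth0 SRC=10.0.0.6 DST=192.0.2.11 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=UDP SPT=33210 DPT=53 LEN=40
Jun  1 04:03:10 gw kernel: [81253.102] OUTBOUND IN= OUT=eth0 SRC=10.0.0.6 DST=203.0.113.80 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1235 DF PROTO=TCP SPT=40111 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
"""


@dataclass(frozen=True)
class Connection:
    when: str       # timestamp text as it appears in the log
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str
    action: str     # ALLOW/DROP for Windows, LOG for netfilter
    source: str     # which log format the line came from


_DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")
_NF_RE = re.compile(r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?PROTO=(?P<proto>\w+)"
                    r".*?SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+)")
_SYSLOG_TS = re.compile(r"^(\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2})")


def parse_pfirewall_line(line: str) -> Optional[Connection]:
    """One pfirewall.log record; None for headers, ICMP lines or foreign formats."""
    if not line or line.startswith("#"):
        return None
    f = line.split()
    if len(f) < 8 or not _DATE_RE.fullmatch(f[0]) or not f[7].isdigit():
        return None
    date, time_, action, proto, src, dst, _sport, dport = f[:8]
    return Connection(f"{date} {time_}", src, dst, int(dport), proto, action, "pfirewall")


def parse_netfilter_line(line: str) -> Optional[Connection]:
    """One netfilter LOG record; None for lines without SRC=/DST=/PROTO=/DPT=."""
    m = _NF_RE.search(line)
    if not m:
        return None
    ts = _SYSLOG_TS.match(line)
    return Connection(ts.group(1) if ts else "", m["src"], m["dst"],
                      int(m["dpt"]), m["proto"], "LOG", "netfilter")


def sinkhole_hits(lines, sinkholes, parsers=(parse_pfirewall_line, parse_netfilter_line)):
    """Every parsed connection whose destination is one of the sinkholes.

    A DROP still counts: the report is about connection attempts, and a
    blocked attempt is the same evidence of infection as an allowed one.
    """
    hits = []
    for line in lines:
        for parse in parsers:
            conn = parse(line)
            if conn is not None:
                if (conn.dst_ip, conn.dst_port) in sinkholes:
                    hits.append(conn)
                break
    return hits


if __name__ == "__main__":
    lines = WINDOWS_LOG.splitlines() + LINUX_LOG.splitlines()
    for c in sinkhole_hits(lines, SINKHOLES):
        print(f"{c.when}  {c.src_ip} -> {c.dst_ip}:{c.dst_port}/{c.proto} ({c.action}, {c.source})")
```

The source address in each hit is the internal host to remediate; on a NAT gateway log this is what resolves the public address in the report to a specific machine.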
Guidelines for the removal of bot malware from IoT devices.
Constituents are encouraged to update and secure their devices, particularly older devices, to prevent them being compromised by bot malware.
| No. | Action | Recommendations |
|---|---|---|
| 1. | Software updates. | Apply software patches and updates regularly, and use automatic updates from trusted providers when available. |
| 2. | Disable unused ports. | Disable unused services and ports, such as automatic configuration, remote access or file sharing protocols, which malicious actors may abuse to gain initial access or to spread malware to other networked devices. |
| 3. | Replace default passwords. | Replace default passwords with strong, unique passwords. |
| 4. | Implement network segmentation. | To minimise the risks associated with IoT devices in a larger network, implement network segmentation and apply the principle of least privilege. This involves creating isolated network segments or separate zones for IoT devices, sensitive data and critical infrastructure, restricting each to only the resources necessary for its function. |
| 5. | Monitor network traffic. | Monitor for unusually high network traffic or other unusual activity, which may indicate that a device is participating in DDoS attacks or proxying traffic for others, so that incidents can be detected and mitigated. |
| 6. | Reboot devices. | Plan for regular device reboots to remove non-persistent malware (VPNFilter's stage 2, for example, does not survive a reboot, although its stage 1 does). |
| 7. | Replace end-of-life devices. | Replace end-of-life equipment with supported devices. |
| 8. | DNS firewall. | A DNS firewall is a policy enforcement point for DNS-specific protection from malware and advanced persistent threats (APTs). It is a DNS service that uses Response Policy Zones (RPZs) fed by a threat intelligence (malware feed) service to stop infected devices resolving the names of command-and-control (C&C) sites and botnet infrastructure, which disrupts both control of the device and data exfiltration. |
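Both the computer and the IoT guidelines above end with a DNS firewall built on Response Policy Zones. The following added example, which is not from the CSIRT-IE page or from any BIND documentation, shows the RPZ mechanics concretely: a BIND 9 named.conf fragment that enables a policy zone, and a function that renders the zone file from an indicator feed, using the `CNAME .` trigger (answer NXDOMAIN) for a C&C name and all its subdomains, and the `rpz-ip` trigger to refuse any answer that would resolve to a known C&C address. The zone name `rpz.local`, the file path, and the indicator feed (reserved documentation names and addresses, not real C&C) are all assumptions made for the example.

```python
import ipaddress

# named.conf fragment (BIND 9) enabling the policy zone.  Constructed for this
# example; "rpz.local" and the file path are assumptions.
NAMED_CONF_FRAGMENT = """\
options {
    response-policy { zone "rpz.local"; };
};
zone "rpz.local" {
    type master;
    file "/etc/bind/rpz.local.zone";
    allow-query { localhost; };
};
"""

# Constructed indicator feed standing in for a threat-intelligence malware
# feed; these are reserved documentation names and ranges, not real C&C.
C2_DOMAINS = ["c2.example.net", "Update.Example.ORG.", "c2.example.net"]
C2_IPS = ["192.0.2.10", "198.51.100.0/24"]


def normalise_name(name: str) -> str:
    """Lower-case, strip whitespace and the trailing dot; '' if nothing is left."""
    return name.strip().rstrip(".").lower()


def rpz_ip_trigger(cidr: str) -> str:
    """Owner name for an RPZ IP trigger: <prefixlen>.<octets reversed>.rpz-ip (IPv4)."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("this example handles IPv4 triggers only")
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}." + ".".join(reversed(octets)) + ".rpz-ip"


def render_rpz_zone(origin: str, serial: int, domains, ips) -> str:
    """Render an RPZ zone file that returns NXDOMAIN for the given names and
    for any answer containing an address in the given ranges."""
    origin = normalise_name(origin)
    lines = [
        "$TTL 300",
        f"$ORIGIN {origin}.",
        f"@ IN SOA localhost. hostmaster.{origin}. {serial} 3600 900 604800 300",
        "@ IN NS localhost.",
    ]
    # dict.fromkeys keeps feed order while dropping duplicates after normalisation.
    for name in dict.fromkeys(normalise_name(d) for d in domains):
        if not name:
            continue
        lines.append(f"{name} CNAME .")       # NXDOMAIN for the name itself
        lines.append(f"*.{name} CNAME .")     # and for every subdomain
    for cidr in ips:
        lines.append(f"{rpz_ip_trigger(cidr)} CNAME .")   # NXDOMAIN if an answer contains the IP
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(NAMED_CONF_FRAGMENT)
    print(render_rpz_zone("rpz.local", 2025060101, C2_DOMAINS, C2_IPS))
```

Relative owner names in the zone are completed with the $ORIGIN, so `c2.example.net` becomes the trigger `c2.example.net.rpz.local.`, which is how RPZ matches the queried name. Bump the SOA serial on every feed update, and remember that a DNS firewall only affects devices that use the protected resolver; a bot with a hard-coded resolver or a raw C&C IP address, as in the Raptor Train description above, bypasses it, which is why the network segmentation and egress monitoring steps still matter.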
Additional Information
Shadowserver Foundation - Sinkhole Events Report.
FBI - Alert Number I-060525-PSA, June 5, 2025: Home Internet Connected Devices Facilitate Criminal Activity.
Vo1d rising: inside the botnet controlling 1.68 M+ Android TVs worldwide
Microsoft - adload.
Kaspersky - Adwind: Malware-as-a-Service Platform.
MalwareTech - The Kelihos Botnet.
Microsoft - I had a RAT on my PC but I'm not sure I got rid of it.