Malicious Code

This category comprises all kinds of malicious code, including infected devices as well as, for example, command and control (C2) servers.

Emotet

Description

Emotet[0] is an advanced, dangerous and, as of 2021, very active malware which primarily spreads via email, using malicious links or attachments. One reason for Emotet's success is its ability to take over legitimate email conversations, which leads to very convincing spam emails that fool even cautious users. As soon as Emotet has infected a system, it steals emails and contacts (i.e. uploads them to its servers) and uses them to forge the aforementioned spam emails.

An often overlooked, but particularly nasty effect of this process is that even after removing Emotet from an infected system, the spamming of one's contacts will most likely continue. This can result in considerable reputational damage, especially for companies whose conversations are used to spam business partners or customers.

Risks

  • Loading of additional malware: After stealing emails and contacts, Emotet usually loads additional malware, which in many cases is ransomware. Ransomware is a strain of malicious software which encrypts a system or network and demands a ransom from the victim for decryption. The ransom demands are based on the assumed turnover of the victim and often amount to tens of thousands of dollars or more.
  • Reputational damage and resulting financial losses

Mitigation

  • Before starting any mitigation process, make sure that you have identified all infected systems in your network(s). Otherwise the malware will most likely start spreading again in no time.
  • If possible, CERT.at recommends reinstalling the operating system and restoring the data from a known good backup. If no (good) backups are available, it is also possible to clean the PC using anti-malware software. However, as anti-malware authors and malware authors are in a constant cat-and-mouse game, this method is less reliable. Don't hesitate to seek help from professionals if you are unsure whether you can handle the task.

[0]: https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet

Sandbox URL

If you received a notification about "Sandbox-URLs", this tells you that malware running in the sandboxes of the shadowserver project tried to access these URLs. This indicates that criminals have uploaded files to these URLs which the malware then tries to download; in many cases these files contain more malicious code.

Sinkhole HTTP Drone

Description

The Sinkhole-HTTP-Drone feed from shadowserver indicates that your system is very likely infected with malware. They make use of the fact that a lot of malware communicates with a so-called Command & Control (C2) server to receive commands, download files, upload files, etc. If the C2 server is stored in the malware as a name (a URL) rather than an IP address, that name has to be resolved to an IP address before communication can begin. This is accomplished using the DNS (Domain Name System), and this is where shadowserver can intervene: they set up a DNS server which answers the query with an IP address under their control instead of the address of the real C2 server. Thus, any connection attempt to this IP address originates, with high probability, from an infected client.
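
An added illustration of the sinkholing just described (example code, not from CERT.at or shadowserver): a resolver that answers blocklisted C2 names with an address the defender controls, and the analysis of a constructed access log from that address to list the sources that are probably infected. The domain names, addresses, log format and the exclusion of a scanner address are all assumptions made for this example.

```python
"""DNS sinkholing as described above: a resolver answering blocklisted C2 names
with an address we control, plus analysis of the connections landing there."""
import ipaddress
import re
from collections import defaultdict

SINKHOLE_IP = "198.51.100.5"                                 # constructed
C2_DOMAINS = {"evil-c2.example", "update-checker.invalid"}  # constructed
UPSTREAM = {"www.example.org": "192.0.2.1"}                  # stand-in for real DNS

def sinkhole_resolve(qname):
    """Answer like the sinkhole DNS server: C2 names (and their subdomains)
    resolve to SINKHOLE_IP, everything else is resolved normally."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in C2_DOMAINS:
            return SINKHOLE_IP
    return UPSTREAM.get(qname.lower().rstrip("."))

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) "
                    r"(?P<method>[A-Z]+) (?P<path>\S+) Host: (?P<host>\S+)$")

def likely_infected(log_lines, exclude_nets=()):
    """Group sinkhole hits by source: a source that contacted SINKHOLE_IP asking
    for a C2 hostname is very likely infected; exclude_nets (own scanners) is skipped."""
    excluded = [ipaddress.ip_network(n) for n in exclude_nets]
    hits = defaultdict(lambda: {"count": 0, "c2_hosts": set()})
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["dst"] != SINKHOLE_IP:
            continue  # not a sinkhole connection, so no evidence of infection
        src = ipaddress.ip_address(m["src"])
        if any(src in net for net in excluded):
            continue
        hits[str(src)]["count"] += 1
        hits[str(src)]["c2_hosts"].add(m["host"].lower())
    return dict(hits)

# Constructed sinkhole access log: two infected hosts, one scanner, one unrelated line.
SAMPLE_LOG = [
    "2021-03-02T10:15:01Z 192.0.2.10 -> 198.51.100.5 GET /gate.php Host: evil-c2.example",
    "2021-03-02T10:15:07Z 192.0.2.10 -> 198.51.100.5 POST /gate.php Host: evil-c2.example",
    "2021-03-02T10:16:40Z 192.0.2.77 -> 198.51.100.5 GET /a.bin Host: cdn.update-checker.invalid",
    "2021-03-02T10:17:02Z 192.0.2.250 -> 198.51.100.5 GET / Host: evil-c2.example",
    "2021-03-02T10:18:00Z 192.0.2.10 -> 192.0.2.1 GET / Host: www.example.org",
]

if __name__ == "__main__":
    for src, info in likely_infected(SAMPLE_LOG, exclude_nets=["192.0.2.250/32"]).items():
        print(src, info["count"], sorted(info["c2_hosts"]))
```

The per-source list is what a feed like Sinkhole-HTTP-Drone is built from; on the receiving side it is the starting point for finding every infected system before cleaning any of them.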

Risks

  • Depends on the malware. Common actions are stealing passwords, account data (banks, email, social media, ...) and browser histories, or abusing the infected machine to send spam or to infect other computers.

Mitigation

  • Also depends on the malware. If possible, CERT.at recommends reinstalling the operating system and restoring the data from a known good backup. If no (good) backups are available, it is also possible to clean the PC using anti-malware software. However, as anti-malware authors and malware authors are in a constant cat-and-mouse game, this method is less reliable. Don't hesitate to seek help from professionals if you are unsure whether you can handle the task.