
Infoblox Threat Classification Guide

The Threat Classification Guide offers detailed insights into various threat classes, accompanied by a comprehensive description for each.

APT

An Advanced Persistent Threat (APT) is typically a politically motivated campaign carried out by organizations targeting governments or related organizations. Usually the goal is to compromise private networks in order to steal information and secretly monitor data. APTs are known for the stealth tactics they employ to remain hidden. For additional information, see Advanced Persistent Threat (APT).

Id

Description


APT_EmdiviC2

EMDIVI is a trojan backdoor used in the targeting of Japanese government agencies, manufacturing, tech, and media companies.

http://blog.trendmicro.com/trendlabs-security-intelligence/attackers-target-organizations-in-japan-transform-local-sites-into-cc-servers-for-emdivi-backdoor

APT_ExploitKit

An easily distributable pack that contains malicious programs that are used to execute 'drive-by download' attacks in order to infect users with malware. These kits are sold on an online black market and can be bought or rented for hundreds or thousands of dollars. These exploit kits target vulnerabilities in the users' machines (these vulnerabilities usually include unpatched versions of Java, Adobe Reader, Adobe Flash, and Internet Explorer) to load malware onto the user's computer. Exploit kits share many of the same features and exploits across distributions.

http://www.securityweek.com/malware-injected-directly-processes-angler-exploit-kit-attack

APT_Generic

Advanced Persistent Threats (APT) typically are sophisticated, well organized and resourced teams of threat actors who carry out politically or economically motivated espionage. Unlike the financial gain sought by Persistent Criminal Enterprises (PCE) or Organized Crime Groups (OCG), APT attacks often intend to steal information and secretly monitor activity for political motivations or comparative advantage through industrial espionage. APTs are often known for stealth tactics and long-running attacks. Because the threat landscape is constantly changing, each Infoblox classification contains a generic property to classify indicators that don't fall under a specific property.

http://searchsecurity.techtarget.com/definition/advanced-persistent-threat-APT

APT_MalwareC2

Machines infected with malware may reach out to remote servers to deliver data or receive additional instructions. C&C servers associated with advanced persistent threats (APTs) indicate those servers are related to an ongoing motivated attack against an entity and are relaying information to infected machines of the targeted organization.

APT_MalwareDownload

Malware associated with advanced persistent threats (APTs) indicates the malware is part of an ongoing politically motivated attack against an entity. The malware will compromise a machine in order to snoop for specific data and relay the information to a remote C&C server.

Bot

A malicious bot is self-propagating malware designed to infect a host and connect back to a central server or servers that act as a command and control (C&C) center for an entire network of compromised devices, or "botnet." With a botnet, attackers can launch broad-based, "remote-control," flood-type attacks against their target(s).

In addition to the worm-like ability to self-propagate, bots can include the ability to log keystrokes, gather passwords, capture and analyze packets, gather financial information, launch DoS attacks, relay spam, and open back doors on the infected host. Bots have all the advantages of worms, but are generally much more versatile in their infection vector, and are often modified within hours of publication of a new exploit. For additional information, see What Is the Difference: Viruses, Worms, Trojans, and Bots?

Id

Description


Bot_Bankpatch

Bankpatch, also known as Nadebanker, is a banking trojan infecting Microsoft Windows systems and operating around 2007-2009. The trojan injects code into multiple system DLLs then deletes itself. Once Internet Explorer is activated it may download additional functionality through Browser Helper Objects (BHO).

https://www.symantec.com/security_response/writeup.jsp?docid=2009-013015-1832-99

Bot_Citadel

The Citadel Trojan is a variant of the bank credential-stealing Zeus Trojan. Similar to the Police Trojan, the user is lured to a drive-by download site. Once the ransomware is installed, pop-up messages accusing the user of visiting child pornography and other illegal sites extort users to pay a fine with prepaid credit cards like Ukash or paysafecard. The message, supposedly from the Department of Justice (or other LEAs around the world), claims that paying this fine will unfreeze the user's computer.

http://www.scmagazine.com/citadel-trojan-uses-child-porn-scare-to-extort-cash/article/243606/

Bot_Cridex

Cridex is a banking Trojan which, like ZeuS, will harvest information gathered from web sessions. Cridex lures an unsuspecting user into downloading the Trojan through a seemingly legitimate email notification prompting them to click a link. Once a user is infected, the Trojan then is able to steal online banking and email account credentials, and is able to use the victim's online identity to complete browsing activities, including registering new email accounts which are later used to proliferate the Cridex bot.

http://community.websense.com/blogs/securitylabs/archive/2012/01/30/trojan-caught-on-camera-shows-captcha-is-still-a-security-issue.aspx

Bot_DNSChanger

DNSChanger drives unsuspecting users to rely on the criminal's rogue DNS servers rather than their own standard DNS servers. This, in turn, gives the criminals the ability to drive the affected user's traffic to wherever the criminal desires. The criminals use the rogue name servers to direct traffic to advertisement sites to generate click-traffic that the criminals are paid for. These rogue DNS servers also prevent users from downloading system and anti-virus updates, making them more susceptible to other malware attacks. In late 2011, the FBI seized control of the DNSChanger infrastructure with the help of the security industry, and authorized the Internet Systems Consortium (ISC) to deploy and operate "clean" DNS servers until July 2012.

http://www.fbi.gov/news/stories/2011/november/malware_110911

Bot_Dorkbot

This family of worms can steal your usernames and passwords by watching what you do online. They can also download other malware and stop you from visiting security-related websites. Some variants can use your PC in a denial of service (DoS) attack.

http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Dorkbot

Bot_Generic

Malware designed to infect a host and connect back to a central server or servers that act as a command and control (C&C) center for an entire network of compromised devices, or 'botnet.' With a botnet, attackers can launch broad-based, 'remote-control,' flood-type attacks against their target(s). Capability of bots can include the ability to log keystrokes, gather passwords, capture and analyze packets, gather financial information, launch DoS attacks, relay spam, and open back doors on the infected host. Because the threat landscape is constantly changing, each Infoblox classification contains a generic property to classify indicators that don't fall under a specific property.

Bot_Hajime

Hajime is an Internet of Things (IoT) bot that infects Linux-based systems. The malware mostly targets Internet accessible cameras and routers. Hajime bots could easily be used for DDoS attacks like Mirai. The malware infects IoT devices by trying to remotely log in using a hard-coded dictionary of common factory default usernames and passwords.

https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf

Bot_IoTroop

IoTroop (a.k.a. IoT Reaper) is a new botnet family targeting IoT devices. Unlike Mirai, which gains access by brute-forcing IoT devices' default usernames and passwords, IoTroop exploits vulnerabilities in IoT devices. According to the netlab360 blog post, the botnet has four components: downloader, controller, reporter, and loader. However, according to Check Point the bot is self-propagating, which is more reasonable, and they have a malicious traffic snapshot to back this up. An infected system contains a modified system file that opens a reverse shell back to the C2 using the netcat command. The infected devices also attack other vulnerable devices. Currently, there is no evidence of DDoS attack activity originating from this botnet. Based on current information, I propose we should have the 3 properties listed above. MalwareC2_Iotroop is the command and control center which controls and sends commands to infected devices (bots). MalwareDownload_Iotroop hosts binary samples for bots to download. And Bot_Iotroop is the infected devices.

https://research.checkpoint.com/new-iot-botnet-storm-coming/

Bot_IPAvalanche

Avalanche uses spam email purporting to come from trusted organizations such as financial institutions or employment websites. Infoblox's Phishing Trends report for the second quarter of 2009 said that Avalanche "have detailed knowledge of commercial banking platforms, particularly treasury management systems and the Automated Clearing House (ACH) system. They are also performing successful real-time man-in-the-middle attacks that defeat two-factor security tokens".

http://en.wikipedia.org/wiki/Avalanche_%28phishing_group%29

Bot_IPFastFlux

Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies. It can also refer to the combination of peer-to-peer networking, distributed command and control, web-based load balancing and proxy redirection used to make malware networks more resistant to discovery and counter-measures.

http://en.wikipedia.org/wiki/Fast_flux

Bot_Kol

Kol is a reverse-proxy service, which is used for "bullet-proof" hosting of criminal sites and malware C&C servers. A reverse-proxy seeks to hide hosted content's true location from observers by funneling requests for the content through an intermediary machine. In the past, infected machines acted as proxy servers between victims and the content, although recently there are indications that alternative proxy servers are being used. The primary concern regarding this threat is network traffic visiting sites hosted via Kol, as it might indicate, for instance, that the machine may be infected with another malware family.

Bot_Mirai

An Internet of Things (IoT) bot that infects Linux-based systems. The malware mostly targets Internet accessible cameras and routers. The Mirai botnet has been used in some highly disruptive DDoS attacks that have brought down service providers like OVH and Dyn DNS. The malware infects IoT devices by trying to remotely log in using a hard-coded dictionary of common factory default usernames and passwords.

https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html

Bot_Multigrain

MULTIGRAIN is a variant of NewPosThings specifically modified to target hosts running the backend point of sale process, multi.exe. Once installed, the malware scrapes memory for credit card account numbers, expiry dates, etc. The data is 1024-bit RSA encrypted and sent via DNS at five-minute intervals.

https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html

Bot_Node

A single infected host connecting back to a central server or servers that act as a command and control (C&C) center for an entire network of compromised devices, or 'botnet.'

http://www.cisco.com/web/about/security/intelligence/virus-worm-diffs.html#7

Bot_OSXFlashBack

The Flashback Trojan is unique in that it targets Mac OS X exclusively. The attack downloads an executable file through an exploit in Java, and the file is used to download the malicious payload. Users encounter a prompt to enter their administrative password, though Flashback is installed regardless of whether the password is entered. The Flashback Trojan is currently being used for click fraud, but could easily be updated in the future to access banking or other sensitive information.

http://securitywatch.pcmag.com/apple/296278-apple-patches-java-flaw-exploited-by-flashback-trojan

Bot_Pushdo

Cutwail, otherwise known as Pushdo, is a spamming botnet that sends a wide range of campaigns promoting fake pharmaceuticals, designer rip-offs, pirated software, fake ACH notifications, fake Facebook friend requests, fake airline ticket confirmations, as well as other scams. It also sends spam emails with malicious attachments, usually within a Zip file. Cutwail is a spamming engine that lures users to malicious or compromised web sites, triggering a series of exploits that injects the Pushdo Trojan into the user's PC memory.

http://www.techrepublic.com/blog/security/pushdocutwail-botnet-second-to-none-when-it-comes-to-spamming/1637

Bot_Ransomware

Ransomware is a class of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator of the malware in order for the restriction to be removed. Some forms of ransomware encrypt files on the system's hard drive, while some may simply lock the system and display messages intended to coax the user into paying.

https://en.wikipedia.org/wiki/Ransomware

Bot_Sality

Sality is one of the longest lived botnets and has been targeting Microsoft Windows systems since 2003. Sality is a polymorphic trojan downloader which employs rootkit capabilities and peer-to-peer command and control. The botnet has been capable of spambot, DNS changer, password stealing and other activities.

https://en.wikipedia.org/wiki/Sality

Bot_TDSS

TDL-4 is a highly sophisticated piece of malware that enables the creation and management of a botnet. The TDL-4 botnet is primarily used to commit click fraud. To avoid detection and remediation, TDL-4 encrypts the communication protocol between bots and the botnet command and control (C&C) servers, and attempts to ensure that a viable line of communication to infected computers remains intact should the botnet control centers be shut down.

http://searchsecurity.techtarget.com/definition/TDL-4-TDSS-or-Alureon

Bot_Virut

Virut is a malware botnet that is known to be used for cybercrime activities such as DDoS attacks, spam (in collaboration with the Waledac botnet), fraud, data theft, and pay-per-install activities. It spreads through executable file infection (through infected USB sticks and other media), and more recently, through compromised HTML files (thus infecting vulnerable browsers visiting compromised websites).

http://en.wikipedia.org/wiki/Virut

Bot_Yahos

Yahos is a computer worm that infects machines connected to the LAN that the infected machine is currently on. The worm is distributed through the Facebook platform. Once infected, the Yahos worm continues to affect other machines on the network and enables them to remotely connect. Yahos also steals sensitive information.

Bot_ZeroAccess

Trojan.Zeroaccess is a Trojan horse that uses an advanced rootkit to hide itself. It can also create a hidden file system, download more malware, and open a back door on the compromised computer. The primary motivation of this threat is to make money through pay per click advertising. It does this by downloading an application that conducts Web searches and clicks on the results. The threat is also capable of downloading other threats on to the compromised computer, some of which may be Misleading Applications that display bogus information about threats found on the computer and scare the user into purchasing fake antivirus software to remove the bogus threats. It is also capable of downloading updates of itself to improve and/or fix functionality of the threat.

http://www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99

Bot_ZeusP2P

The ZeuS P2P Trojan is a variant of ZeuS which has eliminated the need for a static command and control (C&C) server for its directions and updates, and instead utilizes peer-to-peer (P2P) to get that same information. Utilizing P2P allows the botmasters to use other infected PCs to distribute updated ZeuS software and commands to their bots, eliminating the need for a central C&C server and making it more difficult for security researchers to find and disable the botnet. There is still a C&C server, but it does not necessarily use a static domain and can change frequently by sending the bots an updated configuration file.

http://threatpost.com/en_us/blogs/p2p-version-zeus-botnet-appears-101111

Compromised Domain

Id

Description


CompromisedDomain_ExploitKit

Includes domains running malicious software designed to exploit vulnerabilities in programs running on systems which visit the domain. Also see the description for ExploitKit_Generic.

CompromisedDomain_Generic

A compromised domain is one which exhibits behavior indicating the domain has been taken over and threat actors are using hosts or services belonging to that domain for activities other than those intended by the owner or administrator. This may include techniques such as domain hijacking or domain shadowing. Because the threat landscape is constantly changing, each Infoblox classification contains a generic property to classify indicators that don't fall under a specific property.

CompromisedDomain_SittingDucks

Domain has been hijacked using a Sitting Ducks attack at an authoritative DNS or web hosting provider. This attack takes advantage of lame name server delegation and exploitable DNS providers.

Compromised Host

Id

Description


CompromisedHost_BotNode

A single infected host connecting back to a central server or servers that act as a command and control (C&C) center for an entire network of compromised devices, or 'botnet.'

http://www.cisco.com/c/en/us/about/security-center/virus-differences.html#7

CompromisedHost_Generic

The host or system exhibited behavior indicating it was taken over and threat actors are using it for activities other than those intended by the owner or administrator. Because the threat landscape is constantly changing, each Infoblox classification contains a generic property to classify indicators that don't fall under a specific property.

CompromisedHost_PeerToPeer

The host appears to be taken over and is operating as a member of a suspicious peer-to-peer (P2P) network. P2P botnets have a decentralized command and control by maintaining a list of trusted computers, dropsites, and other means where instructions may be passed and malware updated.

http://www.malwaretech.com/2013/12/peer-to-peer-botnets-for-beginners.html

CompromisedHost_Spambot

The host or system has been infected with malware designed to collect e-mail addresses from various sources and send unsolicited e-mail, also known as spam.

https://en.wikipedia.org/wiki/Spambot

CompromisedHost_SURBLcr

SURBL Cracked sites: This list contains data from multiple sources that cover cracked sites. Criminals steal credentials or abuse vulnerabilities in CMS such as Wordpress or Joomla to break into websites and add malicious content. Often cracked pages will redirect to spam sites or to other cracked sites. Cracked sites usually still contain the original legitimate content and may still be mentioned in legitimate emails, besides the malicious pages referenced in spam.

http://www.surbl.org/lists#cr

Cryptocurrency

Cryptocurrencies allow malicious actors to perform illegal and/or fraudulent activities such as human trafficking, black market sales/purchases, ransomware payments, etc. Cryptocurrencies are used because transactions that involve them are hard to track and do not involve banks or other financial institutions. From a user perspective, mining for cryptocurrencies can require large amounts of computing power, slowing hosts and increasing power costs.

Id

Description


Cryptocurrency_Coinhive

Coinhive is a service that allows site owners to embed cryptocurrency mining software into their webpages as a replacement to normal advertising. However it is often used in conjunction with normal advertisements without the visitor's consent. The likelihood for these to be used in an attack leads to a default threat level of HIGH (100).

https://krebsonsecurity.com/2018/03/who-and-what-is-coinhive/

Cryptocurrency_Cryptojacking

Cryptojacking is the process of using a computer to mine for cryptocurrency without the owner’s consent. Online services such as Coinhive, CoinIMP, GridCash, and others offer browser-based cryptocurrency mining as a replacement to advertisements. However they are often used in addition to ads without the user’s consent. The likelihood for these to be used in an attack leads to a default threat level of HIGH (100).

https://hackerbits.com/programming/what-is-cryptojacking/

Cryptocurrency_Exchange

Cryptocurrency exchanges, also known as digital currency exchanges, allow users to trade cryptocurrencies for traditional currencies, and/or other cryptocurrencies. Default threat level is MEDIUM (80) since it is possible for threat actors to utilize them for attacks.

https://en.wikipedia.org/wiki/Cryptocurrency_exchange

Cryptocurrency_Generic

Cryptocurrencies are digital currencies that use cryptography to secure transactions. Cryptocurrencies make use of a decentralized control scheme, unlike financial institutions such as banks. From a user perspective, mining for cryptocurrencies can require large amounts of computing power, slowing hosts and increasing power costs. There is some potential for these to be used by threat actors to perpetrate attacks. Default threat level is LOW (50).

https://en.wikipedia.org/wiki/Cryptocurrency

Cryptocurrency_GenericThreat

Cryptocurrencies allow malicious actors to perform illegal and/or fraudulent activities such as human trafficking, black market sales purchases, ransomware payments, etc. Cryptocurrencies are used because transactions that involve them are hard to track and do not involve banks or other financial institutions. From a user perspective, mining for cryptocurrencies can require large amounts of computing power, slowing hosts and increasing power costs. The likelihood for these to be used in an attack leads to a default threat level of HIGH (100).

https://thehackernews.com/2018/02/cryptocurrency-mining-threat.html

Cryptocurrency_MiningPool

A cryptocurrency mining pool is a collection of hosts working together to mine cryptocurrency. When the group successfully mines a coin, workers in the group are paid out a portion of the earnings. Default threat level is MEDIUM (80) since it is possible for threat actors to utilize them for attacks.

https://en.wikipedia.org/wiki/Mining_pool

DDoS

A distributed denial of service attack (DDoS) occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. Attackers compromise these systems using a number of different methods, but with the same end result: overloading some number of web servers.

The major advantages to an attacker of using a distributed denial-of-service attack are that: multiple machines can generate more attack traffic than one machine, multiple attack machines are harder to turn off than one attack machine, and that the behavior of each attack machine can be stealthier, making it harder to track and shut down. These attacker advantages cause challenges for defense mechanisms.

For example, merely purchasing more incoming bandwidth than the current volume of the attack might not help, because the attacker might be able to simply add more attack machines. For more information, see Denial-of-service attack.

Id

Description


DDoS_Destination

The destination of a DDoS is the target receiving the traffic in order to disrupt service. This is typically the IP address of the targeted server.

DDoS_Generic

A distributed denial of service attack (DDoS) occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. The major advantages to an attacker of using a distributed denial-of-service attack are that: multiple machines can generate more attack traffic than one machine, multiple attack machines are harder to turn off than one attack machine, and that the behavior of each attack machine can be stealthier, making it harder to track and shut down. Because the threat landscape is constantly changing, new threat classifications and properties are routinely added to classify indicators that don't fall under any of the following specific properties.

http://en.wikipedia.org/wiki/Denial-of-service_attack

DDoS_SlowDrip

A specific form of DNS-based DDoS, Slow Drip attacks create resource exhaustion on DNS authoritative servers.

https://www.securitynow.com/author.asp?section_id=613&doc_id=735737

DDoS_Source

The source of a distributed denial of service (DDoS) is the location or IP address traffic is coming from. This is typically a compromised system that has been instructed to target a remote system to send large amounts of data to disrupt services.

DNSTunnel

A domain participating in tunneling is obfuscating DNS queries generally for the purpose of hiding communication. The query or response record pattern is usually larger in size than typical DNS queries, often containing encrypted information. There are many publicly available resources for creating a tunnel in a network.

Id

Description


DNSTunnel_DNScat2

DNScat2 (https://github.com/iagox86/dnscat2) is open source software deployed by users on their own network infrastructure. Its authors state that it can be used for 'encrypted command-and-control'.

DNSTunnel_Generic

A domain participating in tunneling is obfuscating DNS queries generally for the purpose of hiding communication. The query or response record pattern is usually larger in size than typical DNS queries, often containing encrypted information. There are many publicly available resources for creating a tunnel in a network.

DNSTunnel_Iodine

Iodine (https://github.com/yarrick/iodine) is open source software deployed by users on their own network infrastructure.

DNSTunnel_Safe

Non-threat indicators that communicate information necessary for their service, including potentially sensitive information about the end user or device that is encrypted or highly obfuscated. The application is using DNS to communicate information or instructions with a remote server in order to deliver service to the end user. These applications are not inherently malicious, but may include services that bypass local restrictions for internet use and the customer may wish to block them. Common services in this set include parental block, anti-virus services, and honeypots. Inclusion in this set implies that the service itself is well-known and established; it does not imply that an actor cannot compromise the service and use it for illicit tunneling. This data set is not intended to be exhaustive.

DNSTunnel_TunnelGuru

Tunnel Guru is a service that provides a common tool and network infrastructure for their customers to tunnel their network traffic.

DNSTunnel_YourFreedom

Your Freedom (https://www.your-freedom.net/index.php?id=dns-tunneling) provides a common tool and network infrastructure for their customers to tunnel their network traffic.

Exploit Kit

An easily distributable pack that contains malicious programs that are used to execute "drive-by download" attacks in order to infect users with malware. These kits are sold on an online black market and can be bought or rented for hundreds or thousands of dollars.

These exploit kits target vulnerabilities in the users' machines (these vulnerabilities usually include unpatched versions of Java, Adobe Reader, Adobe Flash, and Internet Explorer) to load malware onto the user's computer. Exploit kits share many of the same features and exploits across distributions. For more information, see Malware Injected Directly Into Processes in Angler Exploit Kit Attack.

Id

Description


ExploitKit_Angler

The Angler exploit kit injects malware into the web browser process, using a Trojan to disable existing security products, and downloads other threats, such as information stealing malware, onto the infected system. This exploit delivers a payload that never touches the hard drive and remains active in memory until the injected process is terminated or the computer is restarted.

http://www.securityweek.com/malware-injected-directly-processes-angler-exploit-kit-attack

ExploitKit_Archie

A basic Exploit Kit relying on Metasploit Framework for its exploit modules. The Archie landing page uses the PluginDetect Javascript library to detect the version of Flash, Silverlight or Acrobat Reader.

http://www.informationsecuritybuzz.com/news/new-exploit-kit-archie-explained/

ExploitKit_Astrum

Web based malware exploiting vulnerabilities in Flash, Reader, IE and Silverlight.

http://malware.dontneedcoffee.com/2014/09/astrum-ek.html

ExploitKit_Blackhole

The BlackHole Exploit Kit is one of the most popular customizable kits that is available for purchase or rental in the criminal underground. Typically, a user visits a legitimate (but compromised) website by clicking on a link or attachment in a spoofed email. The user would be able to view this hacked site, with no external sign that they are being redirected to the BlackHole Exploit site. The exploit takes advantage of unpatched vulnerabilities in the user's web browser to silently download malware (aka "drive-by download") to the user's computer. Kit operators can specify different payloads or kit behavior based on a variety of factors, such as the operating system in use, or the location of the victim.

ExploitKit_CottonCastle

CottonCastle is not a widely used exploit kit. It was seen in 2014 targeting primarily hosts from Russia and Ukraine and deployed Flash, Java and Internet Explorer exploits. One payload that was observed to be delivered is Corkow, a banking Trojan which has features that suggest the targeting of financial professionals and enterprises.

http://malware.dontneedcoffee.com/2014/06/cottoncastle.html

ExploitKit_DotkaChef

Dotkachef is usually associated with malvertising. A redirect will be inserted into a legitimate advertising network that redirects visitors to an infected website that is hosting the exploit payload, which will usually be a drive-by installation of malware. The malware varies; both Zbot and Zaccess have been used.

ExploitKit_EITestGate

This exploit kit gate is referred to as 'EITest' due to the static use of that name variable. The gate URL generates two HTTP GET requests; one retrieves the Flash file and the other returns a script pointing to the EK landing page. "EITest" campaigns are known for conditionally delivering the redirect, sending non-vulnerable visitors to decoy IPs instead of terminating the redirection chain. These campaigns have been used to drive traffic to various exploit kits over time including Angler, Neutrino, and RIG.

https://blog.malwarebytes.com/threat-analysis/2014/10/exposing-the-flash-eitest-malware-campaign/

ExploitKit_EKgateGeneric

Exploit kits use a sequence of redirects to deliver the payload, and each stage of the redirect has a specific function. The first stage (which may be implemented in JavaScript or Flash) is added to a compromised website or advertising network and sends victims to the second-stage 'gate' URL, where the visitor is evaluated for vulnerabilities. If the visitor is not vulnerable to any of the payloads used by the exploit kit, or if certain security software is detected, the chain ends. If the visitor is vulnerable, the gate redirects the victim to the exploit kit's landing URL, where the attack code is delivered. The payload is specified by the customer of the EK; small payloads may be delivered directly, while larger payloads may use first-stage downloaders that retrieve a second stage. This takes place without user interaction, which is why these are sometimes referred to as 'drive-by downloads'. 'Gate' properties allow us to distinguish between the reconnaissance phase and the exploitation phase of an exploit kit redirection chain. In some cases, it is possible to attribute a gate to a specific actor. The intermediate stage is called a 'gate' because it filters out visitors who are not vulnerable to an exploit payload and will not be infected. Some gates fingerprint visitors and may redirect visitors to decoy IPs. It is common for gates to send a referrer to the EK landing page; the exploit may not fire without the correct referrer. These measures are intended to prevent security researchers (and other EK operators) from capturing and analyzing the exploit code.

http://www.thesecurityblogger.com/exploit-kits-101-how-a-typical-exploit-kit-functions/
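The site -> gate -> landing -> payload chain described above can be recovered from web proxy logs by following Referer headers per client, which also tells you whether a given client was filtered out at the gate or actually received a payload. The script below is an added example for this guide, not Infoblox code; its log format is a simplified constructed one (timestamp, client, method, URL, status, Referer, content type), the hostnames under .test are placeholders, and the content types used to recognise exploit and payload fetches are assumptions.

```python
"""Reconstruct exploit-kit redirection chains from proxy log lines.

Added example for this guide, not code from Infoblox. The log format is a
simplified, constructed one (timestamp, client, method, URL, status,
Referer, content type); hostnames under .test are placeholders.
"""
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: client 10.0.0.5 is passed through the gate to the landing
# page and fetches an exploit plus payload; client 10.0.0.9 is stopped at the gate.
SAMPLE_LOG = """\
2017-03-01T10:00:01Z 10.0.0.5 GET http://compromised-site.test/index.html 200 - text/html
2017-03-01T10:00:02Z 10.0.0.5 GET http://gate.test/go.php?id=7 302 http://compromised-site.test/index.html text/html
2017-03-01T10:00:03Z 10.0.0.5 GET http://ek-landing.test/?q=abcd 200 http://gate.test/go.php?id=7 text/html
2017-03-01T10:00:04Z 10.0.0.5 GET http://ek-landing.test/exploit.swf 200 http://ek-landing.test/?q=abcd application/x-shockwave-flash
2017-03-01T10:00:06Z 10.0.0.5 GET http://ek-landing.test/payload.bin 200 http://ek-landing.test/?q=abcd application/octet-stream
2017-03-01T10:00:07Z 10.0.0.9 GET http://compromised-site.test/index.html 200 - text/html
2017-03-01T10:00:08Z 10.0.0.9 GET http://gate.test/go.php?id=7 200 http://compromised-site.test/index.html text/html
"""

# Content types that usually mark the exploit file and the dropped payload (assumption).
EXPLOIT_TYPES = {"application/x-shockwave-flash", "application/java-archive",
                 "application/x-silverlight-app"}
PAYLOAD_TYPES = {"application/octet-stream", "application/x-msdownload"}


def parse_log(text):
    """Split each constructed log line into a dict; '-' means no Referer."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, referer, ctype = line.split(" ", 6)
        records.append({"ts": ts, "client": client, "url": url, "status": int(status),
                        "referer": None if referer == "-" else referer, "ctype": ctype})
    return records


def reconstruct_chains(records):
    """Follow Referer headers per client to recover site -> gate -> landing hops.

    A request whose Referer is an earlier request on a different host is one
    redirect hop. Exploit and payload fetches are recognised by content type.
    """
    by_client = defaultdict(list)
    for rec in records:
        by_client[rec["client"]].append(rec)

    chains = {}
    for client, reqs in by_client.items():
        seen_urls = set()
        hops, exploits, payloads = [], [], []
        for rec in reqs:
            host = urlparse(rec["url"]).netloc
            if rec["referer"] is None:
                if not hops:
                    hops.append(host)          # entry point: the compromised site
            elif rec["referer"] in seen_urls:
                ref_host = urlparse(rec["referer"]).netloc
                if ref_host != host and host not in hops:
                    hops.append(host)          # cross-host redirect: gate or landing page
            if rec["ctype"] in EXPLOIT_TYPES:
                exploits.append(rec["url"])
            if rec["ctype"] in PAYLOAD_TYPES:
                payloads.append(rec["url"])
            seen_urls.add(rec["url"])
        chains[client] = {"hops": hops, "exploits": exploits, "payloads": payloads}
    return chains


def classify(chain):
    """Name the stage the client reached, for triage of gate hits vs. real infections."""
    if chain["payloads"]:
        return "payload delivered"
    if len(chain["hops"]) >= 3:
        return "reached landing page"
    if len(chain["hops"]) == 2:
        return "stopped at gate"
    return "no redirect chain"


if __name__ == "__main__":
    for client, chain in reconstruct_chains(parse_log(SAMPLE_LOG)).items():
        print(client, " -> ".join(chain["hops"]), "|", classify(chain))
```

A client that only reaches the gate is the normal case (the gate judged it not vulnerable or saw security software), so a gate hit alone warrants a lower-priority alert than a landing page hit followed by an octet-stream download from the same host.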

ExploitKit_Fiesta

Fiesta EK generally targets vulnerabilities in the Java, Flash, and Silverlight plugins for Internet Explorer to deploy malware as drive-by downloads, and is often associated with redirects pointing to malware downloads from Dynamic DNS hostnames.

ExploitKit_Flashpack

Flashpack EK usually abuses advertising networks to deploy malware such as the Dofoil Trojan, Zeus/Zbot and Cryptowall.

ExploitKit_G01Pack

G01pack differentiates itself from other exploit kits through the use of a multi-stage delivery system. The first stage occurs at the browser level using HTML to launch Java with a malicious JAR file hosted on a compromised website. At this point, a vulnerability in older versions of Java is exploited allowing a second Java process to be launched. This second process is responsible for running the final payload which can be a number of different types of malware. As with most kits, the code is heavily obfuscated in an effort to evade detection.

http://securityintelligence.com/multistage-exploit-kits-boost-effective-malware-delivery/#.VPiSq2ZwOQs

ExploitKit_Generic

A pack of malicious programs used to infect users with malware. These exploit kits target vulnerabilities in the victim’s machines (these vulnerabilities usually include unpatched versions of Java, Adobe Reader, Adobe Flash, and Internet Explorer) to load malware onto the user’s computer. Exploit kits share many of the same features and exploits across distributions. Because the threat landscape is constantly changing, new threat classifications and properties are routinely added to classify indicators that don't fall under any of the following specific properties.

http://www.securityweek.com/malware-injected-directly-processes-angler-exploit-kit-attack

ExploitKit_GoonInfinity

The Goon/Infinity/Rig Exploit Kit is a malware distribution framework that allows attackers to generate exploits for vulnerabilities in an effort to install malicious software on users' systems when the users visit compromised websites. The kit generates exploits for browser vulnerabilities pertaining to Flash, Java, or Silverlight components on Windows and Mac platforms. The toolkit is being used to remotely execute arbitrary code on the targeted systems, and this may allow an attacker to modify and/or alter sensitive information resulting in loss of integrity.

http://tools.cisco.com/security/center/viewAlert.x?alertId=34999

ExploitKit_Incognito

Incognito is similar to other exploit kits, in that it targets vulnerabilities in plugins such as Java and Adobe products to deliver a payload via a drive-by download to a user's machine. Incognito differs from other exploit kits in that the obfuscation process is multilayered and regularly updated.

ExploitKit_Magnigate

'Magnigate' is a nickname introduced by Proofpoint in March 2017, and refers to the gates in Magnitude exploit kit campaigns that act as filtering redirectors to the exploit kit. It uses fingerprinting techniques to profile users and identify their IP address, browser user-agent, ISP, operating system and browser information. The gate even comes with stealth capability as it can check for antivirus solutions such as Kaspersky software. If the user is a target of interest, the user is redirected to the Magnitude exploit kit landing page.

https://www.proofpoint.com/us/threat-insight/post/magnitude-actor-social-engineering-scheme-windows-10

ExploitKit_Magnitude

The Magnitude exploit kit targets Java vulnerabilities and installs a number of dangerous Trojans, including Zeus, Dorkbot, Necurs as well as click-fraud malware.

http://threatpost.com/yahoo-removes-malicious-ads-redirecting-to-magnitude-exploit-kit/103438

ExploitKit_Malvertising

An advertisement on a website or ad network set up to infect viewers with malware, either every time it is seen or at various intervals based on the time or number of hits. Malvertising is a commonly used vector for driving unique traffic to exploit kit landing pages.

http://threatpost.com/yahoo-removes-malicious-ads-redirecting-to-magnitude-exploit-kit/103438

ExploitKit_Neutrino

The Neutrino exploit kit is a good example of how exploit kits evolve over time. It was originally seen in 2013. In 2014 it disappeared for 6 months and re-emerged with revamped traffic patterns. This kit, like many others uses various types of obfuscation and encryption to evade detection.

http://blog.trendmicro.com/trendlabs-security-intelligence/a-new-exploit-kit-in-neutrino/

ExploitKit_Nuclear

Nuclear EK usually targets vulnerabilities in Acrobat, Flash, and Java. It can dynamically generate unique Flash payloads, which reduces the effectiveness of signature-based antivirus protection.

ExploitKit_Redkit

Similar to other exploit kits, Redkit exploits vulnerabilities in Java and Adobe products. Redkit's creators do not advertise their product, which was named by security researchers based on the red color scheme in the admin panel. By not advertising, Redkit's creators are able to pick and choose which individuals they allow to use their kit. The Redkit API produces a new URL every hour to avoid detection and blocking.

http://blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html

ExploitKit_RIG

The Rig Exploit Kit mainly exploits vulnerabilities in Internet Explorer, Java, Adobe Flash, and Silverlight. In the website compromise described by Symantec, the attackers injected malicious JavaScript into the site; this JavaScript generated domain names based on the current date, which were used to contact websites under the attackers' control.

http://www.symantec.com/connect/blogs/rig-exploit-kit-used-recent-website-compromise

ExploitKit_Sakura

The Sakura Exploit kit is relatively new and, like other exploit kits, targets vulnerabilities in the user's plugins which prompt the download of a malicious program onto the user's machine. The malicious program can be anything the user of Sakura chooses.

ExploitKit_Styx

Styx covertly redirects users as they visit a legitimate website to a malicious landing page that hosts the exploit files targeting various vulnerabilities. The redirector link may arrive via email as part of a spam campaign. The final payload of this exploit kit is a downloader that delivers additional malware from the remote server. Depending upon the attacker, the payloads are custom made and delivered to the compromised machine.

https://blogs.mcafee.com/mcafee-labs/styx-exploit-kit-takes-advantage-of-vulnerabilities

ExploitKit_Sundown

The Sundown EK, sometimes also known as Beta Browser Exploit Pack, emerged sometime in Q3 2015. As a newer and less mature kit, it relies on blanket exploitation of visitors rather than the fingerprinting that more established kits use to detect exploitable vulnerabilities. Sundown has often focused on Adobe Flash and Windows Internet Explorer vulnerabilities. The exploits are delivered in PHP and SWF files that include the code to exploit the targeted vulnerabilities.

http://malware.dontneedcoffee.com/2015/06/fast-look-at-sundown-ek.html

ExploitKit_SweetOrange

The Sweet Orange exploit kit is a malware distribution framework that exploits vulnerabilities in Java, Adobe Reader, Internet Explorer and Firefox to deliver malicious payloads to unsuspecting victims. The authors of this kit tried to keep a low profile by limiting their advertising to invite-only cybercrime web communities and keeping specifics about the kits offerings to a minimum.

http://www.webroot.com/blog/2012/05/10/cybercriminals-release-sweet-orange-new-web-malware-exploitation-kit/

ExploitKit_Terror

Terror is an exploit kit that started as a derivative of the Sundown exploit kit. It uses infected ads to reach targets. The current version places a cookie on the target machine; without this cookie, the rest of the attack chain will not trigger. Terror typically installs cryptocurrency miners on target machines. Terror is also known as Neptune, Blaze, or Eris.

https://blog.malwarebytes.com/threat-analysis/2017/04/sundown-ek-gone-missing-terror-ek-flavours-seen-in-active-drive-by-campaigns/

ExploitKit_Whitehole

Whitehole is another exploit kit that popped up in 2013 in the wake of the popular Blackhole exploit kit. It is typically used to distribute Trojans and ransomware but is capable of distributing any type of malware as with most distribution platforms. This kit uses Java exploits to deliver malicious payloads.

http://blog.trendmicro.com/trendlabs-security-intelligence/whitehole-exploit-kit-emerges/

Industrial Control System

Id

Description

ICS_DOS

Indicators associated with denial of service attacks against Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) systems.

http://www.csoonline.com/article/2911160/cyber-attacks-espionage/attacks-against-industrial-control-systems-double.html

ICS_Generic

Manufacturing, electricity, oil, gas, water, waste, and other industries rely upon automated equipment controlled and monitored by dedicated systems known as Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA). Because the threat landscape is constantly changing, each Infoblox classification contains a generic property to classify indicators that don't fall under a specific property.

https://www.checkpoint.com/downloads/product-related/whitepapers/whitepaper-protect-industrial-control-system.pdf

Illegal Content

Content that is generally considered to be illegal, or suspicious online activity, within the United States.

Id

Description

IllegalContent_ChildPorn

Content related to the possession, manufacturing, or distribution of child pornography.

IllegalContent_CredentialDistribution

Any infrastructure that promotes the sale of user credentials including databases, ftp servers, HTML forms, pastebin, etc.

IllegalContent_Generic

Because the threat landscape is constantly changing, each Infoblox classification contains a generic property to classify indicators that don't fall under a specific property.

IllegalContent_HackerDialog

Infrastructure that supports criminal communication to or from hackers.

IllegalContent_StolenCredentials

A listing of compromised or stolen client log-in information that is deemed sensitive and is often distributed through a text file or forum. This information may include username/passwords, credit card numbers, pins, security passwords and addresses.

Internet Infrastructure

Internet infrastructure makes up the backbone that powers today’s internet. For more information, see Internet.

Id

Description

InternetInfrastructure_CloudHostingCDNDomain

A Content Delivery Network (CDN) is a network of servers and data centers distributed across the globe. By placing these Points of Presence (PoPs) strategically, a CDN can significantly boost performance and lower load times for end users that reach services hosted on it. A cloud-hosted CDN is one provided as part of a cloud hosting provider's offering, such as AWS CloudFront or Azure CDN. There is some potential for these CDNs to be used by threat actors to perpetrate attacks. Default threat level is LOW (50).

https://en.wikipedia.org/wiki/Content_delivery_network

InternetInfrastructure_CloudHostingCDNHostname

A Content Delivery Network (CDN) is a network of servers and data centers distributed across the globe. By placing these Points of Presence (PoPs) strategically, a CDN can significantly boost performance and lower load times for end users that reach services hosted on it. A cloud-hosted CDN is one provided as part of a cloud hosting provider's offering, such as AWS CloudFront or Azure CDN. There is some potential for these CDNs to be used by threat actors to perpetrate attacks. Default threat level is LOW (50).

https://en.wikipedia.org/wiki/Content_delivery_network

InternetInfrastructure_CloudHostingCDNIP

A Content Delivery Network (CDN) is a network of servers and data centers distributed across the globe. By placing these Points of Presence (PoPs) strategically, a CDN can significantly boost performance and lower load times for end users that reach services hosted on it. A cloud-hosted CDN is one provided as part of a cloud hosting provider's offering, such as AWS CloudFront or Azure CDN. There is some potential for these CDNs to be used by threat actors to perpetrate attacks. Default threat level is LOW (50).

https://en.wikipedia.org/wiki/Content_delivery_network

InternetInfrastructure_CommercialCDNDomain

A Content Delivery Network (CDN) is a network of servers and data centers distributed across the globe. By placing these Points of Presence (PoPs) strategically, a CDN can significantly boost performance and lower load times for end users that reach services hosted on it. A commercial CDN is one provided by a company whose sole purpose is providing a CDN or CDN-related services; examples include Akamai Technologies and Limelight Networks. It is unlikely that threat actors directly use these CDNs in attacks. They are assigned a threat level of 'non-threat' (0) by default; however, specific attacks will be assigned a greater threat level when detected.

https://en.wikipedia.org/wiki/Content_delivery_network

InternetInfrastructure_CommercialCDNHostname

A Content Delivery Network (CDN) is a network of servers and data centers distributed across the globe. By placing these Points of Presence (PoPs) strategically, a CDN can significantly boost performance and lower load times for end users that reach services hosted on it. A commercial CDN is one provided by a company whose sole purpose is providing a CDN or CDN-related services; examples include Akamai Technologies and Limelight Networks. It is unlikely that threat actors directly use these CDNs in attacks. They are assigned a threat level of 'non-threat' (0) by default; however, specific attacks will be assigned a greater threat level when detected.

https://en.wikipedia.org/wiki/Content_delivery_network

InternetInfrastructure_CommercialCDNIP

A Content Delivery Network (CDN) is a network of servers and data centers distributed across the globe. By placing these Points of Presence (PoPs) strategically, a CDN can significantly boost performance and lower load times for end users that reach services hosted on it. A commercial CDN is one provided by a company whose sole purpose is providing a CDN or CDN-related services; examples include Akamai Technologies and Limelight Networks. It is unlikely that threat actors directly use these CDNs in attacks. They are assigned a threat level of 'non-threat' (0) by default; however, specific attacks will be assigned a greater threat level when detected.

https://en.wikipedia.org/wiki/Content_delivery_network

InternetInfrastructure_CompromisedIOT

Internet-connected IoT devices exhibiting signs of malware infection or other compromise, which may be used for attacks such as botnets or DDoS.

https://krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack/

InternetInfrastructure_DoHService

 

InternetInfrastructure_PrivateCDN

A content delivery network (CDN) is a distributed network of servers and data centers designed to cache static content. By placing points of presence (PoPs) strategically, a CDN can lower load times for services. Private CDNs are owned and operated by a company for internal use. Examples include Facebook’s internal CDN, qq[.]com’s internal CDN, and others. Default threat level is MEDIUM (80) for PrivateCDNs since it is possible for threat actors to utilize them for attacks.

https://en.wikipedia.org/wiki/Content_delivery_network

InternetInfrastructure_TelcoCDNDomain

A Content Delivery Network (CDN) is a network of servers and data centers distributed across the globe. By placing these Points of Presence (PoPs) strategically, a CDN can significantly boost performance and lower load times for end users that reach services hosted on it. A Telco CDN is one owned by a telecommunications company, such as AT&T, Verizon, or China Telecom. It is unlikely that threat actors directly use these CDNs in attacks. They are assigned a threat level of 'non-threat' (0) by default; however, specific attacks will be assigned a greater threat level when detected.

https://en.wikipedia.org/wiki/Content_delivery_network

InternetInfrastructure_TelcoCDNHostname

A Content Delivery Network (CDN) is a network of servers and data centers distributed across the globe. By placing these Points of Presence (PoPs) strategically, a CDN can significantly boost performance and lower load times for end users that reach services hosted on it. A Telco CDN is one owned by a telecommunications company, such as AT&T, Verizon, or China Telecom. It is unlikely that threat actors directly use these CDNs in attacks. They are assigned a threat level of 'non-threat' (0) by default; however, specific attacks will be assigned a greater threat level when detected.

https://en.wikipedia.org/wiki/Content_delivery_network

InternetInfrastructure_TelcoCDNIP

A Content Delivery Network (CDN) is a network of servers and data centers distributed across the globe. By placing these Points of Presence (PoPs) strategically, a CDN can significantly boost performance and lower load times for end users that reach services hosted on it. A Telco CDN is one owned by a telecommunications company, such as AT&T, Verizon, or China Telecom. It is unlikely that threat actors directly use these CDNs in attacks. They are assigned a threat level of 'non-threat' (0) by default; however, specific attacks will be assigned a greater threat level when detected.

https://en.wikipedia.org/wiki/Content_delivery_network

InternetInfrastructure_UnsecuredIOT

Unsecured IoT devices include those with poor password security, such as easy-to-guess passwords or known defaults. The property can also include devices running outdated, unpatched software or with other vulnerabilities that give an attacker an easy opportunity to compromise the device and use it for unintended purposes. Default threat level is MEDIUM (80) based on the exposure and potential to be compromised.

https://www.owasp.org/index.php/Top_IoT_Vulnerabilities

Intrusion Attempt

Id

Description

IntrusionAttempt_Bruteforcing

A systematic attack using sequences of usernames and passwords to determine valid login credentials which permit access to the system or network.

https://help.rapid7.com/metasploit/Content/bruteforce-credentials/bruteforce.html
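The systematic username/password cycling described above leaves a recognisable trace in authentication logs: a burst of failures from one source against several accounts, sometimes followed by a success. The script below is an added example for this guide (not Infoblox code) that applies a sliding-window count to sshd-style log lines; the log lines, the ISO timestamp format and the threshold of 5 failures within 60 seconds are constructed assumptions to be tuned per environment.

```python
"""Flag brute-force login attempts in sshd-style auth log lines.

Added example for this guide, not Infoblox code. The log lines are
constructed (ISO timestamps rather than syslog's 'May  1 12:00:01');
the threshold of 5 failures from one source within 60 s is an assumption.
"""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_AUTH_LOG = """\
2024-05-01T12:00:01 host sshd[101]: Failed password for invalid user admin from 198.51.100.7 port 51011 ssh2
2024-05-01T12:00:03 host sshd[102]: Failed password for root from 198.51.100.7 port 51012 ssh2
2024-05-01T12:00:05 host sshd[103]: Failed password for invalid user test from 198.51.100.7 port 51013 ssh2
2024-05-01T12:00:07 host sshd[104]: Failed password for invalid user oracle from 198.51.100.7 port 51014 ssh2
2024-05-01T12:00:09 host sshd[105]: Failed password for root from 198.51.100.7 port 51015 ssh2
2024-05-01T12:00:11 host sshd[106]: Accepted password for root from 198.51.100.7 port 51016 ssh2
2024-05-01T12:00:20 host sshd[107]: Failed password for alice from 203.0.113.4 port 40000 ssh2
2024-05-01T12:00:40 host sshd[108]: Accepted publickey for alice from 203.0.113.4 port 40001 ssh2
"""

# Matches both failed and accepted logins; 'invalid user' is present when the account does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_auth_log(text):
    """Return one event dict per recognised line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                           "user": m["user"], "src": m["src"]})
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Return {src: stats} for sources with `threshold` failures inside any
    `window_seconds` window. `success_after` marks a login that succeeded
    after the burst, which is the case to escalate first."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "Failed"]
        burst_end = None
        for i in range(len(fails) - threshold + 1):
            j = i + threshold - 1
            if (fails[j]["ts"] - fails[i]["ts"]).total_seconds() <= window_seconds:
                burst_end = fails[j]["ts"]
                break
        if burst_end is None:
            continue
        alerts[src] = {
            "failures": len(fails),
            "users": sorted({e["user"] for e in fails}),
            "success_after": any(e["result"] == "Accepted" and e["ts"] >= burst_end for e in evs),
        }
    return alerts


if __name__ == "__main__":
    for src, stats in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(src, stats)
```

Counting distinct usernames per source is what separates credential guessing from a single user mistyping a password; a low-and-slow attacker will stay under the window threshold, so a second, longer window (for example 50 failures per day) is worth running alongside this one.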

IntrusionAttempt_Generic

The process of attempting to gain unauthorized access to a system or network. Because the threat landscape is constantly changing, each Infoblox classification contains a generic property to classify indicators that don't fall under a specific property.

http://searchsecurity.techtarget.com/answer/What-is-the-cause-of-an-intrusion-attempt-message

IntrusionAttempt_UnauthAccess

Gaining access to a computer, network, storage medium, system, program, file, user area, or other private repository without the express permission of the owner.

http://securityresearch.in/index.php/tutorials/how-to/unauthorized-access/

LimitedDistro

LimitedDistro is uncurated data for limited distribution. Use at your own risk.

Id

Description

LimitedDistro_CompromisedDomain

A compromised domain is one that exhibits behavior indicating it has been taken over and that threat actors are using hosts or services belonging to that domain for activities other than those intended by the owner or administrator. This may include techniques such as domain hijacking or domain shadowing.

LimitedDistro_MalwareGeneric

Software intentionally designed to cause damage to a computer, server, client, or computer network.

LimitedDistro_Phishing

An attempt to trick users into giving out personal or financial information. Phishers may use phony websites or email messages that look like they come from a trusted business. Their goal is to get the user to reveal personal information such as user names, passwords, or credit card numbers.

LimitedDistro_UncatThreat

Threats outside a standard malware category, although they could carry or deliver true malware. This category could include, but is not limited to: adware, fake programs or applications, parked domains, cryptojacking, illegal content, spam, proxies, or lookalikes.

Malicious

A class of indicators involved in malicious or illicit activity. These indicators may be part of the cybercrime supply chain and play an indirect role in delivering malware, or they may be part of a broad base of activity that crosses multiple existing classes.

Id

Description

Malicious_Generic

An indicator that we or a trusted entity has determined to be involved in malicious or illicit network activity. This indicator may be associated with multiple different types of threats or provide services to threat actors.

Malicious_RDGA

An indicator that is part of a group of registered domains created by a domain generation algorithm (DGA), and that we or a trusted entity has determined to be involved in malicious or illicit network activity.

Malicious_TDS

A domain that is part of a traffic distribution system (TDS). Malicious TDS servers play a crucial role in threat actor networks; for example, they can analyze a victim’s profile, including browser settings and cached data, and if the profile matches the threat actor’s target criteria, the TDS can redirect that web visitor to illegitimate content. DNS-based TDS systems can be used to prevent access to websites based on geographic region or redirect users to benign content. In some cases, multiple TDSs may be used in succession to control user traffic. Blocking the TDS domains at the DNS level is an effective strategy for keeping users away from malicious content.
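The DNS-level blocking the entry above recommends is typically done with a response policy zone (RPZ), which rewrites the answer for a listed name before it reaches the client. The zone fragment below is an added example for this guide, not Infoblox configuration; the TDS domain, zone name, serial and sinkhole address are placeholders.

```zone
$TTL 300
@                      IN SOA  rpz.example.net. hostmaster.example.net. (
                               2024050101 ; serial (placeholder)
                               3600       ; refresh
                               600        ; retry
                               86400      ; expire
                               300 )      ; minimum
                       IN NS   localhost.

; Placeholder TDS domain: return NXDOMAIN for the apex and every subdomain,
; so the redirector never resolves and the chain ends at the first hop.
tds-gate.example       IN CNAME .
*.tds-gate.example     IN CNAME .

; Alternative to NXDOMAIN: point the names at a sinkhole you control
; (placeholder address) so each blocked client shows up in the sinkhole's logs.
; tds-gate.example     IN A     192.0.2.1
; *.tds-gate.example   IN A     192.0.2.1

; A TDS used for legitimate geo-routing can be exempted explicitly.
legit-tds.example      IN CNAME rpz-passthru.
*.legit-tds.example    IN CNAME rpz-passthru.
```

The wildcard record matters: TDS operators rotate subdomains freely, so a rule on the apex alone misses most of the traffic. Where multiple TDSs are chained, blocking any one of them breaks the chain, so the earliest (most stable) hop is the best place to apply policy.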

Malicious Nameserver

A server that provides Domain Name Services solely for domains used for criminal activity.

Id

Description

MaliciousNameserver_EvilDNS

A server that provides Domain Name Services solely for domains used for criminal activity.

https://www.alertra.com/blog/2012/evil-domain-name-system-dns-monitoring-solution-defective

MaliciousNameserver_Generic

Name servers or their related domains that we or a trusted source have assessed to be participating in malicious activity. The name servers are inherently malicious and typically shared by multiple domains used in cybercrime, such as phishing and the spread of harmful software.

https://securitytrails.com/blog/how-to-use-ns-records-to-locate-malicious-domains

MaliciousNameserver_Kol

Kol is a reverse-proxy service, which is used for "bullet-proof" hosting of criminal sites and malware C&C servers. A reverse-proxy seeks to hide hosted content's true location from observers by funneling requests for the content through an intermediary machine. In the past, infected machines acted as proxy servers between victims and the content, although recently there are indications that alternative proxy servers are being used. The primary concern regarding this threat is network traffic visiting sites hosted via Kol, as it might indicate, for instance, that the machine may be infected with another malware family.

MaliciousNameserver_Multigrain

These name servers are associated with the MULTIGRAIN variant of NewPosThings which exfiltrates payment card data over DNS. While card processing networks are often restricted and closely monitored, DNS is rarely blocked since the processing hosts require it to resolve hostnames within the network.

https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html
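Because DNS is usually allowed out of card-processing segments, exfiltration of the kind described above is best caught in resolver query logs rather than at the firewall: encoded data riding in subdomains shows up as one client sending many distinct, long, high-entropy leftmost labels under a single parent domain. The script below is an added example for this guide, not Infoblox or FireEye code; the query-log lines and domains under .test are constructed, the "last two labels" notion of a parent domain and the length, entropy and count thresholds are assumptions, and the byte estimate assumes base32 encoding.

```python
"""Spot DNS-based data exfiltration of the kind MULTIGRAIN used.

Added example for this guide, not Infoblox or FireEye code. The query log
lines (client, query name, type) and the domains under .test are constructed;
thresholds are assumptions to tune per environment. Heuristic: one client
sending many distinct, long, high-entropy leftmost labels under one parent
domain, which is what encoded data riding in subdomains looks like.
"""
import math
from collections import defaultdict

SAMPLE_DNS_LOG = """\
10.1.1.20 kjq4wezdnzsxm3dpmfqw2zlp.updates.evil-example.test A
10.1.1.20 mfrggzdfmztwq2lknnwg23tpoq.updates.evil-example.test A
10.1.1.20 nbwxazlsnfxgiidbnzsca3dpojsw4zlnebuxa43vnu.updates.evil-example.test A
10.1.1.20 onswy3dmebqw4zbanfxgc3tdnvzwk3tumfwca2dp.updates.evil-example.test A
10.1.1.20 ovsxezlsobxgkzlnebsxe3dfnvqwm3dbebsgc3tbebxgsidwn5yhkzja.updates.evil-example.test A
10.1.1.20 www.example-bank.test A
10.1.1.21 www.example-bank.test A
10.1.1.21 mail.example-corp.test MX
10.1.1.21 cdn.example-corp.test A
"""


def shannon_entropy(label):
    """Bits per character; encoded data scores high, words like 'www' score low."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text):
    """Constructed format: client, query name, query type, whitespace separated."""
    records = []
    for line in text.splitlines():
        if line.strip():
            client, qname, qtype = line.split()
            records.append((client, qname.rstrip(".").lower(), qtype))
    return records


def parent_domain(qname):
    """Assumption: the registrable domain is the last two labels. Production code
    should use a public suffix list, where e.g. co.uk breaks this rule."""
    return ".".join(qname.split(".")[-2:])


def detect_dns_exfil(records, min_unique=4, min_label_len=20, min_entropy=3.5):
    """Return {(client, parent_domain): stats} for suspicious client/domain pairs."""
    buckets = defaultdict(set)
    for client, qname, _qtype in records:
        labels = qname.split(".")
        if len(labels) < 3:
            continue                       # no subdomain to carry data
        leftmost = labels[0]
        if len(leftmost) >= min_label_len and shannon_entropy(leftmost) >= min_entropy:
            buckets[(client, parent_domain(qname))].add(leftmost)

    alerts = {}
    for key, labels in buckets.items():
        if len(labels) >= min_unique:
            chars = sum(len(lbl) for lbl in labels)
            alerts[key] = {
                "unique_labels": len(labels),
                # rough payload size if labels are base32 (5 bits per character); assumption
                "approx_bytes": chars * 5 // 8,
            }
    return alerts


if __name__ == "__main__":
    for (client, domain), stats in detect_dns_exfil(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(f"{client} -> {domain}: {stats}")
```

The heuristic also fires on legitimate services that encode data in hostnames (anti-spam lookups, some CDNs and telemetry), so the parent domains it reports should be allow-listed by hand before the rule is promoted to a blocking control. On a card-processing host the stricter fix is to allow DNS only to the internal resolvers and to alert on any query for a name outside the known payment-processing domains.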

Malware C2

The server from which the operator exercises command and control of compromised devices

Id

Description

MalwareC2_AgentTesla

Agent Tesla is an information stealer, primarily a keylogger, that has grown in functionality since its first known appearance in 2014. Marketed as an easy-to-use remote access tool for allegedly personal use, Agent Tesla monitors victims and collects keystrokes, clipboard data, credentials from various applications, and other information. It then exfiltrates the stolen data to its command and control, often via SMTP to an email address or via an FTP server.

https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

MalwareC2_Asprox

Originally used for phishing scams, the Asprox botnet has more recently been known for its use of other bots to discover vulnerable Active Server Pages (ASP) on poorly configured websites. Once the vulnerable ASP is discovered, the bots attempt SQL injection attacks in order to infect the website. The website compromised by Asprox then silently serves exploit code to deliver malware to website visitors. The visitors' now-infected PCs then seek out new vulnerable websites to compromise and the Asprox infection continues to proliferate.

http://antivirus.about.com/od/virusdescriptions/p/asprox.htm

MalwareC2_Azorult

Azorult is an infostealer trojan, commonly delivered as a secondary payload by other malware or campaigns such as Seamless. After infecting a system, Azorult collects system information, user data such as chat histories and passwords, and cryptocurrency wallets, and sends them back to its C2.

https://www.cyber.nj.gov/threat-profiles/trojan-variants/azorult

MalwareC2_BackdoorRAT

A Remote Access Tool (RAT) is used to remotely access infected machines in order to control them and perform actions without the user's knowledge. RATs can be used to view, modify, and steal files, and to command the machine to download additional files from remote servers.

MalwareC2_BadRabbit

BadRabbit has been identified as a new ransomware variant. The attack distributed a malware dropper through drive-by attacks; no exploits were used. Victims downloaded a fake Adobe Flash installer from infected websites and manually launched the .exe file, thus infecting themselves. Most of the victims were located in Russia, and the attack was also seen in Ukraine, Turkey, and Germany. The ransomware was distributed through a number of hacked Russian media websites. Investigation indicates this was a targeted attack against corporate networks, using methods similar to those used in the ExPetr attack.

https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/

MalwareC2_Bamital

Bamital is most often installed via drive-by downloads, which use exploit kits stitched into hacked and malicious Web sites. Bamital alters the organic search results on the host machine, redirecting victims away from sites as indexed by the major search providers toward pages that provide advertising and referral commissions to affiliate marketers.

http://krebsonsecurity.com/2013/02/microsoft-symantec-hijack-bamital-botnet/

MalwareC2_Banjori

Banjori is identified by Johannes Bader as MultiBanker 2 or BankPatch/BackPatcher. MultiBanker is a Trojan that was primarily used in European countries, targeting specific banks to steal account information; as such, the C&C servers would only respond to IP addresses within Europe. The Trojan on the infected machine uses a Domain Generation Algorithm (DGA) to reach out to hosts for further instructions.

https://www.johannesbader.ch/2015/02/the-dga-of-banjori

MalwareC2_Bedep

Bedep is an ad-fraud / click-fraud Trojan which uses pay-per-click exchanges to mask the origins of its network traffic and load advertisements from multiple publishers.

https://sentrant.com/2015/05/20/bedep-ad-fraud-botnet-analysis-exposing-the-mechanics-behind-153-6m-defrauded-ad-impressions-a-day/

MalwareC2_Beebone

Beebone is a botnet with polymorphic, worm-like abilities to spread to new machines, and an update process that replaces itself with newer versions to evade antivirus. The Beebone botnet was taken down by law enforcement in April 2015 and its traffic redirected to sinkholes.

https://blogs.mcafee.com/mcafee-labs/beebone-update/

MalwareC2_Betabot

Betabot has been publicly known since March 2013 as a Trojan that disables antivirus software on infected systems by terminating the AV processes.

https://www.gdatasoftware.com/blog/2013/05/23997-a-new-bot-on-the-market-beta-bot

MalwareC2_Brushaloader

Brushaloader is a downloader that was first discovered in June 2018 and drops banking trojans, such as Ursnif, Danabot, and Dreambot. Brushaloader campaigns have mostly targeted European countries including Poland, Ukraine, Italy, Germany and Austria. The campaigns mainly distribute the malware using email lures that are embedded with malicious attachments or hyperlinked texts. Brushaloader uses a PowerShell script called PowerEnum to extensively profile the victim machine, and uses that information to determine the final stage payload.

https://www.infoblox.com/wp-content/uploads/threat-intelligence-report-brushaloader-malware.pdf

MalwareC2_Bugat

The Bugat Trojan harvests information during online banking sessions to commit fraudulent ACH and wire transfer transactions. These transactions target mostly small to mid-sized businesses, yielding high-value losses.

http://www.bankinfosecurity.com/articles.php?art_id=3011

MalwareC2_Cerber

Cerber is a sophisticated 'Ransomware-as-a-Service' platform commonly sold to malware distributors on Russian forums. It is typically delivered through malicious email attachments or by Exploit Kits such as RIG and Magnitude. Once executed it encrypts and renames files with a 10-character prefix and, typically, a '.cerber' extension. When encryption is complete, the encryption key is sent to the C2 server and an extortion notice is displayed to the victim. Cerber's notice also offers to decrypt a single file for free in order to show the victim that it works.

https://www.checkpoint.com/resources/cerberring/

MalwareC2_ChinAd

ChinAd is trojan adware that targets Windows-based operating systems. It is commonly distributed when victims download fake Windows updates or other third-party bundled programs. Trojan.ChinAd copies its files to the victim's hard disk and runs itself via a new registry startup key named Trojan.ChinAd with a typical value of [randomname].exe. Common after-effects of a ChinAd infection include warning messages about corrupted Windows system files, disabled antivirus software, and changes to browser configuration.

http://www.spywaretechs.com/remove-trojan-chinad/

MalwareC2_Citadel

The Citadel Trojan is a variant of the bank credential-stealing Zeus Trojan. As with the Police Trojan, the user is lured to a drive-by download site. Once the ransomware is installed, pop-up messages accusing the user of visiting child pornography and other illegal sites extort the user into paying a fine with prepaid cards such as Ukash or paysafecard. The message, supposedly from the Department of Justice (or other law enforcement agencies around the world), claims that paying this fine will unfreeze the user's computer.

http://www.scmagazine.com/citadel-trojan-uses-child-porn-scare-to-extort-cash/article/243606/

MalwareC2_Clicker

A Trojan-Clicker is a type of Trojan that remains resident in system memory and continuously or regularly attempts to connect to specific websites. This is done to inflate the visit counters for those specific pages. The purpose of a Trojan-Clicker is to either earn money for appearing to drive traffic to specific sites (fraud) or to drain the budget of a competitor (attack) by artificially inflating the referrals that are paid for.

https://www.f-secure.com/v-descs/trojan_w32_trojan-clicker.shtml

MalwareC2_CoreBot

Corebot is an information stealer whose modular design gives it a built-in ability for new capabilities to be bolted on as the attacker needs to add functionality.

https://securityintelligence.com/watch-out-for-corebot-new-stealer-in-the-wild/

MalwareC2_Coreflood

Coreflood is a Trojan horse and botnet created by a group of Russian hackers and released in 2010. It is present on more than 2.3 million computers worldwide and as of May 2011 remains a threat. Coreflood opens a back door on the compromised computer and acts as a keylogger and gathers user information.

http://en.wikipedia.org/wiki/Coreflood

MalwareC2_Cridex

Cridex is a banking Trojan which, like ZeuS, will harvest information gathered from web sessions. Cridex lures an unsuspecting user into downloading the Trojan through a seemingly legitimate email notification prompting them to click a link. Once a user is infected, the Trojan then is able to steal online banking and email account credentials, and is able to use the victim's online identity to complete browsing activities, including registering new email accounts which are later used to proliferate the Cridex bot.

http://community.websense.com/blogs/securitylabs/archive/2012/01/30/trojan-caught-on-camera-shows-captcha-is-still-a-security-issue.aspx

MalwareC2_CryptoLocker

CryptoLocker is a ransomware Trojan which targets computers running Microsoft Windows, and was first observed by Dell SecureWorks in September 2013. CryptoLocker propagates via infected email attachments, and via an existing botnet; when activated, the malware encrypts certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware's control servers. The malware then displays a message which offers to decrypt the data if a payment (through either Bitcoin or a pre-paid cash voucher) is made by a stated deadline, and threatens to delete the private key if the deadline passes. If the deadline is not met, the malware offers to decrypt data via an online service provided by the malware's operators, for a significantly higher price in Bitcoin.

http://en.wikipedia.org/wiki/CryptoLocker

MalwareC2_Cryptowall

A ransomware malware family which encrypts files on infected systems using RSA-2048 encryption and extorts payment via Bitcoin before the victim can regain access to their files.

https://www.symantec.com/security_response/writeup.jsp?docid=2014-061923-2824-99

MalwareC2_CTBLocker

Ransomware that targets web servers and offers to decrypt two random files.

http://thehackernews.com/2016/02/ctb-locker-ransomware.html

MalwareC2_DarkComet

DarkComet is a Remote Access Tool (RAT) that is used to remotely access machines. While not explicitly built for malicious purposes, it has gained a lot of notoriety as being malicious. The tool itself can perform several server-side (on the infected machine) functions such as controlling the machine's processes, logging keystrokes, and controlling the machine overall.

https://blog.malwarebytes.org/intelligence/2012/06/you-dirty-rat-part-1-darkcomet/

MalwareC2_Dircrypt

Dircrypt ransomware encrypts all files on the hard drive of infected computers and changes the file extension to .enc.rtf.

http://www.cioreview.com/news/check-point-ends-dircrypt-menace-nid-4646-cid-79.html

MalwareC2_Dorkbot

This family of worms can steal your usernames and passwords by watching what you do online. They can also download other malware and stop you from visiting security-related websites. Some variants can use your PC in a denial of service (DoS) attack.

http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Dorkbot

MalwareC2_Dridex

Dridex is a banking Trojan that has become one of the most dangerous financial threats in recent years. Dridex is distributed daily by the Necurs botnet through millions of malware-laced spam e-mails. It leverages macros in Microsoft Office to compromise a computer and steal banking credentials and other sensitive information. A common attack chain observed throughout May/June of 2017 includes a spam email containing a malicious PDF as the initial vector. The attached PDF then drops and executes a DOCM containing a macro that launches a PowerShell script. The PowerShell script fetches an encrypted binary from the C&C which is decrypted to drop and execute a malicious payload.

https://www.fireeye.com/blog/threat-research/2017/05/dridex_and_lockyret.html

MalwareC2_Dromedan

Dromedan is a trojan horse that targets Windows-based platforms and downloads threats onto a compromised device via C&C communication. It sends out system information of the compromised device and receives instructions from the C&C. While running, Dromedan can perform several actions including: delete important system files arbitrarily, change browser settings, download malicious payloads from specific URLs and even install keyloggers to record keystrokes.

http://www.remove-malware-tech.com/post/Useful-Guide-to-Remove-Downloader.Dromedan-from-Your-PC_23_40726.html

MalwareC2_Dyreza

Dyreza is an online banking malware that is advertised as a spinoff of the infamous ZeuS banking malware. Dyreza variants arrive into users' systems mainly through spammed mails with malicious attachments. The spammed mail itself is almost always tailored to look like an invoice notification or similar to a notification involving banks/financial institutions, while the attachment is invariably a PDF file.

http://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/3139/the-dire-implications-of-dyreza

MalwareC2_Emotet

Emotet is a banking Trojan and credential stealer that is commonly spread through spam emails. The target receives an email and is prompted to follow a link to download a Word document. The Word document then downloads the payload and executes it. Recent versions of Emotet have gained the ability to spread through internal networks with worm-like behavior rather than through spam emails.

https://www.fidelissecurity.com/threatgeek/2017/07/emotet-takes-wing-spreader

MalwareC2_Expiro

Expiro.A is a Windows executable file infecting virus. It is also capable of stealing credit card information gathered from the affected machine. Upon execution, this virus recursively looks for link files (.LNK) inside drives C: to Z: starting from the root directory and subdirectories and tries to infect the link's target Windows executable. Infected files grow in size and four additional sections are appended at the end of each file.

https://www.f-secure.com/v-descs/virus_w32_expiro_a.shtml

MalwareC2_ExpiroZ

Virus:Win32/Expiro.Z is the detection for a virus that infects EXE files in all drives and collects user credentials from an infected computer. It also allows backdoor access and control to the infected computer, and lowers Internet Explorer security settings.

http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Virus:Win32/Expiro.Z

MalwareC2_FakeAntivirus

The Fake AV Trojan simulates a legitimate anti-virus program, typically stylized as a well-known security program like Windows® Security Center. Fake AV gathers personal data and other information from an infected computer, while simultaneously attempting to sell rogue anti-malware. Users infected with this Fake AV will receive notifications that they are infected with various threats and will be advised that to remove these fake infections, they need to purchase these fake, official sounding anti-malware programs.

http://en.wikipedia.org/wiki/Rogue_security_software

MalwareC2_Flame

The Flame Trojan is a highly sophisticated cyber-espionage toolkit targeting mostly Middle Eastern countries and is able to sniff network traffic, take screenshots, record audio conversations, log keystrokes and gather discoverable information from Bluetooth devices. Flame is specifically interested in data from PDF, Office and AutoCAD files. The Flame Trojan tricks computers into accepting the malicious software update by using a spoofed, but legitimate-looking, Microsoft security certificate for Terminal Server. Once a user tries to connect to Windows Update, they are redirected to an infected machine, which then sends a fake, malicious Windows Update notification.

http://news.cnet.com/8301-1009_3-57443975-83/behind-the-flame-malware-spying-on-mideast-computers-faq/

MalwareC2_Flashback

The Flashback Trojan is unique in that it targets Mac OS X exclusively. The attack downloads an executable file through an exploit in Java, and the file is used to download the malicious payload. Users encounter a prompt to enter their administrative password, though Flashback is installed regardless of whether the password is entered. The Flashback Trojan is currently being used for click fraud, but could easily be updated in the future to access banking or other sensitive information.

http://securitywatch.pcmag.com/apple/296278-apple-patches-java-flaw-exploited-by-flashback-trojan

MalwareC2_Fobber

Based on Tinba, Fobber is an information-stealing trojan. Fobber contains sophisticated anti-forensic capabilities including randomly generated filenames, encrypted C2, and an encrypted payload.

http://www.darkreading.com/vulnerabilities---threats/stealthy-fobber-malware-takes-anti-analysis-to-new-heights/d/d-id/1321055

MalwareC2_Formbook

Formbook is an Infostealer sold both commercially and on the underground market for a relatively cheap price. It is capable of credential theft, keylogging, clipboard monitoring, taking screenshots, among other activities.

https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

MalwareC2_GameoverZeus

Gameover ZeuS is a peer-to-peer botnet based on components from the earlier ZeuS Trojan. It is believed to have been spread through use of the Cutwail botnet. Unlike its predecessor the ZeuS Trojan, Gameover ZeuS uses an encrypted peer-to-peer communication system to communicate between its nodes and its command and control servers, greatly reducing its vulnerability to law enforcement operations. According to a report by Symantec, Gameover Zeus has largely been used for banking fraud and distribution of the CryptoLocker ransomware.

http://en.wikipedia.org/wiki/Gameover_ZeuS

MalwareC2_Gandcrab

GandCrab ransomware was first publicly mentioned by malware researcher David Montenegro (https://twitter.com/CryptoInsane/status/956803455833853952) in January 2018. In July 2018, GandCrab released version 4. GandCrab encrypts files and appends '.GDCB' (version 1), '.CRAB' (versions 2 and 3), or '.KRAB' (version 4). GandCrab has been known to be distributed by the Necurs spambot, Grandsoft EK, Magnitude EK, and especially Rig EK.

https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/

MalwareC2_Generic

The server from which an operator controls the bot nodes in a botnet. This server acts as the command center for the network. Because the threat landscape is constantly changing, new threat classifications and properties are routinely added to classify indicators that don't fall under any of the following specific properties.

http://www.microsoft.com/security/portal/mmpc/shared/glossary.aspx

MalwareC2_Geodo

Related to Cridex/Bugat/Feodo, Geodo is a banking Trojan which incorporates an email worm. Once infected, the bot downloads additional functionality to spread itself over email using stolen SMTP credentials.

https://threatpost.com/cridex-variant-geodo-part-trojan-part-email-worm/106943/

MalwareC2_GlobeImposter

GlobeImposter is ransomware that is typically distributed by malspam with malicious JavaScript downloaders attached. The downloader retrieves the GlobeImposter ransomware payload in the form of an executable. Once executed, the ransomware encrypts files on the victim's device and appends the .crypt extension. Encrypted files are placed in folders along with an .html ransom note. The ransom note contains instructions to contact a specific mail account in order to retrieve payment instructions and the ransom amount.

https://blog.malwarebytes.com/detections/ransom-globeimposter/

MalwareC2_Gozi

Discovered in early 2007, Gozi is a banking trojan which has mainly targeted banks and financial services in Spain, Poland, and Japan. It uses a number of delivery vectors such as URL-shortening services pointing to compromised sites or socially engineered emails laced with malicious attachments. After the victim's system has been compromised, Gozi uses dynamic web injection to target information from specific banks. Stolen banking information is then used to cash out the compromised banking accounts with the help of mules. Gozi uses a high degree of automation to optimize mule selection after profiling the victim.

http://www.securityweek.com/gozi-banking-trojan-campaigns-target-global-brands

MalwareC2_Hancitor

Hancitor is a Trojan downloader which installs other malware such as ransomware and information stealers. It is typically distributed by spam emails that either link to a malicious document or attach one directly. When this document is opened, its embedded macros assemble and execute the Hancitor payload. After infecting the system, Hancitor communicates with a C2 to download and install additional malware. It then continues to monitor the infected system and deliver additional payloads as necessary.

https://threatpost.com/spammers-revive-hancitor-downloader-campaigns/123011/

MalwareC2_Hawkeye

Sites associated with this Threat Property have been known to provide command, control, and communication, or to receive uploads of data from victims. This keylogger is a commercially available product which attackers have been known to abuse. This malware records keystrokes, recovers passwords cached in browsers, and takes screenshots. The configuration enables the attacker to transfer captured data via email, FTP or a web panel.

https://www.isightpartners.com/2015/06/hawkeye-keylogger-campaigns-affect-multiple-industries/

MalwareC2_Heodo

Heodo is a banking Trojan and successor of Geodo / Emotet (Version C) that first appeared in March 2017. Infection begins when recipients click a disguised URL or open an email attachment for a fake invoice embedded with malicious macros. Its primary role is to steal credentials and e-banking information which is subsequently used to access the bank accounts of victims. Post-infection, the Trojan targets additional e-mail addresses by sending more malicious emails to known contacts extracted from the victim's email client. In addition to e-mail spreading, Heodo also has internal network propagation capabilities built in, as it scans the network for other computers and infects them by exploiting a weakness around Windows OS-based network resources and shares.

http://www.prnewswire.com/news-releases/strains-of-mutant-malware-increasingly-evading-anti-virus-to-rob-bank-accounts-says-akouto-300510641.html

MalwareC2_Hesperbot

Hesperbot is a banking Trojan with some common features like keylogger, screen grabber, and video capture. It also is able to provide remote proxy services to other bots and contains a VNC server for remote access.

http://www.eset.com/int/about/press/articles/article/eset-uncovers-advanced-banking-trojan/

MalwareC2_IcedID

IcedID is a banking trojan targeting services including payroll portals, banking sites, and e-commerce services. This trojan is quite advanced, with the ability to perform both web injection attacks and redirection attacks to gather a victim’s financial information. The ability to perform both types of attacks places IcedID alongside some of the most advanced modern banking trojans such as Zeus and Dridex.

https://exchange.xforce.ibmcloud.com/collection/Icedid-e1afb90c4217131cca5821d00f841838

MalwareC2_InfostealerShiz

Infostealer.Shiz is a Trojan horse that steals confidential information from the compromised computer.

http://www.symantec.com/security_response/writeup.jsp?docid=2011-121202-4242-99

MalwareC2_IoTroop

IoTroop (a.k.a. IoT Reaper) is a new botnet family targeting IoT devices. Unlike Mirai, which gains access by brute-forcing IoT devices' default username/password, IoTroop exploits IoT device vulnerabilities. According to the netlab360 blog post, there are 4 components of the botnet: downloader, controller, reporter, and loaders. However, from Checkpoint, the bot is self-propagating, which is more reasonable, and they have a malicious traffic snapshot to back this up. An infected system contains a modified system file to open a reverse shell back to the C2 using the netcat command. The infected devices also attack other vulnerable devices. Currently, there is no evidence of DDoS attacking activities originating from this botnet. According to current information, I propose we should have 3 properties listed above. MalwareC2_Iotroop is the command and control center which controls and commands infected devices (bots). MalwareDownload_Iotroop hosts binary samples for bots to download from. And Bot_Iotroop is the infected devices.

https://research.checkpoint.com/new-iot-botnet-storm-coming/

MalwareC2_Jaff

Launched on May 11, 2017, Jaff is a ransomware variant that shares several characteristics with the Locky ransomware. It is heavily distributed by the Necurs botnet and uses spam e-mail messages laced with malware as its attack vector. During the launch of its initial campaigns, global sensors detected huge numbers of fake invoice malspams with PDF attachments containing embedded DOCM files. These documents made connections to the Jaff ransomware payload URL. After payload execution, Jaff encrypts files using AES encryption and appends the .jaff extension. Its payment site has a strong resemblance to Locky's.

http://blog.talosintelligence.com/2017/05/jaff-ransomware.html

MalwareC2_Karo

Karo, like other ransomware families, is distributed via malicious emails that lure the victim into opening an infected attachment, which encrypts the user's files and extorts payment for the decryption key. Karo emails claim the recipient owes a charge that is large enough, but not unrealistic, to warrant immediate action and perhaps make the potential victim overlook some of the email's red flags.

https://info.phishlabs.com/blog/not-notpetya-an-analysis-of-karo-ransomware

MalwareC2_Kraken

 

MalwareC2_LicatZeus

Licat (aka Murofet) is a ZeuS variant. This blended threat uses the Licat worm to add malicious code to any .exe or .dll file it finds. It uses a DGA to identify the pseudo-randomly generated domains used to host encrypted configurations which it downloads and decrypts. The configuration file contains details of which information to log from the user's machine, typically banking information, and details on where to upload that information.

http://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/65/zeus-still-a-threat-now-also-spreading-through-licat

MalwareC2_Locky

Locky ransomware uses an encrypted C2 channel and is typically delivered via a downloader in an MS Office macro or JavaScript. Once executed, Locky encrypts and renames files with a 16-character prefix of the unique victim ID and a .locky extension. It then displays the extortion notice with instructions for the victim to make payment and receive the decryption key.

https://blog.malwarebytes.org/threat-analysis/2016/03/look-into-locky/

MalwareC2_Log4Shell

An indicator that we or a trusted source have assessed to be a command and control server associated with Log4shell activity.

MalwareC2_Lokibot

Lokibot was first known in 2015 as a Windows OS password stealer, cryptocurrency wallet stealer, and keylogger. Recently, Lokibot has been observed forked to work on Android OS.

https://www.sans.org/reading-room/whitepapers/malicious/loki-bot-information-stealer-keylogger-more-37850

MalwareC2_Lookalike

A domain that we or a trusted source have assessed to be imitating another domain, and associated with malware command and control activity.

MalwareC2_MalumPOS

MalumPOS is point-of-sale malware which can monitor up to 100 running processes on infected systems in order to scrape payment card information from memory. It uses regular expressions to identify Track 1 and Track 2 data or at least Visa, American Express, Discover, MasterCard and Diners Club cards. It is configurable and has targeted Micros, Oracle Forms, and Shift4.

http://blog.trendmicro.com/trendlabs-security-intelligence/trend-micro-discovers-malumpos-targets-hotels-and-other-us-industries/

MalwareC2_Matsnu

Matsnu is a Trojan backdoor ransomware. Once infected, the Trojan reports system details to the C2 via an encrypted channel. It has the ability to update its code, download and execute payloads, or encrypt and lock the infected system.

http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/matsnu

MalwareC2_Mirai

Mirai is a bot network which enslaves Internet of Things (IoT) devices such as IP cameras and other Internet-connected consumer devices. Mirai continuously scans the public Internet IP address space for IoT devices and tries to access them using known default or weak credentials before exploiting them and forcing the devices to join botnets used in DDoS attacks.

https://threatpost.com/mirai-fueled-iot-botnet-behind-ddos-attacks-on-dns-providers/121475/

MalwareC2_Mobile

Command-and-control servers for mobile malware will vary depending upon the type and function of the infection. The C2 issues instructions to infected devices, such as exfiltrating data or downloading and executing payloads.

http://searchsecurity.techtarget.com/feature/Command-and-control-servers-The-puppet-masters-that-govern-malware

MalwareC2_MultiBanker

Multibanker is a Trojan that was primarily used in European countries and targeted specific banks to steal account information. As such, the C&C servers would only respond to IP addresses within Europe. The Trojan on the infected machine uses a Domain Generation Algorithm (DGA) in order to reach out to hosts for further instructions.

http://blog.kaspersky.com/neverquest-trojan-built-to-steal-from-hundreds-of-banks/

MalwareC2_Multigrain

MULTIGRAIN is a variant of NewPosThings which exfiltrates payment card data over DNS. While card processing networks are often restricted and closely monitored, DNS is rarely blocked since the processing hosts require it to resolve hostnames within the network.

https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html

MalwareC2_Murofet

Murofet (also called LICAT) is a variant of the Zeus banking trojan. This blended threat uses the Licat worm to add malicious code to any .exe or .dll file it finds. It uses a DGA to identify the pseudo-randomly generated domains used to host encrypted configurations which it downloads and decrypts. The configuration file contains details of which information to log from the user's machine, typically banking information, and details on where to upload that information.

http://community.websense.com/blogs/securitylabs/archive/2010/10/14/murofet-domain-generation-ala-conficker.aspx

MalwareC2_Necurs

Necurs may be downloaded as a primary infection or as an additional payload to infected systems; it then disables security services such as AV or the firewall.

http://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/3133/necurs-the-malware-that-breaks-your-security

MalwareC2_Neverquest

Neverquest is a banking Trojan that spreads itself via social media, email and file transfer protocols. It possesses the capacity to recognize hundreds of online banking and other financial sites. When an infected user attempts to login to one of the sites, the Trojan reacts by activating itself and pilfering its victim's credentials. Neverquest then relays the stolen credentials back to a command and control server.

http://blog.kaspersky.com/neverquest-trojan-built-to-steal-from-hundreds-of-banks/

MalwareC2_Nymaim

Nymaim is a Trojan downloader which installs other malware such as ransomware and information stealers. Nymaim uses web injects and obfuscates both its own instructions and those of its payload.

https://www.proofpoint.com/us/what-old-new-again-nymaim-moves-past-its-ransomware-roots-0

MalwareC2_OSXFlashBack

The Flashback Trojan is unique in that it targets Mac OS X exclusively. The attack downloads an executable file through an exploit in Java, and the file is used to download the malicious payload. Users encounter a prompt to enter their administrative password, though Flashback is installed regardless of whether the password is entered. The Flashback Trojan is currently being used for click fraud, but could easily be updated in the future to access banking or other sensitive information.

http://securitywatch.pcmag.com/apple/296278-apple-patches-java-flaw-exploited-by-flashback-trojan

MalwareC2_P2PZeus

The ZeuS P2P Trojan is a variant of ZeuS which has eliminated the need for a static command and control (C&C) server for its directions and updates, and instead utilizes peer-to-peer (P2P) to get that same information. Utilizing P2P allows the botmasters to use other infected PCs to distribute updated ZeuS software and commands to their bots, eliminating the need for a central C&C server and making it more difficult for security researchers to find and disable the botnet. There is still a C&C server, but it does not necessarily use a static domain and can change frequently by sending the bots an updated configuration file.

http://threatpost.com/en_us/blogs/p2p-version-zeus-botnet-appears-101111

MalwareC2_Padcrypt

Ransomware with live chat support.

http://www.bleepingcomputer.com/news/security/padcrypt-the-first-ransomware-with-live-support-chat-and-an-uninstaller/

MalwareC2_Palevo

Palevo is a family of worms that are essentially downloaders, but can perform several other malicious functions such as stealing login credentials, other online banking-related information, as well as corporate and personal data. Palevo has also been known to initiate distributed denial-of-service attacks (DDoS). Palevo spreads through P2P systems such as Limewire, Emule, and Bearshare. It also spreads through instant messaging and USB devices.

http://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/104/palevo-worm-leads-to-info-theft-ddos-attacks

MalwareC2_Pandabanker

Panda Banker is a banking Trojan that is mainly spread via email attachments containing a downloader. It can also be delivered by exploit kits including Angler, Nuclear, and Neutrino. As with many other banking trojans, Panda Banker sends and receives commands from the C&C server. Responses from the C&C come in as obfuscated JSON data which contains URL locations to further download modules and config files for the malware. Panda Banker borrows code from earlier banking trojans like Zeus and generates fraudulent transactions with the support of Automatic Transfer Systems, a type of banking web inject that automates online bank portal actions.

https://www.proofpoint.com/us/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market

MalwareC2_Paycrypt

Ransomware, also known as CryptoBot.

http://www.securityweek.com/new-ransomware-uses-gnupg-encrypt-files

MalwareC2_PeerToPeer

Peer-to-peer (abbreviated to P2P) refers to a computer network in which each computer in the network can act as a client or server for the other computers in the network, allowing shared access to files and peripherals without the need for a central server.

MalwareC2_Petya

Petya is a ransomware family, first identified in 2016, which encrypts files on the victim's hard drive as well as overwriting and encrypting the Master Boot Record (MBR) and Master File Table (MFT) of NTFS partitions.

https://en.wikipedia.org/wiki/2017_Petya_cyberattack

MalwareC2_Pizd

 

MalwareC2_Ponmocup

One of the largest and longest-running botnets, Ponmocup has been used for ad fraud, data theft, and downloading additional threats to infected systems. After compromising devices, Ponmocup can expand the size of the botnet even further by using stolen FTP login information (to gain access to webservers) and Facebook credentials. The malware is diligent in evading detection, as it encrypts and stores its components in different locations. It also uses different servers for each of the components, and communication goes through several proxy layers between the command and control and the malware.

https://www.securityweek.com/ponmocup-botnet-still-actively-used-financial-gain

MalwareC2_PonyLoader

Pony Loader is an information stealer that has been around for a while. Previously it was used for spreading other banking Trojans and ransomware. In 2014, a new variant was observed with updated functionality to include stealing from cryptocurrency wallets. One vector of delivery for Pony Loader is through popular Exploit Kits such as Angler, Sweet Orange, Nuclear, etc.

http://www.scmagazine.com/pony-loader-20-now-steals-cryptocurrency-wallets-still-spreads-other-malware/article/358270/

MalwareC2_PoSC2

This domain or IP is a C&C and/or exfiltration channel for malware that infects Point-of-sale systems and collects credit and debit card payment data by reading device memory. Infected PoS systems are one of the most common sources of credit card data sold on darknet forums. Examples include 'PoSeidon' and 'Kuhook.' Others may be found under their own property, such as 'MalumPOS.'

https://www.trustwave.com/Resources/SpiderLabs-Blog/PoSeidon-Completionist/

MalwareC2_Proslikefan

First seen in September 2012, Proslikefan is a JavaScript worm which propagates by copying itself to external drives, mapped network shares, and file-sharing applications. On execution, it contacts remote servers that are either hardcoded into its program or generated by a Domain Generation Algorithm (DGA) to download additional files onto the compromised devices. Proslikefan has been observed to mainly target Brazil, where it was the second most common malware family in Q4 2014.

https://www.f-secure.com/v-descs/worm_js_proslikefan.shtml

MalwareC2_Pushdo

Cutwail, otherwise known as Pushdo, is a spamming botnet that sends a wide range of campaigns promoting fake pharmaceuticals, designer rip-offs, pirated software, fake ACH notifications, fake Facebook friend requests, fake airline ticket confirmations, as well as other scams. It also sends spam emails with malicious attachments, usually within a Zip file. Cutwail is a spamming engine that lures users to malicious or compromised web sites, triggering a series of exploits that injects the Pushdo Trojan into the user's PC memory.

http://www.techrepublic.com/blog/security/pushdocutwail-botnet-second-to-none-when-it-comes-to-spamming/1637

MalwareC2_Pykspa

Pykspa, also called Pykse, Skyper or SkypeBot, is a worm which spreads via Skype. Once a system is infected it changes settings and terminates security-related processes, then sends instant messages to Skype contacts containing links to propagate the worm.

https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=22544

MalwareC2_Qadars

 

MalwareC2_Qakbot

Qakbot is a multi-component threat that remains prevalent since its first emergence in 2007. Early variants of this malware used constant file names which had the string "qbot" in them and utilized a single layer of encryption for their configuration files. Later variants, however, set the configuration files' attribute to Hidden and used random names for their component files and folders. These also doubled their configuration files' encryption, which made them harder to decrypt and analyze. Qakbot's payloads include malware infection and information theft.

http://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/80/qakbot-a-prevalent-infostealing-malware

MalwareC2_QuantLoader

Quant Loader is a dropper or downloader type of malware, typically delivered through malicious emails, and targets systems running a Windows OS. As a dropper, Quant Loader is used to download and install additional malware. It has been observed hiding itself in the user AppData directory and adding 'allow' outbound rules to Windows Firewall for loading other malware. It maintains persistence on infected systems by adding autorun registry keys.

http://www.vkremez.com/2017/07/lets-learn-in-depth-reversing-popular.html

MalwareC2_Ramdo

 

MalwareC2_Ramnit

This malware family steals your sensitive information, such as your bank usernames and passwords. It can also give a malicious hacker access and control of your PC, and stop your security software from running. These threats can be installed on your PC through an infected removable drive, such as a USB flash drive.

http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/Ramnit

MalwareC2_Ranbyus

Ranbyus is a banking Trojan that uses form grabbers based on the targeted payment software and bypasses smartcard transaction signing.

http://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/

MalwareC2_Ransomware

Ransomware is a class of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator of the malware in order for the restriction to be removed. Some forms of ransomware encrypt files on the system's hard drive, while some may simply lock the system and display messages intended to coax the user into paying.

https://en.wikipedia.org/wiki/Ransomware

MalwareC2_RockLoader

RockLoader is an Upatre-like downloader distributed by Dridex. Attackers use RockLoader to install additional malware on the remote (victim) system.

http://phishme.com/rockloader-new-upatre-like-downloader-pushed-dridex-downloads-malwares/

MalwareC2_Shifu

Shifu is a Japanese banking Trojan which employs anti-analysis techniques, web injection, screen grabber, remote access, and other capabilities.

https://securityintelligence.com/shifu-masterful-new-banking-trojan-is-attacking-14-japanese-banks/

MalwareC2_Shiz

This classification can be applied to exploit kit components delivering Infostealer.Shiz which is a Trojan that steals sensitive information from the infected machine.

MalwareC2_Shylock

Shylock was a Trojan that would target customers of certain financial institutions. When the infected machine would load the page of a specific bank login page in a web browser, the malware would steal the banking credentials via man-in-the-browser attacks. Afterwards, it would send the information to various C&C servers while receiving additional instructions. Shylock malware explicitly targeted European banks for a majority of its existence but briefly began targeting U.S. Bank before it was disabled.

http://securelist.com/blog/research/64599/shylockcaphaw-malware-trojan-the-overview/

MalwareC2_Simda

Simda is an information stealer which may redirect compromised systems to sites the attackers control, install additional payloads, and steal banking credentials.

https://www.us-cert.gov/ncas/alerts/TA15-105A

MalwareC2_Sinowal

Torpig, otherwise known as Sinowal, is a botnet that steals financial information and can affect computers that use Microsoft Windows. Through the use of rootkit technology, Torpig avoids detection by anti-virus applications, and hides its presence from the operating system. Torpig is then able to intercept credentials and account information and could potentially allow the criminals unfettered access to the infected computer. Torpig is capable of injecting additional content and fields into targeted websites, visible only on the infected machine, with the intention of tricking victims into providing sensitive details that the malware can transmit back to its controllers.

http://en.wikipedia.org/wiki/Torpig

MalwareC2_SmokeLoader

Smoke Loader is typically downloaded through email attachments attempting to spoof online order receipts. Once installed, Smoke Loader can download and install additional malware and steal login credentials from browser sessions and email clients. Smoke Loader is capable of remaining hidden through bypassing of UAC and disabling antivirus software.

http://stopmalvertising.com/rootkits/analysis-of-smoke-loader.html

MalwareC2_Sphinx

In 2016, Zeus Sphinx mainly targeted banks and Boleto payment services in Brazil and Colombia. More recently in 2017, it shifted its campaign to attack banks primarily based in Canada, Australia and USA. Like many other banking trojans, Sphinx uses man-in-the-middle webinjections to steal banking information initiated by victims. This information is subsequently used to cash out accounts from the victim's own device. Its distribution methods are emails loaded with malicious VBA and malvertising.

https://whitehatcheryl.wordpress.com/2017/01/29/update-zeus-sphinx-trojan-is-back/

MalwareC2_SpyEye

SpyEye is a malware toolkit that steals online banking credentials. The criminals use these stolen banking credentials to quickly initiate transactions when the user is logged into their online bank account. SpyEye is known for its use of HTML injection, which creates new fields into a legitimate web page. These injected fields ask the banking customer for sensitive information such as login and password information or debit card numbers.

http://www.pcworld.com/businesscenter/article/247252/spyeye_malware_borrows_zeus_trick_to_mask_fraud.html

MalwareC2_Spyware

Spyware is a type of malware (malicious software) installed on computers that collects information about users without their knowledge. The presence of spyware is typically hidden from the user and can be difficult to detect. Spyware is often secretly installed on a user's personal computer without their knowledge. However, some spyware such as keyloggers may be installed by the owner of a shared, corporate, or public computer on purpose in order to intentionally monitor users. Spyware can collect almost any type of data, including personal information like Internet surfing habits, user logins, and bank or credit account information. Spyware can also interfere with user control of a computer by installing additional software or redirecting Web browsers. Some spyware can change computer settings, resulting in slow Internet connection speeds, un-authorized changes in browser settings or functionality of other software.

http://en.wikipedia.org/wiki/Spyware

MalwareC2_Suppobox

Suppobox (also called Kazy) is a trojan downloader.

http://www.enigmasoftware.com/kazytrojan-removal/

MalwareC2_Symmi

Symmi is an adware Trojan that comes bundled with software installers. It may modify system files, add folders, create Windows tasks, and load ads into the web browser.

https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Symmi-C.aspx

MalwareC2_TaurusProject

Taurus Project is an information stealer offered in the Russian hacking markets and a derivative of Predator the Thief. It became available in April 2020.

https://blogs.infoblox.com/security/new-malware-variant-project-taurus-infostealer-follows-in-predator-the-thiefs-footprints/

MalwareC2_TDSS

TDL-4 is a highly sophisticated piece of malware that enables the creation and management of a botnet. The TDL-4 botnet is primarily used to commit click fraud. To avoid detection and remediation, TDL-4 encrypts the communication protocol between bots and the botnet command and control (C&C) servers, and attempts to ensure that a viable line of communication to infected computers remains intact should the botnet control centers be shut down.

http://searchsecurity.techtarget.com/definition/TDL-4-TDSS-or-Alureon

MalwareC2_Tempedreve

The Tempedreve worm spreads through removable media, network drives, and files from the infected computer. On infected computers it changes settings, creates services, and modifies certain file types. Tempedreve uses web injects and JavaScript to steal data which it sends to C2 servers.

https://www.symantec.com/security_response/writeup.jsp?docid=2015-010207-2218-99

MalwareC2_TeslaCrypt

Ransomware. It mostly infected computer gamers, since the files it targeted for encryption were game saves, user profiles and recorded replays.

http://www.kaspersky.com/internet-security-center/threats/teslacrypt

MalwareC2_TinyBanker

Tinba got its name from its extraordinarily small size -- its code is approximately 20 kilobytes in size, a remarkably small number for banking malware. Tinba is a combination of the words tiny and banker; the same malware is also known as Tinybanker and Zusy. Tinba is delivered onto user systems via the Blackhole exploit kit, and is aimed primarily at users in Turkey. The capabilities of this malware are broadly similar to other similarly sophisticated info-stealing malware families. Using web injects, it steals the login information from websites, particularly those located in Turkey.

http://blog.trendmicro.com/trendlabs-security-intelligence/the-tinbatinybanker-malware/

MalwareC2_Torpig

Torpig is a botnet that steals financial information and can affect computers that use Microsoft Windows. Through the use of rootkit technology, Torpig avoids detection by anti-virus applications, and hides its presence from the operating system. Torpig is then able to intercept credentials and account information and could potentially allow the criminals unfettered access to the infected computer. Torpig is capable of injecting additional content and fields into targeted websites, visible only on the infected machine, with the intention of tricking victims into providing sensitive details that the malware can transmit back to its controllers.

http://www.darkreading.com/security/client-security/217201422/researchers-take-over-dangerous-botnet.html

MalwareC2_TorrentLocker

Ransomware. Four releases have been detected. According to Kaspersky Lab, files encrypted by the first three releases can be decrypted.

http://www.kaspersky.com/internet-security-center/threats/torrentlocker-malware

MalwareC2_TrickBot

Considered Dyreza's successor, the TrickBot banking Trojan has mainly targeted the financial sector including private banks, wealth management firms, investment banking, insurance and annuity companies. Since September 2016, this malware family has been delivered in a number of ways, from malvertising campaigns involving Rig Exploit Kit to use of the Necurs botnet. Once deployed, TrickBot downloads malicious modules onto the compromised system to perform man-in-the-browser attacks for credential theft. The bot continues to stay in touch with the C&C via SSL encrypted communication.

https://blogs.forcepoint.com/security-labs/trickbot-spread-necurs-botnet-adds-nordic-countries-its-targets

MalwareC2_Upatre

Upatre is a downloader commonly distributed via email either as attachments or a link to a remote server. If linked to a remote server, the server will gather system information to determine if the machine is exploitable. The browser will be redirected to a legitimate website if the OS is not supported and a zip file containing the newest variant of Upatre will be prompted for download if the machine is exploitable. Once installed, Upatre will connect to C&C servers and provide system information as well as download additional malware such as Dyreza banking Trojan.

MalwareC2_UrlZone

TrojanSpy:Win32/Bebloh.A is a Trojan that monitors and captures logon credentials to certain online banking and financial institutions. The Trojan also changes Windows settings, forces use of Internet Explorer as a Web browser and may be used by an attacker to withdraw funds from online banking accounts.

http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy:Win32/Bebloh.A

MalwareC2_Ursnif

Ursnif is a banking trojan that began as a variant of the popular Gozi banking trojan but has since evolved to be a legitimate threat in its own right. It is most frequently distributed through malicious email attachments that purport themselves to be invoices or other important documents. One notable advancement of Ursnif over Gozi is Ursnif's use of redirection attacks to steal sensitive banking information. These attacks redirect users' DNS requests for banking sites to servers controlled by the Ursnif operator before connecting them to the real banking website. This process allows the Ursnif operators to steal the user's credentials without being detected by the bank's anti-fraud mechanisms.

https://securityintelligence.com/ursnif-v3-emerges-targets-australian-bank-customers-with-redirection-attacks/

MalwareC2_Vawtrak

Vawtrak first made the rounds via attachments to fake shipping notification emails in August 2013. This 2013 variant stole credentials from several Windows email clients, however, more recent Vawtrak variants have expanded their capabilities to include a wider range of theft. Among these capabilities were banking Trojan routines such as stealing banking credentials and credit card information. Vawtrak is noteworthy because its routines have vastly "improved" from simple information theft to stealing banking data from certain banking institutions in Japan. Vawtrak is also notable because its routines make malware cleanup difficult. Vawtrak restricts users from running files related to antivirus software by adding specific registry entries to infected systems.

http://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/3141/vawtrak-plagues-users-in-japan

MalwareC2_Virut

Virut is a malware botnet that is known to be used for cybercrime activities such as DDoS attacks, spam (in collaboration with the Waledac botnet), fraud, data theft, and pay-per-install activities. It spreads through executable file infection (through infected USB sticks and other media), and more recently, through compromised HTML files (thus infecting vulnerable browsers visiting compromised websites).

http://en.wikipedia.org/wiki/Virut

MalwareC2_VMZeus

A Zeus banking Trojan variant which uses steganography for command and control.

http://www.theinquirer.net/inquirer/news/2329754/zeus-banking-trojan-is-back-with-another-variant-zeusvm

MalwareC2_Volatile

The threat landscape is constantly changing; new threat properties are routinely added to classify indicators that don't fall under other properties.

MalwareC2_Xpaj

XPAJ enters users' computers through different methods. XPAJ can be dropped by other malware or downloaded unknowingly through visiting malicious sites. Once inside the system, XPAJ drops its encrypted mother file. XPAJ variants infect system files with the extensions .DLL, .EXE, .SCR, and .SYS. While other malware usually create registry entries to automatically load at system start-up, XPAJ variants infect the MBR, which causes the malware to load before the operating system (OS). This makes removal of XPAJ malware even more difficult.

http://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/118/xpaj-back-with-a-vengeance

MalwareC2_Yahos

Yahos is a computer worm that infects machines connected to the LAN that the infected machine is currently on. The worm is distributed through the Facebook platform. Once infected, the Yahos worm continues to affect other machines on the network and enables them to remotely connect. Yahos also steals sensitive information.

MalwareC2_ZeroAccess

Trojan.Zeroaccess is a Trojan horse that uses an advanced rootkit to hide itself. It can also create a hidden file system, download more malware, and open a back door on the compromised computer. The primary motivation of this threat is to make money through pay per click advertising. It does this by downloading an application that conducts Web searches and clicks on the results. The threat is also capable of downloading other threats on to the compromised computer, some of which may be Misleading Applications that display bogus information about threats found on the computer and scare the user into purchasing fake antivirus software to remove the bogus threats. It is also capable of downloading updates of itself to improve and/or fix functionality of the threat.

http://www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99

MalwareC2_Zeus

Zeus, ZeuS, or Zbot is a family of banking Trojans comprising numerous variants, and it has spawned multiple copy-cats. Its capabilities include keylogging, remote access, and installing additional payloads.

https://en.wikipedia.org/wiki/Zeus_(malware)

MalwareC2_Zusy

Discovered in April 2012, the Zusy malware (also known as Tiny Banker) has been around for years. This banking Trojan first received the 'Tiny' nickname for being one of the smallest Trojan bankers at the time of its discovery. With a code size of just 20KB, the Trojan stole login data by hooking into browsers and performing man-in-the-middle (MITM) attacks. The early variants of Zusy practiced an extremely simple C&C communication method by contacting several servers hardcoded into the malware. Over time, the malware family evolved and new variants introduced more sophisticated techniques such as the use of DGA domains for C&C channels. Recently, in early June 2017, a new Zusy variant was brought into the spotlight for its novel way of compromising victims. The malware is spread as PowerPoint file attachments to spam emails. Separating itself from the usual malware-laced spam that relies on users activating Office macros, the PowerPoint launches an external program which results in the download of malicious payload(s).

https://sentinelone.com/blogs/zusy-powerpoint-malware-spreads-without-needing-macros/

Malware C2 DGA

Domain generation algorithms (DGAs) are algorithms seen in various families of malware that are used to periodically generate a large number of domain names that can serve as rendezvous points with their command and control servers. Infoblox recommends blocking all network traffic to these domains. Systems communicating with these domains should be scanned for malware.

Id

Description

MalwareC2DGA_BackdoorRAT

BackdoorRAT is a remote access Trojan which enables the attacker to take over the infected computer.

https://www.symantec.com/security_response/writeup.jsp?docid=2000-121909-1302-99

MalwareC2DGA_Bamital

Computer-generated domains for Bamital. Bamital is most often installed via drive-by downloads using exploit kits stitched into hacked and malicious Web sites. It alters the organic search results on the host machine, redirecting victims away from sites as indexed by the major search providers toward pages that provide advertising and referral commissions to affiliate marketers.

http://krebsonsecurity.com/2013/02/microsoft-symantec-hijack-bamital-botnet/

MalwareC2DGA_Banjori

Banjori is identified by Johannes Bader as MultiBanker 2 or BankPatch/BackPatcher. Multibanker is a Trojan that was primarily used in European countries, targeting specific banks to steal account information. As such, the C&C servers would only respond to IP addresses within Europe. The Trojan on the infected machine uses a Domain Generation Algorithm (DGA) in order to reach out to hosts for further instructions.

https://www.johannesbader.ch/2015/02/the-dga-of-banjori

MalwareC2DGA_Bedep

Bedep is an ad-fraud / click-fraud Trojan which uses pay-per-click exchanges to mask the origins of its network traffic and load advertisements from multiple publishers.

https://sentrant.com/2015/05/20/bedep-ad-fraud-botnet-analysis-exposing-the-mechanics-behind-153-6m-defrauded-ad-impressions-a-day/

MalwareC2DGA_Beebone

Beebone is a botnet with polymorphic, worm-like abilities to spread to new machines and an update process that replaces itself with newer versions to evade anti-virus. The Beebone botnet was taken down by law enforcement in April 2015, with its traffic redirected to sinkholes.

https://blogs.mcafee.com/mcafee-labs/beebone-update/

MalwareC2DGA_Chinad

ChinAd is a trojan adware class malware that targets Windows-based operating systems. Trojan ChinAd is commonly distributed when victims download fake Windows updates or other third-party bundled programs. Trojan.ChinAd copies its files to the victim's hard disk and runs itself with a new startup key in the registry with the name Trojan.ChinAd and a typical value of [randomname].exe. Common after-effects of ChinAd infection include the display of warning messages about corrupted Windows system files, disabling of antivirus software, and changes to browser configurations.

http://www.spywaretechs.com/remove-trojan-chinad/

MalwareC2DGA_Clicker

Clicker or AdClicker is click fraud malware which generates fake clicks or views of web advertisements to take advantage of pay-per-click revenue for the fraudster.

https://www.symantec.com/security_response/writeup.jsp?docid=2002-091214-5754-99

MalwareC2DGA_ConfickerA

Conficker is a computer worm that targets flaws in Windows OS and uses dictionary attacks on administrator passwords. It is suspected that Conficker's authors monitor efforts within the security industry to find and mitigate the virus. As a result, new variants have been released to patch its own vulnerabilities to anti-virus detection and remediation, making Conficker one of the most prevalent and difficult pieces of malware to completely disable. There are five known variants of the virus called Conficker A, B, C, D and E. While the virus hasn't caused any serious damage, it has prevented affected users from installing Windows and anti-virus updates that might mitigate the Conficker virus (and other threats).

http://en.wikipedia.org/wiki/Conficker

MalwareC2DGA_ConfickerB

Conficker is a computer worm that targets flaws in Windows OS and uses dictionary attacks on administrator passwords. It is suspected that Conficker's authors monitor efforts within the security industry to find and mitigate the virus. As a result, new variants have been released to patch its own vulnerabilities to anti-virus detection and remediation, making Conficker one of the most prevalent and difficult pieces of malware to completely disable. There are five known variants of the virus called Conficker A, B, C, D and E. While the virus hasn't caused any serious damage, it has prevented affected users from installing Windows and anti-virus updates that might mitigate the Conficker virus (and other threats).

http://en.wikipedia.org/wiki/Conficker

MalwareC2DGA_ConfickerC

Conficker is a computer worm that targets flaws in Windows OS and uses dictionary attacks on administrator passwords. It is suspected that Conficker's authors monitor efforts within the security industry to find and mitigate the virus. As a result, new variants have been released to patch its own vulnerabilities to anti-virus detection and remediation, making Conficker one of the most prevalent and difficult pieces of malware to completely disable. There are five known variants of the virus called Conficker A, B, C, D and E. While the virus hasn't caused any serious damage, it has prevented affected users from installing Windows and anti-virus updates that might mitigate the Conficker virus (and other threats).

http://en.wikipedia.org/wiki/Conficker

MalwareC2DGA_CoreBot

Corebot is an information stealer whose modular design gives it a built-in ability for new capabilities to be bolted on as the attacker needs to add functionality.

https://securityintelligence.com/watch-out-for-corebot-new-stealer-in-the-wild/

MalwareC2DGA_Coreflood

Coreflood is a Trojan horse and botnet created by a group of Russian hackers and released in 2010. It is present on more than 2.3 million computers worldwide and as of May 2011 remains a threat. Coreflood opens a back door on the compromised computer and acts as a keylogger and gathers user information.

http://en.wikipedia.org/wiki/Coreflood

MalwareC2DGA_Cridex

Cridex is a banking Trojan which, like ZeuS, will harvest information gathered from web sessions. Cridex lures an unsuspecting user into downloading the Trojan through a seemingly legitimate email notification prompting them to click a link. Once a user is infected, the Trojan then is able to steal online banking and email account credentials, and is able to use the victim's online identity to complete browsing activities, including registering new email accounts which are later used to proliferate the Cridex bot.

http://community.websense.com/blogs/securitylabs/archive/2012/01/30/trojan-caught-on-camera-shows-captcha-is-still-a-security-issue.aspx

MalwareC2DGA_CryptoLocker

CryptoLocker is a ransomware Trojan which targets computers running Microsoft Windows, and was first observed by Dell SecureWorks in September 2013. CryptoLocker propagates via infected email attachments, and via an existing botnet; when activated, the malware encrypts certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware's control servers. The malware then displays a message, which offers to decrypt the data if a payment (through either Bitcoin or a pre-paid cash voucher) is made by a stated deadline, and threatens to delete the private key if the deadline passes. If the deadline is not met, the malware offers to decrypt data via an online service provided by the malware's operators, for a significantly higher price in Bitcoin.

https://en.wikipedia.org/wiki/CryptoLocker

MalwareC2DGA_Cryptowall

A ransomware malware family which encrypts files on infected systems using RSA2048 encryption and extorts payment via Bitcoin before the victim can regain access to their files.

https://www.symantec.com/security_response/writeup.jsp?docid=2014-061923-2824-99

MalwareC2DGA_DarkComet

DarkComet is a Remote Access Tool (RAT) that is used to remotely access machines. While not explicitly used for malicious purposes, it has gained a lot of notoriety as being malicious. The tool itself can perform several server side (in infected machine) functions such as controlling the processes of the machine, log keystrokes, and control the machine overall.

https://blog.malwarebytes.org/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/

MalwareC2DGA_Dircrypt

Dircrypt ransomware encrypts all files on the hard drive of infected computers and changes the file extension to .enc.rtf.

https://www.johannesbader.ch/2015/03/the-dga-of-dircrypt/

MalwareC2DGA_Dorkbot

This family of worms can steal your usernames and passwords by watching what you do online. They can also download other malware and stop you from visiting security-related websites. Some variants can use your PC in a denial of service (DoS) attack.

http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Win32/Dorkbot

MalwareC2DGA_Dromedan

Dromedan is a trojan horse that targets Windows-based platforms and downloads threats onto a compromised device via C&C communication. It sends out system information of the compromised device and receives instructions from the C&C. While running, Dromedan can perform several actions including: deleting important system files arbitrarily, changing browser settings, downloading malicious payloads from specific URLs and even installing key loggers to record keystrokes.

http://www.remove-malware-tech.com/post/Useful-Guide-to-Remove-Downloader.Dromedan-from-Your-PC_23_40726.html

MalwareC2DGA_Dyreza

Dyreza is an online banking malware that is advertised as a spinoff of the infamous ZeuS banking malware. Dyreza variants arrive into users' systems mainly through spammed mails with malicious attachments. The spammed mail itself is almost always tailored to look like an invoice notification or similar to a notification involving banks/financial institutions, while the attachment is invariably a PDF file.

http://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/3139/the-dire-implications-of-dyreza

MalwareC2DGA_Expiro

Expiro.A is a Windows executable file infecting virus. It is also capable of stealing credit card information gathered from the affected machine. Upon execution, this virus recursively looks for link files (.LNK) inside drives C: to Z: starting from the root directory and subdirectories and tries to infect the link's target Windows executable. Infected files grow in size and four additional sections are appended at the end of each file.

https://www.f-secure.com/v-descs/virus_w32_expiro_a.shtml

MalwareC2DGA_ExpiroZ

Expiro.Z is the detection for a virus that infects EXE files in all drives and collects user credentials from an infected computer. It also allows backdoor access and control to the infected computer, and lowers Internet Explorer security settings.

http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Virus:Win32/Expiro.Z

MalwareC2DGA_Flame

The Flame Trojan is a highly sophisticated cyber-espionage toolkit targeting mostly Middle Eastern countries and is able to sniff network traffic, take screenshots, record audio conversations, log keystrokes and gather discoverable information from Bluetooth devices. Flame is specifically interested in data from PDF, Office and AutoCAD files. The Flame Trojan tricks computers into accepting the malicious software update by using a spoofed, but legitimate, Microsoft security certificate for Terminal Server. Once a user tries to connect to Windows Update, they are redirected to an infected machine, which then sends a fake, malicious Windows Update notification.

http://news.cnet.com/8301-1009_3-57443975-83/behind-the-flame-malware-spying-on-mideast-computers-faq/

MalwareC2DGA_Flashback

The Flashback Trojan is unique in that it targets Mac OS X exclusively. The attack downloads an executable file through an exploit in Java, and the file is used to download the malicious payload. Users encounter a prompt to enter their administrative password, though Flashback is installed regardless of whether the password is entered. The Flashback Trojan is currently being used for click fraud, but could easily be updated in the future to access banking or other sensitive information.

http://securitywatch.pcmag.com/apple/296278-apple-patches-java-flaw-exploited-by-flashback-trojan

MalwareC2DGA_Fobber

Based on Tinba, Fobber is an information-stealing trojan. Fobber contains sophisticated anti-forensic capabilities including randomly generated filenames, encrypted C2, and an encrypted payload.

http://www.darkreading.com/vulnerabilities---threats/stealthy-fobber-malware-takes-anti-analysis-to-new-heights/d/d-id/1321055

MalwareC2DGA_GameoverZeus

Infostealer.Shiz is a Trojan horse that steals confidential information from the compromised computer.

http://www.symantec.com/security_response/writeup.jsp?docid=2011-121202-4242-99

MalwareC2DGA_GameoverZeusV2

A domain used for command and control by the Gameover Zeus v2 malware. These domain names are generated by a domain generation algorithm encoded in the malware and registered automatically, and should be considered entirely malicious. Infoblox recommends blocking all network traffic to these domains. Hosts communicating with these domains should be scanned for malware.

http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2fZbot&wa=wsignin1.0#tab=2

MalwareC2DGA_Generic

Because the threat landscape is constantly changing, each Infoblox classification contains a generic property to classify indicators that don't fall under any of the following specific properties for MalwareC2DGA.

http://en.wikipedia.org/wiki/Domain_generation_algorithm

MalwareC2DGA_Geodo

Related to Cridex/Bugat/Feodo, Geodo is a banking Trojan which incorporates an email worm. Once infected, the bot downloads additional functionality to spread itself over email using stolen SMTP credentials.

https://threatpost.com/cridex-variant-geodo-part-trojan-part-email-worm/106943/

MalwareC2DGA_Gozi

Discovered in early 2007, Gozi is a banking trojan which has mainly targeted banks and financial services in Spain, Poland, and Japan. It exercises a number of delivery vectors, such as URL shortening services pointing to compromised sites or socially engineered emails laced with malicious attachments. After the victim's system has been compromised, Gozi uses dynamic web injection to target information from specific banks. Stolen banking information is then used to cash out the compromised banking accounts with the help of mules. Gozi uses a high degree of automation to optimize mule selection after profiling the victim.

http://www.securityweek.com/gozi-banking-trojan-campaigns-target-global-brands

MalwareC2DGA_Hancitor

Hancitor is a trojan downloader which is distributed through malicious spam email campaigns. Once Hancitor has infected a victim’s device, it will communicate with its C2 server to receive instructions. Hancitor will then download and install additional malware payloads based on the instructions it receives. These payloads often include some kind of credential-stealing malware such as PonyLoader, Vawtrak, DELoader, or PandaBanker. Some Hancitor campaigns follow up with an additional payload, usually ransomware, after stealing a victim’s credentials.

http://www.malware-traffic-analysis.net/2019/04/02/index.html

MalwareC2DGA_Hesperbot

Hesperbot is a banking Trojan with some common features like keylogger, screen grabber, and video capture. It also is able to provide remote proxy services to other bots and contains a VNC server for remote access.

http://www.eset.com/int/about/press/articles/article/eset-uncovers-advanced-banking-trojan/

MalwareC2DGA_InfostealerShiz

Infostealer.Shiz is a Trojan horse that steals confidential information from the compromised computer.

http://www.symantec.com/security_response/writeup.jsp?docid=2011-121202-4242-99

MalwareC2DGA_Kraken

 

MalwareC2DGA_Locky

Locky ransomware uses an encrypted C2 channel and is typically delivered via a downloader in a MS-Office Macro or JavaScript. Once executed, Locky encrypts and renames files with a 16-character prefix to the unique victim ID and a .locky extension. It then displays the extortion notice with instructions for the victim to make payment and receive the decryption key.

https://blog.malwarebytes.org/threat-analysis/2016/03/look-into-locky/

MalwareC2DGA_Madmax

The Mad Max malware is believed to be a targeted Trojan which uses a DGA for C2. It was observed dropping several DLLs onto the infected computers, which are then executed via rundll32.exe. The malware's DGA heavily uses obfuscation.

https://www.arbornetworks.com/blog/asert/mad-max-dga

MalwareC2DGA_Matsnu

Matsnu is a Trojan backdoor ransomware. Its DGA builds 24-character domains from words in a built-in list, combined in a noun-verb-noun-verb pattern.

https://threatpost.com/matsnu-botnet-dga-discovers-power-of-words/109426/

MalwareC2DGA_Murofet

Murofet (also called LICAT) is a variant of the Zeus banking trojan. This blended threat uses the Licat worm to add malicious code to any .exe or .dll file it finds. It uses a DGA to identify the pseudo-randomly generated domains used to host encrypted configurations which it downloads and decrypts. The configuration file contains details of which information to log from the user's machine--typically banking information--and details on where to upload that information.

http://community.websense.com/blogs/securitylabs/archive/2010/10/14/murofet-domain-generation-ala-conficker.aspx

MalwareC2DGA_Necurs

Necurs creates four DGA-based domains which it uses for anti-analysis and a connectivity check. This is followed by up to 2048 domains using 43 different TLDs. The domains are rotated every four

https://www.johannesbader.ch/2015/02/the-dgas-of-necurs/

MalwareC2DGA_Neverquest

Neverquest is a banking Trojan that spreads itself via social media, email and file transfer protocols. It possesses the capacity to recognize hundreds of online banking and other financial sites. When an infected user attempts to login to one of the sites, the Trojan reacts by activating itself and pilfering its victim's credentials. Neverquest then relays the stolen credentials back to a command and control server.

http://blog.kaspersky.com/neverquest-trojan-built-to-steal-from-hundreds-of-banks/

MalwareC2DGA_Nymaim

Nymaim is a Trojan downloader which installs other malware such as ransomware and information stealers. Nymaim uses web injects and obfuscates both its own instructions and those of its payload.

https://www.proofpoint.com/us/what-old-new-again-nymaim-moves-past-its-ransomware-roots-0

MalwareC2DGA_Padcrypt

 

MalwareC2DGA_Pandabanker

Panda Banker is a banking Trojan that is mainly spread via email attachments containing a downloader. It can also be delivered by exploit kits including Angler, Nuclear, and Neutrino. As with many other banking trojans, Panda Banker sends and receives commands from the C&C server. Responses from the C&C come in as obfuscated JSON data which contains URL locations to further download modules and config files for the malware. Panda Banker borrows code from earlier banking trojans like Zeus and generates fraudulent transactions with the support of Automatic Transfer Systems, a type of banking web inject that automates online bank portal actions.

https://www.proofpoint.com/us/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market

MalwareC2DGA_Pizd

Discovered in early 2013, Pizd refers to a DGA family that uses a pseudo-random algorithm to generate a total of 32,768 possible domain names. These domain names are created by concatenating two pseudo-randomly selected words from a 384-word list of common English words. While the exact malware family that uses this DGA is unknown at this time, the malware variant(s) observed in 2013 were delivered by e-mail imitating a Facebook service. Such emails contained zip file attachments embedded with obfuscated Trojan downloaders. Once victims were persuaded to allow the files to run, the malware was observed downloading payloads from a successfully connected DGA domain, which were then written to the %TEMP% directory under the name g53<random>arg.exe.

https://www.rsaconference.com/writable/presentations/file_upload/br-r01-end-to-end-analysis-of-a-domain-generating-algorithm-malware-family.pdf

MalwareC2DGA_Proslikefan

First emerging in September 2012, Proslikefan is a JavaScript worm which propagates by copying itself to external drives, mapped network shares, and file-sharing applications. On execution, it contacts remote servers that are either hardcoded into its program or generated by a Domain Generation Algorithm (DGA) to download additional files onto the compromised devices. Proslikefan has been observed to mainly target Brazil, where it was the second most common malware family in Q4 2014.

https://www.f-secure.com/v-descs/worm_js_proslikefan.shtml

MalwareC2DGA_Pushdo

Cutwail, otherwise known as Pushdo, is a spamming botnet that sends a wide range of campaigns promoting fake pharmaceuticals, designer rip-offs, pirated software, fake ACH notifications, fake Facebook friend requests, fake airline ticket confirmations, as well as other scams. It also sends spam emails with malicious attachments, usually within a Zip file. Cutwail is a spamming engine that lures users to malicious or compromised web sites, triggering a series of exploits that injects the Pushdo Trojan into the user's PC memory.

http://www.techrepublic.com/blog/security/pushdocutwail-botnet-second-to-none-when-it-comes-to-spamming/1637

MalwareC2DGA_Pykspa

Pykspa, also called Pykse, Skyper, or SkypeBot, is an instant messaging worm. Its domain generation algorithm uses an index routine and seed values to determine the C2 domain.

https://www.johannesbader.ch/2015/03/the-dga-of-pykspa/

MalwareC2DGA_Qadars

 

MalwareC2DGA_Qakbot

Qakbot is a multi-component threat that remains prevalent since its first emergence in 2007. Early variants of this malware used constant file names which had the string 'qbot' in them and utilized a single layer of encryption for their configuration files. Later variants, however, set the configuration files' attribute to Hidden and used random names for their component files and folders. These also doubled their configuration files' encryption, which made them harder to decrypt and analyze. Qakbot's payloads include malware infection and information theft.

http://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/80/qakbot-a-prevalent-infostealing-malware

MalwareC2DGA_Ramdo

 

MalwareC2DGA_Ramnit

This malware family steals your sensitive information, such as your bank usernames and passwords. It can also give a malicious hacker access and control of your PC, and stop your security software from running. These threats can be installed on your PC through an infected removable drive, such as a USB flash drive.

http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32/Ramnit

MalwareC2DGA_Ranbyus

Ranbyus is a banking Trojan that uses form grabbers based on the targeted payment software and bypasses smartcard transaction signing.

http://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/

MalwareC2DGA_Ransomware

Ransomware is a class of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator of the malware in order for the restriction to be removed. Some forms of ransomware encrypt files on the system's hard drive, while some may simply lock the system and display messages intended to coax the user into paying.

https://en.wikipedia.org/wiki/Ransomware

MalwareC2DGA_Shifu

Shifu is a Japanese banking Trojan which employs anti-analysis techniques, web injection, screen grabber, remote access, and other capabilities.

https://securityintelligence.com/shifu-masterful-new-banking-trojan-is-attacking-14-japanese-banks/

MalwareC2DGA_Shiz

Infostealer.Shiz is a Trojan horse that steals confidential information from the compromised computer.

http://www.symantec.com/security_response/writeup.jsp?docid=2011-121202-4242-99

MalwareC2DGA_Simda

Simda is an information stealer which may redirect compromised systems to sites the attackers control, install additional payloads, and steal banking credentials.

https://www.us-cert.gov/ncas/alerts/TA15-105A

MalwareC2DGA_Sinowal

Torpig, otherwise known as Sinowal, is a botnet that steals financial information and can affect computers that use Microsoft Windows. Through the use of rootkit technology, Torpig avoids detection by anti-virus applications, and hides its presence from the operating system. Torpig is then able to intercept credentials and account information and could potentially allow the criminals unfettered access to the infected computer. Torpig is capable of injecting additional content and fields into targeted websites, visible only on the infected machine, with the intention of tricking victims into providing sensitive details that the malware can transmit back to its controllers.

http://en.wikipedia.org/wiki/Torpig

MalwareC2DGA_Sisron

Sisron is a trojan that is dropped onto a system by other malware or by a file downloaded unknowingly by the user. It steals personal information from the compromised system and also generates unwanted advertisements. Its C&C communication uses a time-based domain generation algorithm (DGA). Sisron sends and receives data from the C&C and at times downloads additional malware for secondary infections and persistence.

https://labs.vipre.com/dga-malware-usage-and-known-infections-part-2/

MalwareC2DGA_Sphinx

In 2016, Zeus Sphinx mainly targeted banks and Boleto payment services in Brazil and Colombia. More recently, in 2017, it shifted its campaign to attack banks primarily based in Canada, Australia, and the USA. Like many other banking trojans, Sphinx uses man-in-the-middle web injections to steal banking information from sessions initiated by victims. This information is subsequently used to cash out accounts from the victim's own device. Its distribution methods are emails loaded with malicious VBA and malvertising.

https://whitehatcheryl.wordpress.com/2017/01/29/update-zeus-sphinx-trojan-is-back/

MalwareC2DGA_Suppobox

Suppobox (also called Kazy) is a trojan downloader.

http://www.enigmasoftware.com/kazytrojan-removal/

MalwareC2DGA_Symmi

Symmi is an adware Trojan that comes bundled with software installers. It may modify system files, add folders, create Windows tasks, and load ads into the web browser.

https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Symmi-C.aspx

MalwareC2DGA_Tempedreve

The Tempedreve worm spreads through removable media, network drives, and files from the infected computer. On infected computers it changes settings, creates services, and modifies certain file types. Tempedreve uses web injects and JavaScript to steal data which it sends to C2 servers.

https://www.symantec.com/security_response/writeup.jsp?docid=2015-010207-2218-99

MalwareC2DGA_TinyBanker

Tinba got its name from its extraordinarily small size -- its code is approximately 20 kilobytes in size, a remarkably small number for banking malware. Tinba is a combination of the words tiny and banker; the same malware is also known as Tinybanker and Zusy. Tinba is delivered onto user systems via the Blackhole exploit kit, and is aimed primarily at users in Turkey. The capabilities of this malware are broadly similar to other similarly sophisticated info-stealing malware families. Using web injects, it steals the login information from websites, particularly those located in Turkey.

http://blog.trendmicro.com/trendlabs-security-intelligence/the-tinbatinybanker-malware/

MalwareC2DGA_UrlZone

TrojanSpy:Win32/Bebloh.A is a Trojan that monitors and captures logon credentials to certain online banking and financial institutions. The Trojan also changes Windows settings, forces use of Internet Explorer as a Web browser and may be used by an attacker to withdraw funds from online banking accounts.

http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=TrojanSpy:Win32/Bebloh.A

MalwareC2DGA_Vawtrak

Vawtrak first made the rounds via attachments to fake shipping notification emails in August 2013. This 2013 variant stole credentials from several Windows email clients, however, more recent Vawtrak variants have expanded their capabilities to include a wider range of theft. Among these capabilities were banking Trojan routines such as stealing banking credentials and credit card information. Vawtrak is noteworthy because its routines have vastly 'improved' from simple information theft to stealing banking data from certain banking institutions in Japan. Vawtrak is also notable because its routines make malware cleanup difficult. Vawtrak restricts users from running files related to antivirus software by adding specific registry entries to infected systems.

http://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/3141/vawtrak-plagues-users-in-japan

MalwareC2DGA_Vidro

Vidro is an SMS Trojan which targets Android-based mobile devices. Upon execution, the malware sends SMS messages after gaining access to a number of permissions including 'SEND_SMS' and 'RECEIVE_SMS'. Installation of Vidro is dependent on a user with physical access to the device. Vidro Trojans have been largely distributed on unregulated third-party Android markets and forums.

http://www.armorforandroid.com/protection-center/threat/armor-trojan-vidro/

MalwareC2DGA_Virut

 

MalwareC2DGA_Volatile

The threat landscape is constantly changing, new threat properties are routinely added to classify indicators that don't fall under other properties.

MalwareC2DGA_Xpaj

XPAJ enters users' computers through different methods. XPAJ can be dropped by other malware or downloaded unknowingly through visiting malicious sites. Once inside the system, XPAJ drops its encrypted mother file. XPAJ variants infect system files with the extensions .DLL, .EXE, .SCR, and .SYS. While other malware usually create registry entries to automatically load at system start-up, XPAJ variants infect the MBR, which causes the malware to load before the operating system (OS). This makes removal of XPAJ malware even more difficult.

http://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/118/xpaj-back-with-a-vengeance

MalwareC2DGA_Zeus

Zeus, ZeuS, or Zbot is a family of banking Trojans that comprises numerous variants and has spawned multiple copy-cats. Its capabilities include keylogging, remote access, and installing additional payloads.

https://en.wikipedia.org/wiki/Zeus_(malware)

Malware Download

A piece of software used for criminal activity.

Id

Description

MalwareDownload_AgentTesla

Agent Tesla is an information stealer known as a key logger that has grown in functionalities since its first known appearance in 2014. Designed to be an easy-to-use remote access tool for allegedly personal use, Agent Tesla monitors victims and collects keystrokes, clipboard data, and credentials from various applications, as well as other information. It then exfiltrates the stolen data to its command and control, often via SMTP protocol to an email address or via an FTP server.

https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

MalwareDownload_Asprox

Originally used for phishing scams, the Asprox botnet has more recently been known for its use of other bots to discover vulnerable Active Server Pages (ASP) on poorly configured websites. Once the vulnerable ASP is discovered, the bots attempt SQL injection attacks in order to infect the website. The website compromised by Asprox then silently serves exploit code to deliver malware to website visitors. The visitors' now-infected PCs then seek out new vulnerable websites to compromise and the Asprox infection continues to proliferate.

http://antivirus.about.com/od/virusdescriptions/p/asprox.htm

MalwareDownload_Azorult

Azorult is an infostealer-type trojan. It is delivered as a follow-on payload by other malware, such as Seamless. After infecting a system, Azorult collects system information, user data such as chat histories and passwords, and cryptocurrency wallets, and sends them back to its C2.

https://malwarebreakdown.com/2017/11/12/seamless-campaign-delivers-ramnit-via-rig-ek-at-188-225-82-158-follow-up-malware-is-azorult-stealer/

MalwareDownload_BackdoorRAT

A Remote Access Tool (RAT) is a tool used to remotely access infected machines in order to control the machine and perform actions without the knowledge of the infected machine's user. RATs can be used to modify, view, and steal files as well as command the machine to download additional files from remote servers.

MalwareDownload_BadRabbit

BadRabbit has been identified as a new ransomware variant. The attack involved distributing a malware dropper through drive-by attacks. No exploits were used. Victims download a fake Adobe Flash installer from infected websites and manually launch the .exe file, thus infecting themselves. Most of the victims of these attacks are located in Russia. This attack has also been seen in Ukraine, Turkey, and Germany. This ransomware has infected devices through a number of hacked Russian media websites. Based on an investigation, this is a targeted attack against corporate networks, using methods similar to those used in the ExPetr attack.

https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/

MalwareDownload_Betabot

Betabot has been publicly known since March 2013 as a Trojan that disables antivirus software on infected systems by terminating the AV software processes.

https://krebsonsecurity.com/tag/betabot/

MalwareDownload_Boleto

Boleto is a popular payment system unique to Brazil. Given its popularity, the payment system is frequently targeted by criminals who attempt to defraud and extort funds from Boleto users. Malware targeting Boleto users has risen in recent years. Currently, there are three known malware families targeting the payment system: Trojan.Eupuds, Infostealer.Boleteiro, and Infostealer.Domingo. These malware families resemble modern financial Trojans, and attacks are mainly focused on browser hijacking for the purpose of intercepting and altering the ID number and barcode of the electronic Boleto bill. The main infection vectors of Boleto malware are spam emails and DNS hijacking.

https://en.wikipedia.org/wiki/Boleto

MalwareDownload_Brushaloader

Brushaloader is a downloader that was first discovered in June 2018 and drops banking trojans, such as Ursnif, Danabot, and Dreambot. Brushaloader campaigns have mostly targeted European countries including Poland, Ukraine, Italy, Germany and Austria. The campaigns mainly distribute the malware using email lures that are embedded with malicious attachments or hyperlinked texts. Brushaloader uses a PowerShell script called PowerEnum to extensively profile the victim machine, and uses that information to determine the final stage payload.

https://www.infoblox.com/wp-content/uploads/threat-intelligence-report-brushaloader-malware.pdf

MalwareDownload_Bugat

The Bugat Trojan harvests information during online banking sessions to commit fraudulent ACH and wire transfer transactions. These transactions target mostly small to mid-sized businesses, yielding high-value losses.

http://www.bankinfosecurity.com/articles.php?art_id=3011

MalwareDownload_Cerber

Cerber is a sophisticated "Ransomware-as-a-Service" platform commonly sold to malware distributors on Russian forums. It is typically delivered through malicious email attachments or by Exploit Kits such as RIG and Magnitude. Once executed it encrypts and renames files with a 10-character prefix and, typically, a '.cerber' extension. When encryption is complete, the encryption key is sent to the C2 server and an extortion notice is displayed to the victim. Cerber's notice also offers to decrypt a single file for free in order to show the victim that it works.

https://www.checkpoint.com/resources/cerberring/

MalwareDownload_ChinAd

ChinAd is a trojan adware class malware that targets Windows-based operating systems. Trojan ChinAd is commonly distributed when victims download fake Windows updates or other third-party bundled programs. Trojan.ChinAd copies its files to the victim's hard disk and runs itself with a new startup key in the registry with the name Trojan.ChinAd and a typical value of [randomname].exe. Common after-effects of a ChinAd infection include the display of warning messages about corrupted Windows system files, disabling of antivirus software, and changes to browser configurations.

http://www.spywaretechs.com/remove-trojan-chinad/

MalwareDownload_Cridex

Cridex is a banking Trojan which, like ZeuS, will harvest information gathered from web sessions. Cridex lures an unsuspecting user into downloading the Trojan through a seemingly legitimate email notification prompting them to click a link. Once a user is infected, the Trojan then is able to steal online banking and email account credentials, and is able to use the victim's online identity to complete browsing activities, including registering new email accounts which are later used to proliferate the Cridex bot.

http://community.websense.com/blogs/securitylabs/archive/2012/01/30/trojan-caught-on-camera-shows-captcha-is-still-a-security-issue.aspx

MalwareDownload_CryptoLocker

CryptoLocker is a ransomware Trojan which targets computers running Microsoft Windows, and was first observed by Dell SecureWorks in September 2013. CryptoLocker propagates via infected email attachments, and via an existing botnet; when activated, the malware encrypts certain types of files stored on local and mounted network drives using RSA public-key cryptography, with the private key stored only on the malware's control servers. The malware then displays a message which offers to decrypt the data if a payment (through either Bitcoin or a pre-paid cash voucher) is made by a stated deadline, and threatens to delete the private key if the deadline passes. If the deadline is not met, the malware offers to decrypt data via an online service provided by the malware's operators, for a significantly higher price in Bitcoin.

http://en.wikipedia.org/wiki/CryptoLocker

MalwareDownload_Dridex

Dridex is a banking Trojan that has become one of the most dangerous financial threats in recent years. Dridex is distributed daily by the Necurs botnet through millions of malware laced spam e-mails. It leverages macros in Microsoft Office to compromise a computer and steal banking credentials and other sensitive information. A common attack chain observed throughout May/June of 2017 includes a spam email containing a malicious PDF as the initial vector. The attached PDF then drops and executes a DOCM containing a macro that launches a PowerShell script. The PowerShell fetches an encrypted binary from the C&C which is decrypted to drop and execute a malicious payload.

https://www.fireeye.com/blog/threat-research/2017/05/dridex_and_lockyret.html

MalwareDownload_Dromedan

Dromedan is a trojan horse that targets Windows-based platforms and downloads threats onto a compromised device via C&C communication. It sends out system information of the compromised device and receives instructions from the C&C. While running, Dromedan can perform several actions including: delete important system files arbitrarily, change browser settings, download malicious payloads from specific URLs and even install key loggers to record keystrokes.

http://www.remove-malware-tech.com/post/Useful-Guide-to-Remove-Downloader.Dromedan-from-Your-PC_23_40726.html

MalwareDownload_Dyreza

Dyreza is an online banking malware that is advertised as a spinoff of the infamous ZeuS banking malware. Dyreza variants arrive into users' systems mainly through spammed mails with malicious attachments. The spammed mail itself is almost always tailored to look like an invoice notification or similar to a notification involving banks/financial institutions, while the attachment is invariably a PDF file.

http://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/3139/the-dire-implications-of-dyreza

MalwareDownload_Emotet

Emotet is a banking Trojan and credential stealer that is commonly spread through spam emails. The target receives an email and is prompted to follow a link to download a Word document. The Word document then downloads the payload and executes it. Recent versions of Emotet have gained the ability to spread through internal networks with worm-like behavior rather than through spam emails.

https://www.fidelissecurity.com/threatgeek/2017/07/emotet-takes-wing-spreader

MalwareDownload_FakeAntivirus

The Fake AV Trojan simulates a legitimate anti-virus program, typically stylized as a well-known security program like Windows® Security Center. Fake AV gathers personal data and other information from an infected computer, while simultaneously attempting to sell rogue anti-malware. Users infected with this Fake AV will receive notifications that they are infected with various threats and will be advised that to remove these fake infections, they need to purchase these fake, official sounding anti-malware programs.

http://en.wikipedia.org/wiki/Rogue_security_software

MalwareDownload_Formbook

Formbook is an Infostealer sold both commercially and on the underground market for a relatively cheap price. It is capable of credential theft, keylogging, clipboard monitoring, taking screenshots, among other activities.

https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

MalwareDownload_Gandcrab

GandCrab ransomware was first publicly mentioned by malware researcher David Montenegro (https://twitter.com/CryptoInsane/status/956803455833853952) in January 2018. In July 2018, GandCrab released version 4. GandCrab encrypts files and appends '.GDCB' (version 1), '.CRAB' (versions 2 and 3), or '.KRAB' (version 4). GandCrab has been known to be distributed by the Necurs spambot, Grandsoft EK, Magnitude EK, and especially Rig EK.

https://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis

MalwareDownload_Generic

Because the threat landscape is constantly changing, each Infoblox classification contains a generic property to classify indicators that don't fall under any of the following specific properties for MalwareDownload.

MalwareDownload_Geodo

Related to Cridex/Bugat/Feodo, Geodo is a banking Trojan which incorporates an email worm. Once a host is infected, the bot downloads additional functionality to spread itself over email using stolen SMTP credentials.

https://feodotracker.abuse.ch/

MalwareDownload_GlobeImposter

Globeimposter is a ransomware that is typically distributed by malspam carrying malicious JavaScript downloaders as attachments. The downloader retrieves the Globeimposter ransomware payload in the form of an executable. Once executed, the ransomware encrypts files on the victim's device and appends the .crypt extension. Encrypted files are placed in folders along with a ransom note, an HTML file whose name contains 'back_files'. The ransom note contains instructions to contact a specific mail account in order to retrieve payment instructions and the ransom amount.

https://blog.malwarebytes.com/detections/ransom-globeimposter/

MalwareDownload_Gozi

Discovered in early 2007, Gozi is a banking trojan which has mainly targeted banks and financial services in Spain, Poland, and Japan. It exercises a number of delivery vectors, such as URL shortening services pointing to compromised sites or socially engineered emails laced with malicious attachments. After the victim's system has been compromised, Gozi uses dynamic web injection to target information from specific banks. Stolen banking information is then used to cash out the compromised banking accounts with the help of mules. Gozi uses a high degree of automation to optimize mule selection after profiling the victim.

http://www.securityweek.com/gozi-banking-trojan-campaigns-target-global-brands

MalwareDownload_Hancitor

Hancitor is a Trojan downloader which installs other malware such as ransomware and information stealers. It is typically distributed by spam emails that either link to a malicious document or attach one directly. When this document is opened, its embedded macros assemble and execute the Hancitor payload. After infecting the system, Hancitor communicates with a C2 to download and install additional malware. It then continues to monitor the infected system and deliver additional payloads as necessary.

https://threatpost.com/spammers-revive-hancitor-downloader-campaigns/123011/

MalwareDownload_Hawkeye

Sites associated with this Threat Property have been observed distributing the Hawkeye Keylogger for download. This keylogger is a commercially available product which attackers have been known to abuse. This malware records keystrokes, recovers passwords cached in browsers, and takes screenshots. Its configuration enables the attacker to transfer captured data via email, FTP, or a web panel.

https://www.isightpartners.com/2015/06/hawkeye-keylogger-campaigns-affect-multiple-industries

MalwareDownload_Heodo

Heodo is a banking Trojan and successor of Geodo / Emotet (Version C) that first appeared in March 2017. Infection begins when recipients click a masqueraded URL or open an email attachment for a fake invoice embedded with malicious macros. Its primary role is to steal credentials and e-banking information, which is subsequently used to access the bank accounts of innocent victims. Post-infection, the Trojan targets additional e-mail addresses by sending more malicious emails to known contacts extracted from the victim's email client. In addition to e-mail spreading, Heodo also has internal network propagation capabilities built in, as it scans the network for other computers and infects them by exploiting a weakness around Windows OS based network resources and shares.

http://www.prnewswire.com/news-releases/strains-of-mutant-malware-increasingly-evading-anti-virus-to-rob-bank-accounts-says-akouto-300510641.html

MalwareDownload_IcedID

IcedID is a banking trojan targeting services including payroll portals, banking sites, and e-commerce services. This trojan is quite advanced, with the ability to perform both web injection attacks and redirection attacks to gather a victim’s financial information. The ability to perform both types of attacks places IcedID alongside some of the most advanced modern banking trojans such as Zeus and Dridex.

https://exchange.xforce.ibmcloud.com/collection/Icedid-e1afb90c4217131cca5821d00f841838

MalwareDownload_IoTroop

IoTroop (a.k.a. IoT Reaper) is a new botnet family targeting IoT devices. Unlike Mirai, which gains access by brute-forcing IoT devices' default usernames and passwords, IoTroop exploits vulnerabilities in the devices themselves. According to the netlab360 blog post, the botnet has four components: downloader, controller, reporter, and loaders. Check Point, however, reports that the bot is self-propagating, which better fits the observed behaviour, and has published captures of the malicious traffic to back this up. An infected system contains a modified system file that opens a reverse shell back to the C2 using the netcat command. Infected devices also attack other vulnerable devices. Currently, there is no evidence of DDoS activity originating from this botnet. Based on current information, three properties cover this threat: MalwareC2_Iotroop is the command and control infrastructure that controls and tasks infected devices (bots), MalwareDownload_Iotroop hosts the binary samples that bots download, and Bot_Iotroop is the infected devices themselves.

https://research.checkpoint.com/new-iot-botnet-storm-coming/

MalwareDownload_Jaff

Launched on May 11, 2017, Jaff is a ransomware variant that shares several characteristics with the Locky ransomware. It is heavily distributed by the Necurs botnet and uses spam e-mail messages laced with malware as its attack vector. During its initial campaigns, global sensors detected huge numbers of fake-invoice malspam with PDF attachments containing embedded .docm documents. These documents made connections to the Jaff ransomware payload URL. After payload execution, Jaff encrypts files using AES encryption and appends the .jaff extension. Its payment site bears a strong resemblance to Locky's.

http://blog.talosintelligence.com/2017/05/jaff-ransomware.html

MalwareDownload_Locky

Locky distribution URL. Locky ransomware uses an encrypted C2 channel and is typically delivered via a downloader in an MS Office macro or JavaScript. Once executed, Locky encrypts and renames files with a 16-character prefix of the unique victim ID and a .locky extension. It then displays the extortion notice with instructions for the victim to make payment and receive the decryption key.

https://blog.malwarebytes.org/threat-analysis/2016/03/look-into-locky/

MalwareDownload_Lokibot

Lokibot was first seen in 2015 as a Windows password stealer, cryptocurrency wallet stealer, and keylogger. More recently, Lokibot has been observed forked to run on Android.

https://www.cyber.nj.gov/threat-profiles/android-malware-variants/lokibot

MalwareDownload_MaliciousApp

An application that runs on a mobile platform created for the sole purpose of conducting fraud. Typically, malicious apps download a form of malware onto the user's mobile device to steal sensitive data or send spam from the device.

MalwareDownload_Malvertising

An advertisement on a website or ad network set up to infect viewers with malware either every time it is seen or at various intervals based on the time or number of hits.

MalwareDownload_Mirai

A second-stage downloader for the Mirai botnet. Mirai is an Internet of Things (IoT) bot that infects Linux-based systems. The malware mostly targets Internet-accessible cameras and routers. The Mirai botnet has been used in some highly disruptive DDoS attacks that have brought down service providers such as OVH and Dyn DNS. The malware infects IoT devices by trying to remotely log in using a hard-coded dictionary of common factory-default usernames and passwords.

https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html

MalwareDownload_Nemucod

Nemucod is a trojan that downloads malware to a compromised computer. Nemucod has been widely observed spreading through spam or phishing emails distributed by botnets such as Necurs. These e-mails carry weaponized attachments, such as a zip archive embedding the Nemucod downloader. Victims are persuaded to extract the file, unaware that it contains a malicious executable JavaScript file. If the victim falls for the trap and executes the file, it generates several obfuscated download URLs. These download URLs have been observed to drop ransomware, backdoor Trojans, and other malware.

https://www.cisecurity.org/malware-analysis-report-nemucod-ransomware/

MalwareDownload_Pandabanker

Panda Banker is a banking Trojan that is mainly spread via email attachments containing a downloader. It can also be delivered by exploit kits including Angler, Nuclear, and Neutrino. As with many other banking trojans, Panda Banker sends and receives commands from the C&C server. Responses from the C&C come in as obfuscated JSON data which contains URL locations to further download modules and config files for the malware. Panda Banker borrows code from earlier banking trojans like Zeus and generates fraudulent transactions with the support of Automatic Transfer Systems, a type of banking web inject that automates online bank portal actions.

https://www.proofpoint.com/us/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market

MalwareDownload_Petya

Petya is a ransomware family, first identified in 2016, which encrypts files on the victim's hard drive as well as overwriting and encrypting the Master Boot Record (MBR) and Master File Table (MFT) of NTFS partitions.

https://en.wikipedia.org/wiki/2017_Petya_cyberattack

MalwareDownload_Proslikefan

Proslikefan, which first emerged in September 2012, is a JavaScript worm that propagates by copying itself to external drives, mapped network shares, and file-sharing applications. On execution, it contacts remote servers that are either hardcoded into its program or generated by a Domain Generation Algorithm (DGA) to download additional files onto the compromised device. Proslikefan has been observed to mainly target Brazil, where it was the second most common malware family in Q4 2014.

https://www.f-secure.com/v-descs/worm_js_proslikefan.shtml

MalwareDownload_Qakbot

Qakbot is a multi-component threat that remains prevalent since its first emergence in 2007. Early variants of this malware used constant file names which had the string "qbot" in them and utilized a single layer of encryption for their configuration files. Later variants, however, set the configuration files' attribute to Hidden and used random names for their component files and folders. These also doubled their configuration files' encryption, which made them harder to decrypt and analyze. Qakbot's payloads include malware infection and information theft.

http://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/80/qakbot-a-prevalent-infostealing-malware

MalwareDownload_QuantLoader

Quant Loader is a dropper or downloader type of malware, typically delivered through malicious emails and targeting systems running a Windows OS. As a dropper, Quant Loader is used to download and install additional malware. It has been observed hiding itself in the user's AppData directory and adding 'allow' outbound rules to Windows Firewall for loading other malware. It maintains persistence on infected systems by adding autorun registry keys.

https://blogs.forcepoint.com/security-labs/quantize-or-capitalize

MalwareDownload_Ransomware

Ransomware is a class of malware which restricts access to the computer system that it infects, and demands a ransom paid to the creator of the malware in order for the restriction to be removed. Some forms of ransomware encrypt files on the system's hard drive, while some may simply lock the system and display messages intended to coax the user into paying.

https://en.wikipedia.org/wiki/Ransomware

MalwareDownload_Shylock

Shylock was a Trojan that would target customers of certain financial institutions. When the infected machine would load the page of a specific bank login page in a web browser, the malware would steal the banking credentials via man-in-the-browser attacks. Afterwards, it would send the information to various C&C servers while receiving additional instructions. Shylock malware explicitly targeted European banks for a majority of its existence but briefly began targeting U.S. Bank before it was disabled.

http://securelist.com/blog/research/64599/shylockcaphaw-malware-trojan-the-overview/

MalwareDownload_Sisron

Sisron is a trojan that is dropped onto a system by other malware or by a file downloaded unknowingly by the user. It steals personal information from the compromised system and also generates unwanted advertisements. Its C&C communication uses a time-based domain generation algorithm (DGA). Sisron sends and receives data from the C&C and at times downloads additional malware for secondary infections and persistence.

https://labs.vipre.com/dga-malware-usage-and-known-infections-part-2/

MalwareDownload_SmokeLoader

Smoke Loader is typically downloaded through email attachments that spoof online order receipts. Once installed, Smoke Loader can download and install additional malware and steal login credentials from browser sessions and email clients. Smoke Loader is capable of remaining hidden by bypassing UAC and disabling antivirus software.

http://stopmalvertising.com/rootkits/analysis-of-smoke-loader.html

MalwareDownload_Sphinx

In 2016, Zeus Sphinx mainly targeted banks and Boleto payment services in Brazil and Colombia. More recently in 2017, it shifted its campaign to attack banks primarily based in Canada, Australia and USA. Like many other banking trojans, Sphinx uses man-in-the-middle webinjections to steal banking information initiated by victims. This information is subsequently used to cash out accounts from the victim's own device. Its distribution methods are emails loaded with malicious VBA and malvertising.

https://whitehatcheryl.wordpress.com/2017/01/29/update-zeus-sphinx-trojan-is-back/

MalwareDownload_TaurusProject

Taurus Project is an information stealer offered on Russian hacking markets and a derivative of Predator the Thief. It became available in April 2020. Its operators use hidden download URLs in the HTML of an email, as well as trojan attachments that lead to download URLs. The actor reuses the hidden URLs (Google Drive, GitHub, Teknik) for a long period of time (we have seen ~60 days so far).

https://blogs.infoblox.com/security/new-malware-variant-project-taurus-infostealer-follows-in-predator-the-thiefs-footprints/

MalwareDownload_TeslaCrypt

TeslaCrypt distribution URL

http://www.kaspersky.com/internet-security-center/threats/teslacrypt

MalwareDownload_TrickBot

Considered Dyreza's successor, the TrickBot banking Trojan has mainly targeted the financial sector including private banks, wealth management firms, investment banking, insurance and annuity companies. Since September 2016, this malware family has been delivered in a number of ways from malvertising campaigns involving Rig Exploit Kit to use of the Necurs botnet. Once deployed, TrickBot downloads malicious modules onto the compromised system to perform man-in-the-browser attacks for credential theft. The bot continues to stay in touch with the C&C via SSL encrypted communication.

https://blogs.forcepoint.com/security-labs/trickbot-spread-necurs-botnet-adds-nordic-countries-its-targets

MalwareDownload_Upatre

Upatre is a downloader commonly distributed via email either as attachments or a link to a remote server. If linked to a remote server, the server will gather system information to determine if the machine is exploitable. The browser will be redirected to a legitimate website if the OS is not supported and a zip file containing the newest variant of Upatre will be prompted for download if the machine is exploitable. Once installed, Upatre will connect to C&C servers and provide system information as well as download additional malware such as Dyreza banking Trojan.

MalwareDownload_Ursnif

Ursnif is a banking trojan that began as a variant of the popular Gozi banking trojan but has since evolved into a legitimate threat in its own right. It is most frequently distributed through malicious email attachments that purport to be invoices or other important documents. One notable advancement of Ursnif over Gozi is its use of redirection attacks to steal sensitive banking information. These attacks redirect users' DNS requests for banking sites to servers controlled by the Ursnif operator before connecting them to the real banking website. This process allows the Ursnif operators to steal the user's credentials without being detected by the bank's anti-fraud mechanisms.

https://securityintelligence.com/ursnif-v3-emerges-targets-australian-bank-customers-with-redirection-attacks/

MalwareDownload_Vawtrak

Vawtrak first made the rounds via attachments to fake shipping notification emails in August 2013. This 2013 variant stole credentials from several Windows email clients, however, more recent Vawtrak variants have expanded their capabilities to include a wider range of theft. Among these capabilities were banking Trojan routines such as stealing banking credentials and credit card information. Vawtrak is noteworthy because its routines have vastly "improved" from simple information theft to stealing banking data from certain banking institutions in Japan. Vawtrak is also notable because its routines make malware cleanup difficult. Vawtrak restricts users from running files related to antivirus software by adding specific registry entries to infected systems.

http://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/3141/vawtrak-plagues-users-in-japan

MalwareDownload_Vidro

Vidro is an SMS Trojan that targets Android-based mobile devices. Upon execution, the malware sends SMS messages after gaining access to a number of permissions including 'SEND_SMS' and 'RECEIVE_SMS'. Installation of Vidro is dependent on a user with physical access to the device. Vidro Trojans have been largely distributed on unregulated third-party Android markets and forums.

http://www.armorforandroid.com/protection-center/threat/armor-trojan-vidro/

MalwareDownload_Virut

Virut is a malware botnet that is known to be used for cybercrime activities such as DDoS attacks, spam (in collaboration with the Waledac botnet), fraud, data theft, and pay-per-install activities. It spreads through executable file infection (through infected USB sticks and other media) and, more recently, through compromised HTML files (thus infecting vulnerable browsers visiting compromised websites).

http://en.wikipedia.org/wiki/Virut

MalwareDownload_Yahos

Yahos is a computer worm that infects machines connected to the LAN that the infected machine is currently on. The worm is distributed through the Facebook platform. Once infected, the Yahos worm continues to affect other machines on the network and enables them to remotely connect. Yahos also steals sensitive information.

MalwareDownload_ZeroAccess

Trojan.Zeroaccess is a Trojan horse that uses an advanced rootkit to hide itself. It can also create a hidden file system, download more malware, and open a back door on the compromised computer. The primary motivation of this threat is to make money through pay per click advertising. It does this by downloading an application that conducts Web searches and clicks on the results. The threat is also capable of downloading other threats on to the compromised computer, some of which may be Misleading Applications that display bogus information about threats found on the computer and scare the user into purchasing fake antivirus software to remove the bogus threats. It is also capable of downloading updates of itself to improve and/or fix functionality of the threat.

http://www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99

MalwareDownload_Zeus

Zeus is a financially motivated malware family targeting Microsoft Windows. It was first detected in 2007, and its source code was published in 2010. Once a machine is infected, Zeus turns it into a bot in a botnet and collects banking account credentials. Zeus propagates through malspam and drive-by download, the latter usually served from a compromised machine.

https://zeustracker.abuse.ch/index.php

Parked Domain

A parked domain (or parking a domain) refers to a domain that has not been established and is serving temporary content on its base page. Most parked domains are used to generate income by serving dynamically-loaded advertisements. From a network security perspective, there is no value in allowing an employee to visit parked domains, which serve content that is unrelated to legitimate business activity. In fact, the strong presence of dynamically-served advertising content on parked domains makes them good platforms from which to run malvertising. Cyber criminals often park their domains before repurposing them for use at the beginning or end of an attack chain, or as a decoy site during a malicious campaign.

https://blog.malwarebytes.com/threat-analysis/2017/09/expired-domain-names-and-malvertising/

Id

Description

Parked_IDNHomograph

The internationalized domain name (IDN) mechanism allows domain name creators to use Unicode characters for domain labels. Many Unicode characters are visually similar to ASCII characters used in popular authoritative domain names. Illegitimate users often reserve IDN domains that are similar to popular authoritative ASCII domains (e.g. http://jpmorgan.com, http://amazon.com, http://google.com), and then embed dynamically-loaded advertisements on the default page via parking services, an activity known as domain parking. IDN domains generally gather more traffic compared to common parked domains. Malicious actors often use parked IDN domains as a platform to run malicious advertisements.

https://blog.malwarebytes.com/threat-analysis/2017/09/expired-domain-names-and-malvertising/

Parked_Typosquat

Typosquatting is the practice of registering domains that appear to be misspelled due to a natural human typo. Illegitimate users monetize these kinds of domains by embedding dynamically-loaded advertisements on the default page via parking services, an activity also known as domain parking. Typosquat domains generally gather more traffic compared to common parked domains because of their similar spelling to popular authoritative domains. Malicious actors often use parked typosquats as a platform to run malicious advertisements.

https://blog.malwarebytes.com/threat-analysis/2017/09/expired-domain-names-and-malvertising/

Phishing

A way to trick you into giving out your personal or financial information. Phishers may use phony websites or email messages that look like they are from a trusted business. Their goal is to get you to reveal your personal information, such as your user names, passwords, or credit card numbers.

http://www.microsoft.com/security/portal/mmpc/shared/glossary.aspx

Id

Description

Phishing_COVID19

This property tracks threat actors' use of COVID-19 in their malware campaigns, as added strings, phishing themes or registered domains. During the COVID-19 outbreak threat actors are using this theme to blend in with the high volume of email and news coverage.

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/coronavirus-used-in-spam-malware-file-names-and-malicious-domains

Phishing_Generic

Because the threat landscape is constantly changing, each Infoblox classification contains a generic property to classify indicators that don't fall under any of the following specific properties for Phishing.

Phishing_Lookalike

A domain that we or a trusted source have found to be imitating another domain, and associated with phishing activity.

Phishing_Phish

A threat which attempts to steal user credentials by claiming to be the legitimate service.

Phishing_PhishKitComponent

A file, image or post location that supports a phishing attack.

Phishing_Smishing

An indicator that we or a trusted source have assessed to be involved in smishing (phishing via SMS messaging).

Policy Violation

Indicators that are not fundamentally malicious but may be used to enforce company policy and in some cases potentially mitigate threats.

Id

Description

Policy_AbusedTLD

A Top Level Domain (.com, .org, etc.) reported as frequently used by cybercriminals for threat activity.

Policy_Bitcoin

Bitcoin is an online payment network. Bitcoins are frequently the currency of choice for criminal activity because currency exchange does not require a third party like a financial institution. Thus, tracking of Bitcoin related data is desirable due to the correlation between Bitcoin and potentially fraudulent activity.

Policy_BogonRFC1122

RFC 1122, the specialized address blocks that refer to source hosts on 'this' network and to broadcast on the local ('own') network.

https://tools.ietf.org/html/rfc1122

Policy_BogonRFC1918

RFC 1918, Address Allocation for Private Internets

https://tools.ietf.org/html/rfc1918

Policy_BogonRFC2544

RFC 2544, Benchmarking Methodology for Network Interconnect Devices.

https://www.ietf.org/rfc/rfc2544.txt

Policy_BogonRFC3927

RFC 3927, Dynamic Configuration of IPv4 Link-Local Addresses

https://tools.ietf.org/html/rfc3927

Policy_BogonRFC5736

RFC 5736, IANA IPv4 Special Purpose Address Block to support IETF protocol assignments.

https://tools.ietf.org/html/rfc5736

Policy_BogonRFC5737

RFC 5737, IPv4 Address Blocks Reserved for Documentation.

https://tools.ietf.org/html/rfc5737

Policy_BogonRFC6598

RFC 6598, IANA Reserved IPv4 Prefix for Shared Address Space for Carrier Grade NAT (CGN) devices. Used to number interfaces which connect CGN devices to Customer Premises Equipment (CPE).

https://tools.ietf.org/html/rfc6598
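As an added example (not part of the Infoblox guide), the following Python maps an IPv4 address onto the Policy_Bogon* properties listed above, using the prefixes reserved by the RFC each property is named after, and flags DNS answers that resolve into that space. The answer records are constructed for the example.

```python
"""Classify IPv4 addresses into the Policy_Bogon* properties described above.

Added example, not code from the Infoblox guide. The property names are the
page's; the prefixes are the ones reserved by the RFC each property cites.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network

# Property name -> the address blocks its RFC reserves.
BOGON_PROPERTIES: Dict[str, List[IPv4Net]] = {
    # "This" network, loopback and limited broadcast (RFC 1122, section 3.2.1.3)
    "Policy_BogonRFC1122": [
        ipaddress.ip_network("0.0.0.0/8"),
        ipaddress.ip_network("127.0.0.0/8"),
        ipaddress.ip_network("255.255.255.255/32"),
    ],
    # Private-use address space (RFC 1918)
    "Policy_BogonRFC1918": [
        ipaddress.ip_network("10.0.0.0/8"),
        ipaddress.ip_network("172.16.0.0/12"),
        ipaddress.ip_network("192.168.0.0/16"),
    ],
    # Benchmarking / device testing range (RFC 2544)
    "Policy_BogonRFC2544": [ipaddress.ip_network("198.18.0.0/15")],
    # IPv4 link-local (RFC 3927)
    "Policy_BogonRFC3927": [ipaddress.ip_network("169.254.0.0/16")],
    # IETF protocol assignments block (RFC 5736)
    "Policy_BogonRFC5736": [ipaddress.ip_network("192.0.0.0/24")],
    # TEST-NET-1/2/3, reserved for documentation (RFC 5737)
    "Policy_BogonRFC5737": [
        ipaddress.ip_network("192.0.2.0/24"),
        ipaddress.ip_network("198.51.100.0/24"),
        ipaddress.ip_network("203.0.113.0/24"),
    ],
    # Shared address space for carrier-grade NAT (RFC 6598)
    "Policy_BogonRFC6598": [ipaddress.ip_network("100.64.0.0/10")],
}


def classify_bogon(address: str) -> Optional[str]:
    """Return the Policy_Bogon* property an IPv4 address falls under, or None.

    Malformed strings and IPv6 addresses return None instead of raising, so the
    function can be applied directly to untrusted fields pulled from logs.
    """
    try:
        ip = ipaddress.ip_address(address.strip())
    except ValueError:
        return None
    if ip.version != 4:
        return None
    for prop, networks in BOGON_PROPERTIES.items():
        if any(ip in net for net in networks):
            return prop
    return None


def flag_bogon_answers(records: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Given (qname, A-record rdata) pairs from DNS responses, return those whose
    answer points into bogon space, tagged with the matching property.

    A public name resolving to private, documentation or CGN space is worth a
    look: it is typically a misconfiguration, a sinkholed domain, or an attempt
    to steer a client at internal addresses.
    """
    flagged = []
    for qname, rdata in records:
        prop = classify_bogon(rdata)
        if prop is not None:
            flagged.append((qname, rdata, prop))
    return flagged


# Constructed sample answers; names and addresses are illustrative only.
SAMPLE_ANSWERS: List[Tuple[str, str]] = [
    ("www.example.com", "203.0.113.10"),     # TEST-NET-3 -> RFC 5737
    ("update.example.net", "10.1.2.3"),      # private -> RFC 1918
    ("cgn.example.org", "100.127.255.1"),    # shared CGN space -> RFC 6598
    ("dns.google", "8.8.8.8"),               # ordinary public address
    ("broken.example", "not-an-ip"),         # malformed rdata is skipped
]

if __name__ == "__main__":
    for qname, rdata, prop in flag_bogon_answers(SAMPLE_ANSWERS):
        print(f"{qname} -> {rdata} matches {prop}")
```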

Policy_ChatServer

Collection of data relating to known servers/hosts related to ChatServer(s) or Room(s) where suspicious, fraudulent and often criminal activity occurs.

Policy_CountryBlock

Policy-based feed that contains IP addresses of countries in Eastern Europe and China. These countries are often found in cyber-attacks seeking intellectual property or other sensitive or classified data, and stealing credit card or financial information.

Policy_DHCP

A host on the Internet observed running Dynamic Host Configuration Protocol (DHCP) services. DHCP is a network protocol that allows an IP address to be automatically assigned by a server.

Policy_DynamicDNS

A method of automatically updating a name server in the Domain Name System (DNS), often in real time, with the active DNS configuration of its configured hostnames, addresses or other information.

Policy_ForumUserBitTorrentContent

Indicators associated with a user participating in BitTorrent content distribution.

Policy_ForumUserCybercrimeHacker

Indicators associated with a user participating in Cybercrime Hacker forums.

Policy_Gambling

Collection of data relating to known servers/hosts related to online gambling.

Policy_Generic

Because the threat landscape is constantly changing, each Infoblox classification contains a generic property to classify indicators that don't fall under any of the following specific properties for Policy.

Policy_IDNHomograph

An internationalized domain name (IDN) homograph (a.k.a. homoglyph) is a domain easily confused with a target domain. Attackers abuse IDNs by using Unicode characters to create domain names that look similar to the targeted domain. Homograph domains damage the targeted domain's reputation and pose a threat to users that visit them.

https://resources.infosecinstitute.com/a-quick-guide-to-the-idn-homograph-attack/

Policy_IPCheckServices

These services enable the user to obtain information about a particular IP address including the assigned owner; internet service provider; geographic location; and websites, domains or other systems hosted at the IP address. They can provide the real Internet address for users without a direct Internet connection, like those behind a router or NAT.

http://www.dnsbl-check.info/

Policy_IRCServer

A host on the Internet observed running Internet Relay Chat (IRC) services. IRC is a protocol for real-time Internet text messaging (chat) or synchronous conferencing. It is mainly designed for group communication in discussion forums, called channels, but also allows one-to-one communication via private message as well as chat and data transfer, including file sharing.

Policy_LookalikeDomains

Contains domains found to be visually similar (look-alike) to other domains. These domains are composed using methods such as replacing letters with visually confusable ones (e.g. o to 0, l to 1, w to vv), switching to different top-level domains (e.g. .com to .cc), among others. These domains are often found in cyber attacks involving brandjacking, traffic redirection and phishing.

Policy_NCCICwatchlist

Indicator appears on the watchlist from the National Cybersecurity & Communications Integration Center (NCCIC).

https://www.us-cert.gov/nccic

Policy_NewlyObservedDomains

Non-threat indicators for domains which have appeared for the first time in Passive DNS monitoring.

Policy_NewlyObservedHostname

Non-threat indicators for hostnames which have appeared for the first time in Passive DNS monitoring.

Policy_OFACSanction

Policy-based feed that contains IP addresses of countries sanctioned by the United States, as listed by the US Treasury Office of Foreign Assets Control (OFAC). The Treasury Department's Office of Foreign Assets Control administers and enforces economic sanctions imposed by the United States against foreign countries.

https://www.treasury.gov/resource-center/sanctions/Programs/Pages/Programs.aspx

Policy_ParkedDomain

A domain that has been parked for future use without having to host specific content. The domain owner and/or registrar may choose to use the parked domain to generate ad revenue through click traffic.

Policy_Privacy

Non-threat indicators disclosing private information about the device or end user, either in the clear or lightly obfuscated. This is often an application or software that the user knows they are using, but may not be aware that it transmits some potentially private information. This behavior is sometimes referred to as data leakage. This data set is not intended to be exhaustive.

Policy_RansomwarePayment

This domain or IP is used to process payments for Ransomware decryptions. While not inherently infectious, connecting to a Ransomware Payment site is usually the result of a Ransomware infection. Alerting on this property may give IT a way to detect a ransomware infection on their network. This property is included in 'Policy' category because IOCs in the Malware or C2 categories are often blocked, and the payment site may be the only way to recover the files. While Infoblox generally recommends against paying ransom, we believe the customer is the best judge of what course of action is appropriate in dealing with this situation.

https://en.wikipedia.org/wiki/Ransomware

Policy_RemoteAccess

Allows remote access from one computer or network to another over a LAN or the Internet.

Policy_ServingExecutables

The identification of servers/hosts that are engaged in the activity of serving executables.

Policy_SittingDucks

Domain has a lame name server delegation. This domain may be susceptible to a Sitting Ducks DNS hijacking attack.

Policy_SkypeInfrastructure

Skype is a peer-to-peer Internet telephony network owned by Microsoft.

Policy_SuspiciousSSL

Secure Sockets Layer (SSL) encrypts communication between a server and client. When a web server and browser make a secure connection, private data can be transmitted securely online.

Policy_Tracker

Tracker domains allow others to track individual devices on the Internet, by recording their interaction with websites or reading of email. We are including cookies, advertising, email, and other trackers in this property. Cookies are files that save user information, often by the websites visited. Advertising cookies allow companies to track a device and some are established to circumvent ad blockers. Adware indicators are aligned with a piece of software that has been placed on someone’s machine to deliver ads without informed consent, and serves cookies and ads that slow the user’s machine. We may also include dual use domains such as gstatic[.]com. This data set is not intended to be an exhaustive list of trackers, but to provide context for certain domains that may appear suspicious within a network.

Policy_UnsolictedBulkEmail

Non-threat indicators associated with SPAM distribution.

Policy_UnwantedContent

Indicators which do not constitute a threat under typical circumstances, but may be undesirable and not permitted by policy.

Policy_VirtualPrivateNetworking

A Virtual Private Network allows a user to access an organization's private network via a public network.

Proxy

A proxy server is a server (a computer system or an application) that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource available from a different server.

http://en.wikipedia.org/wiki/Proxy_server

Id

Description

Proxy_DNST

DNS tunneling domains that can be definitively attributed to a known system, e.g., YourFreedom, Desichat, DynamicDNS.

https://www.infoworld.com/article/3027195/security/protect-yourself-against-dns-tunneling.html

Proxy_Generic

Because the threat landscape is constantly changing, each Infoblox classification contains a generic property to classify indicators that don't fall under any of the following specific properties for Proxy.

Proxy_Kol

Kol is a reverse-proxy service, which is used for "bullet-proof" hosting of criminal sites and malware C&C servers. A reverse-proxy seeks to hide hosted content's true location from observers by funneling requests for the content through an intermediary machine. In the past, infected machines acted as proxy servers between victims and the content, although recently there are indications that alternative proxy servers are being used. The primary concern regarding this threat is network traffic visiting sites hosted via Kol, as it might indicate, for instance, that the machine may be infected with another malware family.

Proxy_MGCOM

A computer system or an application serving as an intermediary for clients, systems, or users requesting data or services from another resource.

https://en.wikipedia.org/wiki/Proxy_server

Proxy_TorExitNode

Tor directs Internet traffic through a free, worldwide, volunteer network consisting of more than seven thousand relays to conceal a user's location and usage from anyone conducting network surveillance or traffic analysis.

https://en.wikipedia.org/wiki/Tor_(anonymity_network)

Proxy_TorNode

Tor directs Internet traffic through a free, worldwide, volunteer network consisting of more than seven thousand relays to conceal a user's location and usage from anyone conducting network surveillance or traffic analysis.

https://en.wikipedia.org/wiki/Tor_(anonymity_network)

Proxy_TorRelayNode

Tor directs Internet traffic through a free, worldwide, volunteer network consisting of more than seven thousand relays to conceal a user's location and usage from anyone conducting network surveillance or traffic analysis.

https://en.wikipedia.org/wiki/Tor_(anonymity_network)

Scam

Types of online fraud that lure victims with promise of prizes, lotteries or employment.

Id

Description

Scam_419

Advance-fee fraud in which the scammer solicits up front payments promising large sums of money. Also known as a Nigerian scam.

Scam_FakeEscrow

Fraud that requests that the victim provide funds to a 3rd party (escrow) service in order to process a transaction of money or goods.

Scam_FakeGiftCard

Selling or distributing major retail gift cards that either have no monetary value or that the buyer will never receive.

Scam_FinancialFraud

Monetary scams that promote "Get Rich Quick" schemes (pyramid, Ponzi, etc. or fake donations).

Scam_Generic

Because the threat landscape is constantly changing, each Infoblox classification contains a generic property to classify indicators that don't fall under any of the following specific properties for Scam.

Scam_Lottery

Fraud that informs a victim that they've won a prize, usually monetary, and then requests the victim's sensitive information in order to receive the prize or payout.

Scam_Mules

A scam where criminals attempt to recruit individuals with a fake job posting which leads to the individual knowingly or unknowingly becoming involved in criminal activity.

Scam_TechSupport

Scams prompting victims to call, or buy into, fake tech support providers or products.

https://en.wikipedia.org/wiki/Technical_support_scam

Scanner

Network scanning is a procedure for identifying active hosts on a network, either for the purpose of attacking them or for network security assessment.

http://searchmidmarketsecurity.techtarget.com/definition/network-scanning

Id

Description

Scanner_Bruteforcing

A specialized crawler which identifies network endpoints and attacks them using sequences of usernames and passwords to determine valid login credentials which permit access.

Scanner_DefaultPassword

A subset of the bruteforce scanners which utilize default passwords to gain access.

Scanner_Generic

A crawler which performs specific tests, tasks, or attacks on network endpoints, as determined by the scanner operator. Because the threat landscape is constantly changing, new threat classifications and properties are routinely added to classify indicators that don't fall under any of the following specific properties.

Scanner_Heartbleed

A crawler which tests networked systems for vulnerability to the Heartbleed bug.

https://en.wikipedia.org/wiki/Heartbleed

Scanner_Log4Shell

An indicator associated with a scanner that we or a trusted source have assessed to be involved in Log4Shell exploitation.

Scanner_ServerWebApp

A tool which tests web servers and applications for design weaknesses or vulnerabilities.

http://sectools.org/tag/web-scanners/

Scanner_Shellshock

Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system. The Shellshock vulnerabilities affect Bash, a program that various Unix-based systems use to execute command lines and command scripts.

http://en.wikipedia.org/wiki/Shellshock_%28software_bug%29

Scanner_SQLInjection

SQL injection is a technique to attack SQL databases, often through a website. This is done by including portions of SQL statements in a web form entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g. dump the database contents to the attacker).

Scanner_SSH

A special case of the bruteforce scanner which identifies systems running the Secure Shell service and attacks them using sequences of usernames and passwords to determine valid login credentials which permit access.

Sinkhole

Id

Description

Sinkhole_Generic

A system where specific network traffic is directed (usually away from its original destination) for different security reasons including analysis, diversion of attacks and detection of anomalous activities. Because the threat landscape is constantly changing, new threat classifications and properties are routinely added to classify indicators that don't fall under any of the following specific properties.

http://whatis.techtarget.com/definition/botnet-sinkhole

Sinkhole_IP

Sinkhole IP addresses are used by sinkholed domains to reroute traffic to a researcher’s infrastructure.

https://www.sans.org/reading-room/whitepapers/dns/paper/33523

Sinkhole_Nameserver

A sinkhole nameserver responds to DNS queries for sinkholed domains to reroute malicious traffic to a researcher’s infrastructure.

https://www.sans.org/reading-room/whitepapers/dns/paper/33523

Sinkhole_SinkholedHost

Sinkholed hosts are IOCs that use known sinkhole infrastructure. A sinkholed host is not itself a threat; however, traffic to one may indicate a network compromise.

https://www.sans.org/reading-room/whitepapers/dns/paper/33523

Spambot

A spambot is a computer or bot node that is part of a botnet and has been seen sending spam. Some spambots send spam from legitimate email accounts using stolen email credentials. Others generate fake emails, often spoofing the From: address to make the email appear legitimate.

Id

Description

Spambot_Asprox

Originally used for phishing scams, the Asprox botnet has more recently been known for its use of other bots to discover vulnerable Active Server Pages (ASP) on poorly configured websites. Once the vulnerable ASP is discovered, the bots attempt SQL injection attacks in order to infect the website. The website compromised by Asprox then silently serves exploit code to deliver malware to website visitors. The visitors' now-infected PCs then seek out new vulnerable websites to compromise and the Asprox infection continues to proliferate.

http://antivirus.about.com/od/virusdescriptions/p/asprox.htm

Spambot_Bartallex

Host that distributes Bartallex macro downloaders. Bartallex is used to download a variety of different pieces of malware.

https://info.phishlabs.com/blog/bartalex

Spambot_Brontok

Host used to spread the Brontok malware. Brontok sets up a backdoor on the infected system and has been used in DDoS attacks in the past. Brontok also has persistence functions that try to prevent the infection from being removed.

https://en.wikipedia.org/wiki/Brontok

Spambot_Cutwail

Cutwail, otherwise known as Pushdo, is a spamming botnet that sends a wide range of campaigns promoting fake pharmaceuticals, designer rip-offs, pirated software, fake ACH notifications, fake Facebook friend requests, fake airline ticket confirmations, as well as other scams. It also sends spam emails with malicious attachments, usually within a Zip file. Cutwail is a spamming engine that lures users to malicious or compromised web sites, triggering a series of exploits that injects the Pushdo Trojan into the user's PC memory.

http://www.techrepublic.com/blog/security/pushdocutwail-botnet-second-to-none-when-it-comes-to-spamming/1637

Spambot_Festi

Festi is a spamming botnet that sends e-mails promoting male enhancement pills. The emails lead either to fake Canadian pharmacy or fake jewelry websites, which lure users to landing pages that perform drive-by downloads. Festi is a kernel-based spam botnet with nearly 60,000 bots, whose main intention is to enlarge the botnet. Portions of the botnet are also used for personal fraud or DDoS attacks.

http://www.spamfighter.com/News-13443-Botnet-Festi-Rising-Tremendously.htm

Spambot_Generic

Because the threat landscape is constantly changing, each Infoblox classification contains a generic property to classify indicators that don't fall under any of the following specific properties for Spambot.

Spambot_Kelihos

Kelihos is a peer-to-peer botnet with a decentralized method of spreading updates. Because any of the bots can mimic the role of a command server if needed, it can operate even without a main command and control center. Kelihos is a resilient, stealthy botnet that hides the botmaster effectively, protecting the botmaster from discovery and takedown. Kelihos is known for spamming, information stealing, DDoS'ing, as well as for pilfering Bitcoins and electronic wallets.

http://www.darkreading.com/attacks-breaches/its-%28already%29-baaack-kelihos-botnet-rebounds-with-new-variant/d/d-id/1137415?

Spambot_Kovter

Host sending emails with Kovter trojan in the attachments. Kovter has ransomware capabilities and also can make infected systems interact with pay-per-click web ads to generate revenue.

https://phishme.com/kovter-ad-fraud-trojan-now-shipping-locky-ransomware/

Spambot_Lovgate

Host that distributes the Lovgate worm. The worm sets up a backdoor on the infected system and typically spreads itself via email.

https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Lovgate-F/detailed-analysis.aspx

Spambot_Mydoom

Host that spreads the Mydoom worm. Mydoom sets up a backdoor on the infected system, has DDoS capabilities and blocks the infected machine from contacting known antivirus sites.

https://en.wikipedia.org/wiki/Mydoom

Spambot_Mytob

Host that distributes the Mytob worm. The malware is used to obtain personal financial information. It targets Microsoft systems and typically spreads itself via email.

http://searchsecurity.techtarget.com/definition/Mytob

Spambot_Netsky

Host that spreads the Netsky worm, a competitor of Mydoom. Netsky will actively remove Mydoom from infected systems and take its place.

https://en.wikipedia.org/wiki/Netsky_(computer_worm)

Spambot_Razy

Host that distributes Razy ransomware. Razy is a ransomware program that encrypts files on the infected system and requests payment to unlock them. Some versions of Razy do not save a decryption key and simply destroy files on the infected machine.

https://www.enigmasoftware.com/razyransomware-removal/

Spambot_Slenfbot

Slenfbot is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Slenfbot primarily spreads by luring users to follow links to websites, which contain a malicious payload. Slenfbot propagates via instant messaging applications, removable drives and/or the local network via network shares. The code for Slenfbot appears to be closely managed, which may provide attribution to a single group and/or indicate that a large portion of the code is shared amongst multiple groups.

http://en.wikipedia.org/wiki/Slenfbot

Spambot_Tinba

Host used to distribute the Tinba banking trojan. The trojan monitors network traffic on the infected machine and performs a Man in the Middle attack once traffic to a banking webpage is detected. This allows it to capture the user's banking credentials.

https://en.wikipedia.org/wiki/Tiny_Banker_Trojan

Spambot_Virut

Host used to distribute the Virut bot. The Virut bot is used for many types of activities including DDoS attacks, spam, and theft. This is an older botnet, but it has redundant control systems that allow criminals to retake control if their infrastructure is taken down.

https://en.wikipedia.org/wiki/Virut

Spambot_Zbot

Host that distributes the Zbot trojan. Zbot is a variant of the Zeus banking trojan. The bot uses many stealth techniques to hide itself from antivirus detection. Zeus/Zbot has been used to steal data from government agencies and several large corporations.

https://en.wikipedia.org/wiki/Zeus_(malware)

Suspicious

A suspicious indicator is one which is associated with anomalous activity that is likely, but not confirmed to be, malicious. The presence of suspicious indicators is potentially symptomatic of an unconfirmed attack or breach and warrants further investigation. This class of indicators is otherwise unlabeled due to our priority of quickly identifying and blocking what we consider a likely threat. We assign non-generic properties under this class if we have associated the indicator with particular activity, or if it has been otherwise designated by a trusted source.

Id

Description

Suspicious_Behavior

An indicator that we or a trusted source have assessed to be participating in unusual or atypical activity and that we have determined to be a potential threat.

Suspicious_DGA

Domains with this property are found as part of a set generated algorithmically and have no identifiable purpose. They are generally recently registered and often on low reputation hosting providers. These domains are unlikely to have website presence and may be related to user tracking or malware.

Suspicious_EmergentDomain

An emergent domain is recently observed by Infoblox and found to have suspicious properties, including the use of malicious name servers, shared hosting with other suspicious domains, recent registration on highly abused TLDs, anomalies in the domain registration record, and unusual DNS behavior. Emergent domains may be recently registered, updated, or have a notable change in behavior or number of DNS requests. A domain which has expired from this property may be resubmitted at a later time due to a resurgence or change in activity that is found suspicious.

Suspicious_Generic

An indicator that we or a trusted source have associated with anomalous or likely malicious activity that we have not yet been able to categorize.

Suspicious_Log4Shell

An indicator that we or a trusted source have observed to be associated with the exploitation of log4j vulnerabilities CVE-2021-44228 or CVE-2021-45046 which allow for remote code execution (RCE), or the concurrently identified exploit CVE-2021-45105 which allows for a stack overflow attack.

Suspicious_Lookalike

A domain that we or a trusted source have assessed to be imitating another domain, and that we have determined to be a potential threat.

Suspicious_Nameserver

Name servers or their related domains that we or a trusted source have assessed to be participating in unusual or atypical activity and that we have determined to be a potential threat.

Suspicious_Phishing

An indicator that we or a trusted source have assessed to be likely associated with phishing activity.

Suspicious_RDGA

An indicator that is part of a group of registered domains created by a domain generation algorithm (DGA) and that is likely to be used now, or in the future, for malicious or illicit activity.

Suspicious_Registration

An indicator that we or a trusted source have associated with anomalous or likely malicious registration. This can include the registrant information, the registrar, the timing of the registration, colocation of the domain with other suspiciously registered domains, or any other characteristic associated with domain registration. It can also include recently registered domains, but is not limited to those.

Suspicious_Spam

An indicator that we or a trusted source have assessed to be likely from, or associated with, suspicious spam.

Uncategorized Threat

Id

Description

UncategorizedThreat_BadHostname

Computer system names, also known as Fully Qualified Domain Names (FQDNs), which are threat indicators that don't fall under any of the specific classes or properties.

UncategorizedThreat_Generic

Because the threat landscape is constantly changing, new threat classifications and properties are routinely added to classify indicators that don't fall under any of the following specific properties.

Undefined

Id

Description

Bad

Binary data-DEP

Bot Changer IP

CUTWAIL DOMAIN

CUTWAIL URL

Down

Feed

Fraud-DEP

Index-DEP

Internal ip

Invalid url

Kol Botnet Traffic

KOL DOMAIN

Kol NS Domain List

KOL NS IP

Likely

Local

Local host ip

Malicious IP-DEP

Malware - Koobface-DEP

NXDOMAIN

OK Hostname

Other

Other fraud-DEP

Ours

ParkedClicksite

PotentialWhiteList

Private

Redirect-DEP

Sinkhole

Squatter

Survey-DEP

Suspended Page

Suspicious

Threat

Unknown

Unlikely

Unrated

White list

Unwanted Content

Content that is not inherently malicious and typically involves brand abuse, but may be of interest depending on your business use case.

Id

Description

UnwantedContent_CredentialGathering

The collection of non-sensitive credentials like name, address, phone number, which could potentially be used for abuse.

UnwantedContent_FakePharma

An online retailer selling or distributing controlled prescription drugs without FDA registration. The retailer may steal credit card information during the purchase or sell imitation drugs, putting buyers in danger of serious health complications.

UnwantedContent_Generic

Because the threat landscape is constantly changing, each Infoblox classification contains a generic property to classify indicators that don't fall under any of the following specific properties for UnwantedContent.

UnwantedContent_OnlineGambling

Data that involves online gambling, which is illegal in the United States.

UnwantedContent_Parasite

A threat in which user credentials are collected by a site that claims to provide a value-added service, is potentially malicious, and references target brand(s).

UnwantedContent_Pharma

An online retailer selling or distributing controlled prescription drugs without FDA registration. The retailer may steal credit card information during the purchase or sell imitation drugs, putting buyers in danger of serious health complications.

UnwantedContent_PolicyViolation

Content that has been reported to violate a company's policy (either internal with their employees, or external with their customers).

UnwantedContent_Porn

The distribution or display of pornography.

UnwantedContent_PotentialTM

Content that is potentially infringing upon a client's brand.

UnwantedContent_TMViolation

A violation of a privately owned trademark.

UnwantedContent_UnauthorizedDistribution

The distribution of products in a manner not authorized by the content owners or an authorized representative. This may include fake goods like counterfeit software and apparel or the resale of legitimate merchandise without resale authorization.

WebApp Attack

Id

Description

WebAppAttack_Bruteforcing

A systematic attack using sequences of usernames and passwords to determine valid login credentials which permit access to the system or network.

http://resources.infosecinstitute.com/popular-tools-for-brute-force-attacks/

WebAppAttack_Generic

Attacks which target weaknesses in web applications, often using overflows, injection, or malicious code. Because the threat landscape is constantly changing, each Infoblox classification contains a generic property to classify indicators that don't fall under a specific property.

http://www.computerweekly.com/feature/Web-Application-Attacks-Learning-Guide

WebAppAttack_SQLInjection

A code injection technique used against data-driven web applications by inserting malicious SQL statements into an entry field for execution.

https://en.wikipedia.org/wiki/SQL_injection

WebAppAttack_XSS

An attack which injects a client-side script into a web site so that it runs in the browsers of other users who view the site, who then become the victims.

http://www.webopedia.com/TERM/X/XSS.html

Whitelist

Id

Description

Whitelist_Generic

A list of data such as email addresses or domain names which are excluded from blocking actions such as blacklisting. Because the threat landscape is constantly changing, new threat classifications and properties are routinely added to classify indicators that don't fall under any of the following specific properties.

http://searchexchange.techtarget.com/definition/whitelist

Whitelist_PublicUtility

Entries related to public utilities which should not be blacklisted under typical circumstances.