A C&C server is identified by malware researchers, clients, or partners to be linked to a phishing campaign or to malware targeting civil society groups; victims may be receiving malicious files through social media and/or chat tools; control servers may also hop from DNS domain to DNS domain
Report and Disable Malicious C&C Server
What to do when a C&C server is used to spread malware or for a phishing campaign
Problem
- When a website is being used for a phishing campaign or for spreading malware, it is important to take it down to stop it from harming more people.
- If the C&C server is not disabled, the malware will continue to infect more devices and put more victims from the targeted civil society community in danger.
- If partner organizations have covert access to the C&C server, they may be able to find out who gets compromised in the community and notify them.
Solution
- Make sure you have the minimal information necessary for this case, at minimum one of the following:
  - IP of C&C server (ideally with the port that is used by the C&C server)
  - Sample of the malware
  - URL pointing to the C&C server
  This information can come from the partner or beneficiary sharing information about the C&C server or malicious website.
- Paste the URL in this page to receive all the contact points from the whois entries.
- Send an email to every contact obtained from the whois entries in the previous step, notifying them of the malicious content found on one of their domains. An example of what this email could look like may be found in Article #209: Template - Phishing Link.
- Ask the client/partner for permission to share the indicators of compromise with the digital security community. You may use the template included in Article #261: Disable C&C server - email to client.
- When permission from client to share the indicators has been obtained, add them to MISP following the instructions in Article #355: How to Add an Event to CiviCERT’s MISP Instance.
- To disable the domain, contact immediately:
  - The registrar of the malicious domain to disable it
  - The hosting provider to disable the IP and malicious content
  You may use the following templates when contacting them:
  - Template to contact the registrar: Article #259: Disable C&C server - email to registrar of malicious domain
  - Template to contact the hosting provider: Article #260: Disable C&C server - email to hosting provider
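As an added example (not part of this article or its templates), the script below does the contact-gathering step in code: it reads saved whois output for the malicious domain and for its hosting IP, picks out the abuse contacts (registrar "Registrar Abuse Contact Email", RIPE "abuse-mailbox", ARIN "OrgAbuseEmail"), and falls back to any other address only when no abuse desk is listed. The two whois records are constructed samples, and the domain, IP range and addresses in them are placeholders.

```python
import re

# Constructed sample whois records (not real): a domain record in the registrar
# format and an IP record in RIPE/ARIN style. Registrant details are redacted,
# as they usually are, so the abuse contacts are the only usable addresses.
DOMAIN_WHOIS = """\
Domain Name: EXAMPLE-C2.TEST
Registrar: Example Registrar, Inc.
Registrar Abuse Contact Email: abuse@registrar.example
Registrar Abuse Contact Phone: +1.5555550100
Registrant Email: REDACTED FOR PRIVACY
"""
IP_WHOIS = """\
% This is a constructed RIPE-style record
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-HOSTING
abuse-mailbox:  abuse@hosting.example
OrgAbuseEmail:  ABUSE@hosting.example
e-mail:         noc@hosting.example
"""
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def parse_record(text):
    """Turn 'key: value' whois lines into {lowercased key: [values]}, skipping comments."""
    fields = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("%", "#")) or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields

def abuse_contacts(text):
    """Return {email: source}. Prefer any field whose name contains 'abuse'; if
    there is none, fall back to every address in the record and label it so the
    analyst knows the recipient is not a dedicated abuse desk."""
    contacts = {}
    for key, values in parse_record(text).items():
        if "abuse" in key:
            for value in values:
                for email in EMAIL_RE.findall(value):
                    contacts[email.lower()] = "abuse"
    if contacts:
        return contacts
    return {email.lower(): "fallback" for email in EMAIL_RE.findall(text)}

def notification_list(*records):
    """Merge contacts from the domain's and the hosting IP's records; an address
    seen as an abuse contact in any record keeps that label over a fallback one."""
    merged = {}
    for record in records:
        for email, source in abuse_contacts(record).items():
            if merged.get(email) != "abuse":
                merged[email] = source
    return merged

if __name__ == "__main__":
    for email, source in sorted(notification_list(DOMAIN_WHOIS, IP_WHOIS).items()):
        print(f"{email}\t{source}")
```

Feed the real whois output (one file per domain or IP) in place of the sample strings; addresses labelled "fallback" should be double-checked before the registrar or hosting-provider template is sent to them.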
Comments
Also see Article #258: Advanced Threats Triage Workflow.
Related Articles
- Article #133: How to clean a malware-infected Windows machine
- Article #209: Template - Phishing Link
- Article #258: Advanced Threats Triage Workflow
- Article #259: Disable C&C server - email to registrar of malicious domain
- Article #260: Disable C&C server - email to hosting provider
- Article #261: Disable C&C server - email to client
- Article #355: How to Add an Event to CiviCERT’s MISP Instance