# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Reference: https://otx.alienvault.com/pulse/5c93c4e48312d159728a9d78 # Reference: https://blog.alyac.co.kr/2209 (Korean) maii-daum-net.atwebpages.com nate-on.bug3.com hanmail.membercp.net korea.getenjoyment.net mail.membercp.net /itsme.daum # Reference: https://twitter.com/blackorbird/status/1086970613552447489 safe-naver-mail.pe.hu # Reference: https://twitter.com/blackorbird/status/1113318554563076096 # Reference: https://github.com/blackorbird/APT_REPORT/blob/master/kimsuky/aptnote0403 # Reference: https://blog.alyac.co.kr/2234 (Korean) tcjst.com # Reference: https://twitter.com/blackorbird/status/1118334122592591872 # Reference: https://raw.githubusercontent.com/blackorbird/APT_REPORT/master/kimsuky/Smoke%20Screen.pdf # Reference: https://www.virustotal.com/gui/ip-address/192.186.142.74/relations # Reference: https://otx.alienvault.com/pulse/5cb6e14b2fefc160d9e18b24 http://192.186.142.74 192.186.142.74:81 seoulhobi.biz # Reference: https://twitter.com/RedDrip7/status/1133268937808859136 lovemoney.mypressonline.com # Reference: https://blog.alyac.co.kr/2336 (Korean) # Reference: https://otx.alienvault.com/pulse/5d13373f428cfccd0fa506a6 hellojames.sportsontheweb.net # Generic trails (also can be met in https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/) /expres.php # Reference: https://blog.alyac.co.kr/2347 (Korean) # Reference: https://otx.alienvault.com/pulse/5cffce34469a83ecb23c93db http://202.168.155.156 carolie-svr-v1.16mb.com my-homework.890m.com naver-security-mail.96.lt oeks39402.890m.com filer1.1apps.com filer2.1apps.com kuku675.site11.com kuku79.herobo.com # Reference: https://blog.alyac.co.kr/2389 (Korean) # Reference: https://otx.alienvault.com/pulse/5d14b11389f0f0ece394fab8 atene.myartsonline.com hellojames.sportsontheweb.net nid2-naver-com.medianewsonline.com smalldeal.mypressonline.com # Reference: https://www.anomali.com/blog/suspected-north-korean-cyber-espionage-campaign-targets-multiple-foreign-ministries-and-think-tanks # Reference: https://otx.alienvault.com/pulse/5d5d6f5c5f0e4d2b7f5f3208 # Reference: https://twitter.com/blackorbird/status/1164370375490228224 alone-service.work app-support.work check-up.work com-main.work doc-view.work login-confirm.work member-service.work minner.work short-line.work sub-state.work web-line.work # Reference: https://twitter.com/cyberwar_15/status/1166592637371060226 rnailr.com # Reference: https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-009.pdf # Reference: https://otx.alienvault.com/pulse/5d6d754babe6ca295f94cb1b accounted.top acounts.work ahooc.com alive-user.work alone-service.work app-house.online app-main.site app-support.site app-support.work check-line.site check-operation.site check-up.work client-mobile.work confirm-main.work dounn.net dovvn-mail.com drog-service.com eposcard.co first-state.work gstaticstorage.com heehorse.com hotrnall.co imap-login.com inbox-mail.work inbox-yahoo.com lh-login.com lh-logs.com lh-yahoo.com local-link.work log-yahoo.com login-confirm.site login-confirm.work login-history.pw login-sec.com login-use.com login-yahoo.info logins-yahoo.com mail-down.com mail-inc.work mail-service.win mailseco.com main-line.work main-service.site main-support.work matmiho.com member-service.work message-inbox.work minner.work mobile-device.site mobile-phone.work myprivacy.work net-policies.work old-version.work online-support.work open-auth.work options.work page-view.work phlogin.com profile-setting.work protect-com.work protect-mail.work protect-main.site retry-confirm.com script-main.site sec-line.work sec-live.com set-login.com setting-main.work share-check.site short-line.work sign-in.work srnbc-card.com user-account.link user-accounts.net user-service.link user-service.work viewetherwallet.com wallet-vahoo.com weak-online.work web-info.work web-mind.work web-online.work web-rain.work web-state.work web-store.work yah00.work yrnall.com # Reference: https://twitter.com/JAMESWT_MHT/status/1177115401400016901 # Reference: https://blog.alyac.co.kr/2538 (Korean) # Reference: https://otx.alienvault.com/pulse/5d8dd05bac456c1dade338df joelwisian.com reunionhomesok.com # Reference: https://twitter.com/blackorbird/status/1178497550938034177 eoplus.co.kr/board/pressed/ eoplus.co.kr/board/presset/ # Reference: https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf # Reference: https://otx.alienvault.com/pulse/5d9f541a43c2babf60994786 c-naver.com daum-center.net rrnaver.com udaum.net account-google.member-authorize.com user-manage-center.hol.es user-daum-center.pe.hu user-protect-center.pe.hu naiei-aldiel.16mb.com nid-protect-team.pe.hu nid-management-team.890m.com oeks39402.890m.com vkcxvkweo.96.lt # Reference: https://otx.alienvault.com/pulse/5dac36de0d5134df36b16666 clouds.scienceontheweb.net # Reference: https://twitter.com/spider_girl22/status/1191306963369353216 online---shop.atwebpages.com # Reference: https://blog.alyac.co.kr/2645 (Korean) # Reference: https://otx.alienvault.com/pulse/5de68f93fc4d8a6303a7598b primary-help.esy.es ago2.co.kr/bbs/data/dir/F.php antichrist.or.kr/data/cheditor/dir1/F.php gyjmc.com/board/data/cheditor/dir1/F.php