# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/) # See the file 'LICENSE' for copying permission # Reference: https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/ # Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2018/2018-01-06-malicious-document-targets-pyeongchang-olympics/malicious-document-targets-pyeongchang-olympics.csv 200.122.181.63:443 thlsystems.forfirst.cz ospf1-apac-sg.stickyadstv.com mafra.go.kr.jeojang.ga jeojang.ga nctc.go.kr # Reference: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/?mid=1 # Reference: https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf # Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2018/2018-12-12-operation-sharpshooter-targets-global-defense-critical-infrastructure/operation-sharpshooter-targets-global-defense-critical-infrastructure.csv http://208.117.44.112 http://34.214.99.20/view_style.php 137.74.41.56/board.php kingkoil.com.sg/board.php kingkoil.com.sg/query.php # Reference: https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf # Reference: https://twitter.com/bkMSFT/status/1093109336740642816 llpsearch.com miphomanager.com # Reference: https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/ 071790.000webhostapp.com 7077.000webhostapp.com 881.000webhostapp.com hanbosston.000webhostapp.com vnik.000webhostapp.com a7788.1apps.com attach10132.1apps.com bluemountain.1apps.com filer1.1apps.com s8877.1apps.com files.000 ftp.byethost7.com ftp.byethost10.com webhost.com webmail-koryogroup.com 61.14.210.72:7117 # Reference: https://twitter.com/blackorbird/status/1107214927402418176 # Reference: https://twitter.com/blackorbird/status/1107479347013672960 ddlove.kr/bbs/dta/1 # Reference: https://twitter.com/blackorbird/status/1082553543280680962 ago2.co.kr/bbs/data/dir # Reference: https://twitter.com/blackorbird/status/1100691198346354688 46.29.163.222:9999 # Reference: https://otx.alienvault.com/pulse/5c9a457b3acc7f0eba431c81 # Reference: https://www.recordedfuture.com/scanbox-framework-campaign/ mailshield.ga mail.mailshield.ga monlamlt.com oppo.ml photogram.ga tibct.net tibct.org tracking.dgip.gov.pk # Reference: https://twitter.com/ClearskySec/status/1055404788635103232 # Reference: https://www.clearskysec.com/iec/ host-gv.appspot.com journey-in-israel.com iecr.co iec-co-il.com israelalerts.us israelalert.us pokemonisrael.yolasite.com sourcefarge.net users-management.com ynetnewes.com # Reference: https://twitter.com/ClearskySec/status/971454423548530688 baoin.baotintu.com chinhtri.tourismas.com kinhte.baotintu.com # Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-02-12: Malicious Invoice of Telcel Mexican Telecommunication Company) bambi.sytes.net # Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-02-06: Iranian Greenbug targeting against Arab Emirates - Invoice-NO48935.doc) acrobatverify.com # Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-1-1: Campaign targeting Turkey with fake purchase order requests, drops low detection Java malware) gorevleriyok.com # Reference: https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups/ (Chinese) Jospubs.com # Reference: https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/ digi-cert.org somtelnetworks.com geotrusts.com secureclientupdate.com digicertweb.com sport-pesa.org itaxkenya.com businessdailyafrica.net infotrak-research.com nairobiwired.com k-24tv.com # Reference: https://twitter.com/blackorbird/status/1132884799310319616 # Reference: http://blogs.360.cn/post/APP_Plugin.html # Reference: https://securelist.com/whos-who-in-the-zoo/85394/ # Reference: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/24122414/ZooPark_for_public_final_edited.pdf http://5.61.27.154 http://5.61.27.157 http://5.61.27.173 http://91.109.23.175 androidupdaters.com adobeactiveupdates.com adobeactiveupdate.com adobeseupdater.com dlgmail.com dlstube.com dlstubes.com entekhab10.xp3.biz googleupdators.com rhubarb2.com rhubarb3.com solar64.xp3.biz # Reference: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/ # Aliases: brave prince, gold dragon, ghost419 eodo1.000webhostapp.com follow_dai.000webhostapp.com trydai.000webhostapp.com followgho.byethost7.com ink.inkboom.co.kr nid-help-pchange.atwebpages.com # Reference: https://twitter.com/jq0904/status/1137362044271730694 hellojames.sportsontheweb.net # Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/advanced-targeted-attack-tools-used-to-distribute-cryptocurrency-miners/ # Reference: https://otx.alienvault.com/pulse/5d0276b98d2d7d679ed51fa2 tenchier.com pilutce.com miniast.com boreye.com # Reference: http://www.issuemakerslab.com/research2/index.html pyeonta.com/board/news/board.asp sdajunghwa.com/admin/data/admindata.asp patentmall.net/goods/goods.asp orentcar.com/rental/sub06.asp # Reference: https://twitter.com/blackorbird/status/1141302473623105536 soportearus.com.co /arus_collect.php # Reference: https://twitter.com/DbgShell/status/1146012416968417280 # Reference: https://research.checkpoint.com/operation-tripoli/ (# Operation Tripoli) aarasid.com/libya/index.html clientstats.epss.org.ly dexter-ly.com dexter-ly.space drpc.duckdns.org forum.myvnc.com kalifhaftar.blogspot.com libyanews111.blogspot.com libya-10.com.ly sirtggp.com/libyanew/index.html # Reference: https://www.anomali.com/blog/multiple-chinese-threat-groups-exploiting-cve-2018-0798-equation-editor-vulnerability-since-late-2018 # Reference: https://otx.alienvault.com/pulse/5d1e0531908ea7d506ce9839 loge.otzo.com vvcxvsdvx.dynamic-dns.net # Reference: https://otx.alienvault.com/pulse/5d23054ff45f6eb94e824460 # Reference: http://blog.ptsecurity.com/2019/07/ironpython-darkly-how-we-uncovered.html # Reference: https://static.ptsecurity.com/phdays/presentations/phdays-9-ironpython-on-the-dark-side-the-silent-trio-from-croatia.pdf http://198.46.182.158 176.105.255.59:8089 konzum.win postahr.online postahr.vip posteitaliane.live # Reference: https://news.sophos.com/en-us/2019/07/11/oto-gonderici-excel-formula-injections-target-turkish-victims/ # Reference: https://github.com/sophoslabs/IoCs/blob/master/Malspam-OtoGonderici # Reference: https://otx.alienvault.com/pulse/5d276b688642da33ba698260 2073.mobi 25665.club 25665.me 33016.club 60431.club 75735.club 77444.club 80001.me 82813.club Jdokdo.ml aetye.ml aghkf.ml atessan.online avrupagoz.online ayanw.ml banage.live basaso.mobi burcutekstil.online cinarterlik.online cnfh.mobi cpaneh.tk ekqff.ml ewouif.gq fazilet.club gelovosaja.club ghtc.mobi gyqey.ml hcsscj.ga hfik.mobi hocoso.mobi hvaycz.cf inssanayi.mobi iquqy.ml jahlq.ml jekarebege.online jjsiu.ml jodaje.mobi johaca.mobi jurugq.host kartalescort.mobi kayaya.mobi kojero.mobi lca.mobi mgw.mobi nafaro.mobi nefal.mobi nehabe.mobi nejoja.mobi nvmdv.ml peindikescort.mobi pqoyruw.ga professional.mobi pvrdn.ml qoloa.ml qyhhy.ml qzitt.ml rimaw.ml rlg.mobi rtrzd.ml selcukecza.online specforce.space supkh.mobi swtaegs.ml tamor.mobi taneketevo.online tgmml.ml turkcall.mobi tzlss.mobi urdnz.cf vazawoweso.online vecoha.mobi vgplb.ml vpewqz.tk walatecaqa.club wdplf.ml whyog.ml wpf.mobi wqplw.ml yepeyowora.online yerago.mobi yklud.ml ynngon.ml yolecafeha.club yomka.ml yuktu.ml zavayo.mobi zayero.mobi zororo.mobi # Reference: https://www.zsis.hr/default.aspx?id=415 176.105.255.59:8089 postahr.vip posteitaliane.live # Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/spam-campaign-targets-colombian-entities-with-custom-proyecto-rat-email-service-yopmail-for-cc/ # Reference: https://otx.alienvault.com/pulse/5d3091d8a6d3522c9d5dcaff http://144.202.19.31 http://95.179.168.23 diangovcomuiscia.com eltiempocomco.com medicosempresa.com # Reference: https://www.flashpoint-intel.com/blog/newly-discovered-malware-framework-cashing-in-on-ad-fraud/ coolbrowsering.xyz alfapromo.info archivepoisk-zone.info onlinemobsoft.ru anyaaplanet.info decentsite.xyz archivepoisk.info sympleplace.info adsmeneger.club # Reference: https://twitter.com/cyberwar_15/status/1156091180293206016 http://51.254.60.208 # Reference: https://twitter.com/KevinPerlow/status/1156406115472760835 (# tcpihlp) f1.vr.wincloud.com d1.link.outbox.com # Reference: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Unknown/20-08-19/Malware%20analysis%2020-08-19.md # Reference: https://www.virustotal.com/gui/ip-address/167.88.180.148/relations http://167.88.180.148 247up.org apple-net.com mediadomainservice.org renewyourclicks.org siteup-365.org # Reference: https://www.amnesty.org/en/latest/research/2019/08/evolving-phishing-attacks-targeting-journalists-and-human-rights-defenders-from-the-middle-east-and-north-africa/ # Reference: https://otx.alienvault.com/pulse/5d5d7094114b8af4a377f676 gmailusercontent.site protect-outlook.com srf-goolge.site # Reference: https://twitter.com/Timele9527/status/1166188375109296128 mmksba.dyndns.org # Reference: https://research.checkpoint.com/the-eye-on-the-nile/ # Reference: https://otx.alienvault.com/pulse/5d95e00256c29a9623c3cc97 arabindex.info drivebackup.co indexmasr.com indexy.org maillogin.live mailsecure.live servegates.com txtips.com weblogin.live # Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2014/2014-07-15-targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities.csv asdf.avstore.com.tw asdf.skypetm.com.tw avast.avstore.com.tw avstore.com.tw bluer.avstore.com.tw bz.kimoo.com.tw chanxe.avstore.com.tw gmail.skypetm.com.tw jamessmith.avstore.com.tw mca.avstore.com.tw skypetm.com.tw sophos.skypetm.com.tw star.yamn.net vbnm.skypetm.com.tw zeng.skypetm.com.tw # Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2018/2018-02-02-gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems.csv braveprince.com followgho.byethost7.com nid-help-pchange.atwebpages.com