# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Reference: https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/
# Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2018/2018-01-06-malicious-document-targets-pyeongchang-olympics/malicious-document-targets-pyeongchang-olympics.csv

# Reference: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/?mid=1
# Reference: https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf
# Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2018/2018-12-12-operation-sharpshooter-targets-global-defense-critical-infrastructure/operation-sharpshooter-targets-global-defense-critical-infrastructure.csv

# Reference: https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf
# Reference: https://twitter.com/bkMSFT/status/1093109336740642816

# Reference: https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/

# Reference: https://twitter.com/blackorbird/status/1107214927402418176
# Reference: https://twitter.com/blackorbird/status/1107479347013672960

# Reference: https://twitter.com/blackorbird/status/1082553543280680962

# Reference: https://twitter.com/blackorbird/status/1100691198346354688

# Reference: https://otx.alienvault.com/pulse/5c9a457b3acc7f0eba431c81
# Reference: https://www.recordedfuture.com/scanbox-framework-campaign/

# Reference: https://twitter.com/ClearskySec/status/1055404788635103232
# Reference: https://www.clearskysec.com/iec/

# Reference: https://twitter.com/ClearskySec/status/971454423548530688

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-02-12: Malicious Invoice of Telcel Mexican Telecommunication Company)

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-02-06: Iranian Greenbug targeting against Arab Emirates - Invoice-NO48935.doc)

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-1-1: Campaign targeting Turkey with fake purchase order requests, drops low detection Java malware)

# Reference: https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups/ (Chinese)

# Reference: https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/

# Reference: https://twitter.com/blackorbird/status/1132884799310319616
# Reference: http://blogs.360.cn/post/APP_Plugin.html

# Reference: https://securelist.com/whos-who-in-the-zoo/85394/
# Reference: https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/24122414/ZooPark_for_public_final_edited.pdf

# Reference: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/
# Aliases: brave prince, gold dragon, ghost419

# Reference: https://twitter.com/jq0904/status/1137362044271730694

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/advanced-targeted-attack-tools-used-to-distribute-cryptocurrency-miners/
# Reference: https://otx.alienvault.com/pulse/5d0276b98d2d7d679ed51fa2

# Reference: http://www.issuemakerslab.com/research2/index.html

# Reference: https://twitter.com/blackorbird/status/1141302473623105536

# Reference: https://twitter.com/DbgShell/status/1146012416968417280
# Reference: https://research.checkpoint.com/operation-tripoli/ (# Operation Tripoli)

# Reference: https://www.anomali.com/blog/multiple-chinese-threat-groups-exploiting-cve-2018-0798-equation-editor-vulnerability-since-late-2018
# Reference: https://otx.alienvault.com/pulse/5d1e0531908ea7d506ce9839

# Reference: https://otx.alienvault.com/pulse/5d23054ff45f6eb94e824460
# Reference: http://blog.ptsecurity.com/2019/07/ironpython-darkly-how-we-uncovered.html
# Reference: https://static.ptsecurity.com/phdays/presentations/phdays-9-ironpython-on-the-dark-side-the-silent-trio-from-croatia.pdf

# Reference: https://news.sophos.com/en-us/2019/07/11/oto-gonderici-excel-formula-injections-target-turkish-victims/
# Reference: https://github.com/sophoslabs/IoCs/blob/master/Malspam-OtoGonderici
# Reference: https://otx.alienvault.com/pulse/5d276b688642da33ba698260

# Reference: https://www.zsis.hr/default.aspx?id=415

# Reference: https://blog.trendmicro.com/trendlabs-security-intelligence/spam-campaign-targets-colombian-entities-with-custom-proyecto-rat-email-service-yopmail-for-cc/
# Reference: https://otx.alienvault.com/pulse/5d3091d8a6d3522c9d5dcaff

# Reference: https://www.flashpoint-intel.com/blog/newly-discovered-malware-framework-cashing-in-on-ad-fraud/

# Reference: https://twitter.com/cyberwar_15/status/1156091180293206016

# Reference: https://twitter.com/KevinPerlow/status/1156406115472760835 (# tcpihlp)

# Reference: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Unknown/20-08-19/Malware%20analysis%2020-08-19.md
# Reference: https://www.virustotal.com/gui/ip-address/167.88.180.148/relations

# Reference: https://www.amnesty.org/en/latest/research/2019/08/evolving-phishing-attacks-targeting-journalists-and-human-rights-defenders-from-the-middle-east-and-north-africa/
# Reference: https://otx.alienvault.com/pulse/5d5d7094114b8af4a377f676

# Reference: https://twitter.com/Timele9527/status/1166188375109296128

# Reference: https://research.checkpoint.com/the-eye-on-the-nile/
# Reference: https://otx.alienvault.com/pulse/5d95e00256c29a9623c3cc97

# Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2014/2014-07-15-targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities.csv

# Reference: https://github.com/advanced-threat-research/IOCs/blob/master/2018/2018-02-02-gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems.csv

# Reference: https://cyberwarzone.com/massive-collection-rat-backdoors-iraq-syria-free-2-share/

# Reference: https://twitter.com/blackorbird/status/1194824371904237568