# Copyright (c) 2014-2024 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: shelltea, powersniff

# Reference: http://blog.morphisec.com/security-alert-fin8-is-back
# Reference: https://otx.alienvault.com/pulse/5cfe69a12dbf3290f262bfba

cdn-amaznet.club
reservecdn.pro
telemetry.host
telemerty-cdn-cloud.host
wsuswin10.us
104.193.252.162:443
37.1.204.87:443

# Reference: https://www.root9b.com/sites/default/files/whitepapers/PoS%20Malware%20ShellTea%20PoSlurp.pdf

# POWERSNIFF C2 DOMAINS
vseflijkoindex.net
vortexclothings.biz
unkerdubsonics.org
popskentown.com

# SHELLTEA C2 DOMAINS
neofilgestunin.org
verfgainling.net
straubeoldscles.org
olohvikoend.org
menoograskilllev.net
asojinoviesder.org

# Reference: https://atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d:-discovering-badhatch-and-a-detailed-look-at-fin8's-tooling/
# Reference: https://otx.alienvault.com/pulse/5d372fa407ebb8017386ea36

ashkidiore.org
asilofsen.net
druhanostex.net
kapintarama.net
manrodoerkes.org
moreflorecast.org
nduropasture.net
preploadert.net
subarnakan.org
troxymuntisex.org

# Reference: http://click.broadcasts.visa.com/xfm/?30761/0/0624013ddc6f39785bf56d504f3b812e/
# Reference: https://otx.alienvault.com/pulse/5df2a079d801c25e0a68d90e

diolucktrens.org
fraserdolx.org

# Reference: https://norfolkinfosec.com/pos-malware-used-at-fuel-pumps/
# Reference: https://www.virustotal.com/gui/domain/ns.akamai1811.com/relations
# Reference: https://www.virustotal.com/gui/file/2d311d46eb32389faa6ef72ed7126b63401c9071a57cb91a70f4c50815dc82fd/detection

akamai1811.com
ns.akamai1811.com

# Reference: https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf

192-129-189-73.sslip.io
198-46-140-52.sslip.io
us-west.com

# Reference: https://businessinsights.bitdefender.com/deep-dive-into-a-fin8-attack-a-forensic-investigation
# Reference: https://otx.alienvault.com/pulse/6103b9a8eaebf348cca49179

104-168-237-21.sslip.io
api-cdn.net
api-cdnw5.net
git-api.com

# Reference: https://twitter.com/Richard_S81/status/1483562403061190663
# Reference: https://www.trendmicro.com/en_us/research/22/a/new-ransomware-spotted-white-rabbit-and-its-evasion-tactics.html

104-168-132-128.nip.io/cae260

# Reference: https://securityaffairs.com/150028/hacking/fin8-citrix-netscaler.html
# Reference: https://otx.alienvault.com/pulse/64edf1fe10794c40a79f86b2
# Reference: https://github.com/sophoslabs/IoCs/blob/master/2023-08-25%20Citrix%20CVE-2023-3519%20attacks.csv

http://45.66.248.189
http://85.239.53.49
45.66.248.189:443
85.239.53.49:443
173-44-141-47.nip.io