# Copyright (c) 2014-2025 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission
# Aliases: bisonal, tonto, tontoteam, cactuspete, tag-74
# CERT-UA: UAC-0018
# Note: "cactuspete" (Kaspersky) and "TAG-74" (Recorded Future) are the vendor names used in the references cited further down in this file.
# Reference: https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/
euiro8966.organiccrap.com
games.my-homeip.com
jennifer998.lookin.at
kted56erhg.dynssl.com
hosting.tempors.com
# Reference: https://twitter.com/Vishnyak0v/status/1216689015035977730
etude.servemp3.com
# Reference: https://docs.google.com/spreadsheets/d/1lDzylI6Jymz7EE0agRVUsL3kwmJSRDjXYjr5l5MUOEk/edit#gid=127522608 (# Bisonal)
svyaztulaya.dynamic-dns.net
uacmoscow.com
# Reference: https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html
0906.toh.info
21kmg.my-homeip.net
agent.my-homeip.net
amanser951.otzo.com
applejp.myfw.us
dds.walshdavis.com
dnsdns1.passas.us
emsit.serveirc.com
etude.servemp3.com
euiro8966.organiccrap.com
faceto.uglyas.com
games.my-homeip.com
hansun.serveblog.net
hosting.tempors.com
indbaba.myfw.us
jennifer998.lookin.at
kazama.myfw.us
kfsinfo.byinter.net
kreng.bounceme.net
kted56erhg.dynssl.com
mycount.mrslove.com
navego.serveblog.net
nayana.adultdns.net
shinkhek.myfw.us
since.qpoe.com
usababa.myfw.us
v3net.rr.nu
wew.mymom.info
# Reference: https://asec.ahnlab.com/1298
# Reference: https://twitter.com/vigilantbeluga/status/1235496629811077121
# Reference: https://otx.alienvault.com/pulse/5e612f6d1dadda20c4314b21
imbc.onthewifi.com
# Reference: https://twitter.com/nao_sec/status/1273209439764406272
# Reference: https://app.any.run/tasks/4c751168-358a-49c9-b751-e5b4aad9b060/
offices-update.com
# Reference: https://securitykitten.github.io/2014/11/25/curious-korlia.html
# Reference: https://www.virustotal.com/gui/ip-address/61.90.202.198/relations
# Reference: https://www.virustotal.com/gui/file/dc9f17c87397428089e70aeea5af47f5588460b4ae5b8effb5370dc742eff1cf/detection
http://61.90.202.198
japanbaba.myfw.us
koreamama.myfw.us
# Reference: https://www.virustotal.com/gui/file/13c5eb2c8deaf1b4b51eac782cc1f1a7c64e2ee8a9a12d37c25b45b09524c354/detection
shinkhw.myfw.us
# Reference: https://www.virustotal.com/gui/file/98c59d682da617f993f3d57bb9e3ff076caa7469ddb0701c46715c25c9c0453d/detection
nancyxi.gotdns.org
nothree.myfw.us
# Reference: https://www.virustotal.com/gui/file/80f8c3c2f44dc514500b49adc31b9b4e269ea2604fc09a94d7e4c6bce18223a1/detection
webmaff.dns05.com
# Reference: https://www.virustotal.com/gui/file/83231d8e25f1c8d74aa9eb07f18dca9154323e0f372b29d89a2ce2dcbfad6cf8/detection
shinkhw.organiccrap.com
# Reference: https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/
http://154.223.175.115/chapter1/user.html/
http://154.95.17.145/chapter1/user.html/
# Reference: https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/shadowpad-novaya-aktivnost-gruppirovki-winnti/ (Russian, # Bisonal IOC)
g00gleru.wikaba.com
# Reference: https://twitter.com/blu3_team/status/951647866531057665
nubpubwizard.jetos.com
worktrs.wikaba.com
# Reference: https://vblocalhost.com/uploads/VB2020-Lunghi-Horejsi.pdf (# Cluster 3)
abulasha-banama.onedumb.com
best.indoingwulearn.com
connts.zzux.com
fdods.my03.com
fdtg.dynamic-dns.net
fose.mos2ioa.com
gotomail.ddns.net
gtfd.mos2ioa.com
hellomydog.compress.to
hellomydog.mrface.com
indoingwulearn.com
lucylucy.ninth.biz
misova.mos2ioa.com
mos2ioa.com
mosclar.mrbonus.com
mvp.onedumb.com
nmbpo.com
nubpubwizard.jetos.com
relerc.ddns.net
shuudans.com
stcinet.com
stcnet.ddns.net
svyaztu.indoingwulearn.com
svyaztulaya.dynamic-dns.net
tsahimt.com
tsowe.2waky.com
tube.compress.to
vip.fartit.com
vip.onedumb.com
worktrs.wikaba.com
yandexmedia.serveuser.com
# Reference: https://vblocalhost.com/uploads/VB2020-Lunghi-Horejsi.pdf (# Cluster 4)
acivo.serveblog.net
adobe-online.com
adoberevise.com
anna111.epac.to
babyhome.lflink.com
babyhome.mefound.com
bluecat.mefound.com
bluesky.jkub.com
chrgeom.system-ns.net
creepbeforeyouwalk.com
developman.ocry.com
doctor-s.dhcp.biz
doctor-s.edns.biz
finance.my-homeip.net
free2015.longmusic.com
freemusic.zzux.com
gedadye.com
gmarket.system-ns.org
home-blog.dynssl.com
hotadobes.com
kakao.myonlineportal.org
lovehome.zzux.com
luckybabys.dnset.com
lucylucy.dynamic-dns.net
media.myonlineportal.net
missca.justdied.com
movie2014.passas.us
music2014.passas.us
officerevise.com
offices-update.com
online-offices.com
redfish.misecure.com
sdkpress.com
serviceonline.otzo.com
tcostream.dhcp.biz
tradekorea.system-ns.org
tvpot.system-ns.org
uacmoscow.com
videoservice.dnset.com
webtvpot.system-ns.org
wikipedia.dnset.com
# Reference: https://vblocalhost.com/uploads/VB2020-Lunghi-Horejsi.pdf (# Cluster 5)
adobeupdata.zzux.com
adobeupdate.dns04.com
baekmaonline.com
beatidc.com
bravojack.justdied.com
chromeupdate.lflink.com
cnnmirror.com
gmailserverweb.com
havsar.com
lubny23.com
maintenance.baekmaonline.com
news-serverweb.com
prettyrose.justdied.com
shop.beatidc.com
store.beatidc.com
support.baekmaonline.com
# Reference: https://vblocalhost.com/uploads/VB2020-Lunghi-Horejsi.pdf (# Cluster 6)
bbc.xxxy.info
daum.xxuz.com
daummail.otzo.com
facegooglebook.mrbasic.com
ftp.sshdd.toythieves.com
golfmsdn.com
manage.yesterdayko.com
msdn.ezua.com
organisea.rutrackerbit.com
rutrackerbit.com
search.yesterdayko.com
sshdd.toythieves.com
tknow.squirly.info
yandex.mrface.com
yesterdayko.com
# Reference: https://www.virustotal.com/gui/file/beb8c6dce6088512ef28a4431ad57ffb198bfe0cce2fa0f9442d1bf0a80c19a1/detection
# Reference: https://www.virustotal.com/gui/file/d5da23df6242a672e8fd520db6d91926c7861c685dfb2b4e6b3cda70935af1a1/detection
# Reference: https://www.virustotal.com/gui/file/b6584fe5d4e1c8fbbae108e79e87f8f82999aaae7b225f84cea3c7b37ab56256/detection
# NOTE(review): the bare path trail below (/krsy/a.asp) carries no host, so it is presumably matched on the request path alone; it is short and generic enough that hits should be corroborated against the system-ns.net hosts above before being treated as a true positive.
search.system-ns.net
ww1.system-ns.net
ww7.system-ns.net
ww12.system-ns.net
/krsy/a.asp
# Reference: https://www.virustotal.com/gui/file/dc9645b7ed1e88442b74be13298afa3d2dcca48e6563c548ce0442140d0246ea/detection
comunity.system-ns.org
# Reference: https://www.virustotal.com/gui/file/d181dc5c6806077378d6951cb3ec67074f0c953b8fde0c9c712331a046d38c8e/detection
jobnate.system-ns.org
# Reference: https://www.virustotal.com/gui/file/969bd3755589e616b8bcf553c7fbad2056a79fcd054edf9594f0ee54256609ac/detection
gomalove.system-ns.org
# Reference: https://twitter.com/8th_grey_owl/status/1412583883137110020
# Reference: https://www.virustotal.com/gui/ip-address/67.205.76.102/relations
# Reference: https://www.virustotal.com/gui/file/677e697644f7c0d83a30e2daaddb93fc5a4707292b4490e8bf8856e87a7a1af4/detection
bitsshare.com
myblogcloud.com
myforumcloud.com
mynotecloud.com
myschedulecloud.com
# Reference: https://www.virustotal.com/gui/file/b1ee236a36f04ca43d3c8e3ad6255b59e13902688d45ec78babcb046eac9e514/detection
103.231.14.134:443
# Reference: https://twitter.com/h2jazi/status/1537536029250490382
# Reference: https://twitter.com/nao_sec/status/1538857219025817605
# Reference: https://twitter.com/GroupIB_TI/status/1625050738933071873
# Reference: https://www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/
# Reference: https://www.group-ib.com/blog/tonto-team/
# Reference: https://www.virustotal.com/gui/ip-address/137.220.176.165/relations
# Reference: https://www.virustotal.com/gui/ip-address/64.233.167.99/relations
# Reference: https://www.virustotal.com/gui/file/c7018ee3783f4b2fb19fedc78c59586390efa1b72c907867794bf42141eb767c/detection
# Reference: https://www.virustotal.com/gui/file/7944fa9cbfef2c7d652f032edc159abeaa1fb4fd64143a8fe3b175095c4519f5/detection
# Reference: https://www.virustotal.com/gui/file/ba2c89192643f05e64f49b5cb3513a6a5bbfa719225af3b72c83587b8b774e8d/detection
# NOTE(review): "upportteam.lingrevelat.com" and "supportteam.lingrevelat.com" below differ by a single leading character; confirm from the VT relations above that both names were actually observed, rather than one being a transcription of the other.
# NOTE(review): the host-less path trails in this group (/siteFiles/index.php?strPageID= and the /ru/... variants) are generic PHP URLs; expect false positives on unrelated sites and triage such hits together with the hosts and IP:port pairs listed here.
http://137.220.176.165
103.85.20.194:443
137.220.176.165:443
lingrevelat.com
thresident.com
wooordhunts.com
instructor.giize.com
news.wooordhunts.com
upportteam.lingrevelat.com
supportteam.lingrevelat.com
/xhome.native.page/datareader.php
/siteFiles/index.php?strPageID=
/ru/news/index.php?strPageID=
/ru/order/index.php?strPageID=
# Reference: https://twitter.com/h2jazi/status/1538914969495928838
# Reference: https://www.virustotal.com/gui/file/a56003dc199224113e9c85b0edb2197d4a4af91b15e7d0710873e2ef848c3221/detection
ramblercloud.com
# Reference: https://asec.ahnlab.com/en/51746/
# Reference: https://otx.alienvault.com/pulse/644fbd07a98ffc006a3e71cc
153.234.77.155:8080
45.133.194.135:8080
hairouni.serveblog.net
# Reference: https://twitter.com/h2jazi/status/1555611666343133185
# Reference: https://asec.ahnlab.com/ko/33948/ (Korean)
# Reference: https://go.recordedfuture.com/hubfs/reports/cta-2023-0919.pdf (# TAG-74, TAG74)
# Reference: https://www.virustotal.com/gui/ip-address/92.38.135.212/relations
# Reference: https://otx.alienvault.com/pulse/62729ce9e66ec5fd15790d3a
# Reference: https://www.virustotal.com/gui/file/56f714b1832d0eb58a688c843d417653b1219d3d0b7644049db7b6156b24274b/detection
alleyk.onthewifi.com
anrnet.servegame.com
asheepa.sytes.net
attachdaum.servecounterstrike.com
attachmaildaum.serveblog.net
attachmaildaum.servecounterstrike.com
bizmeka.viewdns.net
bucketnec.bounceme.net
chsoun.serveftp.com
ckstar.zapto.org
daecheol.myvnc.com
eburim.viewdns.net
eduin21.zapto.org
elecinfonec.servehalflife.com
finance.my-homeip.com
foodlab.hopto.org
formsgle.freedynamicdns.net
formsgle.freedynamicdns.org
fresh.servepics.com
global.freedynamicdns.net
global.freedynamicdns.org
hairouni.serveblog.net
hamonsoft.serveblog.net
hanseo1.hopto.org
harvest.my-homeip.net
hometax.onthewifi.com
hwarang.myddns.me
jaminss.viewdns.net
janara.freedynamicdns.org
jeoash.servemp3.com
jstreco.myftp.biz
kanager.bounceme.net
kcgselect.servehalflife.com
kjmacgk.ddnsking.com
kookmina.servecounterstrike.com
ksd22.myddns.me
kumohhic.viewdns.net
kybook.viewdns.net
leader.gotdns.ch
likms.hopto.org
logindaums.ddnsking.com
loginsdaum.viewdns.net
mafolog.serveminecraft.net
mailplug.ddnsking.com
minjoo2.servehttp.com
mintaek.bounceme.net
munjanara.servehttp.com
necgo.serveblog.net
pattern.webhop.me
pixoneer.myvnc.com
plomacy.ddnsking.com
proeso.servehttp.com
prparty.webhop.me
puacgo1.servemp3.com
saevit.servebeer.com
safety.viewdns.net
samgiblue.servegame.com
sarang.serveminecraft.net
satreci.bounceme.net
sejonglog.hopto.org
signga.redirectme.net
skparty.myonlineportal.org
steering.viewdns.net
stjpmsko.serveblog.net
surveymonkey.myddns.me
themiujoo.viewdns.net
tsuago.servehalflife.com
tsuagos.servehalflife.com
unipedu.servebeer.com
visdpaka.servemp3.com
visual.webhop.me
wwl1764.ddnsking.com