Permalink
Cannot retrieve contributors at this time
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
607 lines (537 sloc)
9.74 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Post-Gamaredon-Feb-2022 blog release IoC update | |
| # 16FEB2022 | |
| # note that clustering may not be authoritative | |
| # LNK files | |
| # These were not observed in earlier campaigns and seem to be a new dropper technique | |
| 19888c043afde1f63f25a807192170bc65377e6c89f693ad7af70c0a03a349ed | |
| 60539634489764d9e590433ef632727aa465075befcb4f2d4f60405c0f8e600c | |
| be7d70fb705c74f2de86db2b34f3e7587e5b3ded2d02eaad48fcfee426379372 | |
| 782a8cc34746ca1ffc7cd83a9cc4cd64c60de2e69622a06d2a01792df2e2573c | |
| 7c2c376300c1fc562521196458c2594edac152f1ad944c517927b5a12193980c | |
| 3d80541e59b4bedac6bd275514c0941b1478d62d6ef8b8560720d05a83c0a910 | |
| # Cluster 1 - new domains | |
| maonas.ru | |
| nastorlam.ru | |
| nokitrav.ru | |
| postoral.ru | |
| rebatok.ru | |
| sadotra.ru | |
| lotorsas.ru | |
| diletras.ru | |
| distorhan.ru | |
| filopar.ru | |
| firatoska.ru | |
| gartisop.ru | |
| giltorad.ru | |
| hikorto.ru | |
| jenipot.ru | |
| jistarka.ru | |
| jolopar.ru | |
| koloparto.ru | |
| koutora.ru | |
| mavzolit.ru | |
| milotor.ru | |
| potrahid.ru | |
| shaparto.ru | |
| skripotan.ru | |
| somebodar.ru | |
| turikar.ru | |
| vartogal.ru | |
| bolotran.ru | |
| corintar.ru | |
| drumtar.ru | |
| filikato.ru | |
| fortuskan.ru | |
| giboltar.ru | |
| giroed.ru | |
| golitus.ru | |
| hikorta.ru | |
| holotras.ru | |
| hotilar.ru | |
| kassanfo.ru | |
| kolopart.ru | |
| kolotara.ru | |
| lestori.ru | |
| mafdis.ru | |
| mirtokla.ru | |
| nintara.ru | |
| ringali.ru | |
| tirotar.ru | |
| videotri.ru | |
| vivaldar.ru | |
| # Cluster 1b - linked by WHOIS message-yandex.ru@mail.ru | |
| # Note that this email links to cluster 1 historic origins | |
| # also seen in domains back to 2017 | |
| # These are active registrations as of Feb 2022. Approximately 200 expired not listed. | |
| emailinfo.site | |
| downloadfiles.website | |
| email-inbox.site | |
| ukrnet.site | |
| settings-ukr.net | |
| email-smtp.online | |
| assasysa.online | |
| eyeofra.online | |
| email-info.online | |
| acridoxena.online | |
| hewaniana.online | |
| erythrocephala.online | |
| acantholyda.online | |
| severodoneck.site | |
| admin-gmail.online | |
| account-google.site | |
| file-check.site | |
| sebaer.xyz | |
| triturus.xyz | |
| taphrometopon.xyz | |
| splendensi.xyz | |
| schrenchi.xyz | |
| salamandras.xyz | |
| rutilus.xyz | |
| reticulatus.xyz | |
| pugnax.xyz | |
| molurus.xyz | |
| maculosa.xyz | |
| lineolatum.xyz | |
| glanisa.xyz | |
| cristatus.xyz | |
| chaetodon.xyz | |
| bettar.xyz | |
| mesogonistius.xyz | |
| temporaria.xyz | |
| reinvardtii.xyz | |
| macropodus.xyz | |
| lotari.xyz | |
| fluviatilis.xyz | |
| ridibunda.xyz | |
| ranar.xyz | |
| mystaceus.xyz | |
| arvalis.xyz | |
| carassiusis.xyz | |
| phyllomedusa.xyz | |
| hypochondralis.xyz | |
| gastrotheca.xyz | |
| callichthys.xyz | |
| sclerops.xyz | |
| phrynocephalus.xyz | |
| ophisaurusis.xyz | |
| niloticu.xyz | |
| marsupiata.xyz | |
| jordanella.xyz | |
| igneus.xyz | |
| hylar.xyz | |
| gibelio.xyz | |
| geophagusi.xyz | |
| gasterosteus.xyz | |
| floridae.xyz | |
| crocodilus.xyz | |
| carassiuss.xyz | |
| caimana.xyz | |
| brasiliensisi.xyz | |
| bombinators.xyz | |
| avratus.xyz | |
| auratus.xyz | |
| apusa.xyz | |
| aculeatus.xyz | |
| ua-email.press | |
| rhinoderma.xyz | |
| pipasa.xyz | |
| ophisaurus.xyz | |
| obstetricans.xyz | |
| darvini.xyz | |
| bufol.xyz | |
| bombinator.xyz | |
| apusi.xyz | |
| alytes.xyz | |
| trichopodus.xyz | |
| gavialis.xyz | |
| trichopterus.xyz | |
| leeri.xyz | |
| eversmanni.xyz | |
| scincus.xyz | |
| rhodeus.xyz | |
| nemachilus.xyz | |
| murinus.xyz | |
| misgurnus.xyz | |
| lebetina.xyz | |
| horridus.xyz | |
| gymnodactylus.xyz | |
| griseus.xyz | |
| gangeticus.xyz | |
| fragilis.xyz | |
| fossilis.xyz | |
| crossobamon.xyz | |
| caspius.xyz | |
| berus.xyz | |
| barbatulus.xyz | |
| anguisa.xyz | |
| amarus.xyz | |
| ambystoma.xyz | |
| alligatori.xyz | |
| agamat.xyz | |
| acaciana.xyz | |
| adonisis.xyz | |
| bartli.xyz | |
| achilleas.xyz | |
| camphorat.xyz | |
| acorusis.xyz | |
| willder.xyz | |
| wallich.xyz | |
| vernalisa.xyz | |
| senegala.xyz | |
| precatoriusis.xyz | |
| millefolium.xyz | |
| ferrox.xyz | |
| cynapiuma.xyz | |
| calamusi.xyz | |
| betulina.xyz | |
| barosma.xyz | |
| aethusas.xyz | |
| adonisi.xyz | |
| abrusa.xyz | |
| anamirtat.xyz | |
| althaean.xyz | |
| silvestris.xyz | |
| occidentale.xyz | |
| montanar.xyz | |
| macrotomias.xyz | |
| hypogaeat.xyz | |
| cotular.xyz | |
| cephalotes.xyz | |
| catechur.xyz | |
| arvensis.xyz | |
| anthriscus.xyz | |
| alpiniar.xyz | |
| artemisian.xyz | |
| absinthiuma.xyz | |
| oleifera.xyz | |
| juncear.xyz | |
| hiemalis.xyz | |
| papayana.xyz | |
| kyiv-mail.site | |
| maculatum.xyz | |
| claviceps.xyz | |
| autumnale.xyz | |
| fionar.xyz | |
| eluteria.xyz | |
| coriandrum.xyz | |
| settings-google.site | |
| cyminum.xyz | |
| dracod.xyz | |
| cuminum.xyz | |
| calamuss.xyz | |
| duboisia.xyz | |
| dipterocarpus.xyz | |
| cardamomum.xyz | |
| capillaceum.xyz | |
| buhse.xyz | |
| boiss.xyz | |
| aspidium.xyz | |
| ammoniacum.xyz | |
| blockpost.space | |
| blockpost.website | |
| blockpost.site | |
| gelsemium.xyz | |
| canadensis.website | |
| barbadense.space | |
| abyssinica.website | |
| bitsbitsk.space | |
| bitsbitsi.space | |
| bitsbitsl.space | |
| bitsbitsc.space | |
| bitsbitsd.space | |
| bitsbitsb.space | |
| bitsbitsa.space | |
| metrika.site | |
| ardinvest.site | |
| bitsadmin4.space | |
| email-gov.site | |
| mil-gov.site | |
| bitsadmin3.space | |
| adblocked.space | |
| bitsadmin2.space | |
| # Cluster 4 - from Microsoft MSTIC Report | |
| # comparable to cluster 3 | |
| artisola.ru | |
| lotorgas.ru | |
| gitrostan.ru | |
| # Cluster 5 - from Microsoft MSTIC Report | |
| # Used by PS malware | |
| retarus.ru | |
| calendas.ru | |
| corolain.ru | |
| goloser.ru | |
| alacritas.ru | |
| # Cluster 6 - from Microsoft MSTIC report (older) | |
| # Word docs | |
| acetica.online | |
| mail-check.ru | |
| word-expert.online | |
| # Cluster 7 | |
| # Has links to Cluster 1 but appears to be a unique sub-cluster | |
| libellus.ru | |
| barbatas.online | |
| floundera.online | |
| plaicer.ru | |
| barbatas.ru | |
| ferruminatio.ru | |
| privigna.online | |
| mullus.online | |
| sardanal.ru | |
| puppis.ru | |
| goatfish.ru | |
| libellus.online | |
| mulleti.ru | |
| puppis.online | |
| tectaconstrata.online | |
| barbatam.online | |
| mullus.ru | |
| barbatus.online | |
| ferruminatio.online | |
| sardanal.online | |
| privigna.ru | |
| tectaconstrata.ru | |
| # More cluster 7 from Pivot on WHOIS tank-bank15@yandex.ru +7.9789224690 | |
| solerat.online | |
| plaicer.online | |
| mulleti.online | |
| goatfish.online | |
| flatfisha.online | |
| bonitol.online | |
| # Cluster 8 | |
| # Lone domain - may find links with some more history | |
| neslovo.ru | |
| # Cluster 9 | |
| # Only cluster observed still using some NoIP DDNS domains | |
| # Also not using reg.ru for hosting | |
| coagula.online | |
| phymateus.online | |
| tortunas.ru | |
| upload-dt.hopto.org | |
| upload-lk.hopto.org | |
| up-dot.hopto.org | |
| up-lnk.hopto.org | |
| # Cluster 9 WHOIS Pivot macrobit@inbox.ru +7.9789224559 | |
| abrumpere.online | |
| acanthophis.online | |
| acetobacter.online | |
| achalinus.online | |
| acrididae.online | |
| agaricusa.online | |
| albatrellus.online | |
| alburnus.online | |
| alicui.online | |
| anisoptera.online | |
| anolis.online | |
| antarcticus.online | |
| apaturinae.online | |
| apidaet.online | |
| apoxipodes.online | |
| arachnidas.online | |
| archaicus.online | |
| archiepiscopus.online | |
| arctiidae.online | |
| asilidae.online | |
| asymmetria.online | |
| atlanticos.site | |
| babylont.online | |
| bacilluse.online | |
| biblidinae.online | |
| blaberidae.online | |
| blattodea.online | |
| boniton.site | |
| botaurus.online | |
| brachycera.online | |
| burhinus.online | |
| campestri.online | |
| carinatus.online | |
| carolinensis.online | |
| cerambycidae.online | |
| cereusi.online | |
| chelicerata.online | |
| cichlasoma.online | |
| ciconiat.online | |
| circulas.online | |
| clonorchis.online | |
| clupeonella.online | |
| coeruleus.online | |
| coleopteras.online | |
| coliadinae.online | |
| cololabis.online | |
| conscindere.online | |
| corvusi.online | |
| cultiventris.online | |
| cyrestinae.online | |
| danainae.online | |
| decursio.online | |
| differre.online | |
| difformis.online | |
| dionysi.online | |
| dipteran.online | |
| discedere.online | |
| discouti.online | |
| discrepare.online | |
| disjungere.online | |
| diversiformis.online | |
| dividere.online | |
| email-online.site | |
| empusidae.online | |
| emysi.online | |
| eryxis.online | |
| eurypterida.online | |
| extrado.online | |
| exundare.online | |
| facetum.online | |
| fanniidae.online | |
| fasciolas.online | |
| felineus.online | |
| flatfish.site | |
| flounder.site | |
| fnhn.online | |
| fnrn.online | |
| formosanus.online | |
| fossor.online | |
| goatfish.site | |
| golintras.site | |
| gonepteryx.online | |
| gorimana.site | |
| gov-ua.pw | |
| graeca.online | |
| graphiuma.online | |
| graphosoma.online | |
| gromphadorhina.online | |
| gurmou.site | |
| hakena.online | |
| halibut.site | |
| hamadryas.online | |
| haplochromis.online | |
| heliconiinae.online | |
| hepatica.online | |
| herpetodryas.online | |
| herrings.site | |
| hesperiidae.online | |
| heteroptera.online | |
| heterotypus.online | |
| hierodula.online | |
| hippoglossus.online | |
| hkjn.online | |
| hkol.online | |
| hohlomida.site | |
| holodosiz.site | |
| homoptera.online | |
| horivana.site | |
| hpoi.online | |
| hymenoptera.online | |
| id-metrika.site | |
| inachis.online | |
| incursio.online | |
| incursionibus.online | |
| incursus.online | |
| intumescere.online | |
| irritabilitas.online | |
| jaculusan.online | |
| kallima.online | |
| khjs.online | |
| khpf.online | |
| kjoi.online | |
| labefacere.online | |
| labefactare.online | |
| lacerare.online | |
| latesa.online | |
| lepidopteras.online | |
| libellulat.online | |
| libellulidae.online | |
| limenitidinae.online | |
| limenitis.online | |
| limosa.online | |
| limulusa.online | |
| lophacris.online | |
| lovarinda.site | |
| lusciniar.online | |
| lycaenidae.online | |
| mackereli.site | |
| maniola.online | |
| mantidae.online | |
| mantodeas.online | |
| meandrusas.online | |
| megascolias.online | |
| megatos.online | |
| melitaeas.online | |
| merostomata.online | |
| mesant.online | |
| metcalfas.online | |
| morphinaes.online | |
| morphon.online | |
| mortivan.site | |
| mugil.online | |
| mulletin.site | |
| natrixy.online | |
| nematoceras.online | |
| nilesa.site | |
| niloticus.online | |
| noctuidaes.online | |
| nymphalidaes.online | |
| office360-expert.online | |
| orbicularis.online | |
| ovinus.online | |
| panchax.online | |
| papiliot.online | |
| perchi.site | |
| petulans.online | |
| pfkj.online | |
| pilcharda.site | |
| plaices.site | |
| plantora.online | |
| polyphemus.online | |
| pomfreti.online | |
| portunio.site | |
| rainbowt.site | |
| regionem.online | |
| rufescens.online | |
| rumpere.online | |
| sairanat.online | |
| salmoni.site | |
| saltator.online | |
| saury.site | |
| sauryn.online | |
| scolopaxys.online | |
| scorpiones.online | |
| shaperi.online | |
| silvicol.online | |
| sinensisa.online | |
| soled.site | |
| sphaerion.online | |
| sprata.online | |
| sprata.site | |
| spratan.online | |
| stealheada.site | |
| stellarisa.online | |
| strigigena.online | |
| suaveolens.online | |
| sufflari.online | |
| suffundi.online | |
| suffunditur.online | |
| superfluere.online | |
| superfundi.online | |
| superventus.online | |
| testudos.online | |
| tilapian.online | |
| tnoi.online | |
| trouta.site | |
| tunara.online | |
| turgescere.online | |
| ugorado.online | |
| usa-national.info | |
| variare.online | |
| vincula.online | |
| viraglo.site | |
| vitrokaz.site | |
| who-int.info | |
| xiphosura.online | |
| # Cluster 10 | |
| desandra.ru | |
| votifa.ru | |
| # Cluster 11 nsfocusglobal[.]com/russian-apt-group-gamaredon-launches-phishing-campaign-against-ukrainian-ministry-of-foreign-affairs/ | |
| # Use very different techniques: | |
| # Changes reg[.]ru IPs frequently but all on same /24 and all massively-shared, domain is old (2019) and .fun TLD | |
| # Traced back and confirmed it's linked to old "Cluster 1" infrastructure. | |
| normandia.fun | |