# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: bisonal, tonto

# Reference: https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/

euiro8966.organiccrap.com
games.my-homeip.com
jennifer998.lookin.at
kted56erhg.dynssl.com
hosting.tempors.com

# Reference: https://twitter.com/Vishnyak0v/status/1216689015035977730

etude.servemp3.com

# Reference: https://docs.google.com/spreadsheets/d/1lDzylI6Jymz7EE0agRVUsL3kwmJSRDjXYjr5l5MUOEk/edit#gid=127522608 (# Bisonal)

svyaztulaya.dynamic-dns.net
uacmoscow.com

# Reference: https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html

0906.toh.info
21kmg.my-homeip.net
agent.my-homeip.net
amanser951.otzo.com
applejp.myfw.us
dds.walshdavis.com
dnsdns1.passas.us
emsit.serveirc.com
etude.servemp3.com
euiro8966.organiccrap.com
faceto.uglyas.com
games.my-homeip.com
hansun.serveblog.net
hosting.tempors.com
indbaba.myfw.us
jennifer998.lookin.at
kazama.myfw.us
kfsinfo.byinter.net
kreng.bounceme.net
kted56erhg.dynssl.com
mycount.mrslove.com
navego.serveblog.net
nayana.adultdns.net
shinkhek.myfw.us
since.qpoe.com
usababa.myfw.us
v3net.rr.nu
wew.mymom.info

# Reference: https://asec.ahnlab.com/1298
# Reference: https://twitter.com/vigilantbeluga/status/1235496629811077121
# Reference: https://otx.alienvault.com/pulse/5e612f6d1dadda20c4314b21

imbc.onthewifi.com

# Reference: https://twitter.com/nao_sec/status/1273209439764406272
# Reference: https://app.any.run/tasks/4c751168-358a-49c9-b751-e5b4aad9b060/

offices-update.com

# Reference: https://securitykitten.github.io/2014/11/25/curious-korlia.html
# Reference: https://www.virustotal.com/gui/ip-address/61.90.202.198/relations
# Reference: https://www.virustotal.com/gui/file/dc9f17c87397428089e70aeea5af47f5588460b4ae5b8effb5370dc742eff1cf/detection

http://61.90.202.198
japanbaba.myfw.us
koreamama.myfw.us

# Reference: https://www.virustotal.com/gui/file/13c5eb2c8deaf1b4b51eac782cc1f1a7c64e2ee8a9a12d37c25b45b09524c354/detection

shinkhw.myfw.us

# Reference: https://www.virustotal.com/gui/file/98c59d682da617f993f3d57bb9e3ff076caa7469ddb0701c46715c25c9c0453d/detection

nancyxi.gotdns.org
nothree.myfw.us

# Reference: https://www.virustotal.com/gui/file/80f8c3c2f44dc514500b49adc31b9b4e269ea2604fc09a94d7e4c6bce18223a1/detection

webmaff.dns05.com

# Reference: https://www.virustotal.com/gui/file/83231d8e25f1c8d74aa9eb07f18dca9154323e0f372b29d89a2ce2dcbfad6cf8/detection

shinkhw.organiccrap.com

# Reference: https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/

http://154.223.175.115/chapter1/user.html/
http://154.95.17.145/chapter1/user.html/

# Reference: https://www.ptsecurity.com/ru-ru/research/pt-esc-threat-intelligence/shadowpad-novaya-aktivnost-gruppirovki-winnti/ (Russian, # Bisonal IOC)

g00gleru.wikaba.com

# Reference: https://twitter.com/blu3_team/status/951647866531057665

nubpubwizard.jetos.com
worktrs.wikaba.com

# Reference: https://vblocalhost.com/uploads/VB2020-Lunghi-Horejsi.pdf (# Cluster 3)

abulasha-banama.onedumb.com
best.indoingwulearn.com
connts.zzux.com
fdods.my03.com
fdtg.dynamic-dns.net
fose.mos2ioa.com
gotomail.ddns.net
gtfd.mos2ioa.com
hellomydog.compress.to
hellomydog.mrface.com
indoingwulearn.com
lucylucy.ninth.biz
misova.mos2ioa.com
mos2ioa.com
mosclar.mrbonus.com
mvp.onedumb.com
nmbpo.com
nubpubwizard.jetos.com
relerc.ddns.net
shuudans.com
stcinet.com
stcnet.ddns.net
svyaztu.indoingwulearn.com
svyaztulaya.dynamic-dns.net
tsahimt.com
tsowe.2waky.com
tube.compress.to
vip.fartit.com
vip.onedumb.com
worktrs.wikaba.com
yandexmedia.serveuser.com

# Reference: https://vblocalhost.com/uploads/VB2020-Lunghi-Horejsi.pdf (# Cluster 4)

acivo.serveblog.net
adobe-online.com
adoberevise.com
anna111.epac.to
babyhome.lflink.com
babyhome.mefound.com
bluecat.mefound.com
bluesky.jkub.com
chrgeom.system-ns.net
creepbeforeyouwalk.com
developman.ocry.com
doctor-s.dhcp.biz
doctor-s.edns.biz
finance.my-homeip.net
free2015.longmusic.com
freemusic.zzux.com
gedadye.com
gmarket.system-ns.org
home-blog.dynssl.com
hotadobes.com
kakao.myonlineportal.org
lovehome.zzux.com
luckybabys.dnset.com
lucylucy.dynamic-dns.net
media.myonlineportal.net
missca.justdied.com
movie2014.passas.us
music2014.passas.us
officerevise.com
offices-update.com
online-offices.com
redfish.misecure.com
sdkpress.com
serviceonline.otzo.com
tcostream.dhcp.biz
tradekorea.system-ns.org
tvpot.system-ns.org
uacmoscow.com
videoservice.dnset.com
webtvpot.system-ns.org
wikipedia.dnset.com

# Reference: https://vblocalhost.com/uploads/VB2020-Lunghi-Horejsi.pdf (# Cluster 5)

adobeupdata.zzux.com
adobeupdate.dns04.com
baekmaonline.com
beatidc.com
bravojack.justdied.com
chromeupdate.lflink.com
cnnmirror.com
gmailserverweb.com
havsar.com
lubny23.com
maintenance.baekmaonline.com
news-serverweb.com
prettyrose.justdied.com
shop.beatidc.com
store.beatidc.com
support.baekmaonline.com

# Reference: https://vblocalhost.com/uploads/VB2020-Lunghi-Horejsi.pdf (# Cluster 6)

bbc.xxxy.info
daum.xxuz.com
daummail.otzo.com
facegooglebook.mrbasic.com
ftp.sshdd.toythieves.com
golfmsdn.com
manage.yesterdayko.com
msdn.ezua.com
organisea.rutrackerbit.com
rutrackerbit.com
search.yesterdayko.com
sshdd.toythieves.com
tknow.squirly.info
yandex.mrface.com
yesterdayko.com

# Reference: https://www.virustotal.com/gui/file/beb8c6dce6088512ef28a4431ad57ffb198bfe0cce2fa0f9442d1bf0a80c19a1/detection
# Reference: https://www.virustotal.com/gui/file/d5da23df6242a672e8fd520db6d91926c7861c685dfb2b4e6b3cda70935af1a1/detection
# Reference: https://www.virustotal.com/gui/file/b6584fe5d4e1c8fbbae108e79e87f8f82999aaae7b225f84cea3c7b37ab56256/detection

search.system-ns.net
ww1.system-ns.net
ww7.system-ns.net
ww12.system-ns.net
/krsy/a.asp

# Reference: https://www.virustotal.com/gui/file/dc9645b7ed1e88442b74be13298afa3d2dcca48e6563c548ce0442140d0246ea/detection

comunity.system-ns.org

# Reference: https://www.virustotal.com/gui/file/d181dc5c6806077378d6951cb3ec67074f0c953b8fde0c9c712331a046d38c8e/detection

jobnate.system-ns.org

# Reference: https://www.virustotal.com/gui/file/969bd3755589e616b8bcf553c7fbad2056a79fcd054edf9594f0ee54256609ac/detection

gomalove.system-ns.org
