# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: apt19, codoso, c0d0so0, codoso team, deep panda, sunshop group

# Reference: https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html (Network Based Indicators (NBI))

http://104.236.77.169
http://138.68.45.9
http://162.243.143.145
autodiscover.2bunny.com
lyncdiscover.2bunny.com
tk-in-f156.2bunny.com
sfo02s01-in-f2.cloudsend.net

# Reference: https://unit42.paloaltonetworks.com/new-attacks-linked-to-c0d0s0-group/
# Reference: https://www.domaintools.com/resources/blog/domaintools-101-the-art-of-tracking-threat-actors

http://210.181.184.64
http://218.54.139.20
http://42.200.18.194
microsoft-cache.com
supermanbox.org
jbossas.org

# Reference: https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf

ameteksen.com
asconline.we11point.com
assso.net
capstoneturbine.cechire.com
caref1rst.com
careflrst.com
EmpireB1ue.com
extcitrix.we11point.com
facefuture.us
gifas.blogsite.org
gifas.cechire.com
healthslie.com
hrsolutions.we11point.com
icbcqsz.com
kaspersyk.com
me.we11point.com
mycitrix.we11point.com
myhr.we11point.com
oa.ameteksen.com
oa.technical-requre.com
oa.trustneser.com
polarroute.com
prennera.com
savmpet.com
sharepoint-vaeit.com
sinmoung.com
ssl-vaeit.com
ssl-vait.com
topsec2014.com
vipreclod.com
vpn.we11point.com
we11point.com
webmail.kaspersyk.com
webmail.vipreclod.com
wiki-vaeit.com
ysims.com

# Reference: https://attack.mitre.org/wiki/Group/G0009
# Reference: https://krebsonsecurity.com/wp-content/uploads/2015/02/FBI-Flash-Warning-Deep-Panda.pdf

googlewebcache.com
outlookssl.com
images.googlewebcache.com
smtp.outlookssl.com

# Reference: https://twitter.com/unpacker/status/1343143954007482369
# Reference: https://cybergeeks.tech/analyzing-apt19-malware-using-a-step-by-step-method/
# Reference: https://www.virustotal.com/gui/file/8b0877209594dada522e606ebac60ce82ceaa31978e71e7772fd8ae0065d53de/detection

http://106.185.43.96/user/atv.html
google-dash.com
microsoft-cache.com

# Generic

/example/McAltLib.dll
/lifeandstyle/marmalade-paddington-sales-up-making-drinking
/money/ofcom-fines-nuisance-calls
/world/video/shrien-dewani-arrives-uk-murder-trial-collapses-video
