# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: apt34, oilrig, helixkitten

# Reference: https://twitter.com/ClearskySec/status/1026297541581664257

defender-update.com
windowspatch.com
herkhabar.com

# Reference: https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/

rdppath.com
cpuproc.com
acrobatverify.com

# Reference: https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/

withyourface.com

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-01-02: Iranian threat group Oilrig Bahrain decoy)

window5.win

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2017-12-10: Oilrig-APT34)
# Reference: https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html

applicationframehost.in
anyportals.com
dns-update.club
hpserver.online
mumbai-m.site
proxycheker.pro
ressume.site
opendns-server.com
poison-frog.club
tatavpnservices.com
fireeyeupdate.com
chrome-dns.com
microsoft-publisher.com
dnsupdateservers.net
level3-resolvers.net
mslicensecheck.com
miedafire.com
msoffice365update.com
ntpupdateserver.com
outlookteam.live

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2017-11-22: Oilrig - new old sample)

winodwsupdates.me
nsn1.winodwsupdates.me

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2017-11-16: Iranian Oilrig campaign with C2 coldflys[.]com)

coldflys.com

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2017-11-14: ALMA Communicator by Oilrig sample)

prosalar.com

# Reference: https://otx.alienvault.com/pulse/5cb74e5ce1f7e4097ff06255
# Reference: https://misterch0c.blogspot.com/2019/04/apt34-oilrig-leak.html

myleftheart.com

# Reference: https://unit42.paloaltonetworks.com/behind-the-scenes-with-oilrig/
# Reference: https://otx.alienvault.com/pulse/5cc8494e1a6c9c572567ba7f

msoffice-cdn.com
office365-management.com

# Reference: https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
# Reference: https://otx.alienvault.com/pulse/5d3092fc4cd930e8cd6b1f76

http://185.15.247.154
cam-research-ac.com
cdn-edge-akamai.com
offlineearthquake.com

# Reference: https://twitter.com/kyleehmke/status/1151944337598668801

fuktheme.com
goosegoosecome.com
hugebricks.com
offturn.com

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-05-13: PRB-Backdoor and its connection to Oilrig)
# Reference: https://sec0wn.blogspot.com/2018/05/prb-backdoor-fully-loaded-powershell.html

akamai-global.com
outl00k.net
linledin.net

# Reference: https://twitter.com/silv0123/status/1166399156853846017

withyourface.com

# Reference: https://unit42.paloaltonetworks.com/xhunt-campaign-attacks-on-kuwait-shipping-and-transportation-organizations/ (Table 3.)

whatzapps.net

# Reference: https://twitter.com/ClearskySec/status/1209055280090288131

lcepos.com

# Reference: https://unit42.paloaltonetworks.com/xhunt-campaign-new-watering-hole-identified-for-credential-harvesting/
# Reference: https://otx.alienvault.com/pulse/5e305bb0fdf782ede5a5405b

6google.com
alforatsystem.com
antivirus-update.top
cloudipnameserver.com
ffconnectivitycheck.com
firewallsupports.com
flowconnectivity.com
googie.email
google-update.com
lowconnectivity.com
microsofte-update.com
sakabota.com

# Reference: https://intezer.com/blog-new-iranian-campaign-tailored-to-us-companies-uses-updated-toolset/

manygoodnews.com

# Reference: https://twitter.com/kyleehmke/status/1222970186162155523

hr-westat.com
westat-hr.com

# Reference: https://twitter.com/GoCyberYourself/status/1224020878146654211

godoycrus.com
wastedsituation.com

# Reference: https://twitter.com/kyleehmke/status/1224193166393344002

lebanonbuilder.com

# Reference: https://twitter.com/kyleehmke/status/1224546670576390145

scoorpion.com

# Reference: https://twitter.com/kyleehmke/status/1227993245025738753

rimaga.com

# Reference: https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf
# Reference: https://otx.alienvault.com/pulse/5e498b13d1107f3801d4b0b0
# Reference: https://kc.mcafee.com/corporate/index?page=content&id=KB92581&locale=en_US
# Reference: https://www.virustotal.com/gui/file/c6e71d457779d2802f78c7526a65268600ead6bf8dd75ef9bee5af85569336ef/behavior/VirusTotal%20Jujubox
# Reference: https://www.virustotal.com/gui/file/40ba95b54dc4cf0754efcfaeef3bbd71aac65882f3c92b8814a82ea02969da84/behavior/Lastline

185.32.178.176:80
93.177.75.180:80
95.211.210.55:80
95.211.213.177:80
95.211.213.168:80
95.211.215.225:80
95.211.104.253:80
95.211.104.253:443
95.211.104.253:2255

# Reference: https://unit42.paloaltonetworks.com/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/

shalaghlagh.tk
go0gIe.com
winodwsupdates.me
update-kernal.net
googleupdate.download
yahoooooomail.com
upgradesystems.info

# Reference: https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/ (RDAT Backdoor)
# Reference: https://otx.alienvault.com/pulse/5f18618ca64fbccf241e8746

acrlee.com
allsecpackupdater.com
digi.shanx.icu
intelligent-finance.site
kizlarsoroyur.com
kopilkaorukov.com
oudax.com
rdmsi.com
sharjatv.com
tprs-servers.eu
wwmal.com

# Reference: https://twitter.com/kyleehmke/status/1305342438479933442

greenkeyllc-projects.com
infopulsejobs.com

# Reference: https://twitter.com/ShadowChasing1/status/1306780216384258049
# Reference: https://www.virustotal.com/gui/file/0ee32e3ea3d83da9df6317d7c8c539f0f3622af82ef242d74fdca1e5d4ee427f/detection

windowscredcity.com

# Reference: https://twitter.com/kyleehmke/status/1332141973403291648

careers-ntiva.com

# Reference: https://twitter.com/kyleehmke/status/1332716197188661248

klwebsrv.com

# Reference: https://www.domaintools.com/resources/blog/identifying-critical-infrastructure-targeting-through-network-creation
# Reference: https://otx.alienvault.com/pulse/5fcfc04c753344dd65c6135d

ababab.biz
alcirineos.com
amazon-loveyou.com
anhuisiafu.com
bargertextiles.com
berqertextiles.com
boardexecutivemanagement.com
boardsexecutives.com
careers-ntiva.com
cererock.com
chinaconstructioncorp.com
clearinghouseinternational.com
connect-roofing.com
cornerstoneconect.com
exmngt.com
groupsexecutive.com
hoganlouells.com
hscminkjet.com
huopay.top
indeptheva.com
jiabolianjie0.com
jinkangpu.co
jlrootfile.com
kent-lawfirm.net
klwebsrv.com
lavalingroup.com
mngtboard.com
oculus-au.info
pet188.biz
petrochinas.com
renrenbaowang.com
renrenbaowang.net
stagmein.pl
superrnax.com
svn-stone.com
us-customs.org
virtual-slots.com
virtualcaresadvisor.com
wilsonconts.com
wiqzi.com
zj-tunq.com
iafflocal290.org/sapm/Poland/china.php

# Reference: https://twitter.com/kyleehmke/status/1338907878455963648

donotfollowmeass.com

# Reference: https://twitter.com/kyleehmke/status/1339410533410369537

acceptplan.com
confusedtown.com
importantgate.com

# Reference: https://twitter.com/kyleehmke/status/1340304704589492225

crucialanswer.com
endlesspromises.com
forecasterman.com
hopeisstamina.com
unsecuredstorage.com

# Reference: https://twitter.com/kyleehmke/status/1349041310704029701

severalfissures.com

# Reference: https://twitter.com/kyleehmke/status/1359828105804869634

pluginmain.com

# Reference: https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/
# Reference: https://otx.alienvault.com/pulse/606f347aadebd8f4dd043ac9

sarmsoftware.com

# Reference: https://twitter.com/AnonySecAgency/status/1405451968374444035
# Reference: https://www.virustotal.com/gui/file/1f47770cc42ac8805060004f203a5f537b7473a36ff41eabb746900b2fa24cc8/detection
# Reference: https://www.virustotal.com/gui/file/cb00ee3f246a3d3af6ba4f97546a39090a55dd8312b8531bd99efa353e267887/detection
# Reference: https://www.virustotal.com/gui/file/f91c5250b33fc5f95495c5e3d63b5fde7ca538178feb253322808b383a26599d/detection

mail.army.gov.lb

# Reference: https://www.virustotal.com/gui/file/08261ed40e21140eb438f16af0233217c701d9b022dce0a45b6e3e1ee2467739/detection

akastatus.com
yciwftaie66jstpmds5sqtahecnue5we.dnsstatus.org
yciwcgakeqowsbrieq1sqtahecq96qca.dnsstatus.org
yciwftaketowstrmehpsqtahecnuetwb.dnsstatus.org
yciwstrnecpwebaletpmqtahecnuec5d.dnsstatus.org
yciwztanet1kcpnjds1wepwacqmz6frgxqlzutrxsmuux.defenderlive.com
yciwfgpmeq5wstpke6psqtahecnue5we.defenderlive.com
yciwfgroetpwetaletomqtahecq96qca.defenderlive.com
yciwzbrue66jsbaoespsqtahecnuetwb.defenderlive.com
