# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: apt34, oilrig, helixkitten

# Reference: https://twitter.com/ClearskySec/status/1026297541581664257

defender-update.com
windowspatch.com
herkhabar.com

# Reference: https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/

rdppath.com
cpuproc.com
acrobatverify.com

# Reference: https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/

withyourface.com

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-01-02: Iranian threat group Oilrig Bahrain decoy)

window5.win

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2017-12-10: Oilrig-APT34)
# Reference: https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html

applicationframehost.in
anyportals.com
dns-update.club
hpserver.online
mumbai-m.site
proxycheker.pro
ressume.site
opendns-server.com
poison-frog.club
tatavpnservices.com
fireeyeupdate.com
chrome-dns.com
microsoft-publisher.com
dnsupdateservers.net
level3-resolvers.net
mslicensecheck.com
miedafire.com
msoffice365update.com
ntpupdateserver.com
outlookteam.live

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2017-11-22: Oilrig - new old sample)

winodwsupdates.me
nsn1.winodwsupdates.me

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2017-11-16: Iranian Oilrig campaign with C2 coldflys[.]com)

coldflys.com

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2017-11-14: ALMA Communicator by Oilrig sample)

prosalar.com

# Reference: https://otx.alienvault.com/pulse/5cb74e5ce1f7e4097ff06255
# Reference: https://misterch0c.blogspot.com/2019/04/apt34-oilrig-leak.html

myleftheart.com

# Reference: https://unit42.paloaltonetworks.com/behind-the-scenes-with-oilrig/
# Reference: https://otx.alienvault.com/pulse/5cc8494e1a6c9c572567ba7f

msoffice-cdn.com
office365-management.com

# Reference: https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
# Reference: https://otx.alienvault.com/pulse/5d3092fc4cd930e8cd6b1f76

http://185.15.247.154
cam-research-ac.com
cdn-edge-akamai.com
offlineearthquake.com

# Reference: https://twitter.com/kyleehmke/status/1151944337598668801

fuktheme.com
goosegoosecome.com
hugebricks.com
offturn.com

# Reference: https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc (2018-05-13: PRB-Backdoor and its connection to Oilrig)
# Reference: https://sec0wn.blogspot.com/2018/05/prb-backdoor-fully-loaded-powershell.html

akamai-global.com
outl00k.net
linledin.net

# Reference: https://twitter.com/silv0123/status/1166399156853846017

withyourface.com

# Reference: https://unit42.paloaltonetworks.com/xhunt-campaign-attacks-on-kuwait-shipping-and-transportation-organizations/ (Table 3.)

whatzapps.net

# Reference: https://twitter.com/ClearskySec/status/1209055280090288131

lcepos.com

# Reference: https://unit42.paloaltonetworks.com/xhunt-campaign-new-watering-hole-identified-for-credential-harvesting/
# Reference: https://otx.alienvault.com/pulse/5e305bb0fdf782ede5a5405b

6google.com
alforatsystem.com
antivirus-update.top
cloudipnameserver.com
ffconnectivitycheck.com
firewallsupports.com
flowconnectivity.com
googie.email
google-update.com
lowconnectivity.com
microsofte-update.com
sakabota.com

# Reference: https://intezer.com/blog-new-iranian-campaign-tailored-to-us-companies-uses-updated-toolset/

manygoodnews.com

# Reference: https://twitter.com/kyleehmke/status/1222970186162155523

hr-westat.com
westat-hr.com

# Reference: https://twitter.com/GoCyberYourself/status/1224020878146654211

godoycrus.com
wastedsituation.com

# Reference: https://twitter.com/kyleehmke/status/1224193166393344002

lebanonbuilder.com

# Reference: https://twitter.com/kyleehmke/status/1224546670576390145

scoorpion.com

# Reference: https://twitter.com/kyleehmke/status/1227993245025738753

rimaga.com

# Reference: https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf
# Reference: https://otx.alienvault.com/pulse/5e498b13d1107f3801d4b0b0

185.32.178.176:80
93.177.75.180:80
95.211.210.55:80
95.211.213.177:80
95.211.213.168:80
95.211.215.225:80
95.211.104.253:80
95.211.215.225:80

# Reference: https://unit42.paloaltonetworks.com/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/

shalaghlagh.tk
go0gIe.com
winodwsupdates.me
update-kernal.net
googleupdate.download
yahoooooomail.com
upgradesystems.info
