
# Copyright (c) 2014-2020 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: konni, nokki

# Reference: https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/

/./pds/data/upload.php
/./pds/down/
/common/doc
/common/exe
/de/de_includes/mail/yandex.ru/donwload.php
/weget/upload.php
/weget/uploadtm.php

# Reference: https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/

kmbr1.nitesbr1.org

# Reference: https://twitter.com/bitsofbinary/status/1121356851759734786
# Reference: https://otx.alienvault.com/pulse/5cc2d732b9b05ddae2d59738

upgradesrv.890m.com

# Reference: https://blog.alyac.co.kr/2347 (Korean)

http://202.168.155.156
naiei-aldiel.16mb.com
naoei3-tosma.96.lt
upgradesrv.890m.com

# Reference: https://twitter.com/Timele9527/status/1139805856009035776

stream.nshc.net

# Reference: https://twitter.com/Timele9527/status/1149501545886519296
# Reference: https://otx.alienvault.com/pulse/5d2ca6c5e6be8b07f9099c55

http://194.124.34.62
http://193.148.16.45
attachment-download.net
download-daum.net
downloader-hanmail.net
downloader-naver.com
eazybilldelivery.com
eazybillkorea.com
filer-download.com
karachi-pk.com
karachi-tan.com
naver-download.com
naverservice.com
online-kor.com
standadbankgroup.com

# Reference: https://twitter.com/cyberwar_15/status/1166592637371060226

app-wallet.com

# Reference: https://blog.alyac.co.kr/2486 (Korean)
# Reference: https://otx.alienvault.com/pulse/5d68ffff718c253183ab84f1

163-mail-vertify.com
attach-download.com
attach-download.net
attach-filedown.net
attachment-download.net
change-pw.com
corkmusicstation.com
down-error.com
download-daum.net
downloader-hanmail.net
downloader-naver.com
fighiting1013.org
filer-download.com
files-download.net
grnaeil.com
hanrnaii.net
intercasher.com
interpuber.com
karachi-pk.com
karachi-tan.com
mail-securiety.com
manage-download.com
manage-downloader.com
naerver.com
nidhelpnaver.com
nuaver.com
rnaeil.com
rnaii.com
rnail-163.com
rnail-inbox.com
rnailb.com
rnailm.com
rnailn.com
rnailo.com
rneail.com
seoulhobi.biz
tjustpassby.it
webrnail.com
webrnail.net

# Reference: https://twitter.com/h4ckak/status/1168524544107134977

upsrv.16mb.com

# Reference: https://blog.alyac.co.kr/2486 (Korean)

handicap.eu5.org

# Reference: https://twitter.com/Rmy_Reserve/status/1175989476155215878

panda2019.eu5.org

# Reference: https://asec.ahnlab.com/1251
# Reference: https://otx.alienvault.com/pulse/5d888b2d81bd27e2849f5054

down1-naver.com
filedownload2.com
tomasresult.com

# Reference: https://blog.alyac.co.kr/2535 (Korean)
# Reference: https://otx.alienvault.com/pulse/5d8dd319bff875c7203a4ff1

clean.1apps.com

# Reference: https://blog.alyac.co.kr/2543 (Korean)
# Reference: https://otx.alienvault.com/pulse/5d932f77c1b4106e0abc73e7

pelham-holles.com

# Reference: https://twitter.com/cyberwar_15/status/1205392858829619201

oaass-torrent.com

# Reference: https://twitter.com/cyberwar_15/status/1205393847372484608

http://2.56.151.8

# Reference: https://twitter.com/cyberwar_15/status/1205393076425875456

apksbank.com
ondownloadapk.com
freeapksapps.com
murratto.com

# Reference: https://blog.alyac.co.kr/2660 (Korean)
# Reference: https://asec.ahnlab.com/1277 (Korean)
# Reference: https://otx.alienvault.com/pulse/5df35c9471c37675f77f3d2a

down-error2.com
error-hanmail.net
error-naver.com
kan-smiko.com
mallesr.com
nottingham39483.com

# Reference: https://twitter.com/RedDrip7/status/1217662203022598144

firefox-plug.c1.biz
lookyes.c1.biz

# Reference: https://twitter.com/navSi16/status/1217743676455055360
# Reference: https://twitter.com/Timele9527/status/1217751641136304128
# Reference: https://www.virustotal.com/gui/file/107204043717ef14e2439eb938cd9b1e94b62827f772dbb2005773a9ee746b02/detection

win10-ms.c1.biz

# Reference: https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/
# Reference: https://otx.alienvault.com/pulse/5e29bc82175f51b3a3a75891

downplease.c1.biz
downyes.c1.biz

# Reference: https://twitter.com/WaChinYu1/status/1242394804337676288

docview.mygamesonline.org
phpview.mygamesonline.org

# Reference: https://twitter.com/ShadowChasing1/status/1265263606448324608
# Reference: https://twitter.com/ShadowChasing1/status/1265266076599726080

adobeevent.medianewsonline.com
authadobe.medianewsonline.com

# Reference: https://twitter.com/spider_girl22/status/1270933997900578820

resulview.com

# Reference: https://twitter.com/Xxx_8885/status/1272355090473480192
# Reference: https://www.virustotal.com/gui/file/e4656d6eec6fd339f50db2a01a6ab446903761b274afd3440b6d9bdb44cc226a/detection
# Reference: https://www.virustotal.com/gui/file/589c06f6a258a45501a7f1b9501f0c8113bfe1caf3eb5c502652bc62ee7cd3b0/detection
# Reference: https://www.virustotal.com/gui/ip-address/27.255.77.110/relations

http://27.255.77.110
