INDICATOR_VALUE | TYPE | ROLE | ATTACK_PHASE | OBSERVED_DATE | DESCRIPTION |
hxxp://hr-suncor[.]com/Suncor_employment_form[.]doc | URL | URL WATCHLIST | DELIVERY | 11/27/2018 | According to open-source analysis, the URL is a spear phishing link that leads to a file containing a malicious macro; the file is designed to look like a legitimate file available on the Suncor Energy website. At the time of analysis, the URL led to file “stat.php” [MD5: ca783981d8cff646eececb652f636a3b]. File is clean according to antivirus engines. |
hxxp://hr-wipro[.]com/Wipro_Working_Conditions[.]doc | URL | URL WATCHLIST | DELIVERY | 1/10/2019 | According to open-source analysis, the URL is a spear phishing link that leads to a malicious file. At the time of analysis, research into the URL did not result in any file information. |
hr-wipro[.]com | FQDN | DOMAIN WATCHLIST | RECONNAISSANCE | 11/27/2018 | According to open-source analysis, this is a malicious domain masquerading as a legitimate website that hosts job listings. At the time of analysis, the domain resolved to IP “185.161.211.79” which is geolocated in the Netherlands. |
hr-suncor[.]com | FQDN | DOMAIN WATCHLIST | RECONNAISSANCE | 11/27/2018 | According to open-source analysis, this is a malicious domain masquerading as a legitimate website that hosts job listings. At the time of analysis, the domain resolved to IP “185.161.211.79” which is geolocated in the Netherlands. |
0ffice36o[.]com | FQDN | DOMAIN WATCHLIST | C2 | 11/27/2018 | According to open-source analysis, this is a C2 server domain for a remote administration tool (RAT) malware and communicates with the malware over HTTP and DNS. At the time of analysis, the domain resolved to IP “185.20.187.8”, which is geolocated in the Netherlands. |
cloudipnameserver[.]com | FQDN | DOMAIN WATCHLIST | RECONNAISSANCE | 1/11/2019 | According to open-source analysis, this domain is one of a number of actor-owned domains that were used as name servers for hijacked infrastructure. At the time of analysis, this domain resolved to IP “209.99.40.222”, which is geolocated in the USA. |
cloudnamedns[.]com | FQDN | DOMAIN WATCHLIST | RECONNAISSANCE | 1/11/2019 | According to open-source analysis, this domain is one of a number of actor-owned domains that were used as name servers for hijacked infrastructure. At the time of analysis, this domain resolved to IP “209.99.40.223”, which is geolocated in the USA. |
lcjcomputing[.]com | FQDN | DOMAIN WATCHLIST | RECONNAISSANCE | 1/11/2019 | According to open-source analysis, this domain is one of a number of actor-owned domains that were used as name servers for hijacked infrastructure. At the time of analysis, this domain resolved to IP “198.54.117.210”, which is geolocated in the USA. |
mmfasi[.]com | FQDN | DOMAIN WATCHLIST | RECONNAISSANCE | 1/11/2019 | According to open-source analysis, this domain is one of a number of actor-owned domains that were used as name servers for hijacked infrastructure. At the time of analysis, this domain resolved to IP “192.64.147.142”, which is geolocated in the USA. |
Interaland[.]com | FQDN | DOMAIN WATCHLIST | RECONNAISSANCE | 1/11/2019 | According to open-source analysis, this domain is one of a number of actor-owned domains that were used as name servers for hijacked infrastructure. At the time of analysis, this domain resolved to IP “52.58.78.16”, which is geolocated in Germany. |
128[.]199[.]50[.]175 | IPV4ADDR | IP_WATCHLIST | C2 | 1/10/2019 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in the Netherlands. |
139[.]162[.]144[.]139 | IPV4ADDR | IP_WATCHLIST | C2 | 1/10/2019 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in Germany. |
139[.]59[.]134[.]216 | IPV4ADDR | IP_WATCHLIST | C2 | 1/10/2019 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in Germany. |
142[.]54[.]179[.]69 | IPV4ADDR | IP_WATCHLIST | C2 | 1/10/2019 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in the USA. |
146[.]185[.]143[.]158 | IPV4ADDR | IP_WATCHLIST | C2 | 1/10/2019 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in the Netherlands. |
178[.]62[.]218[.]244 | IPV4ADDR | IP_WATCHLIST | C2 | 1/10/2019 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in the Netherlands. |
185[.]15[.]247[.]140 | IPV4ADDR | IP_WATCHLIST | C2 | 1/10/2019 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in Germany. |
185[.]161[.]209[.]147 | IPV4ADDR | IP_WATCHLIST | C2 | 1/10/2019 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in the Netherlands. |
185[.]161[.]211[.]72 | IPV4ADDR | IP_WATCHLIST | C2 | 11/27/2018 | According to open-source analysis, this IP supported C2 operations for remote administration tool (RAT) malware. The IP is geolocated in the Netherlands. |
185[.]161[.]211[.]79 | IPV4ADDR | IP_WATCHLIST | C2 | 1/14/2019 | According to open-source analysis, domains “hr-suncor.com” and “hr-wipro.com” resolved to this IP at some point. Both domains are considered to be malicious domains masquerading as legitimate websites that host job listings. The IP is geolocated in the Netherlands and, at the time of analysis, domain “files-sender.com” resolved to it. |
185[.]174[.]101[.]168 | IPV4ADDR | IP_WATCHLIST | C2 | 1/14/2019 | According to open-source analysis, domains “hr-suncor.com” and “hr-wipro.com” resolved to this IP at some point. Both domains are considered to be malicious domains masquerading as legitimate websites that host job listings. The IP is geolocated in the USA. |
185[.]20[.]184[.]138 | IPV4ADDR | IP_WATCHLIST | C2 | 11/27/2018 | According to open-source analysis, this IP supported C2 operations for remote administration tool (RAT) malware. The IP is geolocated in the Netherlands. |
185[.]20[.]187[.]8 | IPV4ADDR | IP_WATCHLIST | C2 | 1/10/2019 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. At the time of analysis, domain “0ffice36o.com” resolved to this IP. The IP is geolocated in the Netherlands. |
185[.]236[.]78[.]63 | IPV4ADDR | IP_WATCHLIST | C2 | 1/14/2019 | According to open-source analysis, this IP was used for establishing a remote desktop protocol (RDP) session over an SSH tunnel. The IP is geolocated in the Netherlands. |
188[.]166[.]119[.]57 | IPV4ADDR | IP_WATCHLIST | C2 | 10/10/2018 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in the Netherlands. |
199[.]247[.]3[.]191 | IPV4ADDR | IP_WATCHLIST | C2 | 1/10/2019 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in Germany. |
206[.]221[.]184[.]133 | IPV4ADDR | IP_WATCHLIST | C2 | 11/20/2018 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in the USA. |
37[.]139[.]11[.]155 | IPV4ADDR | IP_WATCHLIST | C2 | 11/2/2018 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in the Netherlands. At the time of analysis, the newly registered domain “anexamination.info” (1/2/2019) resolved to this IP. |
89[.]163[.]206[.]26 | IPV4ADDR | IP_WATCHLIST | C2 | 1/10/2019 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in Germany. |
82[.]196[.]11[.]127 | IPV4ADDR | IP_WATCHLIST | C2 | 12/1/2018 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in the Netherlands. |
82[.]196[.]8[.]43 | IPV4ADDR | IP_WATCHLIST | C2 | 10/1/2018 | According to open-source analysis, this IP is one of many IPs used by malicious actors to redirect legitimate network traffic. The targeted domain would cease to resolve to its normal IP address and would begin resolving to this actor-controlled infrastructure. The IP is geolocated in the Netherlands. |
9c8507a1fd7d2579777723b53fee1f3e | MD5 | FILE HASH WATCHLIST | INSTALLATION | 11/27/2018 | According to open-source analysis, this file is a sample of remote administration tool (RAT) malware. The malware supports communication over HTTP(S) and DNS with a command and control (C2) server. |
807482efce3397ece64a1ded3d436139 | MD5 | FILE HASH WATCHLIST | INSTALLATION | 11/27/2018 | According to open-source analysis, this file contains malicious macros that lead to the delivery of remote administration tool (RAT) malware. |
C00C9F6EBF2979292D524ACFF19DD306 | MD5 | FILE HASH WATCHLIST | INSTALLATION | 11/27/2018 | According to open-source analysis, this file is a sample of remote administration tool (RAT) malware. The malware supports communication over HTTP(S) and DNS with a command and control (C2) server. |
D2052CB9016DAB6592C532D5EA47CB7E | MD5 | FILE HASH WATCHLIST | INSTALLATION | 11/27/2018 | According to open-source analysis, this file is a sample of remote administration tool (RAT) malware. The malware supports communication over HTTP(S) and DNS with a command and control (C2) server. |
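The rows above give a defender two things to act on: a set of watchlisted values (domains, IPs, file hashes, URLs), and a hijacking pattern in which a victim's domain stops resolving to its normal address and begins resolving to actor-controlled IPs, or is served by actor-owned name servers. The Python below is an added example, not part of the original advisory or any vendor tooling. It parses the pipe-delimited watchlist format, refangs the defanged indicators (hxxp, [.]), and checks DNS observations for those patterns: an A record landing on a watchlisted IP, an NS record under a watchlisted domain, and a resolution that has drifted from the expected address. The IOC rows embedded in it are a subset of the table; the example.test hostnames, the 203.0.113.0/24 addresses and the observations themselves are constructed sample data.

```python
"""Parse a defanged IOC watchlist and check DNS observations against it.

Added example. The embedded IOC rows are copied from the table above; the
hostnames under example.test and the addresses in 203.0.113.0/24 are
constructed sample data (RFC 2606 / RFC 5737 reserved ranges).
"""
import re
from dataclasses import dataclass, field

# Subset of the watchlist above, kept in the table's own defanged format so
# the parser is exercised on realistic input. Read the full table from a file
# in real use.
IOC_TABLE = """\
INDICATOR_VALUE | TYPE | ROLE | ATTACK_PHASE | OBSERVED_DATE | DESCRIPTION |
hxxp://hr-suncor[.]com/Suncor_employment_form[.]doc | URL | URL WATCHLIST | DELIVERY | 11/27/2018 | spear phishing link |
hr-suncor[.]com | FQDN | DOMAIN WATCHLIST | RECONNAISSANCE | 11/27/2018 | lookalike HR domain |
0ffice36o[.]com | FQDN | DOMAIN WATCHLIST | C2 | 11/27/2018 | RAT C2 domain |
cloudnamedns[.]com | FQDN | DOMAIN WATCHLIST | RECONNAISSANCE | 1/11/2019 | actor-owned name server |
185[.]161[.]211[.]79 | IPV4ADDR | IP_WATCHLIST | C2 | 1/14/2019 | hosted hr-suncor.com and hr-wipro.com |
185[.]20[.]187[.]8 | IPV4ADDR | IP_WATCHLIST | C2 | 1/10/2019 | redirect target; hosted 0ffice36o.com |
9c8507a1fd7d2579777723b53fee1f3e | MD5 | FILE HASH WATCHLIST | INSTALLATION | 11/27/2018 | RAT sample |
"""


@dataclass(frozen=True)
class IOC:
    value: str        # refanged, normalised indicator
    type: str         # URL, FQDN, IPV4ADDR, MD5
    role: str
    phase: str
    observed: str
    description: str


@dataclass
class Watchlist:
    domains: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    hashes: set = field(default_factory=set)
    urls: set = field(default_factory=set)


def refang(value: str) -> str:
    """Undo the defanging used in the table: hxxp(s):// -> http(s)://, [.] -> ."""
    value = value.replace("[.]", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", value, flags=re.IGNORECASE)


def parse_ioc_table(text: str) -> list:
    """Parse the pipe-delimited rows; skips the header and malformed lines."""
    iocs = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 6 or cells[0] == "INDICATOR_VALUE":
            continue
        value, typ, role, phase, observed = cells[:5]
        desc = " | ".join(cells[5:])          # description may itself contain '|'
        value = refang(value)
        if typ != "URL":                       # hashes and names compare case-insensitively
            value = value.lower()
        iocs.append(IOC(value, typ, role, phase, observed, desc))
    return iocs


def build_watchlist(iocs) -> Watchlist:
    wl = Watchlist()
    buckets = {"FQDN": wl.domains, "IPV4ADDR": wl.ips, "MD5": wl.hashes, "URL": wl.urls}
    for ioc in iocs:
        if ioc.type in buckets:
            buckets[ioc.type].add(ioc.value)
    return wl


def domain_matches(name: str, watch_domains) -> bool:
    """True if name equals or is a subdomain of a watchlisted domain, so that
    ns1.cloudnamedns.com hits cloudnamedns.com but notcloudnamedns.com does not."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in watch_domains)


def check_observation(obs: dict, wl: Watchlist) -> list:
    """obs has domain, expected_a, a and ns (the last three are sets of strings).
    Returns (finding, domain, detail) tuples, deterministic in order."""
    findings = []
    for ip in sorted(obs["a"] & wl.ips):
        findings.append(("resolves_to_watchlisted_ip", obs["domain"], ip))
    for ns in sorted(obs["ns"]):
        if domain_matches(ns, wl.domains):
            findings.append(("watchlisted_nameserver", obs["domain"], ns))
    drift = obs["a"] - obs["expected_a"]      # the "ceased to resolve to its normal IP" pattern
    if drift:
        findings.append(("resolution_changed", obs["domain"], ",".join(sorted(drift))))
    return findings


# Constructed observations: one clean, one redirected to a watchlisted IP,
# one whose delegation now points at an actor-owned name server.
SAMPLE_OBSERVATIONS = [
    {"domain": "mail.example.test", "expected_a": {"203.0.113.10"},
     "a": {"203.0.113.10"}, "ns": {"ns1.example.test"}},
    {"domain": "vpn.example.test", "expected_a": {"203.0.113.20"},
     "a": {"185.161.211.79"}, "ns": {"ns1.example.test"}},
    {"domain": "portal.example.test", "expected_a": {"203.0.113.30"},
     "a": {"203.0.113.30"}, "ns": {"ns1.cloudnamedns.com", "ns2.cloudnamedns.com"}},
]


def run_checks(observations=SAMPLE_OBSERVATIONS, table=IOC_TABLE) -> list:
    wl = build_watchlist(parse_ioc_table(table))
    return [f for obs in observations for f in check_observation(obs, wl)]


if __name__ == "__main__":
    for kind, domain, detail in run_checks():
        print(f"{kind:28} {domain:22} {detail}")
```

The expected-address comparison is the check that catches a hijack before the attacker's IP is on anyone's watchlist; the watchlist matches are corroboration. Feed it the A and NS records your resolver returns for your own zones, compared against the records you published at the registrar.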