# Post-Gamaredon-Feb-2022 blog release IoC update
# 16FEB2022
# Note that the clustering may not be authoritative
# LNK files
# These were not observed in earlier campaigns and seem to be a new dropper technique
19888c043afde1f63f25a807192170bc65377e6c89f693ad7af70c0a03a349ed
60539634489764d9e590433ef632727aa465075befcb4f2d4f60405c0f8e600c
be7d70fb705c74f2de86db2b34f3e7587e5b3ded2d02eaad48fcfee426379372
782a8cc34746ca1ffc7cd83a9cc4cd64c60de2e69622a06d2a01792df2e2573c
7c2c376300c1fc562521196458c2594edac152f1ad944c517927b5a12193980c
3d80541e59b4bedac6bd275514c0941b1478d62d6ef8b8560720d05a83c0a910
# Cluster 1 - new domains
maonas.ru
nastorlam.ru
nokitrav.ru
postoral.ru
rebatok.ru
sadotra.ru
lotorsas.ru
diletras.ru
distorhan.ru
filopar.ru
firatoska.ru
gartisop.ru
giltorad.ru
hikorto.ru
jenipot.ru
jistarka.ru
jolopar.ru
koloparto.ru
koutora.ru
mavzolit.ru
milotor.ru
potrahid.ru
shaparto.ru
skripotan.ru
somebodar.ru
turikar.ru
vartogal.ru
bolotran.ru
corintar.ru
drumtar.ru
filikato.ru
fortuskan.ru
giboltar.ru
giroed.ru
golitus.ru
hikorta.ru
holotras.ru
hotilar.ru
kassanfo.ru
kolopart.ru
kolotara.ru
lestori.ru
mafdis.ru
mirtokla.ru
nintara.ru
ringali.ru
tirotar.ru
videotri.ru
vivaldar.ru
# Cluster 1b - linked by WHOIS message-yandex.ru@mail.ru
# Note that this email links to cluster 1 historic origins
# also seen in domains back to 2017
# These are active registrations as of Feb 2022. Approximately 200 expired registrations are not listed.
emailinfo.site
downloadfiles.website
email-inbox.site
ukrnet.site
settings-ukr.net
email-smtp.online
assasysa.online
eyeofra.online
email-info.online
acridoxena.online
hewaniana.online
erythrocephala.online
acantholyda.online
severodoneck.site
admin-gmail.online
account-google.site
file-check.site
sebaer.xyz
triturus.xyz
taphrometopon.xyz
splendensi.xyz
schrenchi.xyz
salamandras.xyz
rutilus.xyz
reticulatus.xyz
pugnax.xyz
molurus.xyz
maculosa.xyz
lineolatum.xyz
glanisa.xyz
cristatus.xyz
chaetodon.xyz
bettar.xyz
mesogonistius.xyz
temporaria.xyz
reinvardtii.xyz
macropodus.xyz
lotari.xyz
fluviatilis.xyz
ridibunda.xyz
ranar.xyz
mystaceus.xyz
arvalis.xyz
carassiusis.xyz
phyllomedusa.xyz
hypochondralis.xyz
gastrotheca.xyz
callichthys.xyz
sclerops.xyz
phrynocephalus.xyz
ophisaurusis.xyz
niloticu.xyz
marsupiata.xyz
jordanella.xyz
igneus.xyz
hylar.xyz
gibelio.xyz
geophagusi.xyz
gasterosteus.xyz
floridae.xyz
crocodilus.xyz
carassiuss.xyz
caimana.xyz
brasiliensisi.xyz
bombinators.xyz
avratus.xyz
auratus.xyz
apusa.xyz
aculeatus.xyz
ua-email.press
rhinoderma.xyz
pipasa.xyz
ophisaurus.xyz
obstetricans.xyz
darvini.xyz
bufol.xyz
bombinator.xyz
apusi.xyz
alytes.xyz
trichopodus.xyz
gavialis.xyz
trichopterus.xyz
leeri.xyz
eversmanni.xyz
scincus.xyz
rhodeus.xyz
nemachilus.xyz
murinus.xyz
misgurnus.xyz
lebetina.xyz
horridus.xyz
gymnodactylus.xyz
griseus.xyz
gangeticus.xyz
fragilis.xyz
fossilis.xyz
crossobamon.xyz
caspius.xyz
berus.xyz
barbatulus.xyz
anguisa.xyz
amarus.xyz
ambystoma.xyz
alligatori.xyz
agamat.xyz
acaciana.xyz
adonisis.xyz
bartli.xyz
achilleas.xyz
camphorat.xyz
acorusis.xyz
willder.xyz
wallich.xyz
vernalisa.xyz
senegala.xyz
precatoriusis.xyz
millefolium.xyz
ferrox.xyz
cynapiuma.xyz
calamusi.xyz
betulina.xyz
barosma.xyz
aethusas.xyz
adonisi.xyz
abrusa.xyz
anamirtat.xyz
althaean.xyz
silvestris.xyz
occidentale.xyz
montanar.xyz
macrotomias.xyz
hypogaeat.xyz
cotular.xyz
cephalotes.xyz
catechur.xyz
arvensis.xyz
anthriscus.xyz
alpiniar.xyz
artemisian.xyz
absinthiuma.xyz
oleifera.xyz
juncear.xyz
hiemalis.xyz
papayana.xyz
kyiv-mail.site
maculatum.xyz
claviceps.xyz
autumnale.xyz
fionar.xyz
eluteria.xyz
coriandrum.xyz
settings-google.site
cyminum.xyz
dracod.xyz
cuminum.xyz
calamuss.xyz
duboisia.xyz
dipterocarpus.xyz
cardamomum.xyz
capillaceum.xyz
buhse.xyz
boiss.xyz
aspidium.xyz
ammoniacum.xyz
blockpost.space
blockpost.website
blockpost.site
gelsemium.xyz
canadensis.website
barbadense.space
abyssinica.website
bitsbitsk.space
bitsbitsi.space
bitsbitsl.space
bitsbitsc.space
bitsbitsd.space
bitsbitsb.space
bitsbitsa.space
metrika.site
ardinvest.site
bitsadmin4.space
email-gov.site
mil-gov.site
bitsadmin3.space
adblocked.space
bitsadmin2.space
# Cluster 4 - from Microsoft MSTIC Report
# comparable to cluster 3
artisola.ru
lotorgas.ru
gitrostan.ru
# Cluster 5 - from Microsoft MSTIC Report
# Used by PS malware
retarus.ru
calendas.ru
corolain.ru
goloser.ru
alacritas.ru
# Cluster 6 - from Microsoft MSTIC report (older)
# Word docs
acetica.online
mail-check.ru
word-expert.online
# Cluster 7
# Has links to Cluster 1 but appears to be a unique sub-cluster
libellus.ru
barbatas.online
floundera.online
plaicer.ru
barbatas.ru
ferruminatio.ru
privigna.online
mullus.online
sardanal.ru
puppis.ru
goatfish.ru
libellus.online
mulleti.ru
puppis.online
tectaconstrata.online
barbatam.online
mullus.ru
barbatus.online
ferruminatio.online
sardanal.online
privigna.ru
tectaconstrata.ru
# More Cluster 7 domains, from a pivot on WHOIS tank-bank15@yandex.ru +7.9789224690
solerat.online
plaicer.online
mulleti.online
goatfish.online
flatfisha.online
bonitol.online
# Cluster 8
# Lone domain - links to other clusters may emerge with more history
neslovo.ru
# Cluster 9
# Only cluster observed still using some NoIP DDNS domains
# Also not using reg.ru for hosting
coagula.online
phymateus.online
tortunas.ru
upload-dt.hopto.org
upload-lk.hopto.org
up-dot.hopto.org
up-lnk.hopto.org
# Cluster 9 - from a WHOIS pivot on macrobit@inbox.ru +7.9789224559
abrumpere.online
acanthophis.online
acetobacter.online
achalinus.online
acrididae.online
agaricusa.online
albatrellus.online
alburnus.online
alicui.online
anisoptera.online
anolis.online
antarcticus.online
apaturinae.online
apidaet.online
apoxipodes.online
arachnidas.online
archaicus.online
archiepiscopus.online
arctiidae.online
asilidae.online
asymmetria.online
atlanticos.site
babylont.online
bacilluse.online
biblidinae.online
blaberidae.online
blattodea.online
boniton.site
botaurus.online
brachycera.online
burhinus.online
campestri.online
carinatus.online
carolinensis.online
cerambycidae.online
cereusi.online
chelicerata.online
cichlasoma.online
ciconiat.online
circulas.online
clonorchis.online
clupeonella.online
coeruleus.online
coleopteras.online
coliadinae.online
cololabis.online
conscindere.online
corvusi.online
cultiventris.online
cyrestinae.online
danainae.online
decursio.online
differre.online
difformis.online
dionysi.online
dipteran.online
discedere.online
discouti.online
discrepare.online
disjungere.online
diversiformis.online
dividere.online
email-online.site
empusidae.online
emysi.online
eryxis.online
eurypterida.online
extrado.online
exundare.online
facetum.online
fanniidae.online
fasciolas.online
felineus.online
flatfish.site
flounder.site
fnhn.online
fnrn.online
formosanus.online
fossor.online
goatfish.site
golintras.site
gonepteryx.online
gorimana.site
gov-ua.pw
graeca.online
graphiuma.online
graphosoma.online
gromphadorhina.online
gurmou.site
hakena.online
halibut.site
hamadryas.online
haplochromis.online
heliconiinae.online
hepatica.online
herpetodryas.online
herrings.site
hesperiidae.online
heteroptera.online
heterotypus.online
hierodula.online
hippoglossus.online
hkjn.online
hkol.online
hohlomida.site
holodosiz.site
homoptera.online
horivana.site
hpoi.online
hymenoptera.online
id-metrika.site
inachis.online
incursio.online
incursionibus.online
incursus.online
intumescere.online
irritabilitas.online
jaculusan.online
kallima.online
khjs.online
khpf.online
kjoi.online
labefacere.online
labefactare.online
lacerare.online
latesa.online
lepidopteras.online
libellulat.online
libellulidae.online
limenitidinae.online
limenitis.online
limosa.online
limulusa.online
lophacris.online
lovarinda.site
lusciniar.online
lycaenidae.online
mackereli.site
maniola.online
mantidae.online
mantodeas.online
meandrusas.online
megascolias.online
megatos.online
melitaeas.online
merostomata.online
mesant.online
metcalfas.online
morphinaes.online
morphon.online
mortivan.site
mugil.online
mulletin.site
natrixy.online
nematoceras.online
nilesa.site
niloticus.online
noctuidaes.online
nymphalidaes.online
office360-expert.online
orbicularis.online
ovinus.online
panchax.online
papiliot.online
perchi.site
petulans.online
pfkj.online
pilcharda.site
plaices.site
plantora.online
polyphemus.online
pomfreti.online
portunio.site
rainbowt.site
regionem.online
rufescens.online
rumpere.online
sairanat.online
salmoni.site
saltator.online
saury.site
sauryn.online
scolopaxys.online
scorpiones.online
shaperi.online
silvicol.online
sinensisa.online
soled.site
sphaerion.online
sprata.online
sprata.site
spratan.online
stealheada.site
stellarisa.online
strigigena.online
suaveolens.online
sufflari.online
suffundi.online
suffunditur.online
superfluere.online
superfundi.online
superventus.online
testudos.online
tilapian.online
tnoi.online
trouta.site
tunara.online
turgescere.online
ugorado.online
usa-national.info
variare.online
vincula.online
viraglo.site
vitrokaz.site
who-int.info
xiphosura.online
# Cluster 10
desandra.ru
votifa.ru
# Cluster 11 nsfocusglobal[.]com/russian-apt-group-gamaredon-launches-phishing-campaign-against-ukrainian-ministry-of-foreign-affairs/
# Uses very different techniques:
# Changes reg[.]ru IPs frequently, but all are on the same /24 and all are massively shared; the domain is old (2019) and uses the .fun TLD
# Traced back and confirmed to be linked to the old "Cluster 1" infrastructure.
normandia.fun