# Copyright (c) 2014-2019 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: ta505, servhelper, sectorj04

# Reference: https://www.cyberswachhtakendra.gov.in/alerts/ServHelper_Malware.html

officemysuppbox.com
checksolutions.pw
rgoianrdfa.pw
arhidsfderm.pw
offficebox.com
office365onlinehome.com
afgdhjkrm.pw
dedsolutions.bit
dedoshop.pw
asgaage.pw
sghee.pw
vesecase.com

# Reference: https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505

afgdhjkrm.pw
arepos.bit
checksolutions.pw
dedoshop.pw
dedsolutions.bit
pointsoft.pw

# Reference: https://www.proofpoint.com/us/threat-insight/post/ta505-targets-us-retail-industry-personalized-attachments

89.144.25.32:5655

# Reference: https://twitter.com/malwrhunterteam/status/1117012829951995905

aasdkkkdsa3442.icu
joisff333.icu

# Reference: https://twitter.com/bczyz1/status/1116660163522572292

http://79.141.171.160/alg

# Reference: https://twitter.com/TweeterCyber/status/1109088973039624197

cdnavupdate.icu

# Reference: https://twitter.com/avman1995/status/1094111896473608192

rgdsghhdfa.pw

# Reference: https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently/ (Chinese)

add3565office.com
afsssdrfrm.pw
office365advance.com
office365homepod.com

# Reference: https://twitter.com/Dinosn/status/1121264330710900738
# Reference: https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware

joisf333.icu
zxskjkkjsk3232.pw

# Reference: https://twitter.com/VK_Intel/status/1124541340124053505
# Reference: https://twitter.com/anyrun_app/status/1118829445543006208

fjiisiis33.icu
houusha33.icu

# Reference: https://branbot.ninja/2019/05/ta505-using-lolb-and-free-remote-access-program-rms/

canyoning-austria.at
159.69.48.50:5655

# Reference: https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/

nettubex.top

# Reference: https://blog.yoroi.company/research/ta505-is-expanding-its-operations/

hans.me
217.12.201.159:5655

# Reference: https://twitter.com/HONKONE_K/status/1110757861779341313
# Reference: https://otx.alienvault.com/pulse/5cee5e811bfb0840b6f2c14b

http://202.168.154.158
http://27.102.106.138
http://92.38.135.204
keepneedjust.info

# Reference: https://otx.alienvault.com/pulse/5d00f923684ce2bac6dd094c

amenyan.zouri.jp
angelmariotti.xyz
billyjimmyer.top
canyoning-austria.at
citroenmehari.dk
dannysannyer.top
datdepot.net
furhatsth.net
globe-trotterltd.com
gohaiendo.com
govhotel.us
homeone.co.kr
ianhennessee.com
kabatas.ch
kerrison.com
kupitorta.net
lecmess.top
losabetos.com.sv
profan.es
slemend.com
statesdr.top
tommyhalfigero.top
topdalescotty.top
traveser.net
tunnelview.co.uk
vairina.top
waiireme.com
zonaykan.com
169.239.129.103:8080
94.156.133.183:8080
http://103.73.66.137
http://109.234.38.177
http://116.203.180.29
http://163.172.84.54
http://167.179.119.235
http://169.239.128.168
http://169.239.128.169
http://172.104.117.15
http://172.104.104.166
http://195.123.227.20
http://45.76.206.149
http://45.76.223.177
http://66.42.45.55

# Reference: https://twitter.com/VK_Intel/status/1139154944202878977

trailerbla.icu

# Reference: https://twitter.com/sS55752750/status/1143176372514381824

medastr.com

# Reference: https://securityaffairs.co/wordpress/79836/cyber-crime/ta505-group-malware.html

arepos.bit
dedsolutions.bit

# Reference: https://twitter.com/reegun21/status/1144611338536099840
# Reference: https://medium.com/@reegun/ta505-group-latest-analysis-found-unregistered-domains-4ea7dc4696c5

http://169.239.129.61
dsfk3322442fr44446g.icu
gdskjkkkss.pw

# Reference: https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south (#AndroMut)

kreewalk.com

# Reference: https://twitter.com/VK_Intel/status/1152669759382654976

towerprod3.com

# Reference: https://twitter.com/VK_Intel/status/1152675343389478912

lotmoji.com

# Reference: https://twitter.com/James_inthe_box/status/1158484189685010432

pinotnoir.xyz

# Reference: https://twitter.com/DynamicAnalysis/status/1159564232469417988
# Reference: https://www.virustotal.com/gui/file/b2b5c2d75bb83bb18e56a7057ae799936b7ce72a0385127eccafb252800cbbd6/detection

aidsweden.serveblog.net
37.120.159.243:21204

# Reference: https://twitter.com/ClearskySec/status/1160944105394003968

amnsns.com
dsntu.top

# Reference: https://documents.trendmicro.com/assets/pdf/APPENDIX_TA505-At-It-Again.pdf

nonestored.com
lotmoji.com
fonetorap.com
stalpina.com
stelar.icu
towerprod3.com
senddocs.icu

# Reference: https://www.cyberint.com/wp-content/uploads/2019/06/CyberInt_Legit-Remote-Access-Tools-Turn-Into-Threat-Actors-Tools_Report.pdf
# Reference: https://otx.alienvault.com/pulse/5d7112fa67119654e03cffe8

accountservice.link
alertsofamericaservice.net
alertsofamericaservice.org
alertsonlineb.info
alertsonlineb.site
amazonalertsservice.com
amazonalertsservice.net
amazonsecuve.com
amazonservericaseracalerts.ml
amazonservericaseracalerts.tk
amazonservicesaeqwec.com
apleid-store.ga
applebankoaofamelc.ga
applebankoaofamelc.ml
applecsertcas.ga
appleicloudeservice.com
appleicloudeservice.net
appleicloudeservice.org
appleidcustomersaer.com
appleidcustomersaer.net
appleidservcer.com
appleidservcer.net
appleidservcer.org
appleredierect.net
applesecurityservcer.net
applesergalertsatmcustmer.com
applesergalertsatmcustmer.net
appleseritealerts.ml
appleseritealerts.tk
appleserverisa.link
appleservicealerts.tk
appleservicesficloude.com
appleservicesficloude.org
applesforcustmer.net
applesforcustomers.com
applesicloudeser.com
applesrtskila.com
applseraiaase.com
appserrverlinkalert.com
appstoreservices.com
appstrmorestrge.com
appteammores.com
bankfoaemrica.ml
bankodamericaser.cf
bankodamericaser.ml
bankodamericaser.tk
bankofamerica-re.tk
bankofamerica-reactivte.ml
bankofamericabofa.ml
bankofamericaservicese.cf
bankooferamerico.cf
bankooferamerico.ml
banksofamericaservice.com
banofameriservice.com
boaalertsnotifationsservc.cf
boalserricersvierfay.cf
boalserricersvierfay.tk
boaofamerica-serviceas.cf
boaofamerica-serviceas.tk
boaseerviceid.com
boaserivaalertsnitoa.ml
boaserivaalertsnitoa.tk
boaservicalonotiservicesa.tk
boaserviceraletst.cf
boaservicertalak.com
bof-1apiservicesalert.ml
bof-1apiservicesalert.tk
bof-apiservicesalert.tk
bofamericaservicealertscusto.tk
bofasserserivcersa.ga
chasepnlineba.com
chaseservericaserlaertsse.ml
chaseservericaserlaertsse.tk
chasservice.com
comcasrerserc.ga
comcasrerserc.tk
comcasservicealerts.ga
comcastertiser.tk
comcastserivei.com
comcastserviceaatinfo.tk
comcstconnect.cf
comcstserricer.tk
confirmyurstclod.com
coxservicealertscoxser.tk
iclinstructstorge.com
iclostoreservsubs.com
icloudserviceate.casa
icloudserviceate.com
icloudserviceate.net
icloudserviceate.nl
icloudserviceate.org
mangersecurityheleprservice.com
microsoftoffice365box.com
mystorageappsteam.com
ofamericasertcercenterserverices.cf
ofamericasertcercenterserverices.ga
office365advance.com
officemysuppbox.com
officesupportbox.com
onlineservicebanofamericaservice.ml
onlineservicebanofamericaservice.tk
regisrtwellsfasrgoserla.tk
registriatirigonhernew.ga
registriatirigonhernew.gq
scureamazo.com
scureamazonsec.com
scureloginactiveamazo.com
secure-alert.email
secureamaz.com
secureredirectonline.com
secureredirectonline.net
secureservicesercures.cf
sercvbnofamericaalertss.ml
sercvbnofamericaalertss.tk
sercvboaof.com
sercvboaof.net
sericasboaofamericasercrboa.cf
sericasboaofamericasercrboa.tk
serveicealbanofamericase.com
serveicealbanofamericase.net
serveraserasalero.ml
serverboaservice.cf
serveriaos.com
servericaseralertsforaccou.net
serviboaalertsacess.ga
servicapplecustomers.ga
servicboas.com
servicboaservicesupoboa.ga
servicboaservicesupoboa.ml
service-alert.link
service-boaofamerica.cf
service-boaofamerica.ml
service-boaserive.cf
service-boaserive.ml
service-pp.xyz
servicealerts.club
servicealerts.net
servicealerts.online
servicealerts.site
servicealerts.website
servicealertsofservi.net
servicealertsonline.site
servicealoneapple.com
servicebankofamericas.com
servicebankofamericaseralerts.cf
servicebankofamericaseralerts.tk
serviceboa.com
serviceboa.online
serviceboaalertssofamerica.ga
serviceboaalertssofamerica.ml
serviceboaalertssofamerica.tk
serviceboaamerica.cf
serviceboaserser.com
serviceerboaofamericasercila.tk
servicefargoserc.com
serviceofamericasecousre.ml
serviceonlineidcustomer.com
serviceralertboaserv.com
serviceralertsamazonservice.com
serviceralertsamazonservice.net
serviceralertsdecuom.com
serviceralertsdecuom.net
servicerofamericaservice.ga
servicerofamericaservice.ml
servicerofamericaservice.tk
servicesellsfargoservice.com
servicesingnaletboa.com
servicesingnvboa.com
servicewallweralerts.ml
servicewallweralerts.tk
servicuiwells.com
serviscesecuusreserc.cf
servivwgofamerica.com
servviceappleaccounts.net
support-your-accounet.tk
upgradeclduodplans.com
upgradeoffice365.com
verifed-account-896628153.com
wellfaservicealerts.tk
wellserfercfgtoserivcer.cf
wellserfromgnd.ml
wellsfarfoisservice.com
wellsfinfpupadet.ga
wellsfinfpupadet.ml
wellsservicessu.com

# Reference: https://twitter.com/James_inthe_box/status/1171158166265925632
# Reference: https://otx.alienvault.com/pulse/5d78dc8a0006495d5fb9296e

update365-office-ens.com

# Reference: https://twitter.com/HONKONE_K/status/1122335861083783168

http://27.102.118.143/dom1
http://109.234.38.177/dom4

# Reference: https://twitter.com/JAMESWT_MHT/status/1174677285837971460
# Reference: https://app.any.run/tasks/9c28f56e-8265-496d-868f-bde621b3e887/

office365-update-en-gb.com

# Reference: https://twitter.com/malwrhunterteam/status/1177166794026606592
# Reference: https://twitter.com/James_inthe_box/status/1177272310652227586
# Reference: https://www.virustotal.com/gui/ip-address/23.19.64.27/relations
# Reference: https://www.virustotal.com/gui/ip-address/23.81.211.243/relations
# Reference: https://www.virustotal.com/gui/ip-address/23.224.167.124/relations

cbnrt.com
cbnzr.com
cbtqr.com
cp253.top
cp550.top
cp57.top
cp784.top
cp885.top
fdrdj.com
ik49.com
io04.com
ir97.com
iv62.com
iw79.com
ja30.com
ji94.com
jq43.com
jv79.com
la07.com
lidatou.com
lj47.com
lo14.com
lo42.com
lo74.com
md47.com
ml49.com
mp94.com
ob07.com
od92.com
oe94.com
oh93.com
om62.com
om63.com
oq41.com
oq42.com
oq43.com
oq46.com
oq64.com
os65.com
os73.com
pk858.top
pk890.top
pk903.top
pk978.top
pwnq56.com
ql49.com
qv64.com
ue47.com
uh06.com
uh14.com
uj57.com
um64.com
uy91.com
uz03.com
uz05.com
uz06.com
vq25.com
vq39.com
vq43.com
vq47.com
vu30.com
vu34.com
vy16.com
vy40.com

# Reference: https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/cybercriminal%20groups/TA505/04-10-2019/Malware%20Analysis%2004-10-2019.md

chogoon.com
office365-update-eu.com
windows-wsus-en.com

# Reference: https://twitter.com/JayTHL/status/1181283994660413446

dropbox-download.com
windows-msd-update.com

# Reference: https://twitter.com/58_158_177_102/status/1181497336800796672

onedrive-cdn.com
windows-fsd-update.com

# Reference: https://twitter.com/dark_moon2019/status/1181913446192996355

googledrive-en.com
onedrive-sdn.com
windows-sys-update.com

# Reference: https://github.com/silence-is-best/c2db#unknowns

dsfhhhhf44555.icu

# Reference: https://twitter.com/kyleehmke/status/1182392669957431296

googledrive-eu.com
windows-upgrade-en.com

# Reference: https://twitter.com/yvesago/status/1183709455395020801

onedrive-en.com

# Reference: https://twitter.com/James_inthe_box/status/1183789692694626305

office365-us-update.com

# Reference: https://twitter.com/kyleehmke/status/1184071187703435264

onedrive-download.com
onedrive-download-en.com

# Reference: https://twitter.com/kyleehmke/status/1183872877151555584

windows-en-us-update.com

# Reference: https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader
# Reference: https://otx.alienvault.com/pulse/5da719a5ca8d0afb2368f4ef

37.59.52.229:53
drm-server13-login-microsoftonline.com
en-gb-facebook.com
news-server-drm-google.com
office365-eu-update.com
static-google-analtyic.com
windows-cnd-update.com
windows-me-update.com
windows-se-update.com
windows-update-sdfw.com
windows-update-02-en.com

# Reference: https://mp.weixin.qq.com/s/ujeIeb_BWoLWu420imwAOQ
# Reference: https://otx.alienvault.com/pulse/5dad976536418494e8540014

vtjxjkndo.club

# Reference: https://habr.com/ru/company/pt/blog/471960/ (Russian)

fdguyt5ggs.pw
foxlnklnk.xyz
gidjshrvz.xyz
letitbe.icu
pofasfafha.xyz

# Reference: https://twitter.com/kyleehmke/status/1187668934637568005

dropbox-download-eu.com
windows-office365.com

# Reference: https://twitter.com/James_inthe_box/status/1188869479024873479

office-en-service.com

# Generic trails

(dropbox|googledrive|onedrive)-[a-z]{2,}\.com
/aggdst/Hasrt.php
/ghuae/huadh.php
/rest/serv.php
/docs/saz.php
/docs/s.php
/jab2/s.php
/portal/s.php
/sav/s.php
/x/s.php
