#1254592: Possible FIN7 Domains - Additional IOCs

Description:

Reference: https://twitter.com/kyleehmke/status/1117729975484993536



Some possible #FIN7 domains from late 2018 to accompany the mse-cdn[.]com find from @VK_Intel:
booking-cdn[.]com
jquery-ca-cdn[.]com
jquery-us-cdn[.]com
norton-cdn[.]com
hpservice-cdn[.]com

More info in @ThreatConnect: https://app.threatconnect.com/auth/incident/incident.xhtml?incident=2250486244

Kyle Ehmke added,
Vitali Kremez
@VK_Intel
2019-04-14: #FIN7 Maldoc ".xlsb"🤔 -> JS Loader
#DocuSign Ruse | JS Loader: {group: "zsoc", url: "mse-cdn. com"}🛡️
h/t @HONKONE_K

03:02 - 15 apr. 2019
1 reply, 0 retweets, 5 likes
Kyle Ehmke
@kyleehmke
2 hours ago

Like mse-cdn[.]com (46.21.253[.]39), those domains were registered through NameCheap, spoof a CDN, and are all currently hosted on dedicated servers at these corresponding IPs:
192.232.198[.]187
194.165.17[.]157
192.64.119[.]24
192.64.119[.]145
93.189.149[.]153
0 replies, 0 retweets, 5 likes
First Aid:

IOCs:

domain booking-cdn.com 1
domain hpservice-cdn.com 4
domain jquery-ca-cdn.com 1
domain jquery-us-cdn.com 0
domain mse-cdn.com 3
domain norton-cdn.com

192.232.198[.]187
194.165.17[.]157
192.64.119[.]24
192.64.119[.]145
93.189.149[.]153
More info: https://otx.alienvault.com/pulse/5cb46aba498cfc2a71bb2936?utm_medium=InProduct&utm_source=OTX&utm_content=Email&utm_campaign=new_pulse_from_subscribed
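The indicators above are defanged (`[.]`), so they cannot be pasted directly into a matcher. The following is an added example, not part of the OTX pulse or the tweets it quotes: it refangs the domains and IPs listed on this page, then scans DNS and proxy log lines for exact domain matches (including subdomains of the listed domains, but not unrelated names that merely contain them) and exact IP matches. The log lines are constructed for this example, and the log format, field names and client addresses are assumptions.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

# Indicators as listed on this page (tweet and IOC section), still defanged.
DEFANGED_DOMAINS = [
    "booking-cdn[.]com", "hpservice-cdn[.]com", "jquery-ca-cdn[.]com",
    "jquery-us-cdn[.]com", "mse-cdn[.]com", "norton-cdn[.]com",
]
DEFANGED_IPS = [
    "46.21.253[.]39", "192.232.198[.]187", "194.165.17[.]157",
    "192.64.119[.]24", "192.64.119[.]145", "93.189.149[.]153",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its real form for matching."""
    return (indicator.strip().lower()
            .replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http"))


DOMAINS: Set[str] = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IPS}

# Hostname: dotted labels ending in an alphabetic TLD (so IPv4 literals do not match here).
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def domain_matches(fqdn: str) -> Optional[str]:
    """Return the IOC domain that fqdn equals or is a subdomain of, else None.

    The suffix check is anchored on a dot, so 'booking-cdn.example.org' does not
    match 'booking-cdn.com' even though it contains the same string.
    """
    fqdn = fqdn.lower().rstrip(".")
    for ioc in DOMAINS:
        if fqdn == ioc or fqdn.endswith("." + ioc):
            return ioc
    return None


def scan_line(line: str) -> Dict[str, Set[str]]:
    """Return the IOC domains and IPs found in a single log line."""
    hits: Dict[str, Set[str]] = {"domains": set(), "ips": set()}
    for fqdn in DOMAIN_RE.findall(line):
        matched = domain_matches(fqdn)
        if matched:
            hits["domains"].add(matched)
    for candidate in IP_RE.findall(line):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:  # e.g. 999.1.1.1 passes the regex but is not an address
            continue
        if addr in IPS:
            hits["ips"].add(str(addr))
    return hits


def scan_logs(lines: List[str]) -> List[Tuple[int, Dict[str, Set[str]]]]:
    """Return (1-based line number, hits) for every line that touched an IOC."""
    results = []
    for number, line in enumerate(lines, start=1):
        hits = scan_line(line)
        if hits["domains"] or hits["ips"]:
            results.append((number, hits))
    return results


# Constructed sample log lines (assumed format; not from the page).
SAMPLE_LOGS = [
    "2019-04-15T13:41:02Z dns client=10.0.0.12 query=cdn.mse-cdn.com type=A answer=46.21.253.39",
    "2019-04-15T13:41:05Z dns client=10.0.0.12 query=www.booking.com type=A answer=203.0.113.10",
    "2019-04-15T13:42:17Z proxy client=10.0.0.33 dst=192.64.119.145:443 host=jquery-us-cdn.com",
    "2019-04-15T13:43:00Z dns client=10.0.0.40 query=booking-cdn.example.org type=A answer=198.51.100.7",
]

if __name__ == "__main__":
    for number, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {number}: domains={sorted(hits['domains'])} ips={sorted(hits['ips'])}")
```

Lines 1 and 3 of the sample set match (a subdomain of mse-cdn.com plus its hosting IP, and jquery-us-cdn.com plus one of the listed server IPs); lines 2 and 4 do not, which is the point of anchoring the suffix check on a dot rather than using a substring search. Exact IOC matching only finds the infrastructure already listed here; since the tweet notes these names all imitate a CDN, a hunting query for newly registered "-cdn" lookalikes resolving to dedicated hosting is the natural next layer, but it needs an allowlist of legitimate CDN names to keep the false-positive rate usable.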

Date added April 15, 2019, 1:41 p.m.
Source AlienVault
Subjects
  • All New Malware or Attack Alerts - New Reports / IOCs in
  • APTs - Advanced Persistent Threats - New Reports in
  • APTs - Russia - New Reports in
  • Russia - FIN7 Group/ Anunak / Carbanak Cyber Gang (Same as Cobalt Hacking Group?)