#1262207: Into the Fog – The Return of ICEFOG APT - Additional IOCs

Description: Research from FireEye's Chi-en (Ashley) Shen, showing a history of multiple groups connected with the shared use of the ICEFOG malware family.

Reference:
https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt?slide=61
First Aid: IOCs: 118 in total; see the full batch of FileHash-MD5 indicators at the link below. The hostname indicators are listed on the pulse page.
More info: https://otx.alienvault.com/pulse/5cf67ff667d9acf61c422cd2?utm_medium=InProduct&utm_source=OTX&utm_content=Email&utm_campaign=new_pulse_from_subscribed

Date added June 4, 2019, 9:41 p.m.
Source AlienVault
Subjects
  • All New Malware or Attack Alerts - New Reports / IOCs in
  • APTs - Advanced Persistent Threats - New Reports in
  • Icefog / Javafog APTs