#1267151: Oto Gonderici Excel formula injections target Turkish victims - Additional IOCs

Description: SophosLabs has been tracking the activities of a threat actor implicated in a large number of malicious spam attacks targeting large organizations based in Turkey since last fall. The attacks and their malicious components don’t seem to be well-detected by endpoint security tools.

References:
https://github.com/sophoslabs/IoCs/blob/master/Malspam-OtoGonderici
https://news.sophos.com/en-us/2019/07/11/oto-gonderici-excel-formula-injections-target-turkish-victim
First Aid: IOCs (Total 449, selection posted here)

More info: https://otx.alienvault.com/pulse/5d276b688642da33ba698260?utm_medium=InProduct&utm_source=OTX&utm_content=Email&utm_campaign=new_pulse_from_subscribed

Date added July 11, 2019, 9:14 p.m.
Source AlienVault
Subjects
  • All New Malware or Attack Alerts - New Reports / IOCs in
  • APTs - Advanced Persistent Threats - New Reports in
  • Microsoft Excel
  • News Turkey