Jigsaw John (@malpilediver) 's Twitter Profile
Jigsaw John

@malpilediver

Threat Hunter / Wannabe APT Researcher / Passionate Pile of Malware Diver

ID: 1628887045752950785

Joined: 23-02-2023 22:38:40

66 Tweets

213 Followers

128 Following

#Gamaredon #APT shows a tremendous spike in new domains and IPs today, using a new naming scheme: ruizchris[.]ru dussaut[.]ru vilaverde[.]ru boraito[.]ru valasati[.]ru kaigitang[.]ru nutriag[.]ru enokida[.]ru samiseto[.]ru ayarimar[.]ru fortunyzo[.]ru (cc: Mikhail Kasimov, 匚ㄚ乃乇尺ㄖᐯ乇尺ㄥㄖ卂ᗪ, ET Labs)

#Gamaredon #APT active infrastructure to detect and track. As usual, Vultr and DigitalOcean: 167.99.90[.]48 146.190.124[.]209 68.183.139[.]186 209.38.245[.]183 139.59.62[.]248 139.180.133[.]22 206.189.99[.]60 5.199.168[.]238 (cc: Mikhail Kasimov, 匚ㄚ乃乇尺ㄖᐯ乇尺ㄥㄖ卂ᗪ, ET Labs)

#Gamaredon #APT still very active today, rolling back to the "eng-adjective" naming style. Curious whether their naming scheme identifies some specific campaign 🤔 maniacal[.]ru unequaled[.]ru adjoining[.]ru unwieldy[.]ru lokalut[.]ru suizibel[.]ru (cc: Mikhail Kasimov, 匚ㄚ乃乇尺ㄖᐯ乇尺ㄥㄖ卂ᗪ, ET Labs)

Active #Gamaredon #APT infra to track + a few new domains: nahalx[.]ru baraslx[.]ru 170.64.132[.]183 137.184.9[.]252 146.190.104[.]237 68.183.122[.]121 195.133.88[.]63 178.128.53[.]132 143.244.184[.]231 164.92.96[.]103 195.133.88[.]49 (cc: Mikhail Kasimov, 匚ㄚ乃乇尺ㄖᐯ乇尺ㄥㄖ卂ᗪ, ET Labs)

Daily #Gamaredon new domains + active infrastructure: succinct[.]ru <- campaign ongoing now at position71[.]succinct[.]ru; decorous[.]ru judicious[.]ru 146.190.48[.]240 199.247.10[.]72 128.199.199[.]39 212.18.104[.]28 78.141.202[.]70 (cc: Mikhail Kasimov, 匚ㄚ乃乇尺ㄖᐯ乇尺ㄥㄖ卂ᗪ, ET Labs)

Daily #Gamaredon with novice BLNWX as an infra choice. (Btw, is this bitlaunch related? 🤔) squeamish[.]ru stupendous[.]ru scattered[.]ru 168.100.10[.]180 143.110.150[.]224 165.232.165[.]42 165.22.6[.]62 5.44.42[.]116 170.64.176[.]71 162.33.178[.]242 (cc: Mikhail Kasimov, 匚ㄚ乃乇尺ㄖᐯ乇尺ㄥㄖ卂ᗪ, ET Labs)

#Gamaredon seems to be on weekend, so no new domains for today, but here is some active infra: 46.101.160[.]244 159.89.205[.]135 143.244.152[.]233 170.64.174[.]17 5.44.42[.]119 5.44.42[.]120 84.32.131[.]60 81.19.140[.]131 168.100.10[.]239 164.92.174[.]73 (cc: Mikhail Kasimov, 匚ㄚ乃乇尺ㄖᐯ乇尺ㄥㄖ卂ᗪ, ET Labs)

Despite the public holiday in Russia, FSB guys from #Gamaredon 🤡 are getting their hands dirty today with a few new domains: absorbeni[.]ru boskatrem[.]ru lopraner[.]ru malived[.]ru taramis[.]ru (cc: Mikhail Kasimov, 匚ㄚ乃乇尺ㄖᐯ乇尺ㄥㄖ卂ᗪ, ET Labs)

Active #Gamaredon infra to track (Apr 30 - May 1): 170.64.160[.]67 84.32.131[.]66 64.52.80[.]126 134.122.77[.]158 68.183.131[.]231 45.61.138[.]92 67.205.178[.]50 64.226.96[.]179 134.209.115[.]37 128.199.8[.]231 170.64.128[.]193 139.59.116[.]50 142.93.232[.]180 (cc: Mikhail Kasimov, 匚ㄚ乃乇尺ㄖᐯ乇尺ㄥㄖ卂ᗪ, ET Labs)

Daily #Gamaredon with a few new domains: zeraon[.]ru farukend[.]ru. Active infrastructure: 143.244.168[.]12 165.232.148[.]157 165.227.81[.]59 167.99.9[.]163 162.33.177[.]147 204.48.16[.]4 134.209.218[.]236 194.87.45[.]49 164.90.148[.]202 167.172.34[.]185 (cc: Mikhail Kasimov, 匚ㄚ乃乇尺ㄖᐯ乇尺ㄥㄖ卂ᗪ, ET Labs)

After a short break, #Gamaredon slightly increased their activity, creating a bunch of new malicious domains: haramad[.]ru lotgunok[.]ru saturnec[.]ru brudimar[.]ru vloperang[.]ru weratas[.]ru banrasac[.]ru norasold[.]ru amoresa[.]ru (cc: Mikhail Kasimov, 匚ㄚ乃乇尺ㄖᐯ乇尺ㄥㄖ卂ᗪ, ET Labs)

And some #Gamaredon #APT active infrastructure. DigitalOcean (at most), business as usual 🙃 193.149.180[.]132 164.90.233[.]13 170.64.134[.]168 147.182.160[.]122 104.248.148[.]95 192.241.136[.]125 165.232.82[.]235 170.64.180[.]56 162.33.178[.]82 162.33.178[.]23 (cc: Mikhail Kasimov, 匚ㄚ乃乇尺ㄖᐯ乇尺ㄥㄖ卂ᗪ, ET Labs)

Active #Gamaredon #APT infrastructure: 185.247.184[.]103 185.247.184[.]101 167.172.154[.]5 206.189.12[.]131 185.247.184[.]102 193.149.176[.]118 162.33.178[.]52 <- already39[.]brudimar[.]ru, ongoing campaign on the fresh domain from one of my prev tweets 🙂 (cc: Mikhail Kasimov, 匚ㄚ乃乇尺ㄖᐯ乇尺ㄥㄖ卂ᗪ, ET Labs)

#Gamaredon #APT fresh domains (created May 2023). Good old pseudo-DGA style: dzhabaripa[.]ru goruspa[.]ru dzhahipa[.]ru iknatonpa[.]ru zuberipa[.]ru kaziyapa[.]ru zaherpa[.]ru kahotepa[.]ru #PrimitiveBear #TridentUrsa (cc: 匚ㄚ乃乇尺ㄖᐯ乇尺ㄥㄖ卂ᗪ, Mikhail Kasimov, ET Labs)

Daily #Gamaredon #APT domains: karoanpa[.]ru ishakpa[.]ru dakareypa[.]ru. Interesting to see a persistent Turkic fashion in 2022-2023 domains, such as Turkic and Muslim-related names and words like ishak, kafir, Rustam, etc. (cc: Mikhail Kasimov, 匚ㄚ乃乇尺ㄖᐯ乇尺ㄥㄖ卂ᗪ, ET Labs)

Daily #Gamaredon #APT domains. Generous amount of 🤡 activity today. Nice! kemnebipa[.]ru idogbpa[.]ru imenandpa[.]ru porotad[.]ru galofad[.]ru dzhibeydpa[.]ru mensaso[.]ru dzhumoukpa[.]ru knemuso[.]ru (cc: Mikhail Kasimov, 匚ㄚ乃乇尺ㄖᐯ乇尺ㄥㄖ卂ᗪ, ET Labs)

#Gamaredon #APT domains, common naming style: menesso[.]ru kuaashiso[.]ru lizimbaso[.]ru koseyso[.]ru mbiziso[.]ru kontarso[.]ru maatso[.]ru. And some active IPs: 78.153.139[.]42 146.190.128[.]157 146.190.44[.]22 159.223.75[.]181 64.227.102[.]216 147.182.241[.]170 (cc: Mikhail Kasimov, 匚ㄚ乃乇尺ㄖᐯ乇尺ㄥㄖ卂ᗪ, ET Labs)

#Gamaredon #APT domains: mudadazi[.]ru luzidzhso[.]ru muhvanazi[.]ru neythzi[.]ru. And some active IPs: 185.39.207[.]11 178.128.80[.]120 193.228.128[.]6 139.59.228[.]153 77.105.136[.]204 <- unusual provider, AS207651 aka VDSina.ru ("server hosting in Russia and Europe") 77.246.98[.]78 62.84.96[.]161 (cc: 匚ㄚ乃乇尺ㄖᐯ乇尺ㄥㄖ卂ᗪ, Mikhail Kasimov, ET Labs)
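The posts above publish indicators in defanged form ("[.]", sometimes truncated to "[.") and the author groups the domains by naming style by eye ("eng-adjective", the "-pa", "-so" and "-zi" batches, a live campaign host such as position71[.]succinct[.]ru). The script below is an added example, not the author's tooling: it refangs a batch of such posts, keeps only valid public IPv4 addresses, splits apex domains from campaign hostnames, and reproduces the suffix grouping the author describes. The sample input is constructed from excerpts of the posts plus two deliberately bad addresses; the apex rule (last two labels) is an assumption that holds for the .ru names here but would need a public-suffix list for other TLDs.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample input: excerpts in the same defanged style as the posts above,
# including the "[." variant with the closing bracket missing, plus two noise
# addresses (private and invalid) that a feed must drop.
SAMPLE_TWEETS = [
    "#Gamaredon #APT fresh domains dzhabaripa[.ru goruspa[.ru kaziyapa[.ru",
    "Daily #Gamaredon succinct[.]ru <- campaign ongoing now at position71[.]succinct[.]ru "
    "decorous[.]ru 146.190.48[.]240 199.247.10[.]72",
    "Daily #Gamaredon squeamish[.]ru 168.100.10[.180 143.110.150[.224",
    "Active infra 170.64.160.67 84.32.131.66 menesso[.ru kuaashiso[.ru mudadazi[.ru "
    "10.0.0.5 999.1.1.1",
]

# "[.]" and the truncated "[." both stand for a single dot.
_DEFANG = re.compile(r"\[\.\]?")
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Dot-separated labels whose last label is alphabetic: matches FQDNs, never IPv4 strings.
_DOMAIN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def refang(text: str) -> str:
    """Restore the real indicator text (for matching in logs, never for browsing)."""
    return _DEFANG.sub(".", text)


def apex(fqdn: str) -> str:
    """Registrable domain, assumed to be the last two labels (assumption: fine for .ru,
    wrong for multi-label public suffixes such as .co.uk)."""
    return ".".join(fqdn.lower().split(".")[-2:])


def extract_iocs(texts):
    """Split a batch of posts into public IPv4s, apex domains and full campaign hosts."""
    ips, domains, hosts = set(), set(), set()
    for text in texts:
        clean = refang(text)
        for cand in _IPV4.findall(clean):
            try:
                ip = ipaddress.IPv4Address(cand)
            except ipaddress.AddressValueError:
                continue  # an octet above 255, e.g. the constructed 999.1.1.1
            if ip.is_global:  # drop RFC 1918, loopback and link-local noise
                ips.add(str(ip))
        for fqdn in _DOMAIN.findall(clean):
            fqdn = fqdn.lower()
            domains.add(apex(fqdn))
            if fqdn.count(".") > 1:
                hosts.add(fqdn)  # a subdomain marks a live host, e.g. position71.succinct.ru
    return {
        "ips": sorted(ips, key=ipaddress.IPv4Address),
        "domains": sorted(domains),
        "hosts": sorted(hosts),
    }


def suffix_clusters(domains, length=2, min_count=2):
    """Group apex domains by the trailing letters of their first label, the data-driven
    version of spotting the '-pa', '-so' and '-zi' batches by eye."""
    groups = defaultdict(list)
    for d in domains:
        groups[d.split(".")[0][-length:]].append(d)
    return {suffix: sorted(ds) for suffix, ds in groups.items() if len(ds) >= min_count}


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_TWEETS)
    for kind in ("ips", "domains", "hosts"):
        print(kind, iocs[kind])
    print("clusters", suffix_clusters(iocs["domains"]))
```

Feed the "ips" and "hosts" lists to DNS and proxy log searches as-is; match the "domains" list on the apex so that a new subdomain on a known Gamaredon domain still fires. The suffix clusters are a triage aid for spotting a fresh naming batch, not a detection rule on their own.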