Malicious websites impersonating legitimate software

Domain names:


IP addresses:


"cdn" payload hosting domains

Domain names:


IP addresses:


MSIX download URLs
