Appendix B: TG-3279 indicators

The threat indicators in Table 3 are associated with TG-3279 activity. The domains and IP addresses listed in the indicators table may contain malicious content, so consider the risks before opening them in a browser.

| Indicator | Type | Context |
|---|---|---|
| statics.mozillor.org | Domain name | Known C2 domain |
| 192.69.198.6 | IP address | IP resolution for statics.mozillor.org, ad.7zbiz.com, and get.7zbiz.com. First seen September 2013. Last seen November 2013. |
| tactics.mozillor.org | Domain name | Known C2 domain |
| update.mozillor.org | Domain name | Known C2 domain |
| 110.45.158.78 | IP address | IP resolution for update.mozillor.org, *.mozillor.org, news.7zbiz.com, ad.7zbiz.com, and update.7zbiz.com. First seen September 2013. Last seen November 2013. |
| 108.166.215.94 | IP address | IP resolution for update.7zbiz.com and *.mozillor.org. First and last seen February 2014. |
| 108.166.215.93 | IP address | IP resolution for news.7zbiz.com and ad.7zbiz.com. First and last seen February 2014. |
| kr.Clientpg@yahoo.co.kr | Email address | Email address used to register mozillor.org and 7unzip.org |
| login.7zbiz.com | Domain name | Known C2 domain |
| news.7zbiz.com | Domain name | Related subdomain of known C2 domain |
| update.7zbiz.com | Domain name | Related subdomain of known C2 domain |
| get.7zbiz.com | Domain name | Related subdomain of known C2 domain; shares IP address with a second known C2 domain. First seen 2013. |
| 108.166.215.89 | IP address | IP resolution for get.7zbiz.com. First and last seen February 2014. |
| ad.7zbiz.com | Domain name | Related subdomain of known C2 domain |
| downloads.7zbiz.com | Domain name | Related subdomain of known C2 domain |
| 144.214.176.139 | IP address | Resolving IP address for downloads.7zbiz.com |
| 7zbiz.com | Domain name | Second level of known C2 domain |
| 184.168.221.57 | IP address | IP resolution for 7zbiz.com |
| e59e@qq.com | Email address | Email address used to register 7zbiz.com. First seen February 2, 2012. Last seen December 1, 2013. |
| Wen Ben Zhou | Name | Presumed fake name used to register 7zbiz.com. First seen February 2, 2012. Last seen February 4, 2014. |
| www3.micorsofts.com | Domain name | Known C2 domain |
| www6.micorsofts.com | Domain name | Known C2 domain |
| www7.micorsofts.com | Domain name | Known C2 domain |
| 82.100.37.191 | IP address | IP resolution for www7.micorsofts.com, used for IP calculation (IP address is not known to be malicious). Last seen January 1, 2014. |
| 230.165.22.199 | IP address | Observed IP resolution for www7.micorsofts.com and www8.micorsofts.com, used for IP calculation (IP address is not known to be malicious). First seen January 4, 2014. |
| 110.45.158.79 | IP address | Observed IP resolution for update.micorsofts.com, www.update.micorsofts.com, www3.micorsofts.com, and www2.micorsofts.com; IP address of www7.micorsofts.com and www8.micorsofts.com after IP calculation |
| www2.micorsofts.com | Domain name | Related subdomain of known C2 domain |
| test1.micorsofts.com | Domain name | Related subdomain of known C2 domain |
| support.micorsofts.com | Domain name | Related subdomain of known C2 domain |
| www.update.micorsofts.com | Domain name | CNAME for wwwN.micorsofts.com, where N is replaced with the numbers 3, 6, or 7. |
| 218.236.173.55 | IP address | Observed IP resolution for www.update.micorsofts.com |
| 173.193.227.143 | IP address | Observed IP resolution for www.update.micorsofts.com. Last seen November 2013. |
| dyhan@outlook.com | Email address | Email address in registration data for micorsofts.com. First seen June 21, 2013. |
| wvwugff@21cn.com | Email address | Original email address used to register micorsofts.com. Last seen June 21, 2013. |
| 7unzip.org | Domain name | Domain registered with the same email address as mozillor.org. First seen December 3, 2011. |
| login.7unzip.org | Domain name | Related subdomain of known C2 domain |
| 108.166.215.94 | IP address | IP resolution for login.7unzip.org. First seen January 3, 2014. |
| www.sincoder.com | Domain name | Domain name that uses the Sincoder persona's handle and points to IP addresses used to host the C2 server. First seen May 27, 2011. |
| 60.173.12.20 | IP address | IP resolution for test1.micorsofts.com, possibly not malicious |
| 60.173.12.16 | IP address | IP resolution for test1.micorsofts.com, possibly not malicious |
| 1.25.36.108 | IP address | IP resolution for test1.micorsofts.com, possibly not malicious |
| 60.5.240.93 | IP address | IP resolution for test1.micorsofts.com, possibly not malicious |
| 122.143.24.131 | IP address | IP resolution for test1.micorsofts.com, possibly not malicious |
| 125.78.248.31 | IP address | IP resolution for test1.micorsofts.com, possibly not malicious |
| 218.26.233.114 | IP address | IP resolution for test1.micorsofts.com, possibly not malicious |
| 119.97.168.173 | IP address | IP resolution for test1.micorsofts.com, possibly not malicious |
| 119.97.168.174 | IP address | IP resolution for test1.micorsofts.com, possibly not malicious |

Table 3. Threat indicators for TG-3279.

Appendix C: TG-2633 indicators

The threat indicators in Table 4 are associated with TG-2633 activity. The domains and IP addresses listed in the indicators table may contain malicious content, so consider the risks before opening them in a browser.

| Indicator | Type | Context |
|---|---|---|
| dl0.7zbiz.org | Domain name | TG-2633-related domain |
| update.7zbiz.org | Domain name | TG-2633-related domain |
| login.7zbiz.org | Domain name | TG-2633-related domain |
| 7zbiz.org | Domain name | TG-2633-related domain |
| sexndomain@gmail.com | Email address | Email address used to register 7zbiz.org |
| 112.175.41.73 | IP address | IP resolution for club.cjinternet.us, coderprojcet.com, as.cjinternet.us, ru.cjinternet.us, db.jcrsoft.com, nx.cjinternet.us, cc.nexoncorp.us, dl0.7zbiz.org, and update.7zbiz.org |
| club.cjinternet.us | Domain name | TG-2633-related domain |
| as.cjinternet.us | Domain name | TG-2633-related domain |
| ru.cjinternet.us | Domain name | TG-2633-related domain |
| nx.cjinternet.us | Domain name | TG-2633-related domain |
| evilsex@gmail.com | Email address | Email address used to register cjinternet.us and nexoncorp.us |
| cc.nexoncorp.us | Domain name | TG-2633-related domain. First seen April 12, 2012. |
| coderprojcet.com | Domain name | TG-2633-related domain. First seen August 22, 2012. |
| db.jcrsoft.com | Domain name | TG-2633-related domain. First seen July 14, 2013. Last seen July 24, 2013. |
| www.jjjtv.com | Domain name | TG-2633-related domain. First seen June 6, 2012. |
| soft.socksys.net | Domain name | TG-2633-related domain. First seen October 9, 2010. Last seen September 9, 2013. |
| www.socksys.net | Domain name | TG-2633-related domain |
| www.hichf.com | Domain name | TG-2633-related domain. First seen May 6, 2008. Last seen May 13, 2013. |
| 68.178.232.100 | IP address | IP resolution for www.hichf.com. First seen January 3, 2014. |
| Donnepar-godaddy@yahoo.fr | Email address | Contact email address for hichf.com. First seen May 13, 2013. |
| dcaccarpowerinverter.com | Domain name | TG-2633-related domain |
| pdmadden@ruggedsystems.com | Email address | Contact email address for dcaccarpowerinverer.com |
| www.pigszone.com | Domain name | TG-2633-related domain |
| 122.10.87.231 | IP address | IP resolution for www.pigszone.com |
| www.pigzone.info | Domain name | TG-2633-related domain |
| 198.74.101.239 | IP address | IP resolution for www.pigszone.info |
| wwww961h@qq.com | Email address | Email address used to register pigszone.com and pigszone.info |