# Copyright (c) 2014-2021 Maltrail developers (https://github.com/stamparm/maltrail/)
# See the file 'LICENSE' for copying permission

# Aliases: raindrop, solorigate, sunburst, supernova, teardrop, stellarparticle, dark halo

# Reference: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
# Reference: https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html
# Reference: https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/
# Reference: https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/
# Reference: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sunburst-supply-chain-attack-solarwinds
# Reference: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware
# Reference: https://twitter.com/_CPResearch_/status/1339952318717063168
# Reference: https://otx.alienvault.com/pulse/5fd6df943558e0b56eaf3da8
# Reference: https://otx.alienvault.com/pulse/5fdce61ef056eff2ce0a90de
# Reference: https://otx.alienvault.com/pulse/6007149a5ff246c7c18229c1

# Reference: https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
# Reference: https://otx.alienvault.com/pulse/60088b53da5e673bc2825ce8

# Reference: https://news.sophos.com/en-us/2021/02/03/mtr-casebook-uncovering-a-backdoor-implant-in-a-solarwinds-orion-server/
# Reference: https://otx.alienvault.com/pulse/601da173ed7d3e7e31c67c3d/
# Reference: https://www.virustotal.com/gui/file/a25fc5af86296dcd5bb41668443a36947bccd17a1687f9b118675f1503b3e376/detection
# Reference: https://www.virustotal.com/gui/file/f39dc0dfd43477d65c1380a7cff89296ad72bfa7fc3afcfd8e294f195632030e/detection

216.243.39.167:8090
98.225.248.37:8090
