parthdmaniar / coronavirus-covid-19-SARS-CoV-2-IoCs

All the IoCs I have gathered that are directly used in coronavirus / covid-19 / SARS-CoV-2 cyber attack campaigns
MIT License

Dedicated to the men and women fighting the coronavirus pandemic.

coronavirus-covid-19-SARS-CoV-2

All the IoCs I have gathered that are directly used in coronavirus / covid-19 / SARS-CoV-2 cyber attack campaigns. All IoCs are provided "as-is"; please apply your own verification methodology before deploying them on a production network.

Remember, architecture is the base and everything else is an additional layer. The stronger your system's security architecture, the lower the possibility of undesired incidents.

APT36 is known to have used this pandemic in its targeting. Those IoCs have been included in the list.

DO NOT CLICK ON ANY URLs OR VISIT ANY IP ADDRESSES: their current state is unknown and I have NOT masked (defanged) all the URLs.

WHO has a WhatsApp group for up-to-date information: http://bit.ly/who-covid19-whatsapp. Send a "hi" message to get started.

Wishing everyone good health and safety.

If any IoC listed in the repository is a false positive:

1. You can contact me via Twitter at @parthmaniar

2. Open an issue on GitHub.

3. Email me at parth ?? maniar @ kellogg ?? ox ?? ac ?? uk (replace ?? with .)

Last updated: 22:58 hrs IST on 11-04-2020

Deprecation notice.

I will be deprecating the IoCs that are part of this project. I want to thank everyone who helped me: Sanket Yeram, Jayendra Kadam, Krutika Potdar & Rohit Chaurasia.

I will remove the IoCs on 30th April 2021.

Version 14.5

Total IoCs: 661,567 (IPs: 1335; Hashes: 9,114; URLs/domains/hostname: ~6,51,112; CVEs: 6)

Version 14.4

Total IoCs: 661,567 (IPs: 1335; Hashes: 9,114; URLs/domains/hostname: ~6,51,112; CVEs: 6)

Version 14.3

Total IoCs: 644,869 (IPs: 1336; Hashes: 9,114; URLs/domains/hostname: ~6,34,413; CVEs: 6). Removed hash 9b1fbf0c11c520ae714af8aa9af12cfd48503eedecd7398d8992ee94d1b4dc37 as per a request received via Twitter. The source of the hash was IBM X-Force.

Version 14.2

Total IoCs: 644,870 (IPs: 1336; Hashes: 9,115; URLs/domains/hostname: ~6,34,413; CVEs: 6)

Version 14

Total IoCs: 623,560 (IPs: 1322; Hashes: 9,110; URLs/domains/hostname: ~6,13,122; CVEs: 6)

Version 13.6

Total IoCs: 612,024 (IPs: 582; Hashes: 9,110; URLs/domains/hostname: ~6,02,326; CVEs: 6)

Version 13.1

Total IoCs: 557,272 (IPs: 582; Hashes: 9,110; URLs/domains/hostname: ~5,47,628; CVEs: 6)

Version 12.8

Total IoCs: 553,592 (IPs: 582; Hashes: 8,088; URLs/domains/hostname: ~5,44,916; CVEs: 6)

Version 12.7

Total IoCs: 538,906 (IPs: 582; Hashes: 8,088; URLs/domains/hostname: ~5,30,230; CVEs: 6)

Version 12.6

Total IoCs: 522,336 (IPs: 582; Hashes: 8,088; URLs/domains/hostname: ~5,13,660; CVEs: 6)

Version 12.5

Total IoCs: 510,775 (IPs: 582; Hashes: 8,088; URLs/domains/hostname: ~5,02,099; CVEs: 6)

Version 12.4

Total IoCs: 510,281 (IPs: 582; Hashes: 8,088; URLs/domains/hostname: ~5,01,605; CVEs: 6)

Version 12.3

Total IoCs: 509,704 (IPs: 582; Hashes: 7,511; URLs/domains/hostname: ~5,01,605; CVEs: 6)

Version 12.2

Total IoCs: 497,139 (IPs: 582; Hashes: 7,511; URLs/domains/hostname: ~4,89,040; CVEs: 6)

Version 12.1

Total IoCs: 471,462 (IPs: 582; Hashes: 7,511; URLs/domains/hostname: ~4,53,363; CVEs: 6)

Version 12

Total IoCs: 422,744 (IPs: 582; Hashes: 7,511; URLs/domains/hostname: ~4,14,645; CVEs: 6)

Version 11.9

Total IoCs: 422,693 (IPs: 582; Hashes: 7,511; URLs/domains/hostname: ~4,14,594; CVEs: 6)

Version 11.8

Total IoCs: 396,412 (IPs: 582; Hashes: 7,511; URLs/domains/hostname: ~3,88,313; CVEs: 6)

Version 11.7

Total IoCs: 396,538 (IPs: 582; Hashes: 7,435; URLs/domains/hostname: ~3,88,515; CVEs: 6)

Version 11.6

Total IoCs: 390,522 (IPs: 582; Hashes: 7,435; URLs/domains/hostname: ~3,82,499; CVEs: 6)

Version 11.6

Total IoCs: 390,402 (IPs: 582; Hashes: 7,435; URLs/domains/hostname: ~3,82,379; CVEs: 6)

Version 11.5

Total IoCs: 389,902 (IPs: 582; Hashes: 7,435; URLs/domains/hostname: ~3,81,879; CVEs: 6)

Version 11.4

Total IoCs: 385,524 (IPs: 582; Hashes: 7,435; URLs/domains/hostname: ~3,77,501; CVEs: 6)

Version 11.3

Total IoCs: 376,586 (IPs: 581; Hashes: 7,387; URLs/domains/hostname: ~3,68,612; CVEs: 6)

Version 11.2

Total IoCs: 376,070 (IPs: 581; Hashes: 7,387; URLs/domains/hostname: ~3,68,096; CVEs: 6)

Version 11.1

Total IoCs: 369,517 (IPs: 581; Hashes: 7,387; URLs/domains/hostname: ~3,61,543; CVEs: 6)

Version 11

Total IoCs: 366,939 (IPs: 581; Hashes: 7,387; URLs/domains/hostname: ~3,58,965; CVEs: 6)

Added SSDEEP hashing. Added MD5 or SHA1 in cases where only SHA256 was available.

Version 10.9

Total IoCs: 362,336 (IPs: 577; Hashes: 4,365; URLs/domains/hostname: ~3,57,388; CVEs: 6)

Version 10.8

Total IoCs: 360,992 (IPs: 577; Hashes: 4,365; URLs/domains/hostname: ~3,56,044; CVEs: 6)

Version 10.7

Total IoCs: 359,810 (IPs: 577; Hashes: 4,365; URLs/domains/hostname: ~3,54,862; CVEs: 6)

Version 10.6

Total IoCs: 359,410 (IPs: 577; Hashes: 4,365; URLs/domains/hostname: ~3,54,468; CVEs: 6)

Version 10.5

Total IoCs: 357,298 (IPs: 577; Hashes: 4,365; URLs/domains/hostname: ~3,52,350; CVEs: 6)

Version 10.4

Total IoCs: 356,398 (IPs: 577; Hashes: 4,365; URLs/domains/hostname: ~3,51,450; CVEs: 6)

Version 10.3

Total IoCs: 354,695 (IPs: 577; Hashes: 4,365; URLs/domains/hostname: ~3,49,747; CVEs: 6)

Version 10.2

Total IoCs: 353,755 (IPs: 577; Hashes: 4,341; URLs/domains/hostname: ~3,48,831; CVEs: 6)

Version 10.1

Total IoCs: 353,409 (IPs: 577; Hashes: 4,341; URLs/domains/hostname: ~3,48,485; CVEs: 6)

In this update I have checked the list against the Alexa top 1 million websites to remove any false positives that were introduced in 9.9 (removed in 10). Interesting statistics to follow.
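The vetting steps this changelog describes (dropping invalid domain names as in 8.2, removing entries that match a top-sites allowlist as in the Alexa check above, and defanging indicators before sharing, as the notes at the top ask) can be reproduced with a small script. This is an added example, not code from the repository; the allowlist, the sample indicator lines and the helper names are constructed for the demo.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed stand-in for a top-sites allowlist (the README used the Alexa top 1M).
ALLOWLIST = {"google.com", "twitter.com", "who.int"}
# MD5 / SHA1 / SHA256 only; SSDEEP fuzzy hashes (also in the repo) need their own check.
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$", re.I)

def is_valid_domain(host: str) -> bool:
    """RFC 1035-style label check: rejects e.g. 'corona..virus.example' or 'corona_virus.com'."""
    labels = host.rstrip(".").split(".")
    return len(host) <= 253 and len(labels) >= 2 and all(LABEL_RE.match(l) for l in labels)

def defang(value: str) -> str:  # http -> hxxp and '.' -> '[.]' so the indicator is not clickable
    return value.replace("http", "hxxp").replace(".", "[.]")

def classify(value: str):
    """Return (kind, host): kind is 'hash', 'ip', 'url', 'domain' or 'invalid'."""
    if HASH_RE.match(value):
        return "hash", None
    try:
        ipaddress.ip_address(value)
        return "ip", None
    except ValueError:
        pass
    host = urlsplit(value).hostname if "://" in value else value.split("/")[0]
    if host and is_valid_domain(host):
        return ("url" if "://" in value else "domain"), host.lower()
    return "invalid", None

def vet(lines):
    """Return {'keep': [defanged indicators], 'dropped': [(indicator, reason)]}."""
    keep, dropped = [], []
    for line in lines:
        value = line.strip()
        if not value or value.startswith("#"):
            continue  # blank lines and comments
        kind, host = classify(value)
        if kind == "invalid":
            dropped.append((value, "invalid domain name"))
        elif kind == "hash":
            keep.append(value)  # hashes are inert; no defanging needed
        elif host and ".".join(host.split(".")[-2:]) in ALLOWLIST:  # naive eTLD+1; wrong for co.uk-style ccSLDs
            dropped.append((value, "allowlisted registrable domain"))
        else:
            keep.append(defang(value))
    return {"keep": keep, "dropped": dropped}

SAMPLE = [  # constructed sample lines, not real indicators from the repository
    "covid19-relief-payment.example", "http://corona-map.example/update.exe",
    "www.google.com", "corona..virus.example",
    "d41d8cd98f00b204e9800998ecf8427e", "203.0.113.45",
]
```

Run `vet(SAMPLE)` to see the two allowlisted/invalid entries dropped with their reasons and the rest returned defanged.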

Version 10

Total IoCs: 352,243 (IPs: 577; Hashes: 4,341; URLs/domains/hostname: ~3,47,316; CVEs: 6)

Emergency update to remove www.google.com and www.twitter.com

Version 9.9

Total IoCs: 352,243 (IPs: 577; Hashes: 4,341; URLs/domains/hostname: ~3,47,319; CVEs: 6)

Please apply this update to fix a parsing issue introduced in version 9.8 in the All IOCs file.

A vulnerability has been identified in the implementation of the Android version of Australia's COVIDSafe contact tracing app that may affect several other contact tracing apps that share a similar architecture, such as Singapore's TraceTogether and Alberta's ABTraceTogether. This issue is being tracked using the CVE ID CVE-2020-12856. The vulnerability allows for long-term tracking of users of the affected apps, and possibly enables other Bluetooth-based attack vectors.

Version 9.8

Total IoCs: 351,940 (IPs: 577; Hashes: 4,341; URLs/domains/hostname: ~3,47,017; CVEs: 5)

Version 9.7

Total IoCs: 350,495 (IPs: 577; Hashes: 4,341; URLs/domains/hostname: ~3,45,572; CVEs: 5)

Version 9.6

Total IoCs: 350,627 (IPs: 575; Hashes: 4,147; URLs/domains/hostname: ~3,45,900; CVEs: 5)

Version 9.5

Total IoCs: 348,845 (IPs: 575; Hashes: 4,147; URLs/domains/hostname: ~3,44,118; CVEs: 5)

Version 9.3

Total IoCs: 347,445 (IPs: 575; Hashes: 3,853; URLs/domains/hostname: ~3,43,012; CVEs: 5)

Version 9.2

Total IoCs: 342,210 (IPs: 573; Hashes: 3,853; URLs/domains/hostname: ~3,37,779; CVEs: 5)

Version 9.1

Total IoCs: 342,250 (IPs: 573; Hashes: 3,583; URLs/domains/hostname: ~3,38,089; CVEs: 5)

Version 9

Total IoCs: 3,41,343 (IPs: 573; Hashes: 3,583; URLs/domains/hostname: ~3,36,910; CVEs: 5)

Bumping to version 9.0 as new domains/hostnames/URLs now stand at 3,36,910.

Version 8.2

Total IoCs: 44,055 (IPs: 573; Hashes: 3,581; URLs/domains/hostname: ~39,890; CVEs: 5)

Emergency update to remove invalid domain names. A total of 6 domains removed.

Version 8.1

Total IoCs: 44,055 (IPs: 573; Hashes: 3,581; URLs/domains/hostname: ~39,896; CVEs: 5)

Version 7.9

Total IoCs: 43,292 (IPs: 568; Hashes: 3,584; URLs/domains/hostname: ~39,135; CVEs: 5)

Version 7.8

Total IoCs: 42,400 (IPs: 568; Hashes: 3,584; URLs/domains/hostname: ~38,243; CVEs: 5)

Version 7.7

Total IoCs: 42,043 (IPs: 568; Hashes: 3,584; URLs/domains/hostname: ~37,887; CVEs: 5)

Version 7.6

Total IoCs: 41,270 (IPs: 568; Hashes: 3,584; URLs/domains/hostname: ~37,113; CVEs: 5)

Version 7.5

Total IoCs: 40,804 (IPs: 568; Hashes: 3,584; URLs/domains/hostname: ~36,647; CVEs: 5)

Version 7.4

Total IoCs: 40,098 (IPs: 564; Hashes: 3561; URLs/domains/hostname: ~35,968; CVEs: 5)

Version 7.3

Total IoCs: 39,811 (IPs: 564; Hashes: 3561; URLs/domains/hostname: ~35,681; CVEs: 5)

Version 7.2

Total IoCs: 38,908 (IPs: 564; Hashes: 3561; URLs/domains/hostname: ~34,778; CVEs: 5)

Version 7.1

Total IoCs: 38,075 (IPs: 564; Hashes: 3561; URLs/domains/hostname: ~33,945; CVEs: 5)

Version 7.0

Total IoCs: 35,243 (IPs: 564; Hashes: 3561; URLs/domains/hostname: ~31,113; CVEs: 5)

Bumping this to 7.0 as a total of ~11,000 new IoCs were added.

Version 6.8

Total IoCs: 24,302 (IPs: 564; Hashes: 3560; URLs/domains/hostname: ~20,173; CVEs: 5)

There is a request to evaluate 23.227.38.65 and 23.227.38.32 and fine-tune them to URLs. I will be working on this. This request came via email. I will open an issue today for tracking.

Version 6.7

Total IoCs: 24,262 (IPs: 561; Hashes: 3530; URLs/domains/hostname: ~20,166; CVEs: 5)

Version 6.6

Total IoCs: 24,258 (IPs: 561; Hashes: 3530; URLs/domains/hostname: ~20,162; CVEs: 5)

Version 6.5

Total IoCs: 23,567 (IPs: 561; Hashes: 3530; URLs/domains/hostname: ~19,471; CVEs: 5). Bumping to 6.5 due to a large addition of URLs.

Version 6.1

Emergency update to remove covid-19-sounds.org

Version 6.0

Total IoCs: 20,763 (IPs: 550; Hashes: 3452; URLs/domains/hostname: ~16,756; CVEs: 5). Bumping to 6.0 due to a large addition of URLs.

Version 5.8

Total IoCs: 14,730 (IPs: 550, Hashes: 3433, URLs/domains/hostname: ~10742, CVEs: 5)

Version 5.7

Total IoCs: 14,587 (IPs: 517, Hashes: 3337, URLs/domains/hostname: ~10728, CVEs: 5)

Version 5.6

Total IoCs: 14,305 (IPs: 517, Hashes: 3215, URLs/domains/hostname: ~10568, CVEs: 5)

Version 5.5

Total IoCs: 13,787 (IPs: 514, Hashes: 3124, URLs/domains/hostname: ~10144, CVEs: 5)

Version 5.4

Total IoCs: 13,567 (IPs: 514, Hashes: 3124, URLs/domains/hostname: ~9924, CVEs: 5)

Version 5.3

Total IoCs: 12,966 (IPs: 513, Hashes: 3191, URLs/domains/hostname: ~9257, CVEs: 5)

Version 5.2.1

Emergency update to remove domain: coronavirus3d.org, which was ingested from a CERT-US notification. Now removed from all IoC files.

The confidence script is still running.

Total IoCs: 12,594 (IPs: 513, Hashes: 3191, URLs/domains/hostname: ~8885, CVEs: 5)

Version 5.2

The confidence script is still running.

Total IoCs: 12,595 (IPs: 513, Hashes: 3191, URLs/domains/hostname: ~8886, CVEs: 5)

Version 5.1

Important cleanup for hashes. A new confidence script has been initiated. ETA for completion: 1700 IST on 14-04-2020.

Total IoCs: 12,375 (IPs: 510, Hashes: 3187, URLs/domains/hostname: ~8673, CVEs: 5)

Version 5

Bumping to version 5 as we have a massive ingestion from blocklist.cyberthreatcoalition.org/vetted/ and the kind assistance of GitHub user @ideaengine007 (Nitesh on Twitter: @ideaengine007, https://twitter.com/ideaengine007).

Hashes added as part of this update are still being vetted at VirusTotal. A random audit has confirmed that 100% of the (available) hashes relate to Covid-19 scams. Thank you.

Total IoCs: 12,419 (IPs: 510, Hashes: 3231, URLs/domains/hostname: ~8673, CVEs: 5)

Version 4.5.1

Emergency update to remove domain: covid19map.us, which was ingested from a CERT-US notification. Now removed from all IoC files.

Total IoCs: 7382 (IPs: 512, Hashes: 1950, URLs/domains/hostname: ~4915, CVEs: 5)

Version 4.5

Total IoCs: 7383 (IPs: 512, Hashes: 1950, URLs/domains/hostname: ~4916, CVEs: 5)

Version 4.3

Total IoCs: 7199 (IPs: 511, Hashes: 1778, URLs/domains/hostname: ~4906, CVEs: 4). Refer to https://github.com/parthdmaniar/coronavirus-covid-19-SARS-CoV-2-IoCs/tree/master/Printscreens for screenshots (printscreens) of the scams.

Version 4.2

Total IoCs: 7073 (IPs: 472, Hashes: 1722, URLs/domains/hostname: ~4875, CVEs: 4). Refer to https://github.com/parthdmaniar/coronavirus-covid-19-SARS-CoV-2-IoCs/tree/master/Printscreens for screenshots (printscreens) of the scams.

Version 4.1

Bumping directly from 3.5 to 4.1 due to additional inclusions and coverage.

This update includes lists from the US-CERT TLP:WHITE alert shared here: https://www.us-cert.gov/ncas/alerts/aa20-099a and https://github.com/sophoslabs/covid-iocs

Total IoCs: 6586 (IPs: 454, Hashes: 1807, URLs/domains/hostname: ~4321, CVEs: 4). Refer to https://github.com/parthdmaniar/coronavirus-covid-19-SARS-CoV-2-IoCs/tree/master/Printscreens for screenshots (printscreens) of the scams.

Version 3.5

Closed the issue wherein legitimate websites (coronavirusdatamap.com and californiacoronavirus.org) were included in domaintools_malicious_domain_list.

Please be advised that the curated lists are: IP, Hashes, URLs and ALL IOCs. These are personally verified by me. All other lists should be tested before production use.

Total IoCs: 3762 (IPs: 454, Hashes: 1675, URLs/domains/hostname: ~1629, CVEs: 4)

Version 3.4

Total IoCs: 3757 (IPs: 452, Hashes: 1673, URLs/domains/hostname: ~1628, CVEs: 4)

Version 3.3

Total IoCs: 3738 (IPs: 450, Hashes: 1660, URLs/domains/hostname: ~1624, CVEs: 4)

In this update, newly registered domains have been updated until 03-05-2020. Newly registered domains have been pushed to VirusTotal.

Version 3.2

Merge and duplicate removal. Total IoCs: 3731 (IPs: 449, Hashes: 1660, URLs/domains/hostname: ~1618, CVEs: 4)

Version 3.1

Merge and duplicate removal. Total IoCs: 3592 (IPs: 439, Hashes: 1553, URLs/domains/hostname: ~1596, CVEs: 4)

Version 3.0

A major update, as I have now incorporated the list by Anomali: https://www.anomali.com/learn/covid19. Thank you very much to Anomali.

Total IoCs: 4073 (IPs: 961, Hashes: 1594, URLs/domains/hostname: ~1514, CVEs: 4)

Version 2.8

Total IoCs: 949 (IPs: 26, Hashes: 514, URLs/domains/hostname: ~2530, CVEs: 4).

Version 2.7

Total IoCs: 856 (IPs: 26, Hashes: 437, URLs/domains/hostname: ~390, CVEs: 3).

As of this update all URLs that are part of "newly_registered_domains" have been submitted to VirusTotal. I want to thank Krutika Potdar (who provided 3 VT keys and other logistical support keeping the team in sync), Ankit Bose (who submitted 10,000 domains), Arun Kumar, and members of the greatest team ever: Jayendra Kadam, Sanket Yeram, Rohit Chaurasia.

Version 2.6

Total IoCs: 781 (IPs: 20, Hashes: 378, URLs/domains/hostname: ~380, CVEs: 3).

As of this update all URLs listed are being validated for authenticity.

Removed the DomainTools URLs from the official IoC list.

The list by DomainTools seems to include legitimate websites too. PLEASE USE IT WITH ADDITIONAL CAUTION. URLs listed under "URL" are validated as having been used in malicious covid-19 / coronavirus campaigns.

New: the DomainTools list is incorporated: https://www.domaintools.com/resources/blog/free-covid-19-threat-list-domain-risk-assessments-for-coronavirus-threats#download

Version 2.4

Total IoCs: 81,766 (IPs: 20, Hashes: 378, URLs/domains/hostname: ~380, CVEs: 3).

The list by DomainTools seems to include legitimate websites too. PLEASE USE IT WITH ADDITIONAL CAUTION. URLs listed under "URL" are validated as having been used in malicious covid-19 / coronavirus campaigns.

New: the DomainTools list is incorporated: https://www.domaintools.com/resources/blog/free-covid-19-threat-list-domain-risk-assessments-for-coronavirus-threats#download

hmrc-cov19.payment.estrodev.com -- found to be actively used as part of SMS-based phishing.

The total of newly registered domains containing the keyword covid / corona now stands at 36,994. Date of registration is after 1st February 2020.

Version 2.3

Total IoCs: 81,766 (IPs: 20, Hashes: 378, URLs/domains/hostname: ~380, CVEs: 3).

New: the DomainTools list is incorporated: https://www.domaintools.com/resources/blog/free-covid-19-threat-list-domain-risk-assessments-for-coronavirus-threats#download

hmrc-cov19.payment.estrodev.com -- found to be actively used as part of SMS-based phishing.

The total of newly registered domains containing the keyword covid / corona now stands at 36,994. Date of registration is after 1st February 2020.

Version 2.2

Total IoCs: 712 (IPs: 19, Hashes: 354, URLs/domains/hostname: ~356, CVEs: 3).

hmrc-cov19.payment.estrodev.com -- found to be actively used as part of SMS-based phishing.

The total of newly registered domains containing the keyword covid / corona now stands at 34,891. Date of registration is after 20th March 2020.

Version 2.2

Total IoCs: 711 (IPs: 19, Hashes: 354, URLs/domains/hostname: ~355, CVEs: 3). The total of newly registered domains containing the keyword covid / corona now stands at 34,891. Date of registration is after 20th March 2020.

Version 2.1

THERE ARE SOME CORRECTIONS IN THE URL FILE. PLEASE UPDATE.

Total IoCs: 711 (IPs: 19, Hashes: 354, URLs/domains/hostname: ~355, CVEs: 3). The total of newly registered domains containing the keyword covid / corona now stands at 13,752. Date of registration is after 20th March 2020.

Newly registered domain names supplied at discounted cost by:

Name: Janmajaya Panigrahy
Company Name: Genesics Enterprises LL

Version 2.0

Total IoCs: 711 (IPs: 19, Hashes: 334, URLs/domains/hostname: ~355, CVEs: 3). The total of newly registered domains containing the keyword covid / corona now stands at 11,660. Date of registration is after 20th March 2020.

Version 1.9

Total IoCs: 599 (IPs: 18, Hashes: 333, URLs/domains/hostname: 245, CVEs: 3). The total of newly registered domains containing the keyword covid / corona now stands at 11,660. Date of registration is after 20th March 2020.

Version: 1.8

Total IoCs: 557 (IPs: 18, Hashes: 304, URLs/domains/hostname: 234, CVEs: 3). This update has a new list: newly registered domains. There are a total of 9595 newly registered domains between 20th March and 24th March 2020.

Version: 1.7

Total IoCs: 552 (IPs: 18, Hashes: 304, URLs/domains/hostname: 229, CVEs: 3). This update contains entries that are part of APT36 activity and not directly connected to the purpose of this IoC list.

Version 1.6

Total IoCs: 549 (IPs: 18, Hashes: 302, URLs/domains/hostname: 226, CVEs: 3).

Version 1.5

Total IoCs: 520 (IPs: 18, Hashes: 283, URLs/domains/hostname: 219).

Version 1.4

Confidence file uploaded. All hash IoCs are verified.

Version: 1.3

Adding: Confidence score for attached IoCs. (Starting with hash).

Version: 1.2

Added: 1 file hash. Total now stands at: 431.

Version: 1.1

Added: 39 URLs (most of these are defanged). Total now stands at: 430.

Version: 1.01

Spell check and combined all IoCs under "All IoC" file.

Version: 1

Initial commit has 391 IoCs - 282 hashes, 93 URLs, and 16 IPs.