These are OVH IP ranges, suballocated to a customer called Verelox.com. I think that Verelox is a legitimate but very small web host that has suffered a major compromise of their servers.
The first range is 220.127.116.11/29 which has apparently compromised servers at:
..you can see a dump of probably evil domains in this pastebin. The second range is 18.104.22.168/28 with apparently compromised servers at:
..you can see a list of those domains in this pastebin.
Registration details of the domains vary, including some that use the somewhat amusing email address firstname.lastname@example.org. Some of the .eu domains and the .xyz domains have contact details as follows:
Registrant ID: INTE54fjkzffmcv1
Registrant Name: Ramil Jamaletdinov
Registrant Street: Bolshaya str, 15, kv.12
Registrant City: Moscow
Registrant Postal Code: 105553
Registrant Country: RU
Registrant Phone: +7.90988766754
Registrant Phone Ext:
Registrant Fax: +7.
Registrant Fax Ext:
Registrant Email: email@example.com
I don't know if this person actually exists or indeed has anything to do with this, all searches come up blank.
In addition to this, some of these domains use nameservers on the following IP addresses:
These are allocated to Ramnode LLC in the US. I would suggest that they are under the control of the bad guys and are worth blocking traffic to.
Note that Cyphort identift these C&C servers for the malware:
The following IPs and domain names all seem to be connected and I would recommend blocking at least the IP addresses and domains in bold (the other domains look like they are probably throwaway ones):