Ramnit stands out as a malware as it continues to evolve and requires cybersecurity experts and law enforcement agents to stay alert. Variants have been recently detected, so that security companies such as Prevailion advise organizations to keep Ramnit on their radar. And so we did by expanding known Ramnit indicators of compromise (IoCs) with the help of domain and IP intelligence sources.

Discovering Artifacts from Ramnit IoCs

Like other malware families, Ramnit has several reported IoCs, some of which may have already been taken down or no longer exist. However, there could be other domains and IP addresses associated with these IoCs that can be obtained from historical WHOIS and DNS records. These are artifacts that may be worth looking into as well.

Gathering Ramnit IoCs

The first step is to collect domains and IP addresses tagged as Ramnit IoCs. We found six file hashes on VirusTotal:

• d3aee3c8a586fc7ad2ea4240f43101fc787b37cb9f5afda41998abf28a06d8b6
• ed9efbb541832ea30e50e1bf61d74159bfeb63a5772a6cae3c6cced8dbb41237
• 0d3c4faa62d52cf7b4176f8f9861edf7f4e854b0be75757427022b29c0ad097a
• db45b173fd7c248a53be7b8555e1e1033a8cc5cfb4755c12cfd65e60314aabc5
• 463099cb3ca9fdd9c82a60747bff4438c6943546f3542cfb7bca6e1c5123caef
• 1a18a25b3990a0cd00321d9526a4f588259712ee5cdc71f32b15a6610a672d1b

These Ramnit files contacted 58 domains and 16 IP addresses. Out of these IoCs, we picked 13 domains dubbed malicious or suspicious on more than one engine on VirusTotal. Furthermore, 11 of the IP addresses have been reported malicious, so we expanded on those as well.

Expanding Ramnit IoCs and Analyzing Artifacts

To find artifacts, we used the following domain and IP intelligence tools:

• WHOIS History Search: Can help reveal unredacted historical WHOIS records. seven out of 13 domains have publicly available contact email addresses at some point in the past. Please refer to the second column in Table 1.
• Reverse WHOIS Search: Returns all domain names that contain a specific keyword in their current or historical WHOIS records. For this investigation, we searched for domains that use the contact email addresses in their historical WHOIS records (see third column in Table 1).
• Reverse IP Lookup: Provides a list of domains that once resolved to the IP addresses.
• IP Netblocks API: Returns the IP ranges an IP address belongs to, as well as the company and autonomous system details.

Even though only eight domains contain publicly visible contact email addresses, more than 35,000 associated with these addresses were uncovered, as seen in Table 1 below. Moreover, two malicious domains (rikbrsqoyjjpb[.]com and sxavjnfrwwrq[.]com) share the same email address which is historically connected to 175 domains. The rest of the domains sharing the email address warrant further investigation.

Table 1: Artifacts from domains tagged as Ramnit IoCs reported malicious or suspicious on VirusTotal

A majority of the artifacts comprise random alphanumeric characters, a common feature of machine-generated domains. The image below shows the domains that share the same email address with eakrbfndtxvub[.]com. In addition, most of the malicious IP addresses in the study are tagged as generated by domain generation algorithms (DGA) in the reports.

Some subdomains also appear to be pertaining to nameservers and mail exchange (MX) servers.

The IP addresses Ramnit contacted, on the other hand, could be associated with 673 domain names. Note also that two of the malicious IP addresses (216.58.213[.]142 and 216.58.205[.]46) belong to the same parent IP block, 216.58.192[.]0 - 216.58.223[.]255. Other IP addresses belonging to the IP range or block could be worth looking into.

Here too, most of the domains appear to be machine-generated. The image below shows some examples.

We may not get rid of Ramnit anytime soon. But tracking and expanding linked IoCs can help identify artifacts of interest. Doing so can pave the way to a better understanding of the malware and how it spreads.

Are you a security researcher or investigator interested in the Ramnit-associated domains and IP addresses mentioned in this post? Contact us to learn more about how you can expand malware IoC lists with our data.