
Expanding the Conti Ransomware IoCs Using WHOIS and IP Clues

On 9 March 2022, the Cybersecurity and Infrastructure Security Agency (CISA) added 98 indicators of compromise (IoCs) to their Conti ransomware alert page. WhoisXML API researchers examined these flagged domain names for recurring characteristics to uncover more artifacts. Among our findings are:

  • 270+ domains added since 1 March 2022 that share exact WHOIS details with the IoC domains
  • 25+ unique IP address resolutions of the 98 domain IoCs
  • 300+ additional domains resolving to the same IP addresses as the domain IoCs
  • Over a dozen connected domains flagged as malicious

You may download a sample of the data related to Conti ransomware from our website.

Characteristics of the Conti Ransomware IoCs

Most of the domain IoCs share the same lexical features: their second-level labels are not English words and read as a run of alternating consonant-vowel pairs, sometimes with a single trailing consonant (all of the examples below are six or seven letters long). Below are a few examples.

  • bumoyez[.]com
  • bupula[.]com
  • cajeti[.]com
  • cilomum[.]com
  • dirupun[.]com
  • dohigu[.]com
  • gucunug[.]com
  • guvafe[.]com
  • hakakor[.]com
  • hejalij[.]com
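
The naming pattern described above can be turned into a cheap triage filter for candidate domains. The Python below is an added example, not code from the post or from WhoisXML API; the regular expression, the assumed six-to-eight-letter length bounds and the handling of "y" as a consonant are the author's choices, and the candidate list is constructed from names that appear on this page.

```python
import re

# Added example, not code from the post. It encodes the naming pattern the
# post describes: a second-level label that reads as a run of consonant-vowel
# pairs with an optional trailing consonant (bu-mo-ye-z, ci-lo-mu-m, ha-ka-ko-r).
# "y" is treated as a consonant so that bumoyez matches.
CV_LABEL = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou])+[bcdfghjklmnpqrstvwxyz]?$")

# Assumed length bounds: the names cited in the post are six to eight letters.
MIN_LEN, MAX_LEN = 6, 8


def refang(domain: str) -> str:
    """Turn a defanged name such as 'bumoyez[.]com' back into 'bumoyez.com'."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")


def second_level_label(domain: str) -> str:
    """Return the label directly under the TLD, e.g. 'bumoyez' for 'bumoyez.com'.

    Assumes a single-label TLD such as .com, which is all the post's IoCs use;
    a public-suffix list would be needed for names under .co.uk and the like.
    """
    labels = refang(domain).split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def is_cv_pattern(domain: str) -> bool:
    """True when the second-level label fits the IoCs' consonant-vowel shape."""
    label = second_level_label(domain)
    return MIN_LEN <= len(label) <= MAX_LEN and CV_LABEL.match(label) is not None


def triage(domains):
    """Split a candidate list into names that fit the pattern and names that do not."""
    fits, rest = [], []
    for d in domains:
        (fits if is_cv_pattern(d) else rest).append(refang(d))
    return fits, rest


if __name__ == "__main__":
    # Constructed candidate list: IoCs from the post plus brand-themed artifacts.
    sample = ["bumoyez[.]com", "hejalij[.]com", "joderica[.]com",
              "craigslistmatch[.]com", "hotsmal[.]com", "vueling-airline[.]com"]
    fits, rest = triage(sample)
    print("pattern:", fits)
    print("other:  ", rest)
```

The pattern is a filter, not a verdict: ordinary words such as "banana" or "tomato" fit it just as well, so a match only earns a name a closer look at its WHOIS and hosting details.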

WHOIS Characteristics

While all the domains CISA added had redacted WHOIS records, some registration details still stood out because they recur across the domains. The bulk WHOIS lookup results highlight this, as shown partially by the screenshot below.

Most of the 98 domain IoCs had identical patterns in their WHOIS record details, including:

  • Registrar: Namecheap
  • Nameservers: dns1[.]registrar-servers[.]com and dns2[.]registrar-servers[.]com
  • Registrant name: Redacted for Privacy
  • Registrant country: Iceland

Taken individually, none of these details is a strong signal: Namecheap, its default nameservers and privacy redaction are shared by a very large number of legitimate domains. Analyzed together, and restricted to a narrow registration window, they add enough context to surface additional connected domains.
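
The combined fingerprint can be applied over parsed WHOIS records before (or instead of) running a reverse WHOIS query, which makes the "together, not individually" point concrete. The Python below is an added example, not WhoisXML API code; the record layout, the date window and every sample record are constructed for illustration, and the registration details shown are not real WHOIS data.

```python
from dataclasses import dataclass

# Added example, not WhoisXML API code. It applies the four recurring WHOIS
# details from the post as a combined fingerprint over parsed records. The
# record layout and the sample records below are constructed for illustration.


@dataclass(frozen=True)
class WhoisRecord:
    domain: str
    registrar: str
    nameservers: tuple
    registrant_name: str
    registrant_country: str
    created: str  # ISO date, as reported in the WHOIS record


# The recurring values observed across the IoCs, normalised to lower case.
FINGERPRINT = {
    "registrar": "namecheap",
    "nameservers": frozenset({"dns1.registrar-servers.com", "dns2.registrar-servers.com"}),
    "registrant_name": "redacted for privacy",
    "registrant_country": "iceland",
}


def _norm(value: str) -> str:
    return value.strip().lower().rstrip(".")


def fingerprint_matches(rec: WhoisRecord) -> list:
    """Return the names of the fingerprint fields this record matches."""
    hits = []
    if FINGERPRINT["registrar"] in _norm(rec.registrar):
        hits.append("registrar")
    if frozenset(_norm(n) for n in rec.nameservers) == FINGERPRINT["nameservers"]:
        hits.append("nameservers")
    if _norm(rec.registrant_name) == FINGERPRINT["registrant_name"]:
        hits.append("registrant_name")
    if _norm(rec.registrant_country) == FINGERPRINT["registrant_country"]:
        hits.append("registrant_country")
    return hits


def pivot(records, since="2022-03-01", until="2022-04-17", require=4):
    """Domains created in the window whose records match at least `require` fields.

    Each field alone is weak evidence (Namecheap and its default nameservers are
    shared by a very large population), so the default demands all four.
    """
    out = []
    for rec in records:
        if since <= rec.created <= until and len(fingerprint_matches(rec)) >= require:
            out.append(rec.domain)
    return sorted(out)


NC_NS = ("dns1.registrar-servers.com", "dns2.registrar-servers.com")

# Constructed records: two artifacts named in the post, one older domain with the
# same profile, one Namecheap domain with a US registrant, and one domain at an
# unrelated registrar. The details are illustrative, not real WHOIS data.
SAMPLE_RECORDS = [
    WhoisRecord("kerikon.com", "NameCheap, Inc.", NC_NS, "Redacted for Privacy", "Iceland", "2022-03-10"),
    WhoisRecord("derizera.com", "NameCheap, Inc.", NC_NS, "Redacted for Privacy", "Iceland", "2022-04-02"),
    WhoisRecord("old-profile.example", "NameCheap, Inc.", NC_NS, "Redacted for Privacy", "Iceland", "2021-06-01"),
    WhoisRecord("local-bakery.example", "NameCheap, Inc.", NC_NS, "Redacted for Privacy", "US", "2022-03-15"),
    WhoisRecord("other-registrar.example", "GoDaddy.com, LLC", ("ns1.example", "ns2.example"),
                "Redacted for Privacy", "Iceland", "2022-03-20"),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.domain, fingerprint_matches(rec))
    print("pivot:", pivot(SAMPLE_RECORDS))
```

Even a full four-field match still describes a large population of ordinary privacy-protected registrations, which is why the post pairs this pivot with the creation-date window, the lexical pattern and the IP overlap rather than treating any one of them as conclusive.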

Domain Artifacts from Shared WHOIS Characteristics

We uncovered hundreds of artifacts using the key recurring WHOIS details listed above as reverse WHOIS search strings. These additional domains were created between 1 March and 17 April 2022. Some domains that followed the IoCs’ lexical features include:

  • kerikon[.]com
  • joderica[.]com
  • derizera[.]com
  • cedisale[.]com
  • ferizera[.]com

Some artifacts use strings related to popular companies and brands, including:

  • craigslistmatch[.]com
  • hotsmal[.]com
  • matchcraigslist[.]com
  • vueling-airline[.]com
  • windows11-infoserver011[.]com

IP Resolutions of the Domain IoCs

We also ran the domain IoCs through a bulk IP geolocation lookup to retrieve their current IP resolutions. Only 29 of the 98 domains (29.6%) resolved to an IP address at the time of analysis. Most of those addresses fell within the 23.0.0.0 to 23.255.255.255 range and were attributed to Leaseweb USA, Inc.

Domain Artifacts from Shared IP Addresses

Using the domain IoCs' IP addresses as search terms, we found more than 300 additional domains via reverse IP/DNS lookups. Some of these domains may resolve to the same IP addresses coincidentally, but a few also shared the WHOIS characteristics of the domain IoCs, and some followed the IoCs' lexical pattern as well, including:

  • dihaxim[.]com
  • sorabet[.]com
  • tafobi[.]com
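
The reverse IP pivot, and the coincidence caveat that goes with it, can be worked through on a small resolution set. The Python below is an added example, not WhoisXML API code: the forward resolutions are constructed, RFC 5737 documentation addresses stand in for the real ones (192.0.2.0/24 plays the role of the post's 23.0.0.0/8 block), and the shared-hosting threshold is an assumption.

```python
import ipaddress
from collections import defaultdict

# Added example, not WhoisXML API code. It inverts a set of forward-DNS
# resolutions into a reverse-IP index and pivots from the IoCs' addresses to
# co-hosted domains, discarding addresses that look like shared hosting.
# All data below is constructed; RFC 5737 documentation addresses stand in for
# the real resolutions, with 192.0.2.0/24 playing the role of the post's
# 23.0.0.0/8 block.

RANGE_OF_INTEREST = ipaddress.ip_network("192.0.2.0/24")  # stand-in for 23.0.0.0/8
SHARED_HOST_THRESHOLD = 25  # assumption: more co-hosted names than this = shared hosting

IOCS = {"bumoyez.com", "cajeti.com", "dohigu.com", "guvafe.com", "hejalij.com"}

# Constructed forward resolutions: domain -> set of IPv4 addresses (empty = no answer).
FORWARD = {
    "bumoyez.com": {"192.0.2.10"},
    "cajeti.com": {"192.0.2.10"},
    "dohigu.com": {"192.0.2.20"},
    "guvafe.com": set(),                      # unresolved, like most of the IoCs
    "hejalij.com": {"198.51.100.5"},          # parked on a busy shared host
    "dihaxim.com": {"192.0.2.10"},            # co-hosted with two IoCs
    "tafobi.com": {"192.0.2.20", "192.0.2.21"},
    "unrelated.example": {"203.0.113.7"},
}
# Thirty unrelated tenants on the shared host, so a pivot through it is noise.
for i in range(30):
    FORWARD[f"tenant{i:02d}.example"] = {"198.51.100.5"}


def reverse_index(forward):
    """ip -> set of domains resolving to it (the reverse IP/DNS view)."""
    index = defaultdict(set)
    for domain, ips in forward.items():
        for ip in ips:
            index[ip].add(domain)
    return index


def resolution_rate(forward, iocs):
    """Fraction of the IoCs that resolve to at least one address."""
    resolved = sum(1 for d in iocs if forward.get(d))
    return resolved / len(iocs)


def ioc_ips(forward, iocs):
    return {ip for d in iocs for ip in forward.get(d, ())}


def in_range(ip, network=RANGE_OF_INTEREST):
    return ipaddress.ip_address(ip) in network


def pivot_by_ip(forward, iocs, threshold=SHARED_HOST_THRESHOLD):
    """Non-IoC domains sharing an address with an IoC, as domain -> sorted IPs.

    Addresses hosting more than `threshold` names are skipped: co-residence on
    shared hosting says little about who controls the domain.
    """
    index = reverse_index(forward)
    hits = defaultdict(set)
    for ip in ioc_ips(forward, iocs):
        tenants = index[ip]
        if len(tenants) > threshold:
            continue
        for domain in tenants - iocs:
            hits[domain].add(ip)
    return {d: sorted(ips) for d, ips in sorted(hits.items())}


if __name__ == "__main__":
    print(f"{resolution_rate(FORWARD, IOCS):.1%} of IoCs resolve")
    print("IoC IPs in range:", sorted(ip for ip in ioc_ips(FORWARD, IOCS) if in_range(ip)))
    print("pivot:", pivot_by_ip(FORWARD, IOCS))
```

Raising the threshold brings the thirty shared-host tenants back into the result, which is the false-positive mode the paragraph above warns about; in practice the threshold is tuned per hosting provider, and a hit is only promoted when it also carries the WHOIS fingerprint or the lexical pattern.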

Malicious Artifacts Uncovered

Through WHOIS and IP connections, we found more than 500 additional domains that could be part of the Conti ransomware infrastructure. Some of these domains are likely false positives, but a few have already been tied to malicious activity: over a dozen of the artifacts are flagged as malicious by malware detection engines.


Analyzing threats in the context of shared WHOIS and IP characteristics can help detect potentially malicious domains early, before threat actors put them to use in campaigns. The additional domains uncovered in this analysis, for instance, can be loaded into monitoring systems as a watchlist so that security teams are alerted when any of them, or a subdomain of one, appears in network traffic.
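
That monitoring step is where list handling mistakes show up: a naive substring match on a domain watchlist fires on "notdihaxim.com" and misses "mail.kerikon.com". The Python below is an added example, not WhoisXML API code; the watchlist is drawn from names on this page, and the JSON-lines DNS log is constructed for illustration rather than captured traffic.

```python
import json

# Added example, not WhoisXML API code. It shows the last step the post
# describes: loading the uncovered domains into a monitor that raises an alert
# whenever one of them, or any subdomain of it, is queried. The watchlist and
# the JSON-lines DNS log below are constructed for illustration.

WATCHLIST = {"bumoyez.com", "kerikon.com", "dihaxim.com", "craigslistmatch.com"}

# Constructed DNS query log (one JSON object per line). Not real traffic.
DNS_LOG = """\
{"ts": "2022-04-18T09:12:01Z", "src": "10.0.0.12", "query": "www.example.org"}
{"ts": "2022-04-18T09:12:04Z", "src": "10.0.0.12", "query": "bumoyez.com"}
{"ts": "2022-04-18T09:12:09Z", "src": "10.0.0.31", "query": "mail.kerikon.com."}
{"ts": "2022-04-18T09:12:15Z", "src": "10.0.0.31", "query": "notdihaxim.com"}
{"ts": "2022-04-18T09:13:02Z", "src": "10.0.0.44", "query": "CraigslistMatch.COM"}
{"ts": "2022-04-18T09:13:07Z", "src": "10.0.0.44", "query": "kerikon.com.evil.example"}
"""


def build_matcher(watchlist):
    """Normalise the watchlist so lookups are exact-label suffix matches, not substring hits."""
    return {d.strip().lower().rstrip(".") for d in watchlist}


def matched_domain(query, index):
    """Return the watchlist entry that `query` equals or sits under, else None.

    Walks the query one label at a time so that 'notdihaxim.com' does not match
    'dihaxim.com' while 'mail.kerikon.com' does match 'kerikon.com'. A name that
    merely contains an indicator in the middle ('kerikon.com.evil.example') is
    not a hit either, since its registrable domain is something else.
    """
    name = query.strip().lower().rstrip(".")
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in index:
            return candidate
    return None


def scan(log_text, watchlist):
    """Return an alert dict for every log line whose query hits the watchlist."""
    index = build_matcher(watchlist)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        hit = matched_domain(event["query"], index)
        if hit:
            alerts.append({"ts": event["ts"], "src": event["src"],
                           "query": event["query"], "indicator": hit})
    return alerts


if __name__ == "__main__":
    for alert in scan(DNS_LOG, WATCHLIST):
        print(alert)
```

The same suffix walk applies to proxy and firewall logs; only the field names change. For a watchlist of several hundred names, as produced by this study, the set lookup per label keeps the cost per query constant regardless of list size.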

If you are a threat researcher or cybersecurity professional interested in the Conti ransomware IoCs and artifacts presented in this study, please contact us to learn more about our cyber threat intelligence sources and possible research collaboration.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
