|
Security researcher Dancho Danchev discovered a portfolio of domains and IP addresses used by known threat actors in ransomware campaigns. The said portfolio consists of 62,763 domain names and 810 IP addresses. We analyzed a sample of these malicious properties using TIP and found that:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
With the help of TIP, we studied a sample of the malicious domain portfolio consisting of 2,500 domains. We determined their WHOIS data redaction status, domain age, administrative details, and location to help the cybersecurity community understand the malicious infrastructure.
Most of the domains had unredacted WHOIS records, with 72.7% of their registrant names publicly available.
Merely 6.6% of the domains had redacted WHOIS data, provided mainly by their registrars or WHOIS privacy services. About 20% of the fields were left blank, most of which pertained to .cn and .ir domains. That could mean the domains do not currently have active WHOIS records..
This analysis looked at two entity types—registrars and ISPs. The registrars are in charge of domain registration, while the ISPs oversee the IP addresses that are part of domain resolutions.
About 18% of the domains were registered through DropCatch, a domain registrar known for using an automated registration technique. Dynadot followed with a 12% share, while Tucows and the remaining top 10 registrars only accounted for less than 7% each. The rest of the domains, about 26%, were distributed across 227 other registrars.
About 54% of the sample had IP resolutions. Based on that, we determined that Team Internet AG was the top ISP, accounting for 10% of the resolutions. Amazon closely followed with a 9% share and Cloudflare with 8%. Liquid Web LLC, Google, and Abazarhaye Farsi Shabakeh (Persian Tools) Co., Ltd. accounted for 7% each. Sharktech, MOACK.Co.LTD, and Oath Holdings Inc., meanwhile, each accounted for 5% of the IP resolutions, while Trellian Pty. Limited for 3%. All in all, the top 10 ISPs accounted for 75% of the resolving resources. The remaining resolutions were distributed across 17 other ISPs.
As of 15 February 2023, most of the domains (36%) were less than a year old. They were, therefore, newly or recently registered when used by the threat actors. These domains were created sometime in 2022 up to the first two weeks of February 2023. In fact, about 19% of them were just created this year.
The domains created from 2021 to early 2022 made up 17% of the portfolio, while 12% were between 2—3 years old. The older the domains got, the fewer they figured in the malicious domain portfolio, although 18% were more than five years old. This trend can be seen in the chart below.
We looked at two location types—the registrant countries and their IP geolocation. The U.S. topped both lists, accounting for 34% of the domain registrations and about 60% of the IP resolutions. The remaining top countries on both lists differed.
Estonia (10.8%), the Cayman Islands (9.4%), Romania (7%), China (5.4%), Japan (5.4%), the Czech Republic (1%), Canada (.5%), Turkey (.4%), and Russia (.4%) were the top registrant countries, following the U.S. The top 10 accounted for 97% of the domain registrations, with only 3% spread across 24 other countries.
On the other hand, the remaining top IP geolocation countries were Canada (9.51%), Australia (8.09%), China (7.9%), Iran (7.41%), the Netherlands (1.54%), France (1.42%), Russia (.86%), the British Virgin Islands (.8%), and Germany (.62%). The remaining 2.10% of the resolutions originated from 17 other countries.
Despite being connected to known threat actors, less than 1% of the sample was found malicious. That left a considerable portion of the domain portfolio unreported and possibly accessible.
Still, knowing the domain infrastructure of a malicious domain can help the cybersecurity community recognize potential threats. To demonstrate, we analyzed watchyfilmy[.]com using TIP. The screenshot below shows a snapshot of the results.
The table below lists some notable infrastructure findings and warnings gleaned from TIP.
Check | TIP Findings |
---|---|
Malware | • The domain was flagged as a malware host. • When accessed, the domain http://watchfilmy[.]com redirected to http://ww7[.]watchfilmy[.]com/. |
Website content | • The domain continued to host live content despite being tagged as malicious. |
SSL | • TIP warned that the domain’s SSL certificate was recently obtained, specifically on 7 February 2023. • The domain also had SSL vulnerabilities and misconfigurations, such as using suboptimal cipher suites and lacking HTTPS protocol enforcement. |
WHOIS | • TIP detected that the domain was registered in an offshore country, specifically the Cayman Islands. |
Real-time blackhole | • The domain’s mail exchanger (MX) server had misconfigurations and was found on two blocklist sites, including Spamhaus. |
Mail server | • Email validation system Domain-based Message Authentication, Reporting, and Conformance (DMARC) is not configured. |
Name server | • The Start of Authority (SOA) record’s retry interval doesn’t follow best practices. |
By tracing known threat actors and the domains they owned, we learned more about their favored infrastructure setup. We also know that most of the domains in the portfolio had unredacted WHOIS data, so threat attribution may lead to threat discovery, as we find more domains through proactive monitoring.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.
Sponsored byIPv4.Global
Sponsored byWhoisXML API
Sponsored byVerisign
Sponsored byCSC
Sponsored byVerisign
Sponsored byRadix
Sponsored byDNIB.com