Security researcher Dancho Danchev discovered a portfolio of domains and IP addresses used by known threat actors in ransomware campaigns. The said portfolio consists of 62,763 domain names and 810 IP addresses. We analyzed a sample of these malicious properties using TIP and found that:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
With the help of TIP, we studied a sample of the malicious domain portfolio consisting of 2,500 domains. We determined their WHOIS data redaction status, domain age, administrative details, and location to help the cybersecurity community understand the malicious infrastructure.
Most of the domains had unredacted WHOIS records, with 72.7% of their registrant names publicly available.
Merely 6.6% of the domains had redacted WHOIS data, provided mainly by their registrars or WHOIS privacy services. About 20% of the fields were left blank, most of which pertained to .cn and .ir domains. That could mean the domains do not currently have active WHOIS records.
This analysis looked at two entity types—registrars and ISPs. The registrars are in charge of domain registration, while the ISPs oversee the IP addresses that are part of domain resolutions.
About 18% of the domains were registered through DropCatch, a domain registrar known for using an automated registration technique. Dynadot followed with a 12% share, while Tucows and the remaining top 10 registrars only accounted for less than 7% each. The rest of the domains, about 26%, were distributed across 227 other registrars.
About 54% of the sample had IP resolutions. Based on that, we determined that Team Internet AG was the top ISP, accounting for 10% of the resolutions. Amazon closely followed with a 9% share and Cloudflare with 8%. Liquid Web LLC, Google, and Abazarhaye Farsi Shabakeh (Persian Tools) Co., Ltd. accounted for 7% each. Sharktech, MOACK.Co.LTD, and Oath Holdings Inc., meanwhile, each accounted for 5% of the IP resolutions, while Trellian Pty. Limited for 3%. All in all, the top 10 ISPs accounted for 75% of the resolving resources. The remaining resolutions were distributed across 17 other ISPs.
As of 15 February 2023, the largest share of the domains (36%) were less than a year old. They were, therefore, newly or recently registered when used by the threat actors. These domains were created sometime in 2022 up to the first two weeks of February 2023. In fact, about 19% of them were created this year.
The domains created from 2021 to early 2022 made up 17% of the portfolio, while 12% were between two and three years old. The older the domains, the less often they appeared in the malicious domain portfolio, although 18% were more than five years old. This trend can be seen in the chart below.
We looked at two location types—the registrant countries and their IP geolocation. The U.S. topped both lists, accounting for 34% of the domain registrations and about 60% of the IP resolutions. The remaining top countries on both lists differed.
Estonia (10.8%), the Cayman Islands (9.4%), Romania (7%), China (5.4%), Japan (5.4%), the Czech Republic (1%), Canada (.5%), Turkey (.4%), and Russia (.4%) were the top registrant countries, following the U.S. The top 10 accounted for 97% of the domain registrations, with only 3% spread across 24 other countries.
On the other hand, the remaining top IP geolocation countries were Canada (9.51%), Australia (8.09%), China (7.9%), Iran (7.41%), the Netherlands (1.54%), France (1.42%), Russia (.86%), the British Virgin Islands (.8%), and Germany (.62%). The remaining 2.10% of the resolutions originated from 17 other countries.
Despite being connected to known threat actors, less than 1% of the sample was found malicious. That left a considerable portion of the domain portfolio unreported and possibly accessible.
Still, knowing the domain infrastructure of a malicious domain can help the cybersecurity community recognize potential threats. To demonstrate, we analyzed watchyfilmy[.]com using TIP. The screenshot below shows a snapshot of the results.
The table below lists some notable infrastructure findings and warnings gleaned from TIP.
| Check | TIP findings |
|---|---|
| Malware | • The domain was flagged as a malware host. • When accessed, the domain http://watchfilmy[.]com redirected to http://ww7[.]watchfilmy[.]com/. |
| Website content | • The domain continued to host live content despite being tagged as malicious. |
| SSL | • TIP warned that the domain's SSL certificate was recently obtained, specifically on 7 February 2023. • The domain also had SSL vulnerabilities and misconfigurations, such as using suboptimal cipher suites and lacking HTTPS protocol enforcement. |
| WHOIS | • TIP detected that the domain was registered in an offshore country, specifically the Cayman Islands. |
| Real-time blackhole | • The domain's mail exchanger (MX) server had misconfigurations and was found on two blocklist sites, including Spamhaus. |
| Mail server | • The email validation system Domain-based Message Authentication, Reporting, and Conformance (DMARC) is not configured. |
| Name server | • The Start of Authority (SOA) record's retry interval doesn't follow best practices. |
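As an added example (not the page's or TIP's code), the Python below applies the same kind of infrastructure hygiene checks listed in the table to a constructed record: DMARC presence, certificate age, HTTPS enforcement, SOA retry versus refresh, and MX hosts against a blocklist. The record fields, hostnames and the "recent certificate" and SOA thresholds are assumptions for illustration, not data or thresholds from the page.

```python
from datetime import date

# Assumed thresholds (not from the page): a certificate younger than this is
# "recent"; an SOA retry >= refresh, or under 60 s, is outside common practice.
RECENT_CERT_DAYS = 30
MIN_RETRY_SECONDS = 60

def parse_dmarc(txt_records):
    """Return the DMARC p= policy from a list of TXT strings, or None if absent."""
    for txt in txt_records:
        tags = dict(p.strip().split("=", 1) for p in txt.split(";") if "=" in p)
        if tags.get("v", "").upper() == "DMARC1":
            return tags.get("p")
    return None

def check_domain(rec, today):
    """Run the hygiene checks over one record dict; return (check, finding) pairs."""
    findings = []
    policy = parse_dmarc(rec.get("dmarc_txt", []))
    if policy is None:
        findings.append(("Mail server", "DMARC is not configured"))
    elif policy == "none":
        findings.append(("Mail server", "DMARC policy is 'none' (monitor only)"))
    age = (today - rec["cert_not_before"]).days
    if age < RECENT_CERT_DAYS:
        findings.append(("SSL", f"certificate obtained {age} days ago"))
    if not rec.get("hsts"):
        findings.append(("SSL", "HTTPS not enforced (no HSTS header)"))
    refresh, retry = rec["soa_refresh"], rec["soa_retry"]
    if retry >= refresh or retry < MIN_RETRY_SECONDS:
        findings.append(("Name server", f"SOA retry {retry}s vs refresh {refresh}s"))
    listed = sorted(set(rec.get("mx_hosts", [])) & set(rec.get("blocklisted_hosts", [])))
    if listed:
        findings.append(("Real-time blackhole", "MX on blocklist: " + ", ".join(listed)))
    return findings

# Constructed sample (not real data) mirroring the warnings in the table above.
SAMPLE = {
    "dmarc_txt": [],                      # no DMARC record published
    "cert_not_before": date(2023, 2, 7),  # certificate issued a week earlier
    "hsts": False,                        # no HTTPS enforcement
    "soa_refresh": 3600, "soa_retry": 7200,  # retry longer than refresh
    "mx_hosts": ["mx1.example.invalid"],
    "blocklisted_hosts": ["mx1.example.invalid"],
}

def sample_findings():
    # Evaluate SAMPLE as of 15 February 2023, the page's reference date.
    return check_domain(SAMPLE, date(2023, 2, 15))

if __name__ == "__main__":
    for check, msg in sample_findings():
        print(f"{check}: {msg}")
```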
By tracing known threat actors and the domains they owned, we learned more about their favored infrastructure setup. We also know that most of the domains in the portfolio had unredacted WHOIS data, so threat attribution may lead to threat discovery, as we find more domains through proactive monitoring.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.