
Tracing BlackNet RAT’s History through a DNS Deep Dive

BlackNet RAT, first discovered during the COVID-19 pandemic, when it was distributed via spam messages offering an effective cure for the virus, seems to have outlived the global crisis. The remote access Trojan's (RAT's) operators have continued their nefarious activities, and the BlackNet botnet was named one of the top botnets of the first quarter of 2023.

Throughout BlackNet RAT’s three years of operation, several researchers have analyzed and published reports about the malware. Alienvault OTX contributors collated thousands of indicators of compromise (IoCs) related to the threat.

The WhoisXML API research team expanded the published list of IoCs, specifically 54 IP addresses and 531 domains, to identify unreported artifacts, if any, using comprehensive DNS intelligence. Our analysis found:

  • 244 undisclosed IP resolutions, 33 of which turned out to be malicious based on malware checks
  • 697 email-connected domains, three of which turned out to be malicious based on a bulk malware check
  • 5,232 IP-connected domains, nine of which turned out to be malicious based on a bulk malware check

A sample of the additional artifacts obtained from our analysis is available for download from our website.

DNS Facts about the IoCs

We began our investigation by taking a closer look at the 585 IoCs in Alienvault OTX’s list.

A bulk WHOIS lookup for the 531 domains led to these findings:

  • The top registrars were GoDaddy.com (94 IoCs), Namecheap (45 IoCs), MarkMonitor (16 IoCs), Name Share and Wild West Domains (15 IoCs each), eNom (13 IoCs), FastDomain (12 IoCs), NameSilo (11 IoCs), Cloudflare (10 IoCs), OVH (8 IoCs), and Alibaba Cloud Computing (Beijing) and Tucows Domains (7 IoCs each). A total of 105 domains didn’t have public registrar information while the remaining 173 were spread across 58 other registrars.
  • The IoC-linked domains were created between 1986 and 2023. Given the wide spread of the domains' creation dates, we could infer that the BlackNet RAT operators didn't discriminate when it came to the age of the properties they used to host malware-laden pages. Note, however, that 105 of the IoC-linked domains didn't have viewable creation dates.
  • The U.S. (258 IoCs), Iceland (34 IoCs), and the U.K. (17 IoCs) were the domains' top 3 registrant countries. A total of 125 IoC-linked domains didn't have public registrant country information while the remaining 97 were spread across 34 other countries.

Next, we subjected the 54 IP addresses to a bulk IP geolocation lookup that uncovered these results:

  • The top Internet service provider (ISP) was Google, which accounted for eight IoCs. Fastly followed in second place with five IoCs. Akamai International, Cloudflare, DoD Network Information Center, and Microsoft shared the third spot with four IoCs each.
  • Thirty-eight of the IP address IoCs originated from the U.S., coincidentally the domain IoCs’ top registrant country. Japan and the U.K. rounded out the top 3 IP geolocation countries, accounting for four and three of the IoCs, respectively. The nine remaining IoCs were spread across six other countries.

IoC Expansion Analysis Findings

To uncover unreported potentially connected artifacts, we expanded the current list of IoCs published on Alienvault OTX.

WHOIS history searches for the 531 domains revealed that 495 of them had publicly available registrant email addresses in their historical WHOIS records.

Using these email addresses as reverse WHOIS search terms led to the discovery of 697 email-connected domains, three of which turned out to be malicious based on a bulk malware check. One of them, go-bitly[.]com, which led to a blank page, was notable for containing a popular URL shortening service's brand name even though a WHOIS lookup showed that it couldn't be publicly attributed to that company.

Next, DNS lookups for the 531 domains led to the discovery of 244 IP addresses that weren’t included in the current IoC list, 33 of which turned out to be malicious based on malware checks.

We then subjected the 298 IP addresses—the 54 already identified as IoCs and the 244 additional IP resolutions—to reverse IP lookups. We found that 152 of them were seemingly dedicated hosts (i.e., they hosted a small enough number of domains to suggest they weren't shared hosting infrastructure). Altogether, they hosted 5,232 domains that weren't part of the current IoC list. Nine of the IP-connected domains turned out to be malicious based on a bulk malware check.
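The three pivots described above (historical registrant email to reverse WHOIS, forward DNS to new IP resolutions, and reverse IP on seemingly dedicated hosts to co-hosted domains) can be expressed as a small expansion pipeline. The following is an added example written for this article, not WhoisXML API code; all lookup tables are constructed sample data standing in for provider responses, and the dedicated-host threshold `DEDICATED_MAX` is an assumption, since the post does not state the cutoff it used.

```python
# IoC expansion over constructed WHOIS/DNS data (added example, not WhoisXML API code).
# Each dict stands in for a lookup a DNS/WHOIS intelligence provider would answer.
SEED_DOMAINS = {"seed-a.example", "seed-b.example", "seed-c.example"}  # constructed IoC list
SEED_IPS = {"198.51.100.10"}                                           # constructed IoC list
WHOIS_HISTORY = {  # domain -> registrant emails seen in historical WHOIS records
    "seed-a.example": {"reg1@mail.example"},
    "seed-b.example": {"reg1@mail.example", "reg2@mail.example"},
    "seed-c.example": set(),  # redacted WHOIS: no email pivot possible for this one
}
REVERSE_WHOIS = {  # email -> every domain registered with that email
    "reg1@mail.example": {"seed-a.example", "seed-b.example", "pivot-1.example"},
    "reg2@mail.example": {"seed-b.example", "pivot-2.example"},
}
DNS_A = {  # domain -> current A records
    "seed-a.example": {"198.51.100.10", "203.0.113.5"},
    "seed-b.example": {"203.0.113.5"},
    "seed-c.example": {"192.0.2.77"},
}
REVERSE_IP = {  # ip -> domains hosted on it (what a reverse IP lookup returns)
    "198.51.100.10": {"seed-a.example", "cohost-1.example"},
    "203.0.113.5": {"seed-a.example", "seed-b.example", "cohost-2.example"},
    "192.0.2.77": {"shared-%d.example" % i for i in range(400)},  # shared hosting box
}
DEDICATED_MAX = 300  # assumed cutoff: hosting more domains than this means "shared", not dedicated


def email_connected_domains(seeds, history, reverse_whois):
    """Pivot 1: historical registrant emails -> reverse WHOIS -> domains not already seeds."""
    emails = set().union(*(history.get(d, set()) for d in seeds))
    return set().union(*(reverse_whois.get(e, set()) for e in emails)) - seeds


def new_ip_resolutions(seeds, dns, known_ips):
    """Pivot 2: forward DNS on the seed domains, keeping only IPs absent from the IoC list."""
    return set().union(*(dns.get(d, set()) for d in seeds)) - known_ips


def ip_connected_domains(ips, reverse_ip, seeds, max_hosted=DEDICATED_MAX):
    """Pivot 3: reverse IP, but only on seemingly dedicated hosts, to avoid shared-hosting noise."""
    dedicated = {ip for ip in ips if 0 < len(reverse_ip.get(ip, ())) <= max_hosted}
    return dedicated, set().union(*(reverse_ip[ip] for ip in dedicated)) - seeds


def expand(seeds, known_ips):
    """Run all three pivots and return the artifacts each one contributed."""
    emails = email_connected_domains(seeds, WHOIS_HISTORY, REVERSE_WHOIS)
    new_ips = new_ip_resolutions(seeds, DNS_A, known_ips)
    dedicated, cohosted = ip_connected_domains(known_ips | new_ips, REVERSE_IP, seeds)
    return {"email_connected": emails, "new_ips": new_ips,
            "dedicated_hosts": dedicated, "ip_connected": cohosted}
```

Artifacts that come out of `expand` are candidates for a malware check, not verdicts: in the article's own numbers, only 45 of 6,173 expansion hits were flagged as malicious.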

Two of the malicious IP-connected domains continued to host live content based on screenshot lookups.

Screenshot of malicious IP-connected domain pairdevice[.]gle
Screenshot of malicious IP-connected domain wyshop056[.]com

Our BlackNet RAT IoC list expansion analysis led to the discovery of 6,173 potentially connected artifacts, including 45 malicious web properties—33 IP addresses and 12 domains.

If you wish to perform a similar investigation or learn more about the products used in this research, please don’t hesitate to contact us.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
