Symantec reported that a China-based threat actor has shifted from cyber espionage, in which it installed backdoors, to deploying RA World ransomware, an unusual transition that points to shared tooling between the two campaigns. Researchers uncovered multiple indicators of compromise connected to the campaign, significantly expanding the list of related artifacts. #RAWorldRansomware #CyberEspionage
Key points
- A China-based threat actor previously involved in espionage has adopted RA World ransomware for recent attacks.
- Symantec identified five initial indicators of compromise consisting of three domains and two IP addresses.
- WhoisXML API expanded the IoC list to include 11 email-connected domains, two additional IP addresses, four IP-connected domains (one malicious), 12 string-connected domains, and 194 string-connected subdomains.
- The three original domains were registered in 2017, 2023, and 2024 through three registrars in two countries, the U.S. and Iceland.
- DNS and IP resolution histories revealed extensive domain and IP address connections, indicating a broad infrastructure footprint.
- Historical WHOIS data showed 11 email addresses linked to the original domains, three of them public, which led to further email-connected domains.
- The expanded artifact set and IoC list provide a more comprehensive overview for detection and remediation efforts against this evolving threat.
MITRE Techniques
- [T1136] Create Account – The threat actor likely created infrastructure-related accounts across multiple domains and email addresses linked via historical WHOIS records. (“…they had 11 email addresses in their historical WHOIS records…”)
- [T1071] Application Layer Protocol – Use of domains and IPs for command and control or other malicious communications, as indicated by DNS/IP resolution histories. (“…recorded 69 IP resolutions over time…”)
- [T1190] Exploit Public-Facing Application – The use of backdoors and ransomware campaigns suggests exploitation of vulnerabilities to gain access.
Indicators of Compromise
- [Domains] Three initial domains identified as IoCs (example: blueskyanalytics[.]net), plus the 11 email-connected and 12 string-connected domains found during expansion.
- [IP Addresses] Five IP addresses linked to the campaign (example: 158[.]247[.]213[.]167), including two additional addresses identified through DNS queries.
- [Email Addresses] Eleven email addresses found in historical WHOIS records, including three public emails tied to related domains.
- [Subdomains] 194 string-connected subdomains identified, amplifying the potential scope of the threat infrastructure.
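The expanded list is only useful once it is matched against telemetry. The following is an added example, not code from the summary or the CircleID post: it refangs the two seed indicators printed above, then scans a constructed DNS query log for the seed domain, any subdomain under it (the string-connected subdomains sit below the seed domains) and answers resolving to the seed IP. The log format and all log lines are constructed for the example.

```python
import ipaddress
from typing import Iterable

# Defanged seed IoCs exactly as printed in the summary above; the other
# artifacts on the page are given only as counts, so none are assumed here.
DEFANGED_IOCS = ["blueskyanalytics[.]net", "158[.]247[.]213[.]167"]

def refang(value: str) -> str:
    """Turn a defanged indicator back into a matchable, lower-cased string."""
    return value.replace("[.]", ".").strip().lower()

def split_iocs(defanged: Iterable[str]) -> tuple[set[str], set[str]]:
    """Separate refanged IoCs into a domain set and an IP-address set."""
    domains, ips = set(), set()
    for item in map(refang, defanged):
        try:
            ips.add(str(ipaddress.ip_address(item)))
        except ValueError:
            domains.add(item)
    return domains, ips

def domain_matches(qname: str, domains: set[str]) -> bool:
    """Match the seed domain or any label under it, but not a look-alike
    that merely ends in the same characters (e.g. notblueskyanalytics.net)."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in domains)

# Constructed sample log in a simplified "timestamp client qname answer" form.
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 update.blueskyanalytics.net 158.247.213.167
2024-05-01T10:00:02Z 10.0.0.7 www.example.com 93.184.216.34
2024-05-01T10:00:03Z 10.0.0.9 notblueskyanalytics.net 203.0.113.10
2024-05-01T10:00:04Z 10.0.0.5 cdn.example.org 158.247.213.167
"""

def find_hits(log_text: str, defanged: Iterable[str]) -> list[dict]:
    """One record per line whose query names a seed domain (or a subdomain of
    one) or whose answer resolves to a seed IP; every matching reason is kept."""
    domains, ips = split_iocs(defanged)
    hits = []
    for line in log_text.splitlines():
        ts, client, qname, answer = line.split()
        reasons = [r for r, ok in (("domain", domain_matches(qname, domains)),
                                   ("ip", answer in ips)) if ok]
        if reasons:
            hits.append({"ts": ts, "client": client, "qname": qname, "reasons": reasons})
    return hits
```

The fourth line shows why the IP seeds matter on their own: a host resolving an unrelated name to the seed address is still a lead worth triaging.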
Read more: https://circleid.com/posts/rounding-up-the-dns-traces-of-ra-world-ransomware