Home / Industry

Keeping Track of Ramnit through Artifact Expansion

Ramnit stands out as a malware as it continues to evolve and requires cybersecurity experts and law enforcement agents to stay alert. Variants have been recently detected, so that security companies such as Prevailion advise organizations to keep Ramnit on their radar. And so we did by expanding known Ramnit indicators of compromise (IoCs) with the help of domain and IP intelligence sources.

Discovering Artifacts from Ramnit IoCs

Like other malware families, Ramnit has several reported IoCs, some of which may have already been taken down or no longer exist. However, there could be other domains and IP addresses associated with these IoCs that can be obtained from historical WHOIS and DNS records. These are artifacts that may be worth looking into as well.

Gathering Ramnit IoCs

The first step is to collect domains and IP addresses tagged as Ramnit IoCs. We found six file hashes on VirusTotal:

  • d3aee3c8a586fc7ad2ea4240f43101fc787b37cb9f5afda41998abf28a06d8b6
  • ed9efbb541832ea30e50e1bf61d74159bfeb63a5772a6cae3c6cced8dbb41237
  • 0d3c4faa62d52cf7b4176f8f9861edf7f4e854b0be75757427022b29c0ad097a
  • db45b173fd7c248a53be7b8555e1e1033a8cc5cfb4755c12cfd65e60314aabc5
  • 463099cb3ca9fdd9c82a60747bff4438c6943546f3542cfb7bca6e1c5123caef
  • 1a18a25b3990a0cd00321d9526a4f588259712ee5cdc71f32b15a6610a672d1b

These Ramnit files contacted 58 domains and 16 IP addresses. Out of these IoCs, we picked 13 domains dubbed malicious or suspicious on more than one engine on VirusTotal. Furthermore, 11 of the IP addresses have been reported malicious, so we expanded on those as well.

Expanding Ramnit IoCs and Analyzing Artifacts

To find artifacts, we used the following domain and IP intelligence tools:

  • WHOIS History Search: Can help reveal unredacted historical WHOIS records. seven out of 13 domains have publicly available contact email addresses at some point in the past. Please refer to the second column in Table 1.
  • Reverse WHOIS Search: Returns all domain names that contain a specific keyword in their current or historical WHOIS records. For this investigation, we searched for domains that use the contact email addresses in their historical WHOIS records (see third column in Table 1).
  • Reverse IP Lookup: Provides a list of domains that once resolved to the IP addresses.
  • IP Netblocks API: Returns the IP ranges an IP address belongs to, as well as the company and autonomous system details.

Even though only eight domains contain publicly visible contact email addresses, more than 35,000 associated with these addresses were uncovered, as seen in Table 1 below. Moreover, two malicious domains (rikbrsqoyjjpb[.]com and sxavjnfrwwrq[.]com) share the same email address which is historically connected to 175 domains. The rest of the domains sharing the email address warrant further investigation.

Table 1. Artifacts from domains tagged as Ramnit IoCs reported malicious or suspicious on VirusTotal
Domain NamePublicly Visible Details Obtained
from WHOIS History Records
Number of Connected Domains
fget-career[.]comjg*****@gmail[.]com10,000+ historically
ilo[.]brenz[.]plMasked/Undisclosed/
chceoqemftwldiucf[.]comMasked/Undisclosed/
ghnsonrgujyymhvvg[.]combo*****@gmail[.]com10,000+ historically
ejnpulri[.]com[email protected]***[.]org5,477
swwqmpjpvdbxsjos[.]comMasked/Undisclosed/
usrfyjueaneumqx[.]comMasked/Undisclosed/
ahghbjoutgpituoybn[.]comni*****@sa***[.]ad[.]jp10,000+ historically
eakrbfndtxvub[.]comlo*****@aol[.]com49
rikbrsqoyjjpb[.]comya*****@ch*****.com175
sxavjnfrwwrq[.]comya*****@ch*****.com175
qdxbgtalumvj[.]comMasked/Undisclosed/
hshshshsussiiwuwyw[.]comMasked/Undisclosed/

Table 1: Artifacts from domains tagged as Ramnit IoCs reported malicious or suspicious on VirusTotal

A majority of the artifacts comprise random alphanumeric characters, a common feature of machine-generated domains. The image below shows the domains that share the same email address with eakrbfndtxvub[.]com. In addition, most of the malicious IP addresses in the study are tagged as generated by domain generation algorithms (DGA) in the reports.

Some subdomains also appear to be pertaining to nameservers and mail exchange (MX) servers.

The IP addresses Ramnit contacted, on the other hand, could be associated with 673 domain names. Note also that two of the malicious IP addresses (216.58.213[.]142 and 216.58.205[.]46) belong to the same parent IP block, 216.58.192[.]0 - 216.58.223[.]255. Other IP addresses belonging to the IP range or block could be worth looking into.

Table 2. Artifacts from IP addresses tagged as Ramnit IoCs and their respective IP ranges.
IP address# of connected domains
(Reverse IP Lookup)
IP Range(IP Netblocks API)
208.100.26.2511208.100.0[.]0 - 208.100.63[.]255
148.81.111.1210148.81.0[.]0 - 148.81.255[.]255
72.26.218[.]7013972.26.216[.]0 - 72.26.219[.]255
87.106.190[.]1534887.106.176[.]0 - 87.106.191[.]255
194.87.92[.]2040194.87.92[.]0 - 194.87.95[.]255
35.225.160[.]24547135.224.0[.]0 - 35.227.255[.]255
89.185.44[.]100089.185.44[.]0 - 89.185.47[.]255
216.58.213[.]1425216.58.213[.]0 - 216.58.213[.]255
172.217.5[.]2384172.217.5[.]0 - 172.217.5[.]255
104.18.25[.]2430104.18.16[.]0 - 104.18.31[.]255
216.58.205[.]465216.58.204[.]0 - 216.58.205[.]255

Here too, most of the domains appear to be machine-generated. The image below shows some examples.


We may not get rid of Ramnit anytime soon. But tracking and expanding linked IoCs can help identify artifacts of interest. Doing so can pave the way to a better understanding of the malware and how it spreads.

Are you a security researcher or investigator interested in the Ramnit-associated domains and IP addresses mentioned in this post? Contact us to learn more about how you can expand malware IoC lists with our data.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider – Whois API, Inc. (whoisxmlapi) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.  Visit Page

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Related

Topics

Cybersecurity

Sponsored byVerisign

IPv4 Markets

Sponsored byIPXO

Brand Protection

Sponsored byAppdetex

Domain Management

Sponsored byMarkMonitor

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign