Symantec recently reported that a China-based threat actor previously known for installing backdoors in the systems of target government institutions (i.e., cyber espionage) has this time turned to spreading RA World ransomware (i.e., a cybercriminal act). Such a shift from one kind of activity to the other is unusual for attackers. Why did the researchers conclude that this was the case? Because the tools seen in China-linked espionage campaigns were used in a recent ransomware attack.
The report identified five indicators of compromise (IoCs) comprising three domains and two IP addresses. WhoisXML API expanded the current list of IoCs and uncovered other connected artifacts, namely:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
Before going into expanding the current list of IoCs, we took a closer look at its contents first.
We started by querying the three domains identified as IoCs on Bulk WHOIS API and found that:
The three domains were split across three registrars—GoDaddy, Namecheap, and NameSilo.
The three domains were registered in two countries led by the U.S., which accounted for two of them. The last domain was registered in Iceland.
A DNS Chronicle API query for the three domains tagged as IoCs showed that only two had historical IP resolutions. Between them, they recorded 69 IP resolutions over time. The domain blueskyanalytics[.]net had the older first IP resolution date, 2 December 2019.
We then took a closer look at the two IP addresses identified as IoCs by querying them on Bulk IP Geolocation Lookup. Our findings revealed that:
The IP addresses were administered by two registrars—Kaopu Cloud HK and The Constant Company.
We queried the two IP addresses tagged as IoCs on DNS Chronicle API as well. They recorded 26 domain resolutions over time. The IP address 158[.]247[.]213[.]167 had the older first resolution date, 5 October 2019.
We began our search for potentially connected artifacts by querying the three domains identified as IoCs on WHOIS History API. Our findings showed that altogether, they had 11 email addresses in their historical WHOIS records. Closer scrutiny of these addresses revealed that three were public email addresses.
We then queried the three public email addresses on Reverse WHOIS API. While no domains had any of them in their current WHOIS record, all three did appear in the historical WHOIS records of 11 email-connected domains after duplicates and those already identified as IoCs were filtered out.
Next, a DNS Lookup API query for the three domains tagged as IoCs showed that two actively resolved to two additional IP addresses after those already identified as IoCs were filtered out.
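The pivoting workflow described in the three steps above (historical WHOIS emails, filtering to public providers, reverse WHOIS, then current DNS resolutions with seeds and duplicates removed) can be expressed as a small script. This is an added illustration, not code from WhoisXML API or from the report; the lookup results are constructed in-line as dictionaries standing in for the live WHOIS History, Reverse WHOIS and DNS Lookup services, and the second and third IoC domains and the second IoC IP are placeholders because this post does not name them.

```python
"""IoC expansion by WHOIS-email pivoting over constructed sample lookup data."""


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 'a[.]b' back into 'a.b'."""
    return ioc.replace("[.]", ".")


# Seed IoCs. Only blueskyanalytics[.]net and 158[.]247[.]213[.]167 come from the post;
# the remaining entries are placeholders (assumption, not from the report).
IOC_DOMAINS = {"blueskyanalytics.net", "ioc-domain-two.example", "ioc-domain-three.example"}
IOC_IPS = {refang("158[.]247[.]213[.]167"), "198.51.100.7"}

# Constructed sample data standing in for the WHOIS History, Reverse WHOIS and DNS lookups.
WHOIS_HISTORY = {  # domain -> registrant emails seen across its historical WHOIS records
    "blueskyanalytics.net": ["ops@blueskyanalytics.net", "alice@gmail.com", "redacted@privacy.example"],
    "ioc-domain-two.example": ["alice@gmail.com", "bob@yahoo.com"],
    "ioc-domain-three.example": ["admin@ioc-domain-three.example"],
}
REVERSE_WHOIS = {  # email -> domains whose historical WHOIS records contain that email
    "alice@gmail.com": ["shop-alpha.example", "blueskyanalytics.net", "news-beta.example"],
    "bob@yahoo.com": ["news-beta.example", "ioc-domain-two.example", "portal-gamma.example"],
}
DNS_A = {  # domain -> A records it currently resolves to
    "blueskyanalytics.net": ["158.247.213.167"],
    "ioc-domain-two.example": ["203.0.113.10"],
    "ioc-domain-three.example": [],
}
PUBLIC_MAIL_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def public_emails(domains, history=WHOIS_HISTORY):
    """Historical WHOIS emails whose mailbox sits at a public (webmail) provider."""
    found = set()
    for domain in domains:
        for addr in history.get(domain, []):
            if addr.rsplit("@", 1)[-1].lower() in PUBLIC_MAIL_PROVIDERS:
                found.add(addr.lower())
    return found


def expand_iocs(domains=IOC_DOMAINS, ips=IOC_IPS):
    """Pivot from seed IoCs to email-connected domains and to IPs not already listed."""
    emails = public_emails(domains)
    connected = set()
    for email in emails:
        connected.update(REVERSE_WHOIS.get(email, []))
    connected -= domains  # drop the seeds; the set already removes duplicates
    current_ips = set()
    for domain in domains:
        current_ips.update(DNS_A.get(domain, []))
    return {"pivot_emails": emails, "email_connected_domains": connected, "new_ips": current_ips - ips}


if __name__ == "__main__":
    for name, values in expand_iocs().items():
        print(name, sorted(values))
```

With the constructed data, the pivot yields two public emails, three email-connected domains and one additional IP; swapping the dictionaries for real lookup results keeps the filtering logic unchanged.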
This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.
Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.