Exposing the New Potential Ways Royal Ransomware Gets Delivered
DEV-0569, a threat actor Microsoft has been monitoring, was recently observed deploying Royal ransomware via pages posing as legitimate software download sites and repositories, among other stealthy tactics. The actor has so far used fake download sites for Adobe Flash Player, AnyDesk, Zoom, and TeamViewer in phishing emails and domains.
WhoisXML API researchers built on a cybersquatting domain tagged by Microsoft as an indicator of compromise (IoC). We also looked at cybersquatting properties targeting impersonated software. Our study comprises three parts:
- IoC expansion: We found 3,100+ potential artifacts or domains connected to a Royal ransomware IoC.
- Artifact analysis: We analyzed the artifacts and found that more than 1% were malicious and continued to host or redirected to questionable websites.
- Malicious property investigation: We discovered five unredacted email addresses used to register some of the malicious connected domains. These email addresses were also used to register 387 domains.
A sample of the additional artifacts obtained from our analysis is available for download from our website.
From the single malicious domain Microsoft cited, we uncovered 3,126 domains connected through WHOIS record details and string usage. We discuss these in detail in the next section.
Uncovering WHOIS-Connected Artifacts
Microsoft’s report only provided anydeskos[.]com as an example of an attacker-created domain impersonating AnyDesk, whose official domain is anydesk[.]com. A WHOIS lookup for the cybersquatting domain revealed the following WHOIS information:
- Registrar: REGISTRAR OF DOMAIN NAMES REG.RU LLC
- Registrant contact details: Privacy-protected
- Registrant city: Moscow
- Registrant country: Netherlands
Whoever is behind anydeskos[.]com is potentially on a software impersonation spree. Most artifacts were cybersquatting domains targeting AnyDesk, Slack, Fortinet, TeamViewer, Zoom, and Discord.
Additionally, about 17% of the artifacts were flagged as malicious, including those imitating AnyDesk, just like the Royal ransomware IoC.
Threat Hunting Expansion to Include String-Connected Artifacts
The results of the IoC expansion and the belief that the threat actor possibly impersonated other software prompted us to look for more domains potentially connected to the threat.
Using Domains & Subdomains Discovery, we searched for domains containing the names of impersonated software. Below is the breakdown of the cybersquatting properties added since 1 October 2022.
| Software | Search String | Number of Domains Added on 1 October – 4 December 2022 |
|---|---|---|
| Adobe Flash Player | Starts with “adobe” | 287 |
In total, we found 3,074 unique cybersquatting resources targeting the four products, all added in about two months. Dozens have already figured in malicious campaigns and are being detected by various malware engines.
Royal Ransomware Artifact Analysis
Through DNS lookups, we discovered that about 84% of the WHOIS- and string-connected artifacts had existing IP resolutions. IP Geolocation API further revealed that most were geolocated in the U.S., as reflected in the chart below. A quarter of the resolutions could be traced to Canada, the Netherlands, Germany, Russia, Australia, and 48 other countries.
The artifacts resolved to 2,091 unique IP addresses assigned to 306 Internet service providers (ISPs) worldwide. About 20% of the IP addresses belonged to Amazon, 14% to Google, and 13% to Cloudflare. The chart below shows the top 10 ISPs of the domains connected to the IoC we’re investigating.
Currently Active Malicious Artifacts
Over 1% of the artifacts we uncovered were flagged as malicious. Surprisingly, some remained active, hosting or redirecting to what might be considered suspicious web content. We provide a few examples of the malicious domains hosting login pages below.
Some content urged web visitors to use or download products.
A malicious Zoom domain appeared to warn visitors of a possible security issue with their connection.
Screenshot of authoritybrandingzoom[.]live
Expanding our website screenshot analysis to include connected domains that were not reported as malicious, we found that dozens behaved the same way as the Zoom-themed malicious domain. Here are a few examples.
Following the WHOIS Tracks of the Malicious Artifacts
We subjected the malicious artifacts to a bulk WHOIS lookup and found that most were created only a few months ago. Moreover, more than half of them were managed by the registrar REG.RU LLC. The rest were distributed across six other registrars, including Namecheap, Google, Atak Domain, FastDomain, Upperlink, and Key-Systems GmbH.
While most of the malicious domains had redacted WHOIS records, we still found five unredacted registrant email addresses. These email addresses were used to register 387 other domains. These digital resources may require close observation because the same people behind the malicious properties registered them.
In fact, many of the connected resources appeared to be cybersquatting domains targeting the same websites as the Royal ransomware threat actors, specifically AnyDesk, TeamViewer, and Adobe. They also contained potentially deceptive words, such as “login” and “app,” and finance-themed text strings like “trading,” “bbva,” and “expensify.”
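The string-based search described earlier ("starts with" a product name) and the deceptive words noted above can be combined into a simple triage filter for domains seen in DNS or proxy logs. The following is an added example, not code from the original research: the official-domain allowlist, the function names, and all sample domains other than anydeskos[.]com and authoritybrandingzoom[.]live are assumptions made for illustration.

```python
# Brand strings for the software the article lists as impersonated.
BRANDS = ("anydesk", "teamviewer", "zoom", "adobe", "slack", "fortinet", "discord")
# Assumption: official registrable domains to exclude; adjust for your environment.
OFFICIAL = {"anydesk.com", "teamviewer.com", "zoom.us", "adobe.com",
            "slack.com", "fortinet.com", "discord.com"}
# Deceptive words the article reports in the connected domains.
LURE_WORDS = ("login", "app")


def normalize(domain):
    """Lower-case, refang '[.]' notation and drop a trailing dot."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")


def registrable(host):
    """Last two labels; an approximation that ignores multi-label public suffixes."""
    return ".".join(host.split(".")[-2:])


def classify(domain):
    """Return a finding dict for a brand look-alike, or None if not suspicious."""
    host = normalize(domain)
    if registrable(host) in OFFICIAL:
        return None  # the vendor's own domain or one of its subdomains
    name = host.rsplit(".", 1)[0]  # every label except the TLD
    brands = [b for b in BRANDS if b in name]
    if not brands:
        return None
    return {
        "domain": host,
        "brands": brands,
        # Mirrors the article's "starts with" search string.
        "starts_with_brand": any(host.startswith(b) for b in brands),
        "lures": [w for w in LURE_WORDS if w in name],
    }


def hunt(domains):
    """Classify every observed domain and keep only the findings."""
    return [f for f in map(classify, domains) if f]


# Constructed sample input (e.g. names pulled from DNS or proxy logs); the first
# two names come from the article, the rest are made up for illustration.
SAMPLE = ["anydeskos[.]com", "authoritybrandingzoom[.]live", "download.anydesk.com",
          "adobe-login-update.example", "intranet.example.org",
          "anydesk.com.support-portal.example"]

if __name__ == "__main__":
    for finding in hunt(SAMPLE):
        print(finding)
```

Substring matching will also flag benign names that happen to contain a brand string, so the output is a list of leads to verify with WHOIS and reputation data, not a blocklist.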
The threat actors behind Royal ransomware are targeting corporations and demanding payments amounting to as much as US$2 million. Once the malware encrypts files and appends the .royal extension to their names, there may be no turning back from the financial and reputational losses the attack causes.
Exposing as many ransomware delivery vehicles as possible, like the artifacts we uncovered in this study, is critical in protecting organizations and the general public against the threat.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.