I've seen a few researchers publish the configured REvil C2 domain list for IOCs and just wanted to add some additional context that you may find useful...
1) The C2 domains configured may appear random across samples but if you sort the list and compare across history you will find that the domains are fairly static and that GOLD SOUTHFIELD has only produced 5 unique sets.
If you loosen strictness for uniqueness, It's really only two sets of distinct domain sets as three of the sets were the result of either minor tweaks to the two main lists, duplicate domain inclusion, and accidental inclusion of control characters.
2) The currently REvil C2 domain list contains 1,223 domains (1,221 unique) and has been used in configs since as early as 02/17/2020. I believe that many of the C2 domains configured are actually legitimate and are unrelated to GOLD SOUTHFIELD's operations.
I believe only one, or a small subset of these domains to be the true C2 server and the rest are simply used as decoys to thwart tracking. Many people may be in a rush to add the publicized domain list thinking they're high fidelity. They're not and may result in false positives.
3) If configured, the last thing the REvil ransomware does before exiting is communicate encryption info back to the C2 servers. This means, by the time you do see C2 traffic to these domains, It's already too late. The system(s) have already been encrypted.
Alerting on the C2 domains, or maybe even trying to do some type of process disruption based on the C2 domains doesn't make much sense.
4) In the case of the Kaseya REvil sample, the 'net' configuration value was set to false. This tells the REvil binary to NOT communicate the encryption details back to the C2.
So, if you are hoping to use the published C2 list to hunt for Kaseya-related REvil infections in your environment, you wont have much luck.
5) A better hunting method would be to look for the existence of the registry key "SOFTWARE\BlackLivesMatter" in either HKLM or HKCU. This has been the reg key leveraged by REvil since v2.04. Values stored in this key may appear random but they are not.
They typically only change when a new version of REvil is released. For the Kaseya sample (v2.07), the values stored in this key will be 'Ed7', 'QIeQ', '96Ia6', 'Ucr1RB', 'wJWsTYE', 'JmfOBvhb'.
This key and corresponding values are written to the registry prior to file encryption kicking off.
• • •
Missing some Tweet in this thread? You can try to
force a refresh