R3MRUM
5 Jul, 12 tweets, 2 min read
I've seen a few researchers publish the configured REvil C2 domain list for IOCs and just wanted to add some additional context that you may find useful...
1) The C2 domains configured may appear random across samples but if you sort the list and compare across history you will find that the domains are fairly static and that GOLD SOUTHFIELD has only produced 5 unique sets.
If you loosen strictness for uniqueness, it's really only two distinct domain sets, as three of the sets were the result of either minor tweaks to the two main lists, duplicate domain inclusion, or accidental inclusion of control characters.
2) The current REvil C2 domain list contains 1,223 domains (1,221 unique) and has been used in configs since as early as 02/17/2020. I believe that many of the C2 domains configured are actually legitimate and are unrelated to GOLD SOUTHFIELD's operations.
I believe only one, or a small subset, of these domains to be the true C2 server and the rest are simply used as decoys to thwart tracking. Many people may be in a rush to add the publicized domain list thinking they're high fidelity. They're not, and they may result in false positives.
3) If configured, the last thing the REvil ransomware does before exiting is communicate encryption info back to the C2 servers. This means, by the time you do see C2 traffic to these domains, it's already too late. The system(s) have already been encrypted.
Alerting on the C2 domains, or maybe even trying to do some type of process disruption based on the C2 domains doesn't make much sense.
4) In the case of the Kaseya REvil sample, the 'net' configuration value was set to false. This tells the REvil binary to NOT communicate the encryption details back to the C2.
So, if you are hoping to use the published C2 list to hunt for Kaseya-related REvil infections in your environment, you won't have much luck.
5) A better hunting method would be to look for the existence of the registry key "SOFTWARE\BlackLivesMatter" in either HKLM or HKCU. This has been the reg key leveraged by REvil since v2.04. Values stored in this key may appear random but they are not.
They typically only change when a new version of REvil is released. For the Kaseya sample (v2.07), the values stored in this key will be 'Ed7', 'QIeQ', '96Ia6', 'Ucr1RB', 'wJWsTYE', 'JmfOBvhb'.
This key and corresponding values are written to the registry prior to file encryption kicking off.
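The two practical points in the thread, comparing configured domain lists across samples (point 1) and hunting for the registry key rather than C2 traffic (point 5), are illustrated below in an added example that is not R3MRUM's code. The domain lists are constructed placeholders under the `.example` TLD, not REvil's real configured domains, and the sample ids are hypothetical. The registry records are constructed to resemble Sysmon registry events (Event ID 12 for key create/delete, 13 for value set, with user-hive paths rendered as `HKU\<SID>`); the value names come from the thread's list for v2.07.

```python
import re
from collections import defaultdict

# --- Part 1: compare configured C2 domain lists across samples -------------
# Constructed placeholder domain lists (not REvil's real configured domains);
# the sample ids are hypothetical.
SAMPLE_CONFIGS = {
    "sample-a": ["alpha.example", "beta.example", "gamma.example"],
    "sample-b": ["gamma.example", "alpha.example", "beta.example"],  # same set, reordered
    "sample-c": ["alpha.example", "beta.example", "gamma.example", "beta.example"],  # duplicate entry
    "sample-d": ["alpha.example\x00", "beta.example", "GAMMA.example\r"],  # stray control chars
    "sample-e": ["delta.example", "epsilon.example"],  # genuinely different list
}

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def normalize_domains(domains):
    """Strip control characters and whitespace, lower-case, drop empties and
    duplicates, and return a sorted tuple so lists compare regardless of order."""
    cleaned = set()
    for d in domains:
        d = CONTROL_CHARS.sub("", d).strip().lower()
        if d:
            cleaned.add(d)
    return tuple(sorted(cleaned))


def raw_set_count(configs):
    """Number of distinct lists when they are compared verbatim."""
    return len({tuple(v) for v in configs.values()})


def group_configs(configs):
    """Map each normalized domain set to the sample ids that carry it."""
    groups = defaultdict(list)
    for sample_id, domains in configs.items():
        groups[normalize_domains(domains)].append(sample_id)
    return dict(groups)


# --- Part 2: hunt registry telemetry for the REvil key ---------------------
# Constructed records shaped like Sysmon registry events (ID 12 = key
# create/delete, ID 13 = value set); Sysmon renders HKCU paths as HKU\<SID>.
SAMPLE_EVENTS = [
    {"EventID": 12, "EventType": "CreateKey",
     "TargetObject": r"HKLM\SOFTWARE\BlackLivesMatter"},
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\BlackLivesMatter\Ed7", "Details": "Binary Data"},
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\BlackLivesMatter\QIeQ",
     "Details": "Binary Data"},
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"EventID": 13, "EventType": "SetValue",
     "TargetObject": r"HKLM\SOFTWARE\BlackLivesMatter\zzz"},
]

# Value names the thread lists for the Kaseya sample (v2.07).
V207_VALUE_NAMES = {"Ed7", "QIeQ", "96Ia6", "Ucr1RB", "wJWsTYE", "JmfOBvhb"}

# Matches the key under HKLM, HKCU, or a user hive, with an optional value name.
REVIL_KEY_RE = re.compile(
    r"^(HKLM|HKCU|HKU\\[^\\]+)\\SOFTWARE\\BlackLivesMatter(?:\\([^\\]+))?$",
    re.IGNORECASE,
)


def hunt_registry(events):
    """Return one hit per event touching SOFTWARE\\BlackLivesMatter, noting
    whether the value name is one of the v2.07 names from the thread."""
    hits = []
    for ev in events:
        m = REVIL_KEY_RE.match(ev.get("TargetObject", ""))
        if not m:
            continue
        hive, value_name = m.group(1), m.group(2)
        hits.append({
            "hive": hive,
            "event_id": ev.get("EventID"),
            "value_name": value_name,
            "known_v207_value": value_name in V207_VALUE_NAMES,
        })
    return hits


if __name__ == "__main__":
    print("verbatim distinct lists:", raw_set_count(SAMPLE_CONFIGS))
    for domain_set, ids in group_configs(SAMPLE_CONFIGS).items():
        print(len(domain_set), "domains shared by", ids)
    for hit in hunt_registry(SAMPLE_EVENTS):
        print(hit)
```

Run as-is, the five constructed configs count as five distinct lists verbatim but collapse to two once ordering, duplicates and control characters are normalized away, which is the comparison the thread describes. The registry hunt matches key creation and value writes under either hive, and an unrecognised value name still produces a hit, since the thread notes the names change with new REvil releases.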