ADHUBLLKA has been said to have ties to at least three malware—ransomware CryptoLocker, remote access Trojan (RAT) LimeRAT, and another ransomware GlobeImposter.1 Its operators may have incorporated the various parts of the three malware into their creation.
Forty-seven ADHUBLLKA indicators of compromise (IoCs)—11 domains,2 32 email addresses, and four email addresses—have been published so far. Our latest foray into the DNS led to additional artifacts. Here’s a summary of our findings.
- An additional registrant email address from an IoC’s current WHOIS record
- An additional IP resolution that turned out to be malicious based on a malware check
- 230 domains hosted on the seemingly dedicated IP addresses identified as IoCs, 18 of which have already been tagged as malicious based on a bulk malware check
- 200 domains starting with the string yip. akin to the sole non-Tor-hosted IoCs
Download a sample of the threat research materials now or contact us to access the complete set of research materials.
—
- [1] https://netenrich.com/blog/discovering-the-adhubllka-ransomware-family
- [2] https://otx.alienvault.com/pulse/64ed8702c934a696bf575d76