Tracing BlackNet RAT’s History through a DNS Deep Dive | WhoisXML API


Tracing BlackNet RAT’s History through a DNS Deep Dive

BlackNet RAT has been plaguing users the world over since at least 2020. Back then, it came bundled with emails supposedly promoting a drug that could protect against COVID-19 infections. [1]

You would think that after the pandemic has passed, the malware would disappear, too. But it hasn’t. BlackNet RAT’s operators have instead moved on to far bigger things, and their existing botnet remained a top threat in the first quarter of this year. [2]

Several researchers have publicized thousands of BlackNet RAT indicators of compromise (IoCs). [3] Zooming in on and expanding a list of 585 IoCs—54 IP addresses and 531 domains—to find other potentially connected artifacts, the WhoisXML API research team found:

  • 244 undisclosed IP resolutions, 33 of which turned out to be malicious based on malware checks
  • 697 email-connected domains, three of which turned out to be malicious based on a bulk malware check
  • 5,232 IP-connected domains, nine of which turned out to be malicious based on a bulk malware check
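The three expansion categories above come from the same pivoting pattern: take the seed IoCs, look up what they resolve to and who registered them, then collect the other artifacts that share those resolutions or registrant details and run the result through a malware check. The script below is an added example of that workflow, written for this page and not WhoisXML API's own tooling. Every seed IoC, passive-DNS row, WHOIS record and malware verdict in it is constructed for illustration (documentation IP ranges and `.example` names), and it assumes that IP-connected domains are gathered by pivoting on both the seed IPs and the newly found resolutions. It also adds the check a practitioner wants when pivoting: an IP hosting dozens of unrelated sites or a privacy-proxy registrant e-mail shared by many domains is skipped, because pivoting through shared infrastructure floods the result with false positives.

```python
"""IoC expansion by DNS/WHOIS pivoting (added example, not WhoisXML API code).

All seed IoCs, passive-DNS rows, WHOIS records and malware verdicts below are
constructed for illustration; a real run would pull them from passive-DNS and
WHOIS providers and from a bulk malware-verdict service.
"""
from collections import defaultdict

# Constructed seed list: the kind of input the report starts from.
SEED_DOMAINS = {"seed-c2-a.example", "seed-c2-b.example", "seed-c2-c.example"}
SEED_IPS = {"192.0.2.10", "198.51.100.20"}

# Constructed passive-DNS observations: (domain, resolved IP).
PDNS = [
    ("seed-c2-a.example", "192.0.2.10"),
    ("seed-c2-a.example", "203.0.113.5"),     # undisclosed resolution
    ("seed-c2-b.example", "203.0.113.6"),     # undisclosed resolution
    ("seed-c2-c.example", "198.51.100.20"),
    ("pivot-x.example", "192.0.2.10"),        # shares a seed IP
    ("pivot-y.example", "198.51.100.20"),     # shares a seed IP
    ("unrelated-1.example", "203.0.113.6"),   # shares an undisclosed IP
    ("seed-c2-c.example", "192.0.2.99"),      # undisclosed, but shared hosting:
    *[(f"tenant-{i}.example", "192.0.2.99") for i in range(50)],  # noisy pivot
]

# Constructed WHOIS records: domain -> registrant e-mail.
WHOIS = {
    "seed-c2-a.example": "operator@mail.example",
    "seed-c2-b.example": "operator@mail.example",
    "seed-c2-c.example": "redacted@privacy-proxy.example",
    "pivot-email-1.example": "operator@mail.example",
    "pivot-email-2.example": "operator@mail.example",
    # A privacy-proxy address shared by many unrelated domains (noisy pivot).
    **{f"proxy-user-{i}.example": "redacted@privacy-proxy.example" for i in range(30)},
}

# Constructed verdicts standing in for a bulk malware check.
FLAGGED = {"203.0.113.6", "pivot-x.example", "pivot-email-2.example"}

# A pivot that touches more artifacts than this is treated as shared
# infrastructure (bulk hosting IP, privacy-proxy e-mail) and skipped.
NOISE_THRESHOLD = 20


def undisclosed_ip_resolutions(seed_domains, seed_ips, pdns):
    """IPs the seed domains resolved to that were not already in the seed list."""
    return {ip for dom, ip in pdns if dom in seed_domains and ip not in seed_ips}


def ip_connected_domains(seed_domains, pivot_ips, pdns, threshold=NOISE_THRESHOLD):
    """Non-seed domains that resolved to any pivot IP, skipping IPs that host
    more than `threshold` domains since those are almost certainly shared hosting."""
    by_ip = defaultdict(set)
    for dom, ip in pdns:
        by_ip[ip].add(dom)
    found = set()
    for ip in pivot_ips:
        doms = by_ip.get(ip, set())
        if len(doms) > threshold:
            continue  # shared infrastructure: pivoting here would be noise
        found |= doms - seed_domains
    return found


def email_connected_domains(seed_domains, whois, threshold=NOISE_THRESHOLD):
    """Non-seed domains sharing a registrant e-mail with a seed domain, skipping
    addresses used by more than `threshold` domains (privacy proxies)."""
    by_email = defaultdict(set)
    for dom, email in whois.items():
        by_email[email].add(dom)
    found = set()
    for dom in seed_domains:
        email = whois.get(dom)
        if email is None:
            continue  # no WHOIS record for this seed
        doms = by_email[email]
        if len(doms) > threshold:
            continue  # privacy proxy or registrar placeholder: skip
        found |= doms - seed_domains
    return found


def malware_check(artifacts, flagged=FLAGGED):
    """Return the subset of artifacts carrying a malicious verdict."""
    return set(artifacts) & flagged


def expand(seed_domains=SEED_DOMAINS, seed_ips=SEED_IPS, pdns=PDNS, whois=WHOIS):
    """Run the three pivots; each value is (artifacts found, those flagged as malicious)."""
    ips = undisclosed_ip_resolutions(seed_domains, seed_ips, pdns)
    ip_doms = ip_connected_domains(seed_domains, seed_ips | ips, pdns)
    mail_doms = email_connected_domains(seed_domains, whois)
    return {
        "undisclosed_ip_resolutions": (ips, malware_check(ips)),
        "ip_connected_domains": (ip_doms, malware_check(ip_doms)),
        "email_connected_domains": (mail_doms, malware_check(mail_doms)),
    }


if __name__ == "__main__":
    for category, (found, bad) in expand().items():
        print(f"{category}: {len(found)} found, {len(bad)} malicious -> {sorted(bad)}")
```

On the constructed data the shared-hosting IP `192.0.2.99` is still reported as an undisclosed resolution (it is a genuine observation about a seed domain), but none of its fifty co-hosted tenants are pulled in as IP-connected domains, and the privacy-proxy e-mail contributes no email-connected domains. Tune `NOISE_THRESHOLD` to the data source; the right cut-off for a passive-DNS feed with years of history differs from one for a single snapshot.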

Download a sample of the threat research materials now or contact us to access the complete set of research materials.

  • [1] https://www.malwarebytes.com/blog/news/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool
  • [2] https://decoded.avast.io/threatresearch/avast-q1-2023-threat-report/
  • [3] https://otx.alienvault.com/pulse/650d0c66e0b02a6dde4a8b7a