Friday, July 19, 2024

RA World Ransomware Attacks Windows Using Hacked Domain Control & Anti-AV Tactics

Threat actors use hacked domain control to host malicious content on legitimate domains, evading detection by security measures.

Anti-AV tactics are used to bypass antivirus software and security tools, allowing malicious code to run without being detected.

Together, these tactics increase the stealth and effectiveness of cyber attacks, letting threat actors compromise systems and steal sensitive information more easily.

Recently, cybersecurity researchers at Trend Micro discovered that RA World (previously the RA Group) ransomware has been attacking Windows using hacked domains and Anti-AV tactics.

RA World Ransomware Attack

The RA World ransomware, formerly known as the RA Group, began breaking into organizations worldwide in April 2023.

Researchers identified that this ransomware group mainly targeted US firms, but it also struck organizations in:

  • Germany
  • India
  • Taiwan

This ransomware group mainly targets healthcare, insurance, and financial businesses.

RA World operators breached the network through compromised domain controllers, which allowed them to drop the malware components into SYSVOL for distribution via a GPO.

The deployment of Stage1.exe via PowerShell indicated altered Group Policy settings enabling script execution.

The malware may have been pushed out through Group Policy, allowing it to run on multiple machines within the domain.

Attack chain (Source – Trend Micro)

Here, Stage1.exe checks whether it is running on a domain controller and halts if certain conditions are met, such as a matching host name.

It also checks for Finish.exe and Exclude.exe in %WINDIR%\Help, which indicate a previous compromise or an exclusion.

Stage1.exe (Source – Trend Micro)

The ransomware then checks for Stage2.exe in %WINDIR%\Help.

If it is absent, Stage1.exe copies pay.txt and Stage2.exe from a hardcoded SYSVOL path that contains the victim company's domain name, which indicates a targeted attack.

In this strategy the payload is first staged on one machine and then executed on others via Group Policy, which reveals a multi-stage approach to compromising the targeted network.

  • T1543.003 – The program checks for Safe Mode, then creates the MSOfficeRunOncelsls service with Stage2.exe, configuring it to run in Safe Mode with Networking.
  • T1562.009 – It configures the BCD for Safe Mode and restarts the machine. If already in Safe Mode, Stage2.exe decrypts pay.txt into Stage3.exe, the ransomware payload.
  • T1070.004 – After execution, a cleanup routine deletes the remnants and creates registry keys.

In stage 3, the RA World ransomware (Stage3.exe) runs and drops Finish.exe, which creates the mutex.

The ransom note includes a list of recent victims as an extortion tactic.

Ransom note (Source – Trend Micro)

  • T1485 – RA World deploys SD.bat, which wipes the Trend Micro folder, uses WMIC to gather disk information, and leaves a log.
  • T1070 – After the deletion, the ransomware removes the Safe Mode with Networking option.
  • T1529 – It then forcibly reboots the computer.
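As an added defender-side example (not code from the article or from Trend Micro), the following PowerShell hunting script checks a Windows host for the staging files, service and Safe Mode configuration described in the stages above; the exact SYSVOL path is not given in the article, so the script searches the whole share as an assumption.

```powershell
# Added hunting script (not from the article or Trend Micro): checks one host
# for the RA World staging artifacts described in the article. File names,
# the service name and the %WINDIR%\Help location come from the article.
$findings = @()

# 1. Files that Stage1.exe/Stage2.exe look for or drop in %WINDIR%\Help
$helpDir = Join-Path $env:WINDIR 'Help'
foreach ($name in 'Stage1.exe','Stage2.exe','Stage3.exe','Finish.exe','Exclude.exe','pay.txt','SD.bat') {
    $p = Join-Path $helpDir $name
    if (Test-Path -LiteralPath $p) { $findings += "Staging artifact present: $p" }
}

# 2. Service registered to run in Safe Mode with Networking (T1543.003 / T1562.009)
$svcName = 'MSOfficeRunOncelsls'
$svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
if ($svc) { $findings += "Service '$svcName' exists (status: $($svc.Status))" }
$safeBootKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\$svcName"
if (Test-Path -LiteralPath $safeBootKey) { $findings += "Safe-boot allow entry: $safeBootKey" }

# 3. BCD set to boot into Safe Mode (T1562.009); bcdedit needs an elevated shell
$bcd = & bcdedit.exe /enum '{current}' 2>$null
if ($bcd -match '^\s*safeboot\s+') { $findings += 'BCD safeboot flag set on the current boot entry' }

# 4. Payloads staged in the domain SYSVOL share for GPO distribution.
#    Assumption: the article does not give the hardcoded path, so the whole
#    share is searched; this can be slow on large SYSVOL trees.
if ($env:USERDNSDOMAIN) {
    $sysvol = "\\$($env:USERDNSDOMAIN)\SYSVOL"
    Get-ChildItem -Path $sysvol -Recurse -Include Stage1.exe,Stage2.exe,pay.txt -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "Payload staged in SYSVOL: $($_.FullName)" }
}

if ($findings.Count -eq 0) { 'No RA World staging artifacts found on this host.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it from an elevated PowerShell session on a domain-joined host; any "[!]" line is worth triaging together with the Group Policy change history, since the article describes GPO as the distribution channel.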

Babuk ‘retired’ in 2021, but leaked source code fuels new threats like RA World. Combined with Ransomware-as-a-Service, this lowers the entry barrier for less skilled cyber criminals.

Recommendations:

  • Limit administrative rights to employees.
  • Keep security products updated.
  • Back up essential data routinely.
  • Exercise caution with emails, attachments, URLs, and program execution.
  • Encourage users to report suspicious emails and files promptly.
  • Regularly educate users on social engineering risks.

Tushar Subhra Dutta