RDGAs are the new face of DGAs, generating and registering large sets of domains for long-term command-and-control campaigns. Infoblox notes a shift from traditional DGAs to registered DGAs, in which actors age their domains to build credibility and evade detection. #RDGA #Sparkle
Keypoints
- RDGA is a registered version of a Domain Generation Algorithm where domains are registered and then used over time for C2 operations.
- Infoblox has tracked DGAs since 2015 and developed detection algorithms to proactively block DGA networks and track them over the long term.
- RDGA operators sometimes age registered domains for weeks or months to build credibility before using them in campaigns.
- Examples include Sparkle payload campaigns and domains impersonating Steam’s Community site, showing varied deployment scenarios.
- Because RDGAs produce far fewer NXDOMAIN responses, they are harder to detect and block compared to traditional DGAs.
- RDGAs have grown in use, with individual actors maintaining tens of thousands to over 80k domains, and thousands of new RDGA domains being added to block lists daily.
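The detection gap described in the keypoints, as an added example that is not code from the Infoblox post: an NXDOMAIN-ratio check over constructed resolver log lines catches a classic DGA client but misses an RDGA client whose registered domains all resolve, and a second check on domain registration age is what flags it. SAMPLE_LOG and REGISTERED_ON are constructed here (the latter stands in for a WHOIS/RDAP or passive-DNS first-seen feed); the three RDGA domains are taken from the IoC list on this page.

```python
from collections import defaultdict
from datetime import date

# Constructed resolver log lines: "<client> <queried name> <response code>".
SAMPLE_LOG = """\
10.0.0.5 ab3kd9x1q.com NXDOMAIN
10.0.0.5 zz9q1lmv3.net NXDOMAIN
10.0.0.5 k8sd0wq2e.org NXDOMAIN
10.0.0.5 p0q2wrsd7.com NOERROR
10.0.0.5 example.com NOERROR
10.0.0.7 333cc777cc.com NOERROR
10.0.0.7 5336767ccc.com NOERROR
10.0.0.7 a558877aa.com NOERROR
10.0.0.7 example.com NOERROR
"""

# Constructed registration dates standing in for a WHOIS/RDAP or passive-DNS first-seen source.
REGISTERED_ON = {
    "p0q2wrsd7.com": date(2024, 5, 1),
    "333cc777cc.com": date(2024, 3, 10),
    "5336767ccc.com": date(2024, 3, 12),
    "a558877aa.com": date(2024, 4, 2),
    "example.com": date(1995, 8, 14),
}

def parse_log(text):
    """Yield (client, qname, rcode) tuples from whitespace-separated log lines."""
    for line in text.splitlines():
        if line.strip():
            client, qname, rcode = line.split()
            yield client, qname.lower(), rcode

def nxdomain_suspects(text, min_queries=4, ratio=0.5):
    """Classic DGA signal: clients whose share of NXDOMAIN answers is high."""
    total, nx = defaultdict(int), defaultdict(int)
    for client, _, rcode in parse_log(text):
        total[client] += 1
        nx[client] += rcode == "NXDOMAIN"
    return {c for c in total if total[c] >= min_queries and nx[c] / total[c] >= ratio}

def young_domain_suspects(text, today, max_age_days=90, min_hits=3):
    """RDGA signal: clients successfully resolving several recently registered domains."""
    hits = defaultdict(set)
    for client, qname, rcode in parse_log(text):
        reg = REGISTERED_ON.get(qname)
        if rcode == "NOERROR" and reg and (today - reg).days <= max_age_days:
            hits[client].add(qname)
    return {c for c, names in hits.items() if len(names) >= min_hits}
```

The RDGA client (10.0.0.7) never trips the NXDOMAIN check; only the registration-age check flags it, which is why blocking by NXDOMAIN volume alone leaves RDGAs unseen.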
MITRE Techniques
- [T1583] Acquire Infrastructure – Actors register algorithmically generated domains as long-term C2 infrastructure; ‘generate large numbers of domains used by threat actors for command and control (C2) operations’.
- [T1071.004] Application Layer Protocol: DNS – C2 communications are conducted via DNS using RDGA/DGA-generated domains; ‘the threat actors are using DNS to orchestrate complex campaigns’ (inferred from RDGA domain usage).
Indicators of Compromise
- [Domain] Sample RDGA domains used by actors – 333cc777cc.com, 5336767ccc.com, a558877aa.com, dd12345bb.com, ggggg13677.com
- [Domain] Steam Community impersonation domains – steamcomminlty.ru, steamcommunitiy.ru, sleamconnmunity.ru, staemcammunlty.ru
- [Domain] RDGA redirection/obfuscation domains – bjibnpgku.com, enycayeobyiktuo.com, jgleqolq.xyz, nbykjinswdtbrrb.com, omklefkior.com
- [Domain] DDGA/VexTrio-related domains – herearmyelse.live, aimkeensuch.live, wigstopbiz.live, pettestpage.live, dutysitkeep.live
Read more: https://blogs.infoblox.com/cyber-threat-intelligence/rdgas-the-new-face-of-dgas/