RDGAs: The Next Chapter in Domain Generation Algorithms

This report examines the evolving threat of Registered Domain Generation Algorithms (RDGAs), showing how these mechanisms let threat actors register large numbers of domains quickly and thereby complicate detection. It discusses the implications of RDGA use by criminal enterprises and the challenges this poses for defenders. The report introduces Revolver Rabbit, a key actor in the RDGA space, and details its activities and infrastructure. Affected: malware, phishing, spam, scams, gambling, traffic distribution systems, virtual private networks, advertising.

Key points:

  • Traditional DGAs used for malware distribution evolved into RDGAs.
  • RDGAs allow actors to register multiple domain names efficiently.
  • Actors use RDGAs for various malicious activities including phishing, gambling, and spam.
  • Revolver Rabbit is identified as a prominent actor with over 500K domains registered.
  • Detection of RDGAs poses challenges due to their nature and sheer volume.
  • Increased RDGA registrations were noted, averaging over 11K new domains per day.
  • The security industry has largely overlooked RDGAs due to a lack of expertise and data.

MITRE Techniques:

  • Command and Control (T1071) – RDGA used for establishing connections to command and control servers.
  • Domain Generation Algorithm (T1071.001) – Registered DGA domains utilized for creating unique domain names.
  • Data Obfuscation (T1001) – Use of complex and non-obvious domain names to evade detection.

Indicators of Compromise:

  • [Domain] 6rnd9mitqt1rz82[.]top
  • [Domain] h87e1mbm0u5f85[.]xyz
  • [Domain] arriveplanetsnow[.]buzz
  • [Domain] castrocountyjail[.]org
  • [Domain] chopprousite[.]ru
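
The detection challenge noted in the key points, as an added example that is not from the Infoblox report: two cheap defender-side heuristics (letter/digit mixing, and full segmentation into dictionary words) run over the five IoC domains above plus two constructed benign controls. The wordlist, thresholds and function names are assumptions for illustration; note that chopprousite[.]ru fires neither heuristic, which is the volume-and-variety problem the report describes.

```python
# Registered-domain IoCs quoted on the page (defanged [.] restored),
# plus two constructed benign names as controls.
PAGE_IOCS = ["6rnd9mitqt1rz82.top", "h87e1mbm0u5f85.xyz",
             "arriveplanetsnow.buzz", "castrocountyjail.org", "chopprousite.ru"]
CONTROLS = ["example.com", "github.com"]

# Tiny constructed wordlist; a real deployment would load a full dictionary.
WORDS = {"arrive", "planet", "snow", "castro", "county", "jail",
         "example", "chop", "site"}

def sld(domain):
    """Second-level label, e.g. 'arriveplanetsnow' from 'arriveplanetsnow.buzz'."""
    return domain.lower().strip(".").split(".")[-2]

def alnum_transitions(label):
    """Count letter<->digit switches: RDGA families that sprinkle digits through
    random letters produce many, while human-chosen names produce almost none."""
    kinds = [c.isdigit() for c in label if c.isalnum()]
    return sum(1 for a, b in zip(kinds, kinds[1:]) if a != b)

def word_segments(label, words=WORDS, min_len=3, max_len=12):
    """Split label fully into dictionary words (dynamic programming).
    Returns the word list, or None if no full cover exists."""
    best = [None] * (len(label) + 1)
    best[0] = []
    for i in range(1, len(label) + 1):
        for j in range(max(0, i - max_len), i - min_len + 1):
            if best[j] is not None and label[j:i] in words:
                best[i] = best[j] + [label[j:i]]
                break
    return best[-1]

def classify(domain):
    """Return the set of heuristic tags that fire for one domain (assumed thresholds)."""
    label = sld(domain)
    tags = set()
    if alnum_transitions(label) >= 3:
        tags.add("mixed-alnum")
    segs = word_segments(label)
    if segs and len(segs) >= 2:          # two or more glued dictionary words
        tags.add("wordlist")
    return tags

def scan(domains):
    return {d: classify(d) for d in domains}

if __name__ == "__main__":
    for d, tags in scan(PAGE_IOCS + CONTROLS).items():
        print(f"{d:28} {sorted(tags) or '-'}")
```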

Full Story: https://blogs.infoblox.com/threat-intelligence/rdgas-the-next-chapter-in-domain-generation-algorithms/