Hackers often register new domains for phishing attacks, spreading malware, and other deceitful activities.
Such domains can impersonate trusted entities, tricking individuals into disclosing sensitive details or downloading harmful content.
Cybersecurity researchers at Infoblox recently discovered that hackers have registered more than 500k domains using Registered Domain Generation Algorithms (RDGAs) for extensive cyber attacks.
Hackers Registered 500k+ Domains
Registered Domain Generation Algorithms (RDGAs) are an evolution of the traditional DGAs: the threat actor keeps the algorithm secret and registers the generated domains, in numbers that can reach into the millions.
Unlike malware-based DGAs, RDGAs are flexible and can be used for various malicious purposes, such as phishing, malware, and scams.
Besides this, researchers unveiled Revolver Rabbit, an RDGA threat actor associated with XLoader malware, and documented Hancitor malware's long-time use of an RDGA to generate its command-and-control (C2) domains.
Threat actors use RDGAs because they are harder to detect than traditional DGAs; both criminal groups and legitimate businesses apply them, and some registrars even provide RDGA services.
This new technique significantly alters the DNS threat landscape, creating more challenges in cybersecurity.
RDGAs vary from traditional DGAs in that they are used to register many domains privately.
Because RDGAs produce complicated patterns, ranging from random characters to constructed word combinations, detecting them is difficult without large-scale DNS data analysis.
The case study of Hancitor malware shows how an RDGA was turned into a C2 domain generator that produced domains with repeated character patterns resembling typical English words.
Infoblox created a statistical model in 2018 to preemptively identify and block domains created by Hancitor's RDGA, which underscores the need for advanced detection techniques against these maturing threats.
Revolver Rabbit, a prolific RDGA threat actor, has registered more than 500,000 domains on the .bond TLD alone by using variable patterns that mix dictionary words, numbers, and country codes.
It is important to note that these actors’ domains have been linked to XLoader malware, which reminds us of the significance of RDGA detection.
During the six-month period studied, around 2 million unique RDGA domains were detected, an average of about 11,000 new ones per day, spread across approximately 52,000 actor groups.
Manual research is ineffective because of the magnitude and intricacy of RDGA operations; consequently, automated detection must remain the frontline defense against such threats.
Organizations should be aware of multiple malicious activities associated with RDGAs and implement advanced DNS analytics-based security solutions for their networks.
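As an added illustration of the structure-based, automated detection the article calls for (example code written for this page, not Infoblox's statistical model or any code from the report), the Python below reduces each newly registered domain to a token template (word / number / country code) and flags templates shared by many registrations in one observation window, the bulk-registration behaviour Revolver Rabbit exhibits on .bond. The domain list and the country-code set are constructed for the example.

```python
from collections import defaultdict

# Constructed sample of one day's new .bond registrations (not real indicators
# from the report): five follow a hypothetical word-word-cc-number template,
# two look like ordinary registrations.
NEW_REGISTRATIONS = [
    "cheap-flights-us-8173.bond", "solar-panels-de-2044.bond",
    "online-courses-fr-5901.bond", "used-cars-ca-7720.bond",
    "pet-insurance-es-1188.bond", "my-family-blog.bond", "acme.bond",
]

# Assumed subset of ISO country codes; a real deployment would load the full list.
COUNTRY_CODES = {"us", "de", "fr", "ca", "es", "it", "nl", "gb", "au"}


def template(domain: str) -> str:
    """Reduce a registrable domain to a structural template.

    Each dash-separated token of the label becomes W (alphabetic word),
    N (digit run) or C (country code); anything else becomes '?'.
    Assumes a single-label TLD such as .bond.
    """
    label, _, tld = domain.lower().rpartition(".")
    kinds = []
    for tok in label.split("-"):
        if tok.isdigit():
            kinds.append("N")
        elif tok in COUNTRY_CODES:
            kinds.append("C")
        elif tok.isalpha():
            kinds.append("W")
        else:
            kinds.append("?")
    return f"{'-'.join(kinds)}.{tld}"


def cluster_by_template(domains):
    """Group domains that share the same structural template."""
    clusters = defaultdict(list)
    for d in domains:
        clusters[template(d)].append(d)
    return dict(clusters)


def flag_rdga_templates(domains, min_size=3):
    """Return templates shared by at least min_size registrations in the window.

    RDGA registrations arrive in bulk with a rigid structure, whereas unrelated
    legitimate registrations rarely share a word-number-country skeleton.
    """
    return {t: ds for t, ds in cluster_by_template(domains).items()
            if len(ds) >= min_size}
```

The same template function can be applied to passive DNS or certificate-transparency feeds so that a cluster is flagged before any of its domains is seen in a phishing lure.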
Indicators Of Activity