Thursday, December 5, 2024

Hackers Registered 500k+ Domains Using Algorithms For Extensive Cyber Attack

Hackers often register new domains for phishing attacks, malware distribution, and other fraudulent activities.

Such domains impersonate trusted entities to trick individuals into disclosing sensitive details or downloading harmful content.

Cybersecurity researchers at Infoblox recently discovered that hackers have registered more than 500k domains using Registered Domain Generation Algorithms (RDGAs) for extensive cyber attacks.

Hackers Registered 500k+ Domains

Registered Domain Generation Algorithms (RDGAs) are an evolution of traditional DGAs that threat actors use to covertly register large numbers of domains, in some cases millions.

Unlike malware-based DGAs, RDGAs are flexible and can be used for a range of malicious purposes, including phishing, malware delivery, and scams.

Besides this, researchers unveiled Revolver Rabbit, an RDGA threat actor associated with XLoader malware, and documented Hancitor malware's long-time use of an RDGA to generate its C2 domains.

RDGAs are harder to detect than traditional DGAs, and both criminal groups and legitimate businesses use them. Some registrars even provide RDGA services.

Difference in domain registration behaviors of traditional DGAs and registered DGAs (Source – Infoblox)

This new technique significantly alters the DNS threat landscape, creating more challenges in cybersecurity.

RDGAs differ from traditional DGAs in that they are used to register large numbers of domains covertly.

Because RDGAs produce complex patterns, ranging from random characters to constructed word combinations, detecting them is difficult without large-scale DNS data analysis.

The Hancitor case study shows how RDGAs came to serve as C2 domain generators, adopting a repeating character pattern that resembles typical English words.

Infoblox created a statistical model in 2018 for preemptively identifying and blocking domains created by Hancitor’s RDGA, which helps underscore the need for advanced detection techniques for these maturing threats.

Revolver Rabbit, a prominent RDGA threat actor, has registered more than 500,000 domains on the .bond TLD alone using variable patterns that combine dictionary words, numbers, and country codes.

It is important to note that this actor's domains have been linked to XLoader malware, which underscores the significance of RDGA detection.

During the six-month period in question, around 2 million unique RDGA domains were detected, an average of 11,000 new domains per day, across approximately 52,000 actor groups.

Manual research is ineffective because of the magnitude and intricacy of RDGA operations; consequently, automated detection must remain the frontline defense against such threats.

Organizations should be aware of multiple malicious activities associated with RDGAs and implement advanced DNS analytics-based security solutions for their networks.
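As an added illustration, not Infoblox's model or code, the following Python script shows one way DNS analytics can surface RDGA-style registrations of the kind described above. It reduces each newly registered label to a structural shape (dictionary word, digit run, two-letter country code, or unknown token) and then groups domains that share a shape and TLD within one registration window. The word list, country-code list, and registration data are constructed for the example; a large group such as the .bond cluster below is a candidate for analyst review, not a verdict.

```python
"""Structural clustering of newly registered domains as an RDGA triage step.

Added example (not Infoblox's model or code).  Each second-level label is
reduced to a coarse "shape": dictionary words -> WORD, digit runs -> NUM,
two-letter country codes -> CC, anything else -> OTHER.  Domains sharing a
shape and TLD in one registration window are grouped; large groups are
candidates for analyst review.  Word list, country codes and domains are
constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed mini-dictionary; production use needs a full word list.
WORDS = {"silver", "river", "happy", "cloud", "market", "secure", "finance",
         "travel", "online", "health", "garden", "smart", "fast", "global",
         "home", "shop", "bank", "login", "mail", "news"}

# Constructed subset of ISO 3166-1 alpha-2 country codes.
COUNTRY_CODES = {"us", "uk", "de", "fr", "jp", "br", "ca", "au", "in", "nl"}

# Constructed sample of one registration window (not real registrations).
SAMPLE_REGISTRATIONS = [
    "silver-river-4821-us.bond",
    "happy-cloud-7733-de.bond",
    "smart-market-1902-uk.bond",
    "global-travel-5560-fr.bond",
    "secure-finance-3349-jp.bond",
    "fast-garden-8017-br.bond",
    "riverbank.com",
    "cloudmail.net",
    "homegarden.com",
    "login-bank.info",
    "x7kq2pmv.top",
    "qzvt93lr.top",
]


def split_domain(fqdn):
    """Return (second-level label, tld); assumes single-label TLDs such as .bond."""
    label, _, tld = fqdn.lower().rstrip(".").rpartition(".")
    return label, tld


def segment_letters(run):
    """Greedy longest-prefix split of a letter run into known tokens.

    An unmatched remainder is returned whole as a single unknown token.
    """
    tokens = []
    i = 0
    while i < len(run):
        best = ""
        for j in range(len(run), i, -1):
            cand = run[i:j]
            if cand in WORDS or cand in COUNTRY_CODES:
                best = cand
                break
        if not best:
            tokens.append(run[i:])
            break
        tokens.append(best)
        i += len(best)
    return tokens


def shape_of(label):
    """Map a label to its token shape, e.g. 'silver-river-4821-us' -> 'WORD-WORD-NUM-CC'."""
    shape = []
    # Hyphens and other separators are dropped; letter and digit runs are kept.
    for chunk in re.findall(r"[a-z]+|\d+", label):
        if chunk.isdigit():
            shape.append("NUM")
            continue
        for tok in segment_letters(chunk):
            if tok in COUNTRY_CODES:
                shape.append("CC")
            elif tok in WORDS:
                shape.append("WORD")
            else:
                shape.append("OTHER")
    return "-".join(shape)


def flag_rdga_clusters(domains, min_size=5):
    """Group domains by (shape, tld) and return groups with at least min_size members."""
    groups = defaultdict(list)
    for domain in domains:
        label, tld = split_domain(domain)
        groups[(shape_of(label), tld)].append(domain)
    return {key: members for key, members in groups.items() if len(members) >= min_size}


if __name__ == "__main__":
    for (shape, tld), members in flag_rdga_clusters(SAMPLE_REGISTRATIONS).items():
        print(f"RDGA candidate: shape={shape} tld=.{tld} count={len(members)}")
        for domain in members:
            print("   ", domain)
```

Random-looking labels such as the two .top names do not cluster by shape, which is why this step complements rather than replaces character-level models aimed at traditional DGAs; in practice the threshold would be tuned against registration volume per TLD and the dictionary would be a full word list.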

Indicators Of Activity

Raga Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.
