Cybersecurity company Infoblox Threat Intel has released a threat landscape study of malicious actors’ use of registered domain generation algorithms (RDGAs) today. The study’s intent is to raise awareness and shed light on the growing trend in malicious domain registrations.
An RDGA differs from the traditional malware domain generation algorithm (DGA) in that all the domains are registered. Infoblox was the first to describe the technique back in October 2023. Infoblox has since developed multiple algorithms to discover and track RDGAs in the wild, including patent-pending detection of emerging clusters of RDGA domains. With these detectors, Infoblox discovers tens of thousands of new domains every day, capturing them into clusters of actor-controlled assets. Most of these domains go unnoticed by the security industry.
RDGAs allow actors to scale their operations quickly and avoid detection. Since introducing the terminology, Infoblox has published research showing how RDGAs were used in malware, malicious link shorteners (Prolific Puma), and in traffic distribution systems (VexTrio Viper/Savvy Seahorse).
In the new study of the RDGA threat landscape, Infoblox reveals that the use of RDGAs has grown over the past few years and shows how domains created with them are used, including numerous examples from scams to malware.
The most remarkable example included is an RDGA controlled by the actor Infoblox named Revolver Rabbit. This actor has registered over 500,000 domains, costing them over USD1 million in registration fees. At the same time, discovering the purpose of these domains was a challenge. Infoblox Threat Intel has been tracking Revolver Rabbit for nearly a year but was stumped for months on the threat actor’s motivation. How can so many domains be registered without a trace of malicious activity?
Recently, Infoblox solved the puzzle: Revolver Rabbit uses the RDGA to create command and control (C2) and decoy domains for XLoader (aka Formbook) malware. This malware is an information stealer typically delivered via phishing emails. Given their investment in domain names, it must be profitable malware for Revolver Rabbit. Connecting the Revolver Rabbit RDGA to an established malware after months of tracking highlights the importance of understanding RDGAs as a technique within the threat actor’s toolbox.
The landscape study shows that RDGAs are a formidable and underestimated threat. Actors can easily scale their spam, malware, and scam operations, often and without fear of detection by the security industry. Moreover, automation in the domain registration services makes it easy for cybercriminals to use an RDGA.
You can read the full report here.