To host command and control (C2) servers, distribute malware, or perform other malicious activities, hackers need a domain name. They can automate the process of obtaining domain names with a Domain Generation Algorithm (DGA). However, to actually be able to use these domains, they also need to register them with a domain registrar.
To do that, one group of hackers started using Registered Domain Generation Algorithms (RDGAs), which appears, unfortunately, to be working.
Cybersecurity researchers from Infoblox Threat Intel reported a threat actor dubbed Revolver Rabbit has registered over 500,000 domains this way – which would have required them to invest at least a million dollars, which is quite the sum of money.
A profitable endeavor
The hacker used the RDGA to create command and control (C2) and decoy domains for the XLoader infostealing malware.
XLoader is a versatile and potent piece of malware that serves multiple functions, including data theft, credential stealing, and functioning as a remote access Trojan (RAT). It is an evolution of the notorious FormBook malware, which was also known for its information-stealing capabilities. XLoader has been used in various cybercriminal campaigns, often targeting both Windows and macOS platforms.
“It must be a profitable malware for Revolver Rabbit given their investment in domain names” the researchers said. “Connecting the Revolver Rabbit RDGA to an established malware after months of tracking highlights the importance of understanding RDGAs as a technique within the threat actor’s toolbox.”
Infoblox’s report concluded that RDGAs are a “formidable and underestimated” threat. By using the novel technique, threat actors can easily scale their spam, malware, and scam operations, most of the time flying below the cybersecurity industry’s radars. In fact, Infoblox regularly discovers “tens of thousands of new domains”, which are then captured into clusters of actor-controlled assets.
Most of these domains, the researchers claim, go unnoticed by the security industry. Revolver Rabbit’s activity was ongoing for almost a year and it wasn’t flagged for being malicious.
