Cybercriminal gang spends $1 million on domains for XLoader malware

A cybercriminal gang that researchers track as Revolver Rabbit has registered more than 500,000 domain names for infostealer campaigns that target Windows and macOS systems.

To operate at such scale, the threat actor relies on registered domain generation algorithms (RDGAs), an automated technique that generates and registers large numbers of domain names in bulk, in a matter of moments.

RDGAs are similar to the domain generation algorithms (DGAs) that cybercriminals embed in malware to produce a list of candidate destinations for command and control (C2) communication.

The key difference between the two is that a DGA ships inside the malware itself and only a fraction of the domains it generates are ever registered, whereas an RDGA stays on the threat actor's side and every domain it produces is registered.

While researchers can extract a DGA from a malware sample and reverse engineer it to predict the potential C2 domains, an RDGA is never exposed, so working out the pattern behind the registered domains becomes a much harder task.

Revolver Rabbit runs over 500,000 domains

Researchers at DNS-focused security vendor Infoblox discovered that Revolver Rabbit has been using RDGAs to buy hundreds of thousands of domains, which amounts to more than $1 million in registration fees.

The threat actor is distributing the XLoader info-stealing malware, the successor to Formbook, which has variants for Windows and macOS systems that collect sensitive information or execute additional malicious files.

Infoblox says that Revolver Rabbit controls more than 500,000 domains in the .BOND top-level domain (TLD), which it uses to set up both decoy and live C2 servers for the malware.

Renée Burton, VP of Threat Intel at Infoblox, told BleepingComputer that .BOND domains related to Revolver Rabbit are the easiest to see but the threat actor has registered more than 700,000 domains over time, on multiple TLDs.

Considering that a .BOND domain costs around $2 to register, the “investment” Revolver Rabbit has made in its XLoader operation comes to close to $1 million, excluding past purchases and domains on other TLDs.

“The most common RDGA pattern this actor uses is a series of one or more dictionary words followed by a five-digit number, with each word or number separated by a dash,” Infoblox says.

The domains are typically easy to read, appear to focus on a particular topic or region, and show a wide variety of themes, as seen in the examples below. Note that not every example ends in a five-digit number; a few use a shorter suffix mixing digits and letters, so the quoted pattern is the most common one rather than the only one:

  • usa-online-degree-29o[.]bond
  • bra-portable-air-conditioner-9o[.]bond
  • uk-river-cruises-8n[.]bond
  • ai-courses-17621[.]bond
  • app-software-development-training-52686[.]bond
  • assisted-living-11607[.]bond
  • online-jobs-42681[.]bond
  • perfumes-76753[.]bond
  • security-surveillance-cameras-42345[.]bond
  • yoga-classes-35904[.]bond
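The pattern Infoblox describes is simple enough to turn into a detection heuristic over resolver logs. The script below is an added example, not code from the article or from Infoblox: it flags registrable domains that look like dash-separated dictionary words followed by a numeric tail, distinguishes the documented five-digit form ("strict") from the shorter mixed suffix seen in some of the examples ("loose"), and rejects random-looking labels that a classic DGA would produce. The log format, the client IP addresses, the "looks like a word" heuristic (a stand-in for a real word list) and the naive two-label registrable-domain extraction are all assumptions made for the example.

```python
import re
from collections import Counter
from typing import Optional

# Constructed resolver log lines (made up for this example; not from the
# article or from Infoblox telemetry). Format: timestamp client qname qtype
SAMPLE_LOG = """\
2024-07-16T10:01:02Z 10.0.0.12 usa-online-degree-29o.bond A
2024-07-16T10:01:05Z 10.0.0.12 ai-courses-17621.bond A
2024-07-16T10:01:09Z 10.0.0.34 www.example.com A
2024-07-16T10:01:12Z 10.0.0.34 assisted-living-11607.bond A
2024-07-16T10:01:20Z 10.0.0.51 cdn-assets-2024.example.net A
2024-07-16T10:01:31Z 10.0.0.12 perfumes-76753.bond A
2024-07-16T10:01:45Z 10.0.0.12 uk-river-cruises-8n.bond A
2024-07-16T10:02:03Z 10.0.0.77 qxkvpz-48213.bond A
2024-07-16T10:02:10Z 10.0.0.77 yoga-classes-35904.bond A
"""

# Documented pattern: one or more dictionary words, then a five-digit number,
# all dash-separated. The looser variant accepts a short alphanumeric tail,
# which covers examples such as "...-29o" but is noisier on common TLDs.
STRICT_RE = re.compile(r"^(?P<words>[a-z]+(?:-[a-z]+)*)-(?P<tail>\d{5})$")
LOOSE_RE = re.compile(r"^(?P<words>[a-z]+(?:-[a-z]+)*)-(?P<tail>[a-z0-9]{2,6})$")


def looks_like_word(token: str) -> bool:
    """Cheap stand-in (assumption) for a dictionary lookup: alphabetic,
    2-15 characters, contains a vowel. Rejects DGA-style labels such as
    'qxkvpz'; swap in a real word list for production use."""
    return 2 <= len(token) <= 15 and token.isalpha() and any(c in "aeiouy" for c in token)


def registrable_domain(qname: str) -> str:
    """Return the last two labels of a query name (example.com, foo.bond).
    Assumption: single-label public suffixes only; use a Public Suffix List
    library for names such as example.co.uk."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_rdga(domain: str) -> Optional[str]:
    """Return 'strict', 'loose' or None for a registrable domain."""
    sld, _, tld = domain.rpartition(".")
    if not sld or not tld:
        return None
    for label, rx in (("strict", STRICT_RE), ("loose", LOOSE_RE)):
        m = rx.match(sld)
        if m and all(looks_like_word(w) for w in m["words"].split("-")):
            # A words-only tail (e.g. "river-cruises-uk") is not the pattern.
            if label == "loose" and not any(c.isdigit() for c in m["tail"]):
                return None
            return label
    return None


def scan_dns_log(text: str):
    """Parse log lines and return (client, registrable domain, label) hits."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        client, qname = parts[1], parts[2]
        domain = registrable_domain(qname)
        label = classify_rdga(domain)
        if label:
            hits.append((client, domain, label))
    return hits


def summarize(hits):
    """Count hits per (TLD, label). Many strict hits clustered on one cheap
    TLD is the signal; isolated loose hits on .com deserve little weight."""
    return Counter((domain.rpartition(".")[2], label) for _, domain, label in hits)


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_LOG)
    for client, domain, label in found:
        print(f"{client:<12} {domain:<40} {label}")
    print(dict(summarize(found)))
```

Run against the constructed log, the script flags six of the nine queries: four strict hits and two loose hits, all on .bond, while www.example.com, the hyphenated hostname under example.net and the vowel-less qxkvpz-48213.bond are left alone. The loose rule will also fire on ordinary hyphenated brands such as my-shop-2024.com, which is why the summary groups hits by TLD rather than treating every match as malicious.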

The researchers say that “connecting the Revolver Rabbit RDGA to an established malware after months of tracking highlights the importance of understanding RDGAs as a technique within the threat actor’s toolbox.”

Infoblox has been tracking Revolver Rabbit for nearly a year but the use of RDGAs concealed the threat actor’s objective until recently.

Campaigns from this adversary had been observed before, but without connecting them to an operation as large as the one Infoblox uncovered.

For instance, the malware analysis tool from incident response firm Security Joes provides technical details on a Formbook infostealer sample whose configuration lists more than 60 C2 servers, of which only one, a domain in the .BOND TLD, is real; the rest are decoys.

Multiple threat actors use RDGAs for malicious operations ranging from malware delivery, phishing, spam and scams to routing victims to malicious destinations through traffic distribution systems (TDSs).


Source: www.bleepingcomputer.com