Infoblox Threat Intel released a study today on malicious actors using registered domain generation algorithms (RDGAs). Unlike traditional DGAs, RDGAs involve registering all generated domains. Infoblox first described this technique in October 2023. RDGAs help actors scale operations rapidly and evade detection. Since coining the term, Infoblox has published research demonstrating RDGAs in malware, malicious link shorteners (Prolific Puma), and traffic distribution systems.
Infoblox Threat Intel has developed multiple algorithms to discover and track RDGAs in the wild, including patent pending detection of emerging clusters of RDGA domains. With these detectors, Infoblox discovers tens of thousands of new domains every day, capturing them into clusters of actor-controlled assets. Most of these domains surprisingly go unnoticed by the security industry. In the new study of the RDGA threat landscape, Infoblox has found that the use of RDGAs has grown over the past few years and shows how domains created with them are used, including numerous examples from scams to malware.
The most remarkable example included is an RDGA controlled by the actor Infoblox named Revolver Rabbit. This actor has registered over 500,000 domains costing them over $1 million in registration fees. At the same time, discovering the purpose of these domains was a challenge. Infoblox Threat Intel has been tracking Revolver Rabbit for nearly a year but was stumped for months on the threat actor’s motivation. How can so many domains be registered without a trace of malicious activity? Recently Infoblox solved the puzzle: Revolver Rabbit uses the RDGA to create command and control (C2) and decoy domains for XLoader (aka Formbook) malware. This malware is an information stealer typically delivered via phishing emails. It must be a profitable malware for Revolver Rabbit given their investment in domain names. Connecting the Revolver Rabbit RDGA to an established malware after months of tracking highlights the importance of understanding RDGAs as a technique within the threat actor’s toolbox.
The landscape study shows that RDGAs are a formidable and underestimated threat. Actors can easily scale their spam, malware, and scam operations often without fear of detection by the security industry. Moreover, automation in the domain registration services makes it easy for cybercriminals to use an RDGA. The intent of the study is to raise awareness and shed light on the growing trend in malicious domain registrations.