Everyone loves a good whodunit. As the story of the recent attacks on MGM International and Caesars Entertainment unfolded, major news outlets competed to attribute the ransomware that shut down a large portion of MGM's operations to a specific attacker. In the end, it appears that a threat actor called Scattered Spider leveraged the services of another threat actor, ALPHV (also known as BlackCat), to steal sensitive data and compel the company to disconnect its networks from the internet.[1] We use the term "actor" neutrally to describe an entity that might be an individual, a company, a group, or a nation state. The security industry is rich with names for malicious actors, and nearly every organization in the field has its own naming convention, which is why a single actor ends up with multiple names like BlackCat and ALPHV. Regardless of the naming convention, the names that are regularly reported are almost always associated with malware. In other words, the way malicious activity is attributed to an actor is deeply connected to the malware they use, how and where they deploy it, and what that malware can do. When malware or hacking campaigns can be tied back to an identity, it helps satisfy a natural desire to understand the motivations behind attacks, and it puts a name to the culprit.
At Infoblox, we also track malicious actors, but we have found that the actors we track rarely align with those reported by others in the industry. Because the vast majority of players in the security field, whether commercial companies, government agencies, or non-profit organizations, focus on investigating malware, reporting on malware and its associated actors is extensive. On the other hand, although over 90% of all malware leverages the domain name system (DNS), according to the National Security Agency (NSA), very few companies specialize in DNS, and even fewer publish research derived from DNS.[2] As a result, the actors who control the DNS infrastructure used in these attacks are rarely distinguished from the malware, when in reality they are often distinct.
Just as Scattered Spider used the ransomware specialist BlackCat to attack MGM, there are threat actors that provide DNS infrastructure, meaning domain names and hosting, to malware actors. The relationships between these domains and IP addresses can be difficult to recognize, and the infrastructure may be entirely separate from any specific malware. We specialize in tracking these relationships, and we use the term DNS threat actors for the actors who control DNS infrastructure for nefarious purposes.
Although they have been around for decades, DNS threat actors are generally unrecognized in the security community. We find that these actors are often able to maintain malicious infrastructure for years with little notice from security vendors; the domain names they control may even be rated "reputable" by major open source reputation checkers. As an example, in July 2022 we published a report on VexTrio, a DNS threat actor that uses a dictionary domain generation algorithm (DDGA) to continually grow its network. At the time of that first publication, VexTrio had already been operating for over two years, delivering different types of malware, adware, and scams. Since then, others have reported on the malware distributed by VexTrio, but without making the connection to VexTrio itself.[3] Because we monitor the VexTrio network from a DNS perspective, our customers are protected independent of the malware. VexTrio domain names continue to go unrecognized by most security vendors because their focus is malware or phishing rather than DNS: they capture the landing page or the malware, but not the delivery itself. As of this writing, Infoblox has detected nearly 60,000 domain names controlled by VexTrio. Since our 2022 publication, some vendors have begun detecting VexTrio domains, e.g., trueworeover[.]live, as "greyware", but do not recognize the malicious nature of their activities.
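The text above describes DDGA domains without showing what makes them recognizable. The following is an added illustration, not Infoblox code: a small heuristic that flags a domain whose second-level label can be split into two or more glued-together dictionary words, which is the signature of a dictionary DGA. The word list, the `segment` and `is_ddga_candidate` helpers, and the sample domains (other than the defanged trueworeover[.]live named above) are constructed for the example; a production detector would use a full word list and the public suffix list.

```python
# Added example (not Infoblox code): heuristic detection of dictionary DGA
# (DDGA) style domain names, i.e. second-level labels made of several
# dictionary words concatenated without separators.
# The word list and the sample domains are constructed for illustration;
# trueworeover[.]live is the defanged example cited in the text.
from typing import Optional

# Constructed mini dictionary; a real deployment would load a full word list.
WORDS = {
    "true", "wore", "over", "red", "fox", "bank", "login", "shop", "cloud",
    "data", "blue", "sky", "ever", "green", "east", "west", "paper", "wolf",
}


def segment(label: str, words: set = WORDS) -> Optional[list]:
    """Split `label` into the fewest dictionary words, or return None.

    Dynamic programming over prefixes: best[i] is a minimal-word
    segmentation of label[:i], so 'trueworeover' -> ['true', 'wore', 'over'].
    """
    n = len(label)
    best: list = [None] * (n + 1)
    best[0] = []
    for i in range(1, n + 1):
        # Only words up to 12 characters are considered (keeps the loop small).
        for j in range(max(0, i - 12), i):
            if best[j] is not None and label[j:i] in words:
                cand = best[j] + [label[j:i]]
                if best[i] is None or len(cand) < len(best[i]):
                    best[i] = cand
    return best[n]


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'a[.]b' back into 'a.b'."""
    return domain.replace("[.]", ".").lower().strip(".")


def is_ddga_candidate(domain: str, min_words: int = 2) -> bool:
    """Flag a domain whose second-level label is 2+ glued dictionary words."""
    labels = refang(domain).split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]  # naive SLD; real code would consult the public suffix list
    if not sld.isalpha() or len(sld) < 8:  # short or digit-bearing names are too noisy
        return False
    parts = segment(sld)
    return parts is not None and len(parts) >= min_words


SAMPLE = [  # constructed sample list, plus the defanged domain from the text
    "trueworeover[.]live",
    "redfoxbank[.]com",
    "www.google.com",
    "kjq3x9zlw.net",
    "cloud.example.org",
]


def scan(domains=SAMPLE) -> dict:
    """Return {domain: flagged} for each candidate domain."""
    return {d: is_ddga_candidate(d) for d in domains}


if __name__ == "__main__":
    for domain, flagged in scan().items():
        print(f"{domain:24s} ddga_candidate={flagged}")
```

The minimum-length and alphabetic checks keep the rule from firing on ordinary short brand names; on its own this heuristic is a triage signal for a DNS log review, not a block decision, since legitimate marketing domains are sometimes built the same way.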
To shed light on these operations, which are executed in the shadows, we are introducing the concept of DNS threat actors and plan to publish reports on some of the actors we track. Monitoring DNS threat actors allows us to identify related infrastructure and to detect new domains and IP addresses as they emerge. A DNS detection and response (DNS-DR) system such as BloxOne Threat Defense then allows us to block the distribution of malware, phishing, scams, and illegal content before it ever reaches the end user. We are also developing more ways for our customers to interact with our DNS threat actor data and find forensic insights related to their own networks.
Associating a type of malware or a campaign with a malware threat actor can sometimes be straightforward, but often requires sophisticated analysis. The same is true of DNS threat actors. In some cases the DNS actor might use dedicated nameservers that persist over time, but more often, determining whether a domain name or IP address is controlled by a given actor is a complex process. For example, one way we were able to distinguish domains controlled by different actors using the Decoy Dog malware kit was to use DNS logs to statistically identify the sleep time each actor had configured for compromised devices. In another recent example, attacks using iMessage texts containing fake U.S. Postal Service package delivery notifications were attributed in open source reporting to a Chinese actor and associated with a specific domain registrar and hosting provider. From our DNS perspective, however, we had already detected those lookalike phishing domains as part of a larger set of activity that used additional registrars and hosting providers. As the originally reported activity was thwarted, we observed the same actor sending iMessage spam containing other domains we had flagged. In this case, a combination of timing and domain name properties led us to group the domains together before the public reporting.
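The Decoy Dog example above mentions recovering a beacon's configured sleep time from DNS logs. The following added example (not Infoblox code, and not the analysis the text refers to) shows the basic idea: group queries by client and zone, compute the gaps between successive lookups, and report zones whose gaps are tightly clustered. The log format, the client addresses, the placeholder zone `beacon.example.net`, and the `estimate_sleep` and `base_domain` helpers are all constructed for illustration.

```python
# Added example (not Infoblox code): estimating a DNS beacon's sleep interval
# from resolver query logs. A compromised host that checks in over DNS tends
# to query its controller's zone at a fixed interval, so its inter-query gaps
# cluster tightly around that interval while ordinary browsing does not.
# Log format, addresses and the zone beacon.example.net are constructed.
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Constructed log lines: "<ISO timestamp> <client_ip> <qname>"
LOG = """\
2023-09-20T10:00:00 10.1.1.5 a1b2.beacon.example.net
2023-09-20T10:00:01 10.1.1.5 www.example.com
2023-09-20T10:10:02 10.1.1.5 c3d4.beacon.example.net
2023-09-20T10:20:00 10.1.1.5 e5f6.beacon.example.net
2023-09-20T10:29:58 10.1.1.5 a7b8.beacon.example.net
2023-09-20T10:40:01 10.1.1.5 c9d0.beacon.example.net
2023-09-20T10:03:15 10.1.1.9 www.example.com
2023-09-20T10:31:40 10.1.1.9 cdn.example.com
2023-09-20T10:32:05 10.1.1.9 www.example.com
"""


def parse(log: str):
    """Yield (timestamp, client, qname) for each non-empty log line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        yield datetime.fromisoformat(ts), client, qname.lower().rstrip(".")


def base_domain(qname: str, labels: int = 3) -> str:
    """Collapse per-query subdomains (often random) to a zone key.

    Keeps only the rightmost `labels` labels; real code would use the public
    suffix list to find the registered domain instead of a fixed label count.
    """
    return ".".join(qname.split(".")[-labels:])


def estimate_sleep(log: str, min_queries: int = 4, max_cv: float = 0.1) -> dict:
    """Return {(client, zone): (median_gap_seconds, cv)} for periodic lookups.

    cv is the coefficient of variation of the gaps (stddev / mean); a small
    value means the client queried the zone on a very regular schedule.
    """
    times = defaultdict(list)
    for ts, client, qname in parse(log):
        times[(client, base_domain(qname))].append(ts)
    result = {}
    for key, seq in times.items():
        if len(seq) < min_queries:
            continue  # too few observations to call anything periodic
        seq.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(seq, seq[1:])]
        m = mean(gaps)
        if m == 0:
            continue  # burst of identical timestamps, not a beacon
        cv = pstdev(gaps) / m
        if cv <= max_cv:
            result[key] = (round(median(gaps)), round(cv, 3))
    return result


if __name__ == "__main__":
    for (client, zone), (sleep_s, cv) in estimate_sleep(LOG).items():
        print(f"{client} -> {zone}: sleep ~{sleep_s}s (cv={cv})")
```

On the constructed log the only periodic pair is client 10.1.1.5 querying the beacon zone roughly every 600 seconds; the two browsing clients never reach the query threshold. In practice the interesting output is not a single flag but the distribution of estimated sleep times across many clients, since hosts sharing the same configured interval are candidates for the same operator.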
Also, as in the malware criminal underground, many of the DNS threat actors we track are unnamed. We begin with sets of related domains and IP addresses and, over time, build these into more sophisticated DNS threat actor profiles to be monitored and named. Our focus for long-term tracking is on actors who have persisted for over a year, although we also track some actors that have been active for shorter periods. In some cases we can determine the types of malicious activity the actor's network supports. We maintain knowledge of over 30k sets of related indicators today.
While we are announcing DNS threat actors as a category today, tracking them is nothing new for us. We have had DNS signatures in place since 2018 to monitor the evolution of certain actors’ infrastructure. Early algorithms detected newly registered domains used by the actors behind the Magnitude exploit kit and Hancitor malware, as well as specific DNS actors responsible for Slow Drip distributed denial of service (DDoS) attacks. Because we were able to predict the use of these domains, we confidently blocked their resolution at the DNS recursive resolver, protecting our customers before the actors could leverage them in their campaigns.
We have published on several DNS threat actors, none of which align directly with known malware actors, and all of which have persisted in their activities for over a year. While each of these actors has been confirmed to deliver malware, DNS threat actors play a number of different roles in the online crime economy and use a wide range of techniques to accomplish their goals.
- VexTrio is a persistent actor that leverages a dictionary domain generation algorithm (DDGA). We call them the "Swiss Army knife" of DNS actors because they are known to deliver multiple kinds of malware, scams, ads, and even spearphishing attacks. They have been around for more than three years and continually grow their network. VexTrio is known to compromise vulnerable WordPress sites and has been observed in over 50% of all networks. You can read about them in our original report here and an update here.
- Omnatuor is similar to VexTrio, but does not use a DDGA to create domains. Its domains are categorized in web search results as greyware, nuisance-ware, or adware, but, just like VexTrio, it delivers malware to select targets. Omnatuor has over 14k associated domains and a reach similar to VexTrio's. You can read our report on them here.
- WordyThief was a prolific spam actor that distributed the Russian-developed Predator the Thief and Taurus Stealer malware.[4] We published a paper on WordyThief at eCrimeX, an annual research conference sponsored by the Anti-Phishing Working Group (APWG). WordyThief was active for over a year, but is now dormant or has changed its tactics, techniques, and procedures (TTPs). You can read about them here.
- WhiteSawShark is a malicious spam actor discovered in 2020 and still active today. They deliver different types of widely available information stealers, but use a custom downloader. In 2021 we reported on both their malicious spam infrastructure and the downloader they were using at the time. You can read that report here.
Soon we will begin sharing details of select other DNS threat actors. Their portfolios will demonstrate the breadth of DNS threat actor TTPs and highlight their ability to operate with impunity. They will also show how DNS provides a unique lens on the complex economy that fuels malicious actors, from scamming vulnerable populations out of their paychecks to stealing state secrets. Both individuals and enterprises will likely be surprised by the number of suspicious and malicious domain resolution queries made within their networks that pass through other security products unnoticed. One common tactic used by DNS threat actors is the registration of large numbers of domain names created with a domain generation algorithm, a method we refer to as an RDGA, or registered DGA. In our next blog, we'll talk a little more about RDGAs and how they are used.