Author: Darby Wise
Following our publication introducing the concept of DNS threat actors, we will be taking a closer look at a few types of actors we have been researching and how they are using DNS to orchestrate complex campaigns. These threat actors are increasingly leveraging domain generation algorithms to create, register, and then actively use a large set of domains over time, a method that uses what we call a registered domain generation algorithm, or RDGA. Similar to a traditional DGA, an RDGA generates large numbers of domains that threat actors use for command and control (C2) operations in campaigns and other malicious activities. However, RDGAs involve several updates to the standard tactics, techniques, and procedures (TTPs) of DGAs that can enhance an actor’s capabilities.
Since 2015, Infoblox has provided DNS detection and response for domain generation algorithms (DGAs), a common tool employed by DNS threat actors to distribute malware, adware, phishing campaigns, and other illegal content. We have developed our own dedicated algorithms for detecting this specific type of behavior. Not only do our algorithms allow us to proactively block these domains and protect our customers, they enable us to engage in long-term tracking of large-scale DGA networks. From this, we have observed a significant change in the way some actors use DGAs: a shift toward registered DGAs.
DGA vs. RDGA: What’s New?
Before diving into RDGAs, it’s important to understand how a traditional DGA works. DGAs are algorithms that typically reside within the malware distributed by threat actors. These algorithms are programmed to generate any number of pseudorandom domain names, and the malware cycles through them to find one that enables it to communicate with the attacker’s C2. This allows the attacker to evade detection and blocking mechanisms by offering alternative domains that can quickly replace any that have been deemed malicious or blocklisted. Before the invention of DGAs, IP addresses or domain names were hardcoded into the malware and were quickly thwarted once the malware was discovered.
The main difference between this traditional use of a DGA and an RDGA is right there in the name: they’re registered. With a standard DGA, the algorithm is incorporated in the malware itself and only a small percentage of the domains created by the algorithm are actually registered. This means that most of the DNS queries made by the infected device will result in an NXDOMAIN (non-existent domain) error message as a response.
The report on Bumblebee Loader published by Intel471 offers a recent example of a threat actor using a traditional DGA. After a short hiatus, the actors behind Bumblebee updated the malware’s capabilities to, among other things, use a DGA for C2 communications. Previously relying on a hardcoded list of C2 domains, this malware now iterates through a list of 100 domains generated by the algorithm until it receives a successful response, indicating that only some of the domains were registered. We have provided some of these domains below in Table 1.
Table 1. A sample of domains from a DNS threat actor using a traditional DGA to deliver Bumblebee malware (the domain list itself is not reproduced in this copy).
An RDGA, on the other hand, is used by the actor to create domains that will all be registered. We have observed different types of behavior following registration, where threat actors will either use the domains in campaigns right away, or they will strategically age them over a period of time in an attempt to build credibility.
With one of our algorithms for detecting RDGAs, we observed a DNS threat actor using this strategy of aging registered domains to deliver different types of malware, including one security vendors detected as Sparkle, a variety of malware associated with a Chinese advanced persistent threat (APT) actor. The actor aged these domains for about three months before using them as part of a campaign in June 2023. A sample of these domains can be found in the table below, along with other examples of RDGA domains from various DNS threat actors.
Table 2. A sample of domains from multiple DNS threat actors using RDGAs (the domain lists themselves are not reproduced in this copy). The table groups its rows as follows:
- Domains used by Chinese APT actor delivering Sparkle payload
- Domains generated to impersonate Steam’s Community website (steamcommunity[.]com)
- Domains from an RDGA cluster that use layers of redirection to obfuscate malware delivery
- Registered domains generated by a dictionary DGA (DDGA) associated with VexTrio
Because the domains created by an RDGA will result in far fewer NXDOMAIN responses, it can be more difficult for the security community to detect and block them, thus enabling the threat actor to create a more sophisticated attack while flying under the radar. Traditional DGAs, like the one recently added to Bumblebee, are often captured by the security community because reverse engineers are able to recreate the underlying algorithm; in an RDGA, the algorithm remains private to the DNS threat actor. We have updated our algorithms to track this kind of behavior along with traditional DGAs to ensure our customers are protected.
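To make the detection gap concrete, here is an added example (not code from Infoblox or from this post) that runs two per-client checks over a constructed resolver log: the classic NXDOMAIN-ratio test, which the traditional-DGA client trips because most of its generated names are unregistered, and a lexical randomness test on the queried labels, which is the only one that fires on the RDGA client whose every name resolves. The log lines, client addresses, domains and thresholds are all constructed for illustration.

```python
import math
from collections import defaultdict
# Constructed resolver log, one "client domain rcode" per line (not real data).
SAMPLE_LOG = """\
10.0.0.5 qlxbvmtrdk.com NXDOMAIN
10.0.0.5 hvtrkwlqzp.net NXDOMAIN
10.0.0.5 wmkdrtpqsx.com NXDOMAIN
10.0.0.5 zkvrhtmxab.com NOERROR
10.0.0.7 bknwfzqlrv.com NOERROR
10.0.0.7 tmgxplzcqk.net NOERROR
10.0.0.7 rvqdzhkwlt.com NOERROR
10.0.0.9 www.example.com NOERROR
10.0.0.9 mail.example.org NOERROR
"""

def parse_log(text):
    """Split the log into (client, domain, rcode) tuples."""
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def sld_entropy(domain):
    """Shannon entropy (bits per char) of the registrable label, e.g. 'example'."""
    label = domain.lower().split(".")[-2]
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(k / len(label) * math.log2(k / len(label)) for k in counts.values())

def client_features(records):
    """Per client: (share of NXDOMAIN replies, mean label entropy over all queries).
    The first is the classic DGA signal; the second does not depend on resolution."""
    total, nx, ent = defaultdict(int), defaultdict(int), defaultdict(float)
    for client, domain, rcode in records:
        total[client] += 1
        nx[client] += rcode == "NXDOMAIN"
        ent[client] += sld_entropy(domain)
    return {c: (nx[c] / total[c], ent[c] / total[c]) for c in total}

def classify(records, nx_threshold=0.5, entropy_threshold=3.0):
    """NXDOMAIN ratio alone flags only the traditional DGA; the RDGA client resolves
    every name, so only the lexical test catches it (a dictionary RDGA evades both)."""
    verdicts = {}
    for client, (nx_ratio, entropy) in client_features(records).items():
        if nx_ratio >= nx_threshold:
            verdicts[client] = "traditional DGA suspect"
        elif entropy >= entropy_threshold:
            verdicts[client] = "RDGA suspect"
        else:
            verdicts[client] = "no DGA signal"
    return verdicts
```

Note that the VexTrio-style dictionary DGA in Table 2 would keep label entropy low and slip past both checks, which is why production tracking relies on registration and infrastructure signals beyond what this sketch shows.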
An RDGA is just one of many tools used by DNS threat actors as they conduct their nefarious operations. While we still observe some traditional DGAs, they are not as common as they were 5-7 years ago. We have seen a continual increase in the use of RDGAs over the past few years with some DNS threat actors maintaining over 80k domains at a time. Every day, we add thousands of new RDGA domains to our block lists from known DNS threat actors and others emerging into view. RDGAs are indeed the new face of DGAs. In the coming months, we will release publications on more of these actors, diving deep into the differences between them, as well as highlighting common trends and the TTPs we’re observing.