Author: James Barnett
This trailblazing report explores a burgeoning technique that threat actors are using to covertly transform the DNS threat landscape with millions of new domains. You’ll learn how traditional malware-based domain generation algorithms (DGAs) have evolved into registered DGAs (RDGAs) that can be used for malware, phishing, spam, scams, gambling, traffic distribution systems (TDS), virtual private networks (VPNs), and more. We’ll unveil a new RDGA threat actor named Revolver Rabbit who’s associated with XLoader malware. We’ll also reveal how the notorious Hancitor malware used an RDGA to generate its C2 domains for years while most of the security industry remained oblivious to their methods. This blog discusses some of the highlights from our full research paper, which is available here.
For nearly two decades, threat actors have used domain generation algorithms (DGAs) to distribute malware. In recent years, threat actors have been employing a technique we call registered domain generation algorithms (RDGAs), in which the actor uses an algorithm to register many domain names at one time. RDGAs are considerably harder to detect and defend against than traditional DGAs, and despite their prevalence on the internet, they have been woefully underreported by the security community. We originally described RDGAs in October 2023 and have published on the topic multiple times since then.
What Exactly Are RDGAs?
RDGAs are a programmatic mechanism that allows threat actors to create many domain names at once, or over time, to register for use in their criminal infrastructure. These differ significantly from the traditional domain generation algorithms (DGAs) that have long been associated with malware. In an RDGA, the algorithm is a secret kept by the threat actor, and they register all the domain names. In a traditional DGA, the malware contains an algorithm that can be discovered and most of the domain names will not be registered.
|
| Figure 1. Illustration of the difference in domain registration behaviors of traditional DGAs and registered DGAs. |
While traditional DGAs are used exclusively for connection to a malware controller, RDGAs can be used for a wide range of purposes including malware, phishing, spam, scams, gambling, traffic distribution systems (TDS), virtual private networks (VPNs), or essentially any activity that benefits from having large numbers of domain names. We’ll cover a couple interesting cases of RDGA usage for this blog, but there are far more examples in our full research paper.
Threat actors, criminal enterprises, and legitimate businesses all use RDGAs. Registrars like Namecheap even offer tools to generate variants of a chosen domain name, and these tools can be leveraged by anyone — legitimate customers or threat actors.
|
| Figure 2. Namecheap’s “Beast Mode” is a fully-featured graphical RDGA builder available to all customers |
Why Call It RDGA?
We coined this phrase and acronym because the term “DGA” has become broadly overused in the years since the concept was introduced, effectively serving as an umbrella term for any domain that is (or appears to be) algorithmically generated. In the same way that the concept of dictionary DGAs (DDGAs) was introduced to distinguish algorithms that generate domains using real words rather than random characters, we’re using the concept of RDGAs to distinguish algorithms that threat actors use to privately register large numbers of domains from algorithms embedded in publicly-available malware to make their C2 communications more difficult to disrupt.
What Do RDGAs Look Like?
Just like traditional DGAs, RDGAs come in all shapes and sizes. Some look like prototypical DGAs with seemingly random characters and a high degree of entropy, as Tables 1 and 2 show:
| 6rnd9mitqt1rz82[.]top 7r7suw52ls00i20[.]top 9w9ohb5vky5p3dz[.]top bjbntaxmh09r09e[.]top qcj4pirltkpqrcu[.]top |
| Table 1. Prototypical DGA used by a SocGholish/TA569 affiliate |
| h87e1mbm0u5f85[.]xyz n8j1nau3os4otr[.]xyz xnnxr1jquyupjc[.]xyz xqajkr8fbrdryp0[.]xyz xryqcgcb2upb28k[.]xyz |
| Table 2. RDGA for a weight loss pill scam |
Table 3 shows that other RDGAs use nonsensical combinations of dictionary words like a traditional DDGA:
| arriveplanetsnow[.]buzz coatthinkverb[.]buzz debtgenepub[.]live poemtrainsurprise[.]top quarterneighbourforward[.]xyz |
| Table 3. VexTrio Viper RDGA |
Some RDGAs use a limited set of dictionary words in a more structured format in order to fit a theme, like this set of domains in Table 4, whose names correspond to various regional jails:
| castrocountyjail[.]org killeencityjail[.]org lasalleparishjail[.]org miamidadecountyjail[.]org northcentralregionaljail[.]org |
| Table 4. RDGA with a regional jail theme |
Still other RDGAs generate variations of a single domain name by inserting, shifting, or deleting characters from the base domain name (see Table 5). More often than not, the character changes in these variant domain names follow some sort of structure so that the generated domains are still somewhat intelligible and similar to the base domain, like the following set of RDGA domains for a Russian diploma mill:
| arenadiploma[.]com area-diploman24[.]com area-diplomans24[.]com area-diploms24[.]com area-diplomy24[.]com areas-diplom[.]com areas-diplom24[.]com areas-diplomy24[.]com arena-diplomsy24[.]com arena-diplomy24[.]com |
| Table 5. RDGA for a Russian diploma mill |
Clearly, RDGAs come in a variety of forms and their domains may not be immediately recognizable when viewed in isolation. This is why researching and identifying RDGAs requires access to large-scale DNS data and enough DNS expertise to properly analyze it.
Hancitor: Using RDGAs Before It Was Cool
If you’re reading this blog, there’s a good chance you’ve heard of Hancitor malware. Although it hasn’t been active recently, it was an incredibly popular malware loader with prolific malspam campaigns that regularly delivered booby-trapped documents to unsuspecting victims for the better part of a decade. What most people don’t realize about Hancitor is that they were using an RDGA to generate all of their C2 domains, which meant they could be detected in DNS and blocked before their campaigns even became active.
Looking at the C2 domains embedded in a single sample of Hancitor (Table 6), the pattern isn’t obvious.
| chopprousite[.]ru patiennerrhe[.]com thougolograrly[.]ru |
| Table 6. Hancitor C2 domains from one sample |
The C2s are nonsensical and look like DGA domains, but they don’t contain numbers or lots of high-entropy strings like a randomized traditional DGA. Some of them appear to contain English words like a DDGA, but they’re not exclusively made of intelligible words like a standard DDGA. While all of these observations are true, and they may even help identify Hancitor domains during manual threat hunting, they aren’t enough to fully characterize the algorithm and build an automated detector for it.
If we look at a larger list of Hancitor C2 domains taken from multiple samples, however, the underlying patterns of its RDGA become more apparent (Table 7):
| dintretonid[.]com dintretrewor[.]com dintrolletone[.]com dintromparsup[.]com direnrolpar[.]ru hadhecrecled[.]com hadrecrolof[.]ru hadsparmirat[.]com hanparolhar[.]com rofromandfor[.]ru rowrorofrat[.]com |
| Table 7. Selected Hancitor C2 domains taken from various samples |
From this set of domains we can see that Hancitor’s RDGA has a tendency to repeat specific sequences of characters, such as “di” and “ha.” We could infer that the reason its domains appear random while having fairly low entropy is that the character sequences it uses are common in English words.
Infoblox recognized these peculiarities of the Hancitor RDGA in 2018 and created a statistical model to identify domains that follow Hancitor’s RDGA pattern. By combining this with our knowledge of Hancitor’s registration patterns and DNS signatures, we created a predictive analytic to identify and block Hancitor C2 domains before they were used in active campaigns.
Meet Revolver Rabbit
One of the most prolific unclassified RDGA actors we’ve found, which we’ve named Revolver Rabbit, has registered over 500k domains on the .bond TLD alone. Their RDGA pattern is unique but also highly variable, which makes some of their domains difficult to identify without additional DNS context.
The most common RDGA pattern this actor uses is a series of one or more dictionary words followed by a five-digit number, with each word or number separated by a dash (see Table 8). When multiple dictionary words are used, they usually form coherent phrases rather than appearing completely random.
| assisted-living-11607[.]bond online-jobs-42681[.]bond perfumes-76753[.]bond security-surveillance-cameras-42345[.]bond yoga-classes-35904[.]bond |
| Table 8. Examples of most common RDGA pattern for Revolver Rabbit |
Sometimes the actor uses ISO 3166-1 country codes, full country names, or numbers corresponding to years instead of dictionary words (see Tables 9A and 9B). They tend to use these elements as prefixes or suffixes, and the domains that use them generally omit the standard five-digit numerical suffix regardless of whether the element is being used as a prefix or suffix.
| ai-courses-12139[.]bond ai-courses-13069[.]bond ai-courses-14729[.]bond ai-courses-16651[.]bond ai-courses-17621[.]bond app-software-development-training-52686[.]bond app-software-development-training-54449[.]bond app-software-development-training-55554[.]bond app-software-development-training-57549[.]bond |
ai-courses-2024-pe[.]bond ai-courses-2024-pk[.]bond ai-courses-2024sa[.]bond ai-courses2023-in[.]bond ai-courses2023in[.]bond ai-courses2024in[.]bond app-software-development-italy[.]bond app-software-development-training-usa[.]bond |
| Table 9A. Domains using the basic pattern | Table 9B. Domains using country codes, country names, and year numbers |
Tables 10A and 10B show how the actor occasionally replaces their standard five-digit suffix with one or two digits followed by a single character.
| online-degrees-16099[.]bond portable-air-conditioner-12322[.]bond river-cruises-13890[.]bond roofing-services-10175[.]bond travel-insurance-43494[.]bond |
usa-online-degree-29o[.]bond bra-portable-air-conditioner-9o[.]bond uk-river-cruises-8n[.]bond rsa-roofing-services-8n[.]bond col-travel-insurance-3n[.]bond |
| Table 10A. Domains using the basic pattern | Table 10B. Domains using 1-2 digits and a single letter |
Tables 11A and 11B show that in some cases the actor uses two dashes in a row rather than the single dash they normally use.
| welding-machines-10120[.]bond welding-machines-35450[.]bond welding-machines-56397[.]bond welding-machines-76813[.]bond welding-machines-99146[.]bond |
welding-machines−−11015[.]bond welding-machines−−31109[.]bond welding-machines−−56717[.]bond welding-machines−−75378[.]bond welding-machines−−97422[.]bond |
Table 11A. Domains using the basic pattern | Table 11B. Domains using two dashes instead of one |
The amount of variation in this actor’s RDGA highlights the need for advanced DNS expertise and visibility when implementing automated RDGA detection. While many of their domains follow a basic pattern that could be detected with regular expressions or other string-based matching, they also have a number of domains that use different patterns. The similarities between this actor’s patterns may be obvious to a human observer, but for an automated detector to accurately group these somewhat disparate domains together, additional DNS context is required.
We initially planned to publish Revolver Rabbit as an example of an interesting but unclassified RDGA actor, but during our research we found their domains being used as both active C2s and decoy domains in XLoader (a.k.a. Formbook) malware samples.1, 2 This discovery further underscores the importance of RDGA detection and analysis, as without it actors like Revolver Rabbit can operate undetected despite their massive network footprints.
Unknown RDGAs Are on the Rise
For every RDGA like VexTrio Viper that we’ve extensively researched and published on, we’ve detected thousands of other RDGAs whose purposes remain largely unknown. Given the wide array of malicious activity we’ve observed from the RDGAs we know, the sheer quantity of unknown RDGAs is a matter of significant interest and concern. The patterns and DNS signatures that tie RDGA domains together can only be identified by large-scale analysis, so unknown RDGA domains are able to function largely unimpeded on networks that aren’t protected by advanced DNS analytics like ours.
In the six-month period from October 17, 2023 to April 17, 2024, our RDGA detectors identified over 2M unique RDGA domains, or an average of over 11k new RDGA domains per day (see Figure 3).
|
| Figure 3. Daily RDGA domain detection counts from October 17, 2023 to April 17, 2024 |
Our detectors initially clustered these domains into roughly 117k unique actor groups, which we later reduced to roughly 52k actor groups using a combination of automated refinements and manual analysis (see Figure 4).
|
| Figure 4. Daily RDGA actor cluster counts from October 17, 2023 to April 17, 2024 |
The key takeaway from these statistics is that there are so many RDGA domains being registered that the security industry will never be able to research them all. It can take months for human researchers to understand a threat to the point that they can publish on it, but it only takes a day for RDGA actors to register tens of thousands of new domains for researchers to investigate. This is why automated detection is the only viable defense against RDGA threats.
Learn more about RDGAs in our full research report here.
Conclusion
RDGA domains are associated with a panoply of dubious activities that most organizations don’t want on their networks. But despite being used to register millions of new domains, RDGAs have gone almost entirely unrecognized by the security industry. This lack of reporting is likely due to the fact that RDGA detection requires both significant DNS expertise and access to large volumes of DNS data. Organizations should be aware of the threat that RDGAs pose to their networks, and should implement security solutions that include automated RDGA detection.
Indicators of Activity
Below is a sample of indicators used by the RDGA threat actors we mentioned in this blog. Indicators are also available in our GitHub repository here.
| Indicator | Type of Indicator |
|---|---|
| 6rnd9mitqt1rz82[.]top 7r7suw52ls00i20[.]top 9w9ohb5vky5p3dz[.]top bjbntaxmh09r09e[.]top qcj4pirltkpqrcu[.]top |
SocGholish/TA569 affiliate traditional DGA domains |
| h87e1mbm0u5f85[.]xyz n8j1nau3os4otr[.]xyz xnnxr1jquyupjc[.]xyz xqajkr8fbrdryp0[.]xyz xryqcgcb2upb28k[.]xyz |
Weight loss pill scam RDGA domains |
| arriveplanetsnow[.]buzz coatthinkverb[.]buzz debtgenepub[.]live poemtrainsurprise[.]top quarterneighbourforward[.]xyz |
VexTrio Viper RDGA domains |
| castrocountyjail[.]org killeencityjail[.]org lasalleparishjail[.]org miamidadecountyjail[.]org northcentralregionaljail[.]org |
Regional jail RDGA domains |
| arenadiploma[.]com area-diploman24[.]com area-diplomans24[.]com area-diploms24[.]com area-diplomy24[.]com areas-diplom[.]com areas-diplom24[.]com areas-diplomy24[.]com arena-diplomsy24[.]com arena-diplomy24[.]com |
Russian diploma scam RDGA domains |
| chopprousite[.]ru patiennerrhe[.]com thougolograrly[.]ru dintretonid[.]com dintretrewor[.]com dintrolletone[.]com dintromparsup[.]com direnrolpar[.]ru hadhecrecled[.]com hadrecrolof[.]ru hadsparmirat[.]com hanparolhar[.]com rofromandfor[.]ru rowrorofrat[.]com |
Hancitor C2 RDGA domains |
| assisted-living-11607[.]bond online-jobs-42681[.]bond perfumes-76753[.]bond security-surveillance-cameras-42345[.]bond yoga-classes-35904[.]bond ai-courses-12139[.]bond ai-courses-13069[.]bond ai-courses-14729[.]bond ai-courses-16651[.]bond ai-courses-17621[.]bond app-software-development-training-52686[.]bond app-software-development-training-54449[.]bond app-software-development-training-55554[.]bond app-software-development-training-57549[.]bond ai-courses-2024-pe[.]bond ai-courses-2024-pk[.]bond ai-courses-2024sa[.]bond ai-courses2023-in[.]bond ai-courses2023in[.]bond ai-courses2024in[.]bond app-software-development-italy[.]bond app-software-development-training-usa[.]bond online-degrees-16099[.]bond portable-air-conditioner-12322[.]bond river-cruises-13890[.]bond roofing-services-10175[.]bond travel-insurance-43494[.]bond usa-online-degree-29o[.]bond bra-portable-air-conditioner-9o[.]bond uk-river-cruises-8n[.]bond rsa-roofing-services-8n[.]bond col-travel-insurance-3n[.]bond welding-machines-10120[.]bond welding-machines-35450[.]bond welding-machines-56397[.]bond welding-machines-76813[.]bond welding-machines-99146[.]bond welding-machines−−11015[.]bond welding-machines−−31109[.]bond welding-machines−−56717[.]bond welding-machines−−75378[.]bond welding-machines−−97422[.]bond |
Revolver Rabbit RDGA domains |
| tires-book-robust[.]bond laser-skin-treatment-19799[.]bond pool-repair-35063[.]bond apartments-for-rent-72254[.]bond hemophilia-treatment-41433[.]bond |
Revolver Rabbit RDGA domains used as C2 / decoy domains for XLoader malware |
Footnotes
- https://www.joesandbox.com/analysis/1466892/0/html
- https://www.virustotal.com/gui/file/7738ec817c97182e16e409767c55c87460d83d37b0442eb337bc2507763d4486/relations
