To host command and control (C2) servers, distribute malware, or perform other malicious activities, hackers need a domain name. They can automate the process of obtaining domain names with a Domain Generation Algorithm (DGA). However, to actually use these domains, they must also register them with a domain registrar.
To do this, a group of hackers started using Registered Domain Generation Algorithms (RDGAs), which unfortunately seems to be working.
Cybersecurity researchers at Infoblox Threat Intel reported that a cybercriminal named Revolver Rabbit registered over 500,000 domains this way. They had to invest at least a million dollars to do this, which is a considerable amount of money.
A profitable business
The hacker used the RDGA to create command and control (C2) and decoy domains for the infostealing malware XLoader.
XLoader is a versatile and powerful piece of malware that has multiple functions, including data theft, credential theft, and functioning as a remote access Trojan (RAT). It is an evolution of the infamous FormBook malware, which was also known for its information stealing capabilities. XLoader has been used in various cybercriminal campaigns, often targeting both Windows and macOS platforms.
“It must be a profitable malware for Revolver Rabbit, given their investment in domain names,” the researchers said. “Connecting the Revolver Rabbit RDGA to an established malware after months of tracking highlights the importance of understanding RDGAs as a technique within the threat actor’s toolbox.”
Infoblox’s report concluded that RDGAs are a “formidable and underestimated” threat. By using the new technique, threat actors can easily scale their spam, malware, and scam operations, mostly flying under the radar of the cybersecurity industry. In fact, Infoblox regularly discovers “tens of thousands of new domains,” which are then captured in clusters of actor-controlled assets.
Most of these domains, the researchers claim, go unnoticed by the security industry. Revolver Rabbit’s activity lasted for almost a year and was not flagged as malicious.
