RDGAs Exposed: Infoblox Uncovers Million-Dollar Domain Fraud

Infoblox Threat Intel today released a threat landscape study of the use of registered domain generation algorithms (RDGAs) by malicious actors. An RDGA differs from the traditional malware domain generation algorithm (DGA) in that all the domains are registered. Infoblox was the first to describe the technique, in October 2023. RDGAs allow actors to scale their operations quickly and avoid detection. Since introducing the terminology, Infoblox has published research showing how RDGAs were used in malware, in malicious link shorteners (Prolific Puma), and in traffic distribution systems (VexTrio Viper/Savvy Seahorse).

Infoblox Threat Intel has developed multiple algorithms to discover and track RDGAs in the wild, including patent-pending detection of emerging clusters of RDGA domains. With these detectors, Infoblox discovers tens of thousands of new domains every day, capturing them into clusters of actor-controlled assets. Surprisingly, most of these domains go unnoticed by the security industry. In the new study of the RDGA threat landscape, Infoblox found that the use of RDGAs has grown over the past few years, and it shows how domains created with them are used, with numerous examples ranging from scams to malware.

The most remarkable example included is an RDGA controlled by an actor that Infoblox named Revolver Rabbit. This actor has registered over 500,000 domains, costing them over $1 million in registration fees. At the same time, discovering the purpose of these domains was a challenge. Infoblox Threat Intel has been tracking Revolver Rabbit for nearly a year but was stumped for months on the threat actor’s motivation.

How can so many domains be registered without a trace of malicious activity? Recently, Infoblox solved the puzzle: Revolver Rabbit uses the RDGA to create command and control (C2) and decoy domains for XLoader (aka Formbook) malware. This malware is an information stealer typically delivered via phishing emails. It must be a profitable malware for Revolver Rabbit, given their investment in domain names. Connecting the Revolver Rabbit RDGA to an established malware after months of tracking highlights the importance of understanding RDGAs as a technique within the threat actor’s toolbox.

The landscape study shows that RDGAs are a formidable and underestimated threat. Actors can easily scale their spam, malware, and scam operations, often without fear of detection by the security industry. Moreover, automation in domain registration services makes it easy for cybercriminals to use an RDGA. The study intends to raise awareness of, and shed light on, the growing trend in malicious domain registrations.

Copyright © 2021 Security Review Magazine. Rysha Media LLC. All Rights Reserved.