{"id":10346,"date":"2024-07-17T09:53:39","date_gmt":"2024-07-17T16:53:39","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=10346"},"modified":"2024-12-20T06:08:44","modified_gmt":"2024-12-20T14:08:44","slug":"rdgas-the-next-chapter-in-domain-generation-algorithms","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/rdgas-the-next-chapter-in-domain-generation-algorithms\/","title":{"rendered":"RDGAs: The Next Chapter in Domain Generation Algorithms"},"content":{"rendered":"

Author: James Barnett<\/strong><\/h3>\n

 <\/p>\n

This trailblazing report explores the burgeoning use of a technique that threat and infrastructure actors are using to covertly transform the DNS landscape with millions of new domains. You\u2019ll learn how traditional malware-based domain generation algorithms (DGAs) have evolved into registered DGAs (RDGAs) that can be used for malware, phishing, spam, scams, gambling, traffic distribution systems (TDSs), virtual private networks (VPNs), and advertising. We\u2019ll unveil a new RDGA infrastructure actor named Revolver Rabbit, who runs the largest network of registered DGA domains that we have detected. We\u2019ll also reveal how the notorious Hancitor malware used an RDGA to generate its C2 domains for years while most of the security industry remained oblivious to their methods.<\/p>\n

For nearly two decades, threat actors have used domain generation algorithms (DGAs) to distribute malware. In recent years, various kinds of DNS actors have been employing a technique we call registered domain generation algorithms (RDGAs), in which the actor uses an algorithm to register many domain names at one time. RDGA threats are considerably harder to detect and defend against than traditional DGAs, and despite their prevalence on the internet, they have been woefully underreported by the security community. We originally described RDGAs in October 2023 and have published on the topic multiple times since then.<\/p>\n

What Exactly Are RDGAs?<\/h3>\n

RDGAs are a programmatic mechanism that allows DNS actors to create many domain names at once, over time, to register for use in their infrastructure. These differ significantly from the traditional domain generation algorithms (DGAs) that have long been associated with malware. In an RDGA, the algorithm is a secret kept by the actor, and they register all the domain names. In a traditional DGA, the malware contains an algorithm that can be discovered and most of the domain names will not be registered.<\/p>\n\n\n\n\n
\n\"Figure\n <\/td>\n<\/tr>\n
Figure 1. Illustration of the difference in domain registration behaviors of traditional DGAs and registered DGAs.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

While traditional DGAs are used exclusively for connection to a malware controller, RDGAs can be used for a wider range of purposes \u2013 essentially any activity that benefits from having large numbers of domain names. This can include malicious purposes such as malware, phishing, spam, gambling, and scams. Unfortunately, we often see threat actors use traffic distribution systems (TDSs) and virtual private networks (VPNs) for their nefarious activity, making it more challenging for security practitioners to discern the intent of the infrastructure. We\u2019ll cover a couple of interesting cases of RDGA usage in this blog, but there are far more examples in our full research paper.<\/p>\n

Threat actors, criminal enterprises, and legitimate businesses all use RDGAs.<\/strong> Registrars like Namecheap even offer tools to generate variants of a chosen domain name, and these tools can be leveraged by anyone \u2014 legitimate customers or threat actors. <\/p>\n\n\n\n\n
\n\"\"\n <\/td>\n<\/tr>\n
Figure 2. Namecheap\u2019s \u201cBeast Mode\u201d is a fully-featured graphical RDGA builder available to all customers<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Why Call It RDGA?<\/h3>\n

We coined this phrase and acronym because the term \u201cDGA\u201d has become broadly overused<\/strong> in the years since the concept was introduced, effectively serving as an umbrella term for any domain that is (or appears to be) algorithmically generated. In the same way that the concept of dictionary DGAs (DDGAs) was introduced to distinguish algorithms that generate domains using real words rather than random characters, we\u2019re using the concept of RDGAs to distinguish algorithms that threat actors use to privately register large numbers of domains from algorithms embedded in publicly-available malware<\/strong> to make their C2 communications more difficult to disrupt. <\/p>\n

What Do RDGAs Look Like?<\/h3>\n

Just like traditional DGAs, RDGAs come in all shapes and sizes.<\/strong> Some look like prototypical DGAs with seemingly random characters and a high degree of entropy, as Tables 1 and 2<\/strong> show: <\/p>\n\n\n\n\n
6rnd9mitqt1rz82[.]top
\n7r7suw52ls00i20[.]top
\n9w9ohb5vky5p3dz[.]top
\nbjbntaxmh09r09e[.]top
\nqcj4pirltkpqrcu[.]top\n<\/td>\n<\/tr>\n
Table 1. Prototypical DGA used by a SocGholish\/TA569 affiliate <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n\n\n\n\n
h87e1mbm0u5f85[.]xyz
\nn8j1nau3os4otr[.]xyz
\nxnnxr1jquyupjc[.]xyz
\nxqajkr8fbrdryp0[.]xyz
\nxryqcgcb2upb28k[.]xyz\n<\/td>\n<\/tr>\n
Table 2. RDGA for a weight loss pill scam <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Table 3<\/strong> shows that other RDGAs use nonsensical combinations of dictionary words like a traditional DDGA: <\/p>\n\n\n\n\n
arriveplanetsnow[.]buzz
\ncoatthinkverb[.]buzz
\ndebtgenepub[.]live
\npoemtrainsurprise[.]top
\nquarterneighbourforward[.]xyz\n<\/td>\n<\/tr>\n
Table 3. VexTrio Viper RDGA <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Some RDGAs use a limited set of dictionary words in a more structured format in order to fit a theme, like this set of domains in Table 4<\/strong>, whose names correspond to various regional jails: <\/p>\n\n\n\n\n
castrocountyjail[.]org
\nkilleencityjail[.]org
\nlasalleparishjail[.]org
\nmiamidadecountyjail[.]org
\nnorthcentralregionaljail[.]org\n<\/td>\n<\/tr>\n
Table 4. RDGA with a regional jail theme<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Still other RDGAs generate variations of a single domain name by inserting, shifting, or deleting characters from the base domain name (see Table 5<\/strong>). More often than not, the character changes in these variant domain names follow some sort of structure so that the generated domains are still somewhat intelligible and similar to the base domain, like the following set of RDGA domains for a Russian diploma mill: <\/p>\n\n\n\n\n
arenadiploma[.]com
\narea-diploman24[.]com
\narea-diplomans24[.]com
\narea-diploms24[.]com
\narea-diplomy24[.]com
\nareas-diplom[.]com
\nareas-diplom24[.]com
\nareas-diplomy24[.]com
\narena-diplomsy24[.]com
\narena-diplomy24[.]com\n<\/td>\n<\/tr>\n
Table 5. RDGA for a Russian diploma mill <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Clearly, RDGAs come in a variety of forms and their domains may not be immediately recognizable when viewed in isolation. This is why researching and identifying RDGAs requires access to large-scale DNS data and enough DNS expertise to properly analyze it. <\/strong><\/p>\n

Hancitor: Using RDGAs Before It Was Cool<\/h3>\n

If you’re reading this blog, there’s a good chance you’ve heard of Hancitor malware.<\/strong> Although it hasn’t been active recently, it was an incredibly popular malware loader with prolific malspam campaigns that regularly delivered booby-trapped documents to unsuspecting victims for the better part of a decade. What most people don’t realize about Hancitor is that they were using an RDGA to generate all of their C2 domains,<\/strong> which meant they could be detected in DNS and blocked before their campaigns even became active. <\/p>\n

Looking at the C2 domains embedded in a single sample of Hancitor (Table 6<\/strong>), the pattern isn’t obvious. <\/p>\n\n\n\n\n
chopprousite[.]ru
\npatiennerrhe[.]com
\nthougolograrly[.]ru\n<\/td>\n<\/tr>\n
Table 6. Hancitor C2 domains from one sample<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

The C2s are nonsensical and look like DGA domains, but they don’t contain numbers or lots of high-entropy strings like a randomized traditional DGA. Some of them appear to contain English words like a DDGA, but they’re not exclusively made of intelligible words like a standard DDGA. While all of these observations are true, and they may even help identify Hancitor domains during manual threat hunting, they aren’t enough to fully characterize the algorithm and build an automated detector for it. <\/p>\n

If we look at a larger list of Hancitor C2 domains taken from multiple samples, however, the underlying patterns of its RDGA become more apparent (Table 7<\/strong>): <\/p>\n\n\n\n\n
dintretonid[.]com
\ndintretrewor[.]com
\ndintrolletone[.]com
\ndintromparsup[.]com
\ndirenrolpar[.]ru
\nhadhecrecled[.]com
\nhadrecrolof[.]ru
\nhadsparmirat[.]com
\nhanparolhar[.]com
\nrofromandfor[.]ru
\nrowrorofrat[.]com\n<\/td>\n<\/tr>\n
Table 7. Selected Hancitor C2 domains taken from various samples<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

From this set of domains we can see that Hancitor\u2019s RDGA has a tendency to repeat specific sequences of characters,<\/strong> such as \u201cdi\u201d and \u201cha.\u201d We could infer that the reason its domains appear random while having fairly low entropy is that the character sequences it uses are common in English words.<\/strong> <\/p>\n

Infoblox recognized these peculiarities of the Hancitor RDGA in 2018<\/strong> and created a statistical model to identify domains that follow Hancitor\u2019s RDGA pattern. By combining this with our knowledge of Hancitor’s registration patterns and DNS signatures, we created a predictive analytic to identify and block Hancitor C2 domains before they were used in active campaigns. <\/p>\n

Meet Revolver Rabbit<\/h3>\n

One of the most prolific RDGA actors we\u2019ve found, which we\u2019ve named Revolver Rabbit, has registered over 500k domains on the .bond TLD alone. <\/strong>Their RDGA pattern is unique but also highly variable, which makes some of their domains difficult to identify without additional DNS context. <\/p>\n

The most common RDGA pattern this actor uses is a series of one or more dictionary words followed by a five-digit number, with each word or number separated by a dash (see Table 8<\/strong>). When multiple dictionary words are used, they usually form coherent phrases rather than appearing completely random. <\/p>\n\n\n\n\n
assisted-living-11607[.]bond
\nonline-jobs-42681[.]bond
\nperfumes-76753[.]bond
\nsecurity-surveillance-cameras-42345[.]bond
\nyoga-classes-35904[.]bond\n<\/td>\n<\/tr>\n
Table 8. Examples of most common RDGA pattern for Revolver Rabbit<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Sometimes the actor uses ISO 3166-1 country codes, full country names, or numbers corresponding to years instead of dictionary words (see Tables 9A and 9B<\/strong>). They tend to use these elements as prefixes or suffixes, and the domains that use them generally omit the standard five-digit numerical suffix regardless of whether the element is being used as a prefix or suffix.<\/p>\n\n\n\n\n
ai-courses-12139[.]bond
\nai-courses-13069[.]bond
\nai-courses-14729[.]bond
\nai-courses-16651[.]bond
\nai-courses-17621[.]bond
\napp-software-development-training-52686[.]bond
\napp-software-development-training-54449[.]bond
\napp-software-development-training-55554[.]bond
\napp-software-development-training-57549[.]bond<\/td>\n		ai-courses-2024-pe[.]bond
\nai-courses-2024-pk[.]bond
\nai-courses-2024sa[.]bond
\nai-courses2023-in[.]bond
\nai-courses2023in[.]bond
\nai-courses2024in[.]bond
\napp-software-development-italy[.]bond
\napp-software-development-training-usa[.]bond<\/td>\n<\/tr>\n
Table 9A. Domains using the basic pattern<\/td>\nTable 9B. Domains using country codes, country names, and year numbers <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Tables 10A and 10B<\/strong> show how the actor occasionally replaces their standard five-digit suffix with one or two digits followed by a single character.<\/p>\n\n\n\n\n
online-degrees-16099[.]bond
\nportable-air-conditioner-12322[.]bond
\nriver-cruises-13890[.]bond
\nroofing-services-10175[.]bond
\ntravel-insurance-43494[.]bond<\/td>\n		usa-online-degree-29o[.]bond
\nbra-portable-air-conditioner-9o[.]bond
\nuk-river-cruises-8n[.]bond
\nrsa-roofing-services-8n[.]bond
\ncol-travel-insurance-3n[.]bond<\/td>\n<\/tr>\n
Table 10A. Domains using the basic pattern<\/td>\nTable 10B. Domains using 1-2 digits and a single letter<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Tables 11A and 11B<\/strong> show that in some cases the actor uses two dashes in a row rather than the single dash they normally use. <\/p>\n\n\n\n
welding-machines-10120[.]bond
\nwelding-machines-35450[.]bond
\nwelding-machines-56397[.]bond
\nwelding-machines-76813[.]bond
\nwelding-machines-99146[.]bond<\/td>\n		welding-machines−−11015[.]bond
\n welding-machines−−31109[.]bond
\n welding-machines−−56717[.]bond
\n welding-machines−−75378[.]bond
\n welding-machines−−97422[.]bond<\/td>\n<\/tr>\n		Table 11A. Domains using the basic pattern<\/td>\nTable 11B. Domains using two dashes instead of one<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

The amount of variation in this actor\u2019s RDGA highlights the need for advanced DNS expertise and visibility when implementing automated RDGA detection. While many of their domains follow a basic pattern that could be detected with regular expressions or other string-based matching, they also have a number of domains that use different patterns. The similarities between this actor’s patterns may be obvious to a human observer, but for an automated detector to accurately group these somewhat disparate domains together, additional DNS context is required.<\/p>\n

We were originally going to publish Revolver Rabbit as an unknown, very active RDGA actor, but found over forty XLoader samples1, 2<\/sup> containing the domains shortly before our original publication. According to reputable malware sandbox sources, those samples used Revolver Rabbit domains both as decoy domains and live C2s. Following the release of our research, we were able to verify the identity of Revolver Rabbit as an advertising network. We have learnt from them that when a domain is no longer needed for the advertising campaign, it is dropped. Neither we nor they can confirm whether the domains observed in the malware samples were subsequently used by bad actors. We were able to confirm that in multiple samples, the domain listed as a C2 was no longer actively used in the advertising network at the time of analysis.<\/p>\n

Unknown RDGAs Are on the Rise<\/h3>\n

For every RDGA like VexTrio Viper<\/a> that we’ve extensively researched and published on, we’ve detected thousands of other RDGAs whose purposes remain largely unknown. Given the wide array of malicious activity we’ve observed from the RDGAs we know, the sheer quantity of unknown RDGAs is a matter of significant interest and concern. The patterns and DNS signatures that tie RDGA domains together can only be identified by large-scale analysis, so unknown RDGA domains are able to function largely unimpeded on networks that aren’t protected by advanced DNS analytics like ours. <\/p>\n

In the six-month period from October 17, 2023 to April 17, 2024, our RDGA detectors identified over 2M unique RDGA domains, or an average of over 11k new RDGA domains per day (see Figure 3<\/strong>). <\/p>\n\n\n\n\n
\n\"\"\n<\/td>\n<\/tr>\n
Figure 3. Daily RDGA domain detection counts from October 17, 2023 to April 17, 2024 <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Our detectors initially clustered these domains into roughly 117k unique actor groups, which we later reduced to roughly 52k actor groups using a combination of automated refinements and manual analysis (see Figure 4<\/strong>). <\/p>\n\n\n\n\n
\n\"\"\n<\/td>\n<\/tr>\n
Figure 4. Daily RDGA actor cluster counts from October 17, 2023 to April 17, 2024 <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

The key takeaway from these statistics is that there are so many RDGA domains being registered that the security industry will never be able to research them all.<\/strong> It can take months for human researchers to understand a threat to the point that they can publish on it, but it only takes a day for RDGA actors to register tens of thousands of new domains for researchers to investigate.<\/strong> This is why automated detection is the only viable defense against RDGA threats.<\/strong> <\/p>\n

Learn more about RDGAs in our full research report here<\/a>.<\/p>\n

Conclusion<\/h3>\n

RDGA domains are associated with a panoply of dubious activities that most organizations don’t want on their networks.<\/strong> But despite being used to register millions of new domains, RDGAs have gone almost entirely unrecognized by the security industry. This lack of reporting is likely due to the fact that RDGA detection requires both significant DNS expertise and access to large volumes of DNS data. Organizations should be aware of the threat that RDGAs pose to their networks, and should implement security solutions that include automated RDGA detection. <\/strong><\/p>\n

Indicators of Activity<\/h3>\n

Below is a sample of indicators used by the RDGA threat actors we mentioned in this blog. Indicators are also available in our GitHub repository\u202fhere<\/a>.<\/p>\n\n\n\n\n\n\n\n\n\n\n
Indicator<\/th>\nType of Indicator <\/th>\n<\/tr>\n<\/thead>\n
6rnd9mitqt1rz82[.]top
\n 7r7suw52ls00i20[.]top 9w9ohb5vky5p3dz[.]top
\n bjbntaxmh09r09e[.]top
\n qcj4pirltkpqrcu[.]top<\/td>\n		SocGholish\/TA569 affiliate traditional DGA domains<\/td>\n<\/tr>\n
h87e1mbm0u5f85[.]xyz
\n n8j1nau3os4otr[.]xyz
\n xnnxr1jquyupjc[.]xyz
\n xqajkr8fbrdryp0[.]xyz
\n xryqcgcb2upb28k[.]xyz <\/td>\n		Weight loss pill scam RDGA domains <\/td>\n<\/tr>\n
arriveplanetsnow[.]buzz
\n coatthinkverb[.]buzz
\n debtgenepub[.]live
\n poemtrainsurprise[.]top
\n quarterneighbourforward[.]xyz<\/td>\n		VexTrio Viper RDGA domains<\/td>\n<\/tr>\n
castrocountyjail[.]org
\n killeencityjail[.]org
\n lasalleparishjail[.]org
\n miamidadecountyjail[.]org
\n northcentralregionaljail[.]org<\/td>\n		Regional jail RDGA domains<\/td>\n<\/tr>\n
arenadiploma[.]com
\n area-diploman24[.]com
\n area-diplomans24[.]com
\n area-diploms24[.]com
\n area-diplomy24[.]com
\n areas-diplom[.]com
\n areas-diplom24[.]com
\n areas-diplomy24[.]com
\n arena-diplomsy24[.]com
\n arena-diplomy24[.]com <\/td>\n		Russian diploma scam RDGA domains <\/td>\n<\/tr>\n
chopprousite[.]ru
\n patiennerrhe[.]com
\n thougolograrly[.]ru
\n dintretonid[.]com
\n dintretrewor[.]com
\n dintrolletone[.]com
\n dintromparsup[.]com
\n direnrolpar[.]ru
\n hadhecrecled[.]com
\n hadrecrolof[.]ru
\n hadsparmirat[.]com
\n hanparolhar[.]com
\n rofromandfor[.]ru
\n rowrorofrat[.]com <\/td>\n		Hancitor C2 RDGA domains<\/td>\n<\/tr>\n

\n <\/tbody>\n<\/table>\n

Footnotes<\/h3>\n
    \n
  1. https:\/\/www.joesandbox.com\/analysis\/1466892\/0\/html<\/a><\/li>\n
  2. https:\/\/www.virustotal.com\/gui\/file\/7738ec817c97182e16e409767c55c87460d83d37b0442eb337bc2507763d4486\/relations<\/a><\/li>\n<\/ol>\n