{"id":8913,"date":"2023-09-26T07:00:54","date_gmt":"2023-09-26T14:00:54","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=8913"},"modified":"2024-04-26T13:31:31","modified_gmt":"2024-04-26T20:31:31","slug":"introducing-dns-threat-actors","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/introducing-dns-threat-actors\/","title":{"rendered":"Introducing DNS Threat Actors"},"content":{"rendered":"<p>Everyone loves a good whodunit. As the story of the recent attacks on MGM International and Caesars Entertainment unfolded, major news outlets competed to attribute an attacker to the ransomware that shut down a large portion of MGM operations. In the end, it looks like a threat actor called Scattered Spider leveraged the services of another threat actor called ALPHV, or BlackCat, to steal sensitive data and compel the company to disconnect networks from the internet.<sup>1<\/sup> The term actor is used to neutrally describe an entity which might be an individual, a company, a group, or a nation state. The security industry is rich with names for malicious actors and every organization in the field typically has their own naming conventions, which leads to multiple names like BlackCat and ALPHV for the same actor. Regardless of the naming convention, the names that are regularly reported are almost always associated with malware. In other words, the way in which malicious activity is attributed to an actor is deeply connected to what malware they use, how and where they deploy it, and the capabilities of the malware. 
When various malware or hacking campaigns can be tied back to an identity, it helps fulfill a natural desire to understand the motivations behind attacks \u2013 and it puts a name to the culprit.<\/p>\n<p><img decoding=\"async\" src=\"\/wp-content\/uploads\/infoblox-threat-intelligence-threat-actors-v2.png\" \/><\/p>\n<p>At Infoblox, we also track malicious actors, but we have found that the actors we track rarely align with those reported by others in the industry. Since the vast majority of players in the security field, whether commercial, government agencies, or non-profit organizations, are focused on investigating malware, the reporting on the topic and its related actors is extensive. On the other hand, while over 90% of all malware leverages the domain name system (DNS) according to the National Security Agency (NSA), there are very few companies that specialize in DNS and even fewer that report research derived from DNS.<sup>2<\/sup> As a result, the actors who control the DNS infrastructure used in these attacks are rarely distinguished from the malware, when in reality they are often distinct.<\/p>\n<p>Just as Scattered Spider used ransomware specialist BlackCat to attack MGM, there are threat actors that provide DNS infrastructure, meaning domain names and hosting, to malware actors. The relationships between these domains and IP addresses may be difficult to recognize, and the infrastructure may be entirely separate from any specific malware. We specialize in tracking these relationships and term the actors who control DNS infrastructure for nefarious purposes <strong>DNS threat actors<\/strong>.<\/p>\n<p>While they have been around for decades, DNS threat actors are generally unrecognized in the security community. 
We find that these actors are often able to maintain a malicious infrastructure for years with little notice from security vendors; the domain names they control may even be considered \u201creputable\u201d in major open source reputation checkers. As an example, in July 2022, we published on VexTrio, a DNS threat actor that uses a dictionary domain generation algorithm (DDGA) to continually grow its network. At the time of that first publication, VexTrio had been operating for over two years to deliver different types of malware, adware, and scams. Since then, others have reported on the malware distributed by VexTrio, but without making the connection to VexTrio itself.<sup>3<\/sup> Because we are monitoring the VexTrio network from a DNS perspective, our customers are protected, independent of the malware. VexTrio domain names continue to be unrecognized by most security vendors because their focus is not DNS, but rather malware or phishing. Others capture the landing page, or the malware, but not the delivery itself. As of this writing, Infoblox has detected nearly 60,000 domain names controlled by VexTrio. Since our publication in 2022, some vendors have begun detecting VexTrio domains, e.g., trueworeover[.]live, as \u201cgreyware\u201d, but do not recognize the malicious nature of their activities.<\/p>\n<p>To shed light on these operations being executed in the shadows, we are introducing the concept of DNS threat actors and plan to publish reports on some of the actors we track. Monitoring DNS threat actors allows us to identify related infrastructure and detect new domains and IP addresses as they emerge. The use of a DNS detection and response (DNS-DR) system, like BloxOne Threat Defense, then allows us to block the distribution of malware, phishing, scams, and illegal content before they even reach the end user. 
We are also developing more ways for our customers to interact with our DNS threat actor data to find forensic insights related to their own network.<\/p>\n<p>Associating a type of malware or a campaign with a malware threat actor can sometimes be straightforward, but often requires sophisticated analysis. The same is true of DNS threat actors. In some cases, the DNS actor might use dedicated nameservers which persist over time, but more often, determining whether a domain name or IP address is controlled by an actor can be a complex process. For example, one way we were able to distinguish domains controlled by different actors using the Decoy Dog malware kit was to use DNS logs to statistically identify the sleep time they had configured for compromised devices. In another recent example, attacks using iMessage texts that contained fake package delivery notifications from the U.S. Postal Service were attributed to a Chinese actor and associated with a specific domain registrar and hosting service provider in open source reporting. From our DNS perspective, however, we had detected those lookalike phishing domains as part of a larger set of activities using additional registrars and hosting providers. As the originally reported activity was thwarted, we were able to observe the actor sending iMessage spam that contained other domains we had flagged. In this case, a combination of timing and domain name properties had led to our decision to group the domains together prior to the public reporting.<\/p>\n<p>Also, similar to the malware criminal underground, many of the DNS threat actors we track are unnamed. We begin with sets of related domains and IP addresses, and over time we build these into more sophisticated DNS threat actor profiles to be monitored and named. Our focus for long-term tracking is on actors who have persisted over a year, although there are some actors we track who have been active for shorter times. 
In some cases, we can determine the types of malicious activity the actor\u2019s network is supporting. We maintain knowledge of over 30k sets of related indicators today.<\/p>\n<p>While we are announcing DNS threat actors as a category today, tracking them is nothing new for us. We have had DNS signatures in place since 2018 to monitor the evolution of certain actors\u2019 infrastructure. Early algorithms detected newly registered domains used by the actors behind the Magnitude exploit kit and Hancitor malware, as well as specific DNS actors responsible for Slow Drip distributed denial of service (DDoS) attacks. Because we were able to predict the use of these domains, we confidently blocked their resolution at the DNS recursive resolver, protecting our customers before the actors could leverage them in their campaigns.<\/p>\n<p>We have published on several DNS threat actors, none of which aligns directly with known malware actors, and all of which have persisted in their activities for over a year. While each of these actors has been confirmed to deliver malware, DNS threat actors play a number of different roles in the online crime economy and use a wide range of techniques to accomplish their goals.<\/p>\n<ul>\n<li>VexTrio is a persistent actor that leverages a dictionary domain generation algorithm (DDGA). We call them the \u201cSwiss Army knife\u201d of DNS actors because they are known to deliver multiple kinds of malware, scams, ads, and even spearphishing attacks. They have been around for more than three years and continually grow their network. VexTrio is known to hack vulnerable WordPress sites and has been observed in over 50% of all networks. 
You can read about them in our original report <strong><a href=\"\/cyber-threat-intelligence\/cyber-threat-advisory\/vextrio-ddga-domains-spread-adware-spyware-and-scam-web-forms\/\">here<\/a><\/strong> and an update <strong><a href=\"\/cyber-threat-intelligence\/cyber-threat-advisory\/vextrio-deploys-dns-based-tds-server\/\">here<\/a><\/strong>.<\/li>\n<li>Omnatuor is similar to VexTrio, but does not use a DDGA to create domains. Its domains will be categorized in web search results as greyware, nuisance-ware, or adware but, just like VexTrio, Omnatuor delivers malware to select targets. Omnatuor has over 14k associated domains and a reach similar to VexTrio. You can read our report on them <strong><a href=\"\/cyber-threat-intelligence\/cyber-threat-advisory\/vast-malvertising-network-hijacks-browser-settings-to-spread-riskware\/\">here<\/a><\/strong>.<\/li>\n<li>WordyThief was a prolific spam actor that distributed Russian-developed Predator the Thief and Taurus Stealer malware.<sup>4<\/sup> We published a paper on WordyThief at eCrimeX, an annual research conference sponsored by the Anti-Phishing Working Group (APWG). WordyThief was active for over a year, but is now dormant or has changed its tactics, techniques, and procedures (TTPs). You can read about them <strong><a href=\"https:\/\/docs.apwg.org\/ecrimeresearch\/2020\/56_Wordythief-AMaliciousSpammer_20201028.pdf\" target=\"_blank\" rel=\"noopener\">here<\/a><\/strong>.<\/li>\n<li>WhiteSawShark is a malicious spam actor discovered in 2020 that is still active today. They deliver different types of information stealers that are widely available, but use a custom downloader. We reported on both the malicious spam infrastructure and the downloader they were using at the time in 2021. 
You can read that report <strong><a href=\"\/cyber-threat-intelligence\/infoblox-identifies-new-threat-actor-whitesawshark-and-new-malware-hadloader\/\">here<\/a><\/strong>.<\/li>\n<\/ul>\n<p>Soon we will begin sharing details of select other DNS threat actors. Their portfolios will demonstrate the breadth of DNS threat actor TTPs and highlight their ability to operate with impunity. They will also show how DNS provides a unique lens on the complex economy that fuels malicious actors, from scamming vulnerable populations out of their paychecks to stealing state secrets. Both individuals and enterprises will likely be surprised by the number of suspicious and malicious domain resolution queries made within their network that pass through other security products unnoticed. One of the common tactics used by DNS threat actors is the registration of large numbers of domain names that they created using a domain generation algorithm, a method we\u2019re referring to as RDGA, or registered DGA. In our next blog, we\u2019ll talk a little bit more about RDGAs and how they are used.<\/p>\n<h3 style=\"font-size:18px;\">Endnotes<\/h3>\n<ol style=\"font-size:14px;\">\n<li><strong><a href=\"https:\/\/www.vox.com\/technology\/2023\/9\/15\/23875113\/mgm-hack-casino-vishing-cybersecurity-ransomware\" target=\"_blank\" rel=\"noopener\">https:\/\/www.vox.com\/technology\/2023\/9\/15\/23875113\/mgm-hack-casino-vishing-cybersecurity-ransomware<\/a><\/strong><\/li>\n<li><strong><a href=\"https:\/\/www.nextgov.com\/cybersecurity\/2020\/06\/nsa-piloting-secure-domain-name-system-service-defense-contractors\/166248\/\" target=\"_blank\" rel=\"noopener\">https:\/\/www.nextgov.com\/cybersecurity\/2020\/06\/nsa-piloting-secure-domain-name-system-service-defense-contractors\/166248\/<\/a><\/strong><\/li>\n<li><strong><a href=\"https:\/\/www.nozominetworks.com\/blog\/tracking-malicious-glupteba-activity-through-the-blockchain\" target=\"_blank\" 
rel=\"noopener\">https:\/\/www.nozominetworks.com\/blog\/tracking-malicious-glupteba-activity-through-the-blockchain<\/a><\/strong><\/li>\n<li><strong><a href=\"https:\/\/outpost24.com\/blog\/an-in-depth-analysis-of-the-new-taurus-stealer\/\" target=\"_blank\" rel=\"noopener\">https:\/\/outpost24.com\/blog\/an-in-depth-analysis-of-the-new-taurus-stealer\/<\/a><\/strong><\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Everyone loves a good whodunit. As the story of the recent attacks on MGM International and Caesars Entertainment unfolded, major news outlets competed to attribute an attacker to the ransomware that shut down a large portion of MGM operations. In the end, it looks like a threat actor called Scattered Spider leveraged the services of [&hellip;]<\/p>\n","protected":false},"author":338,"featured_media":9924,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[254],"tags":[893,30,740,32,894,895,774,505,896,913,914,40,361,892,286,915,228],"class_list":{"0":"post-8913","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threat-intelligence","8":"tag-domain-name-system","9":"tag-dns","10":"tag-protective-dns","11":"tag-malware","12":"tag-indicators","13":"tag-information-security","14":"tag-malvertising","15":"tag-adware","16":"tag-dns-detection-response","17":"tag-threat-actor","18":"tag-malicious-actor","19":"tag-threat-intelligence","20":"tag-network-security","21":"tag-domain-generation-algorithm","22":"tag-dga","23":"tag-rdga","24":"tag-bloxone-threat-defense","25":"entry"},"acf":[],"yoast_head":"<!-- This site is optimized with the 
Yoast SEO Premium plugin v27.3 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Introducing DNS Threat Actors | Infoblox<\/title>\n<meta name=\"description\" content=\"Explore the world of DNS threat actors and discover how they operate in the shadows, controlling the infrastructure behind cyber threats. Learn how only DNS can protect your network before an attack.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/introducing-dns-threat-actors\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Introducing DNS Threat Actors | Infoblox\" \/>\n<meta property=\"og:description\" content=\"Explore the world of DNS threat actors and discover how they operate in the shadows, controlling the infrastructure behind cyber threats. 
Learn how only DNS can protect your network before an attack.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/introducing-dns-threat-actors\/\" \/>\n<meta property=\"og:site_name\" content=\"Infoblox Blog\" \/>\n<meta property=\"article:published_time\" content=\"2023-09-26T14:00:54+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-04-26T20:31:31+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/introducing-dns-threat-actors-thumbnail.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"612\" \/>\n\t<meta property=\"og:image:height\" content=\"405\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Ren\u00e9e Burton\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"Introducing DNS Threat Actors | Infoblox\" \/>\n<meta name=\"twitter:description\" content=\"Explore the world of DNS threat actors and discover how they operate in the shadows, controlling the infrastructure behind cyber threats. Learn how only DNS can protect your network before an attack.\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Ren\u00e9e Burton\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/introducing-dns-threat-actors\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/introducing-dns-threat-actors\\\/\"},\"author\":{\"name\":\"Ren\u00e9e Burton\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/d18b8543afa21fac6c03151b6f31f981\"},\"headline\":\"Introducing DNS Threat Actors\",\"datePublished\":\"2023-09-26T14:00:54+00:00\",\"dateModified\":\"2024-04-26T20:31:31+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/introducing-dns-threat-actors\\\/\"},\"wordCount\":1662,\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/introducing-dns-threat-actors\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/introducing-dns-threat-actors-thumbnail.jpg\",\"keywords\":[\"Domain Name System\",\"DNS\",\"Protective DNS\",\"Malware\",\"indicators\",\"information security\",\"malvertising\",\"adware\",\"DNS Detection &amp; Response\",\"threat actor\",\"malicious actor\",\"Threat Intelligence\",\"Network Security\",\"Domain Generation Algorithm\",\"DGA\",\"RDGA\",\"BloxOne\u00ae Threat Defense\"],\"articleSection\":[\"Infoblox Threat Intel\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/introducing-dns-threat-actors\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/introducing-dns-threat-actors\\\/\",\"name\":\"Introducing DNS Threat Actors | 
Infoblox\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/introducing-dns-threat-actors\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/introducing-dns-threat-actors\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/introducing-dns-threat-actors-thumbnail.jpg\",\"datePublished\":\"2023-09-26T14:00:54+00:00\",\"dateModified\":\"2024-04-26T20:31:31+00:00\",\"description\":\"Explore the world of DNS threat actors and discover how they operate in the shadows, controlling the infrastructure behind cyber threats. Learn how only DNS can protect your network before an attack.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/introducing-dns-threat-actors\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/introducing-dns-threat-actors\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/introducing-dns-threat-actors\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/introducing-dns-threat-actors-thumbnail.jpg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/introducing-dns-threat-actors-thumbnail.jpg\",\"width\":612,\"height\":405},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/introducing-dns-threat-actors\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Infoblox Threat 
Intel\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/category\\\/threat-intelligence\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Introducing DNS Threat Actors\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"name\":\"infoblox.com\\\/blog\\\/\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\",\"name\":\"Infoblox\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"width\":137,\"height\":30,\"caption\":\"Infoblox\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/d18b8543afa21fac6c03151b6f31f981\",\"name\":\"Ren\u00e9e 
Burton\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_338_1592324402-96x96.jpg\",\"url\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_338_1592324402-96x96.jpg\",\"contentUrl\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_338_1592324402-96x96.jpg\",\"caption\":\"Ren\u00e9e Burton\"},\"description\":\"Dr. Burton is the Vice President of Threat Intel for Infoblox. She is a subject matter expert in DNS-based threats and leads the algorithm development and research in DNS intelligence.\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/author\\\/renee-burton\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->"}