{"id":8937,"date":"2023-10-05T06:00:34","date_gmt":"2023-10-05T13:00:34","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=8937"},"modified":"2024-04-26T13:29:58","modified_gmt":"2024-04-26T20:29:58","slug":"rdgas-the-new-face-of-dgas","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/rdgas-the-new-face-of-dgas\/","title":{"rendered":"RDGAs: The New Face of DGAs"},"content":{"rendered":"<h3>Author: Darby Wise<\/h3>\n<p>Following our publication introducing the concept of DNS threat actors, we will be taking a closer look at a few types of actors we have been researching and how they are using DNS to orchestrate complex campaigns. These threat actors are increasingly leveraging domain generation algorithms to create, register, and then actively use a large set of domains over time; a method that uses what we call a <strong>registered domain generation algorithm<\/strong>, or <strong>RDGA<\/strong>. Similar to a traditional DGA, RDGAs generate large numbers of domains used by threat actors for command and control (C2) operations in campaigns and other malicious activities. However, RDGAs involve several updates to the standard tactics, techniques, and procedures (TTPs) of DGAs that can enhance an actor\u2019s capabilities.<\/p>\n<p>Since 2015, Infoblox has provided DNS detection and response of domain generation algorithms (DGAs): a common tool employed by DNS threat actors to distribute malware, adware, phishing campaigns, and other illegal content. We have developed our own dedicated algorithms for detecting this specific type of behavior. Not only do our algorithms allow us to proactively block these domains and protect our customers, they enable us to engage in long-term tracking of large-scale DGA networks. From this, we have observed a significant change in behavior regarding the way some actors have been using DGAs: a shift toward registered DGAs.<\/p>\n<h3>DGA vs. 
RDGA: What\u2019s New?<\/h3>\n<p>Before diving into RDGAs, it\u2019s important to understand how a traditional DGA works. DGAs are algorithms that typically reside within the malware distributed by threat actors. These algorithms are programmed to generate any number of pseudorandom domain names, and the malware cycles through them to find one that enables it to communicate with the attacker\u2019s C2. This allows the attacker to evade detection and blocking mechanisms by offering alternative domains that can quickly replace any that may be deemed malicious or blocklisted. Before the invention of DGAs, IP addresses or domain names were hardcoded into the malware and were quickly thwarted once the malware was discovered.<\/p>\n<p>The main difference between this traditional use of a DGA and an RDGA is right there in the name: they\u2019re registered. With a standard DGA, the algorithm is incorporated in the malware itself and only a small percentage of the domains created by the algorithm are actually registered. This means that most of the DNS queries made by the infected device will result in an NXDOMAIN (non-existent domain) error message as a response.<\/p>\n<p>The report on Bumblebee Loader published by Intel471<sup>1<\/sup> offers a recent example of a threat actor using a traditional DGA. After having gone on a short hiatus, the actors behind Bumblebee updated the malware\u2019s capabilities to, among other things, use a DGA for C2 communications. Previously relying on a hardcoded list of C2 domains, this malware now iterates through a list of 100 domains generated by the algorithm until it receives a successful response, indicating only some of the domains were registered. 
We have provided some of these domains below in Table 1.<\/p>\n<table>\n<tbody>\n<tr>\n<td>keoauupcj2n[.]life<\/td>\n<td>kfjgd8tquo8[.]life<\/td>\n<\/tr>\n<tr>\n<td>km87l2nqldk[.]life<\/td>\n<td>knof8y1kufn[.]life<\/td>\n<\/tr>\n<tr>\n<td>jfcrw26vapn[.]life<\/td>\n<td>jdjme813v37[.]life<\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\">Table 1. A sample of domains from a DNS threat actor using a traditional DGA to deliver Bumblebee malware<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>An RDGA, on the other hand, is used by the actor<sup>2<\/sup> to create domains that will all be registered. We have observed different types of behavior following registration, where threat actors will either use the domains in campaigns right away, or they will strategically age them over a period of time in an attempt to build credibility.<\/p>\n<p>With one of our algorithms for detecting RDGAs, we observed a DNS threat actor using this strategy of aging registered domains to deliver different types of malware, including one security vendors detected as Sparkle, a variety of malware associated with a Chinese advanced persistent threat (APT) actor. The actor aged these domains for about three months before using them as part of a campaign in June 2023. 
A sample of these domains can be found in the table below, along with other examples of RDGA domains from various DNS threat actors.<\/p>\n<table>\n<tbody>\n<tr>\n<td>333cc777cc[.]com<br \/>\n5336767ccc[.]com<br \/>\na558877aa[.]com<br \/>\ndd12345bb[.]com<br \/>\nggggg13677[.]com<br \/>\njj778899jj[.]com<\/td>\n<td>Domains used by Chinese APT actor delivering Sparkle payload<\/td>\n<\/tr>\n<tr>\n<td>steamcomminlty[.]ru<br \/>\nsteamcommunitity[.]ru<br \/>\nsleamconnmunity[.]ru<br \/>\nstaemcammunlty[.]ru<\/td>\n<td>Domains generated to impersonate Steam\u2019s Community website (steamcommunity[.]com)<\/td>\n<\/tr>\n<tr>\n<td>bjibnpgku[.]com<br \/>\nenycayeobyiktuo[.]com<br \/>\njgleqolq[.]xyz<br \/>\nnbykjinswdtbrrb[.]com<br \/>\nomklefkior[.]com<\/td>\n<td>Domains from an RDGA cluster that use layers of redirection to obfuscate malware delivery<\/td>\n<\/tr>\n<tr>\n<td>herearmyelse[.]live<br \/>\naimkeensuch[.]live<br \/>\nwigstopbiz[.]live<br \/>\npettestpage[.]live<br \/>\ndutysitkeep[.]live<\/td>\n<td>Registered domains generated by a dictionary DGA (DDGA) associated with VexTrio<\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\">Table 2. A sample of domains from multiple DNS threat actors using RDGAs<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Because the domains created by an RDGA will result in far fewer NXDOMAIN responses, it can be more difficult for the security community to detect and block them, thus enabling the threat actor to create a more sophisticated attack while flying under the radar. Traditional DGAs, like the one recently added to Bumblebee, are often captured by the security community because reverse engineers are able to recreate the underlying algorithm; in an RDGA, the algorithm remains private to the DNS threat actor. 
We have updated our algorithms to track this kind of behavior along with traditional DGAs to ensure our customers are protected.<\/p>\n<p>An RDGA is just one of many tools used by DNS threat actors as they conduct their nefarious operations. While we still observe some traditional DGAs, they are not as common as they were 5-7 years ago. We have seen a continual increase in the use of RDGAs over the past few years with some DNS threat actors maintaining over 80k domains at a time. Every day, we add thousands of new RDGA domains to our block lists from known DNS threat actors and others emerging into view. RDGAs are indeed the new face of DGAs. In the coming months, we will release publications on more of these actors, diving deep into the differences between them, as well as highlighting common trends and the TTPs we\u2019re observing.<\/p>\n<h3 style=\"font-size:18px;\">Endnotes<\/h3>\n<ol style=\"font-size:14px;\">\n<li><strong><a href=\"https:\/\/intel471.com\/blog\/bumblebee-loader-resurfaces-in-new-campaign\" target=\"_blank\" rel=\"noopener\">https:\/\/intel471.com\/blog\/bumblebee-loader-resurfaces-in-new-campaign<\/a><\/strong><\/li>\n<li><strong><a href=\"https:\/\/blogs.infoblox.com\/cyber-threat-intelligence\/suspicious-dga-domains-discovered-in-dns-turn-up-in-malware-campaigns\/\" target=\"_blank\" rel=\"noopener\">https:\/\/blogs.infoblox.com\/cyber-threat-intelligence\/suspicious-dga-domains-discovered-in-dns-turn-up-in-malware-campaigns\/<\/a><\/strong><\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>Author: Darby Wise &nbsp; Following our publication introducing the concept of DNS threat actors, we will be taking a closer look at a few types of actors we have been researching and how they are using DNS to orchestrate complex campaigns. 
These threat actors are increasingly leveraging domain generation algorithms to create, register, and then [&hellip;]<\/p>\n","protected":false},"author":397,"featured_media":9929,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[254],"tags":[505,228,30,896,893,894,895,914,774,32,361,740,913,40],"class_list":{"0":"post-8937","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threat-intelligence","8":"tag-adware","9":"tag-bloxone-threat-defense","10":"tag-dns","11":"tag-dns-detection-response","12":"tag-domain-name-system","13":"tag-indicators","14":"tag-information-security","15":"tag-malicious-actor","16":"tag-malvertising","17":"tag-malware","18":"tag-network-security","19":"tag-protective-dns","20":"tag-threat-actor","21":"tag-threat-intelligence","22":"entry"},"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.3 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>RDGAs: The New Face of Domain Generation Algorithms | Infoblox<\/title>\n<meta name=\"description\" content=\"Think you know what DGA means? Think Again. 
RDGAs are used to register tens of thousands of domains by DNS threat actors every day.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/rdgas-the-new-face-of-dgas\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"RDGAs: The New Face of Domain Generation Algorithms | Infoblox\" \/>\n<meta property=\"og:description\" content=\"Think you know what DGA means? Think Again. RDGAs are used to register tens of thousands of domains by DNS threat actors every day.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/rdgas-the-new-face-of-dgas\/\" \/>\n<meta property=\"og:site_name\" content=\"Infoblox Blog\" \/>\n<meta property=\"article:published_time\" content=\"2023-10-05T13:00:34+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-04-26T20:29:58+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.infoblox.com\/blog\/wp-content\/uploads\/rdgas-the-new-face-of-dgas-thumbnail.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"612\" \/>\n\t<meta property=\"og:image:height\" content=\"405\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Infoblox Threat Intel\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:title\" content=\"RDGAs: The New Face of Domain Generation Algorithms | Infoblox\" \/>\n<meta name=\"twitter:description\" content=\"Think you know what DGA means? Think Again. 
RDGAs are used to register tens of thousands of domains by DNS threat actors every day.\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Infoblox Threat Intel\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/rdgas-the-new-face-of-dgas\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/rdgas-the-new-face-of-dgas\\\/\"},\"author\":{\"name\":\"Infoblox Threat Intel\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/b6aed8965e3298a0817c16d32c0a67ae\"},\"headline\":\"RDGAs: The New Face of DGAs\",\"datePublished\":\"2023-10-05T13:00:34+00:00\",\"dateModified\":\"2024-04-26T20:29:58+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/rdgas-the-new-face-of-dgas\\\/\"},\"wordCount\":1039,\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/rdgas-the-new-face-of-dgas\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/rdgas-the-new-face-of-dgas-thumbnail.jpg\",\"keywords\":[\"adware\",\"BloxOne\u00ae Threat Defense\",\"DNS\",\"DNS Detection &amp; Response\",\"Domain Name System\",\"indicators\",\"information security\",\"malicious actor\",\"malvertising\",\"Malware\",\"Network Security\",\"Protective DNS\",\"threat actor\",\"Threat Intelligence\"],\"articleSection\":[\"Infoblox Threat 
Intel\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/rdgas-the-new-face-of-dgas\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/rdgas-the-new-face-of-dgas\\\/\",\"name\":\"RDGAs: The New Face of Domain Generation Algorithms | Infoblox\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/rdgas-the-new-face-of-dgas\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/rdgas-the-new-face-of-dgas\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/rdgas-the-new-face-of-dgas-thumbnail.jpg\",\"datePublished\":\"2023-10-05T13:00:34+00:00\",\"dateModified\":\"2024-04-26T20:29:58+00:00\",\"description\":\"Think you know what DGA means? Think Again. RDGAs are used to register tens of thousands of domains by DNS threat actors every 
day.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/rdgas-the-new-face-of-dgas\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/rdgas-the-new-face-of-dgas\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/rdgas-the-new-face-of-dgas\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/rdgas-the-new-face-of-dgas-thumbnail.jpg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/rdgas-the-new-face-of-dgas-thumbnail.jpg\",\"width\":612,\"height\":405},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/threat-intelligence\\\/rdgas-the-new-face-of-dgas\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Infoblox Threat Intel\",\"item\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/category\\\/threat-intelligence\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"RDGAs: The New Face of 
DGAs\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"name\":\"infoblox.com\\\/blog\\\/\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#organization\",\"name\":\"Infoblox\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"contentUrl\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/wp-content\\\/uploads\\\/infoblox-logo-2.svg\",\"width\":137,\"height\":30,\"caption\":\"Infoblox\"},\"image\":{\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/#\\\/schema\\\/person\\\/b6aed8965e3298a0817c16d32c0a67ae\",\"name\":\"Infoblox Threat Intel\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_397_1714162589-96x96.png\",\"url\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_397_1714162589-96x96.png\",\"contentUrl\":\"https:\\\/\\\/blogs.infoblox.com\\\/wp-content\\\/uploads\\\/avatar_user_397_1714162589-96x96.png\",\"caption\":\"Infoblox Threat Intel\"},\"description\":\"Infoblox Threat Intel is the leading creator of original DNS threat 
intelligence, distinguishing itself in a sea of aggregators. What sets us apart? Two things: mad DNS skills and unparalleled visibility. DNS is notoriously tricky to interpret and hunt from, but our deep understanding and unique access to the internet's inner workings allow us to track down threat actors that others can't see. We're proactive, not just defensive, using our insights to disrupt cybercrime where it begins. We also believe in sharing knowledge to support the broader security community by publishing detailed research and releasing indicators on GitHub. In addition, our intel is seamlessly integrated into our Infoblox Protective DNS solutions, so customers automatically get its benefits, along with ridiculously low false positive rates.\",\"url\":\"https:\\\/\\\/www.infoblox.com\\\/blog\\\/author\\\/infoblox-threat-intel\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","_links":{"self":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/8937","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/users\/397"}],"replies":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/comments?post=8937"}],"version-history":[{"count":4,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/8937\/revisions"}],"predecessor-version":[{"id":9172,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/posts\/8937\/revisions\/9172"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media\/9929"}],"wp:attachment":[{"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/media?parent=8937"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/categories?post=8937"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.infoblox.com\/blog\/wp-json\/wp\/v2\/tags?post=8937"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}