{"id":4506,"date":"2024-07-17T11:53:39","date_gmt":"2024-07-17T16:53:39","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=10346"},"modified":"2024-07-17T11:53:39","modified_gmt":"2024-07-17T16:53:39","slug":"rdgas-the-next-chapter-in-domain-generation-algorithms","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/07\/17\/rdgas-the-next-chapter-in-domain-generation-algorithms\/","title":{"rendered":"RDGAs: The Next Chapter in Domain Generation Algorithms"},"content":{"rendered":"

Author: James Barnett<\/strong><\/h3>\n

This trailblazing report explores a burgeoning technique that threat actors are using to covertly transform the DNS threat landscape with millions of new domains. You\u2019ll learn how traditional malware-based domain generation algorithms (DGAs) have evolved into registered DGAs (RDGAs) that can be used for malware, phishing, spam, scams, gambling, traffic distribution systems (TDS), virtual private networks (VPNs), and more. We\u2019ll unveil a new RDGA threat actor named Revolver Rabbit who\u2019s associated with XLoader malware. We\u2019ll also reveal how the notorious Hancitor malware used an RDGA to generate its C2 domains for years while most of the security industry remained oblivious to their methods. This blog discusses some of the highlights from our full research paper, which is available here<\/a>.<\/p>\n

For nearly two decades, threat actors have used domain generation algorithms (DGAs) to distribute malware. In recent years, threat actors have been employing a technique we call registered domain generation algorithms (RDGAs), in which the actor uses an algorithm to register many domain names at one time. RDGAs are considerably harder to detect and defend against than traditional DGAs, and despite their prevalence on the internet, they have been woefully underreported by the security community. We originally described RDGAs in October 2023 and have published on the topic multiple times since then.<\/p>\n

What Exactly Are RDGAs?<\/h3>\n

RDGAs are a programmatic mechanism that allows threat actors to create many domain names at once, or over time, to register for use in their criminal infrastructure. These differ significantly from the traditional domain generation algorithms (DGAs) that have long been associated with malware. In an RDGA, the algorithm is a secret kept by the threat actor, and they register all the domain names. In a traditional DGA, the malware contains an algorithm that can be discovered and most of the domain names will not be registered.<\/p>\n\n\n\n\n
\n <\/td>\n<\/tr>\n
Figure 1. Illustration of the difference in domain registration behaviors of traditional DGAs and registered DGAs.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

While traditional DGAs are used exclusively for connection to a malware controller, RDGAs can be used for a wide range of purposes including malware, phishing, spam, scams, gambling, traffic distribution systems (TDS), virtual private networks (VPNs), or essentially any activity that benefits from having large numbers of domain names. We\u2019ll cover a couple interesting cases of RDGA usage for this blog, but there are far more examples in our full research paper.<\/p>\n

Threat actors, criminal enterprises, and legitimate businesses all use RDGAs.<\/strong> Registrars like Namecheap even offer tools to generate variants of a chosen domain name, and these tools can be leveraged by anyone \u2014 legitimate customers or threat actors. <\/p>\n\n\n\n\n
\n <\/td>\n<\/tr>\n
Figure 2. Namecheap\u2019s \u201cBeast Mode\u201d is a fully-featured graphical RDGA builder available to all customers<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Why Call It RDGA?<\/h3>\n

We coined this phrase and acronym because the term \u201cDGA\u201d has become broadly overused<\/strong> in the years since the concept was introduced, effectively serving as an umbrella term for any domain that is (or appears to be) algorithmically generated. In the same way that the concept of dictionary DGAs (DDGAs) was introduced to distinguish algorithms that generate domains using real words rather than random characters, we\u2019re using the concept of RDGAs to distinguish algorithms that threat actors use to privately register large numbers of domains from algorithms embedded in publicly-available malware<\/strong> to make their C2 communications more difficult to disrupt. <\/p>\n

What Do RDGAs Look Like?<\/h3>\n

Just like traditional DGAs, RDGAs come in all shapes and sizes.<\/strong> Some look like prototypical DGAs with seemingly random characters and a high degree of entropy, as Tables 1 and 2<\/strong> show: <\/p>\n\n\n\n\n
6rnd9mitqt1rz82[.]top
7r7suw52ls00i20[.]top
9w9ohb5vky5p3dz[.]top
bjbntaxmh09r09e[.]top
qcj4pirltkpqrcu[.]top\n<\/td>\n<\/tr>\n
Table 1. Prototypical DGA used by a SocGholish\/TA569 affiliate <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n\n\n\n\n
h87e1mbm0u5f85[.]xyz
n8j1nau3os4otr[.]xyz
xnnxr1jquyupjc[.]xyz
xqajkr8fbrdryp0[.]xyz
xryqcgcb2upb28k[.]xyz\n<\/td>\n<\/tr>\n
Table 2. RDGA for a weight loss pill scam <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Table 3<\/strong> shows that other RDGAs use nonsensical combinations of dictionary words like a traditional DDGA: <\/p>\n\n\n\n\n
arriveplanetsnow[.]buzz
coatthinkverb[.]buzz
debtgenepub[.]live
poemtrainsurprise[.]top
quarterneighbourforward[.]xyz\n<\/td>\n<\/tr>\n
Table 3. VexTrio Viper RDGA <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Some RDGAs use a limited set of dictionary words in a more structured format in order to fit a theme, like this set of domains in Table 4<\/strong>, whose names correspond to various regional jails: <\/p>\n\n\n\n\n
castrocountyjail[.]org
killeencityjail[.]org
lasalleparishjail[.]org
miamidadecountyjail[.]org
northcentralregionaljail[.]org\n<\/td>\n<\/tr>\n
Table 4. RDGA with a regional jail theme<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Still other RDGAs generate variations of a single domain name by inserting, shifting, or deleting characters from the base domain name (see Table 5<\/strong>). More often than not, the character changes in these variant domain names follow some sort of structure so that the generated domains are still somewhat intelligible and similar to the base domain, like the following set of RDGA domains for a Russian diploma mill: <\/p>\n\n\n\n\n
arenadiploma[.]com
area-diploman24[.]com
area-diplomans24[.]com
area-diploms24[.]com
area-diplomy24[.]com
areas-diplom[.]com
areas-diplom24[.]com
areas-diplomy24[.]com
arena-diplomsy24[.]com
arena-diplomy24[.]com\n<\/td>\n<\/tr>\n
Table 5. RDGA for a Russian diploma mill <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Clearly, RDGAs come in a variety of forms and their domains may not be immediately recognizable when viewed in isolation. This is why researching and identifying RDGAs requires access to large-scale DNS data and enough DNS expertise to properly analyze it. <\/strong><\/p>\n

Hancitor: Using RDGAs Before It Was Cool<\/h3>\n

If you\u2019re reading this blog, there\u2019s a good chance you\u2019ve heard of Hancitor malware.<\/strong> Although it hasn\u2019t been active recently, it was an incredibly popular malware loader with prolific malspam campaigns that regularly delivered booby-trapped documents to unsuspecting victims for the better part of a decade. What most people don\u2019t realize about Hancitor is that they were using an RDGA to generate all of their C2 domains,<\/strong> which meant they could be detected in DNS and blocked before their campaigns even became active. <\/p>\n

Looking at the C2 domains embedded in a single sample of Hancitor (Table 6<\/strong>), the pattern isn\u2019t obvious. <\/p>\n\n\n\n\n
chopprousite[.]ru
patiennerrhe[.]com
thougolograrly[.]ru\n<\/td>\n<\/tr>\n
Table 6. Hancitor C2 domains from one sample<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

The C2s are nonsensical and look like DGA domains, but they don\u2019t contain numbers or lots of high-entropy strings like a randomized traditional DGA. Some of them appear to contain English words like a DDGA, but they\u2019re not exclusively made of intelligible words like a standard DDGA. While all of these observations are true, and they may even help identify Hancitor domains during manual threat hunting, they aren\u2019t enough to fully characterize the algorithm and build an automated detector for it. <\/p>\n

If we look at a larger list of Hancitor C2 domains taken from multiple samples, however, the underlying patterns of its RDGA become more apparent (Table 7<\/strong>): <\/p>\n\n\n\n\n
dintretonid[.]com
dintretrewor[.]com
dintrolletone[.]com
dintromparsup[.]com
direnrolpar[.]ru
hadhecrecled[.]com
hadrecrolof[.]ru
hadsparmirat[.]com
hanparolhar[.]com
rofromandfor[.]ru
rowrorofrat[.]com\n<\/td>\n<\/tr>\n
Table 7. Selected Hancitor C2 domains taken from various samples<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

From this set of domains we can see that Hancitor\u2019s RDGA has a tendency to repeat specific sequences of characters,<\/strong> such as \u201cdi\u201d and \u201cha.\u201d We could infer that the reason its domains appear random while having fairly low entropy is that the character sequences it uses are common in English words.<\/strong> <\/p>\n

Infoblox recognized these peculiarities of the Hancitor RDGA in 2018<\/strong> and created a statistical model to identify domains that follow Hancitor\u2019s RDGA pattern. By combining this with our knowledge of Hancitor\u2019s registration patterns and DNS signatures, we created a predictive analytic to identify and block Hancitor C2 domains before they were used in active campaigns. <\/p>\n

Meet Revolver Rabbit<\/h3>\n

One of the most prolific unclassified RDGA actors we\u2019ve found, which we\u2019ve named Revolver Rabbit, has registered over 500k domains on the .bond TLD alone. <\/strong>Their RDGA pattern is unique but also highly variable, which makes some of their domains difficult to identify without additional DNS context. <\/p>\n

The most common RDGA pattern this actor uses is a series of one or more dictionary words followed by a five-digit number, with each word or number separated by a dash (see Table 8<\/strong>). When multiple dictionary words are used, they usually form coherent phrases rather than appearing completely random. <\/p>\n\n\n\n\n
assisted-living-11607[.]bond
online-jobs-42681[.]bond
perfumes-76753[.]bond
security-surveillance-cameras-42345[.]bond
yoga-classes-35904[.]bond\n<\/td>\n<\/tr>\n
Table 8. Examples of most common RDGA pattern for Revolver Rabbit<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Sometimes the actor uses ISO 3166-1 country codes, full country names, or numbers corresponding to years instead of dictionary words (see Tables 9A and 9B<\/strong>). They tend to use these elements as prefixes or suffixes, and the domains that use them generally omit the standard five-digit numerical suffix regardless of whether the element is being used as a prefix or suffix.<\/p>\n\n\n\n\n
ai-courses-12139[.]bond
ai-courses-13069[.]bond
ai-courses-14729[.]bond
ai-courses-16651[.]bond
ai-courses-17621[.]bond
app-software-development-training-52686[.]bond
app-software-development-training-54449[.]bond
app-software-development-training-55554[.]bond
app-software-development-training-57549[.]bond<\/td>\n		ai-courses-2024-pe[.]bond
ai-courses-2024-pk[.]bond
ai-courses-2024sa[.]bond
ai-courses2023-in[.]bond
ai-courses2023in[.]bond
ai-courses2024in[.]bond
app-software-development-italy[.]bond
app-software-development-training-usa[.]bond<\/td>\n<\/tr>\n
Table 9A. Domains using the basic pattern<\/td>\nTable 9B. Domains using country codes, country names, and year numbers <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Tables 10A and 10B<\/strong> show how the actor occasionally replaces their standard five-digit suffix with one or two digits followed by a single character.<\/p>\n\n\n\n\n
online-degrees-16099[.]bond
portable-air-conditioner-12322[.]bond
river-cruises-13890[.]bond
roofing-services-10175[.]bond
travel-insurance-43494[.]bond<\/td>\n		usa-online-degree-29o[.]bond
bra-portable-air-conditioner-9o[.]bond
uk-river-cruises-8n[.]bond
rsa-roofing-services-8n[.]bond
col-travel-insurance-3n[.]bond<\/td>\n<\/tr>\n
Table 10A. Domains using the basic pattern<\/td>\nTable 10B. Domains using 1-2 digits and a single letter<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Tables 11A and 11B<\/strong> show that in some cases the actor uses two dashes in a row rather than the single dash they normally use. <\/p>\n\n\n\n
welding-machines-10120[.]bond
welding-machines-35450[.]bond
welding-machines-56397[.]bond
welding-machines-76813[.]bond
welding-machines-99146[.]bond<\/td>\n		welding-machines\u2212\u221211015[.]bond
welding-machines\u2212\u221231109[.]bond
welding-machines\u2212\u221256717[.]bond
welding-machines\u2212\u221275378[.]bond
welding-machines\u2212\u221297422[.]bond<\/td>\n<\/tr>\n		Table 11A. Domains using the basic pattern<\/td>\nTable 11B. Domains using two dashes instead of one<\/td>\n<\/tbody>\n<\/table>\n

The amount of variation in this actor\u2019s RDGA highlights the need for advanced DNS expertise and visibility when implementing automated RDGA detection. While many of their domains follow a basic pattern that could be detected with regular expressions or other string-based matching, they also have a number of domains that use different patterns. The similarities between this actor\u2019s patterns may be obvious to a human observer, but for an automated detector to accurately group these somewhat disparate domains together, additional DNS context is required. <\/p>\n

We initially planned to publish Revolver Rabbit as an example of an interesting but unclassified RDGA actor, but during our research we found their domains being used as both active C2s and decoy domains in XLoader (a.k.a. Formbook) malware samples.i, ii This discovery further underscores the importance of RDGA detection and analysis, as without it actors like Revolver Rabbit can operate undetected despite their massive network footprints.<\/p>\n

Unknown RDGAs Are on the Rise<\/h3>\n

For every RDGA like VexTrio Viper<\/a> that we\u2019ve extensively researched and published on, we\u2019ve detected thousands of other RDGAs whose purposes remain largely unknown. Given the wide array of malicious activity we\u2019ve observed from the RDGAs we know, the sheer quantity of unknown RDGAs is a matter of significant interest and concern. The patterns and DNS signatures that tie RDGA domains together can only be identified by large-scale analysis, so unknown RDGA domains are able to function largely unimpeded on networks that aren\u2019t protected by advanced DNS analytics like ours. <\/p>\n

In the six-month period from October 17, 2023 to April 17, 2024, our RDGA detectors identified over 2M unique RDGA domains, or an average of over 11k new RDGA domains per day (see Figure 3<\/strong>). <\/p>\n\n\n\n\n
\n\n<\/td>\n<\/tr>\n
Figure 3. Daily RDGA domain detection counts from October 17, 2023 to April 17, 2024 <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Our detectors initially clustered these domains into roughly 117k unique actor groups, which we later reduced to roughly 52k actor groups using a combination of automated refinements and manual analysis (see Figure 4<\/strong>). <\/p>\n\n\n\n\n
\n\n<\/td>\n<\/tr>\n
Figure 4. Daily RDGA actor cluster counts from October 17, 2023 to April 17, 2024 <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

The key takeaway from these statistics is that there are so many RDGA domains being registered that the security industry will never be able to research them all.<\/strong> It can take months for human researchers to understand a threat to the point that they can publish on it, but it only takes a day for RDGA actors to register tens of thousands of new domains for researchers to investigate.<\/strong> This is why automated detection is the only viable defense against RDGA threats.<\/strong> <\/p>\n

Learn more about RDGAs in our full research report here<\/a>.<\/p>\n

Conclusion<\/h3>\n

RDGA domains are associated with a panoply of dubious activities that most organizations don\u2019t want on their networks.<\/strong> But despite being used to register millions of new domains, RDGAs have gone almost entirely unrecognized by the security industry. This lack of reporting is likely due to the fact that RDGA detection requires both significant DNS expertise and access to large volumes of DNS data. Organizations should be aware of the threat that RDGAs pose to their networks, and should implement security solutions that include automated RDGA detection. <\/strong><\/p>\n

Indicators of Activity<\/h3>\n

Below is a sample of indicators used by the RDGA threat actors we mentioned in this blog. Indicators are also available in our GitHub repository\u202fhere<\/a>.<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n
Indicator<\/th>\nType of Indicator <\/th>\n<\/tr>\n<\/thead>\n
6rnd9mitqt1rz82[.]top
7r7suw52ls00i20[.]top 9w9ohb5vky5p3dz[.]top
bjbntaxmh09r09e[.]top
qcj4pirltkpqrcu[.]top<\/td>\n		SocGholish\/TA569 affiliate traditional DGA domains<\/td>\n<\/tr>\n
h87e1mbm0u5f85[.]xyz
n8j1nau3os4otr[.]xyz
xnnxr1jquyupjc[.]xyz
xqajkr8fbrdryp0[.]xyz
xryqcgcb2upb28k[.]xyz <\/td>\n		Weight loss pill scam RDGA domains <\/td>\n<\/tr>\n
arriveplanetsnow[.]buzz
coatthinkverb[.]buzz
debtgenepub[.]live
poemtrainsurprise[.]top
quarterneighbourforward[.]xyz<\/td>\n		VexTrio Viper RDGA domains<\/td>\n<\/tr>\n
castrocountyjail[.]org
killeencityjail[.]org
lasalleparishjail[.]org
miamidadecountyjail[.]org
northcentralregionaljail[.]org<\/td>\n		Regional jail RDGA domains<\/td>\n<\/tr>\n
arenadiploma[.]com
area-diploman24[.]com
area-diplomans24[.]com
area-diploms24[.]com
area-diplomy24[.]com
areas-diplom[.]com
areas-diplom24[.]com
areas-diplomy24[.]com
arena-diplomsy24[.]com
arena-diplomy24[.]com <\/td>\n		Russian diploma scam RDGA domains <\/td>\n<\/tr>\n
chopprousite[.]ru
patiennerrhe[.]com
thougolograrly[.]ru
dintretonid[.]com
dintretrewor[.]com
dintrolletone[.]com
dintromparsup[.]com
direnrolpar[.]ru
hadhecrecled[.]com
hadrecrolof[.]ru
hadsparmirat[.]com
hanparolhar[.]com
rofromandfor[.]ru
rowrorofrat[.]com <\/td>\n		Hancitor C2 RDGA domains<\/td>\n<\/tr>\n
assisted-living-11607[.]bond
online-jobs-42681[.]bond
perfumes-76753[.]bond
security-surveillance-cameras-42345[.]bond
yoga-classes-35904[.]bond
ai-courses-12139[.]bond
ai-courses-13069[.]bond
ai-courses-14729[.]bond
ai-courses-16651[.]bond
ai-courses-17621[.]bond
app-software-development-training-52686[.]bond
app-software-development-training-54449[.]bond
app-software-development-training-55554[.]bond
app-software-development-training-57549[.]bond
ai-courses-2024-pe[.]bond
ai-courses-2024-pk[.]bond
ai-courses-2024sa[.]bond
ai-courses2023-in[.]bond
ai-courses2023in[.]bond
ai-courses2024in[.]bond
app-software-development-italy[.]bond
app-software-development-training-usa[.]bond<\/p>\n

online-degrees-16099[.]bond
portable-air-conditioner-12322[.]bond
river-cruises-13890[.]bond
roofing-services-10175[.]bond
travel-insurance-43494[.]bond
usa-online-degree-29o[.]bond
bra-portable-air-conditioner-9o[.]bond
uk-river-cruises-8n[.]bond
rsa-roofing-services-8n[.]bond
col-travel-insurance-3n[.]bond
welding-machines-10120[.]bond
welding-machines-35450[.]bond
welding-machines-56397[.]bond
welding-machines-76813[.]bond
welding-machines-99146[.]bond
welding-machines\u2212\u221211015[.]bond
welding-machines\u2212\u221231109[.]bond
welding-machines\u2212\u221256717[.]bond
welding-machines\u2212\u221275378[.]bond
welding-machines\u2212\u221297422[.]bond <\/p>\n<\/td>\n

Revolver Rabbit RDGA domains <\/td>\n<\/tr>\n
tires-book-robust[.]bond
laser-skin-treatment-19799[.]bond
pool-repair-35063[.]bond
apartments-for-rent-72254[.]bond
hemophilia-treatment-41433[.]bond <\/td>\n		Revolver Rabbit RDGA domains used as C2 \/ decoy domains for XLoader malware <\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n