To host command-and-control (C2) servers, distribute malware, or perform other malicious activities, hackers need a domain name. They can automate the process of obtaining domain names with a domain generation algorithm (DGA). However, in order to actually use these domains, they also need to register them with a domain registrar.
To achieve this, a group of hackers began using registered domain generation algorithms (RDGAs), which unfortunately seem to be working.
Cybersecurity researchers at Infoblox Threat Intel reported that a threat actor named Revolver Rabbit registered over 500,000 domains this way, an effort that would have required investing at least $1 million in registration fees alone.
A profitable effort
The hacker used RDGA to create command and control (C2) domains and bait for the XLoader data-stealing malware.
XLoader is a powerful and versatile malware that performs multiple functions, including data theft, credential theft, and functioning as a remote access trojan (RAT). It is an evolution of the notorious FormBook malware, which was also known for its information-stealing capabilities. XLoader has been used in several cybercriminal campaigns, often targeting both Windows and macOS platforms.
“This should be a profitable malware for Revolver Rabbit given its investment in domain names,” the researchers said. “Connecting Revolver Rabbit’s RDGA to established malware after months of tracking highlights the importance of understanding RDGAs as a technique within the threat actor’s toolbox.”
The Infoblox report concluded that RDGAs are a “formidable and underappreciated” threat. By using this novel technique, threat actors can easily scale their spam, malware, and scam operations, most often going unnoticed by the cybersecurity industry. Indeed, Infoblox regularly discovers “tens of thousands of new domains” being added to pools of assets controlled by these actors.
Most of these domains, researchers say, remain undetected by the security industry. Revolver Rabbit's activity continued for nearly a year and was not flagged as malicious.
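The detection gap described above (registered, resolving domains slip past checks tuned for classic DGAs) can be shown on a handful of DNS log lines. The script below is an added example, not code from the article or from Infoblox: the log lines, client IPs and domain names are constructed for illustration and do not reproduce Revolver Rabbit's actual domain pattern. It runs two defender-side heuristics over the same log: an NXDOMAIN-ratio check, which flags a client whose lookups mostly fail (the classic DGA signal), and a lexical check on the registrable label, which also catches machine-looking names that resolve because somebody paid to register them.

```python
"""Two DNS-log heuristics side by side: an NXDOMAIN-ratio check that catches
classic DGA beaconing, and a lexical check on the registrable label that also
catches algorithmically generated domains that *were* registered (RDGA).
Added example; log lines, IPs and domain names are constructed."""

import re
from collections import defaultdict

# Constructed sample log, one query per line: "<timestamp> <client> <qname> <rcode>"
SAMPLE_LOG = """\
2024-07-18T10:00:01Z 10.0.0.5 example.com NOERROR
2024-07-18T10:00:02Z 10.0.0.5 mail.google.com NOERROR
2024-07-18T10:00:03Z 10.0.0.5 github.com NOERROR
2024-07-18T10:00:04Z 10.0.0.7 xk7q2vbn3pl.net NXDOMAIN
2024-07-18T10:00:05Z 10.0.0.7 qzj9w4hrt6.com NXDOMAIN
2024-07-18T10:00:06Z 10.0.0.7 vb2n8xk1zq.org NXDOMAIN
2024-07-18T10:00:07Z 10.0.0.7 example.com NOERROR
2024-07-18T10:00:08Z 10.0.0.9 k3jd9qwx.top NOERROR
2024-07-18T10:00:09Z 10.0.0.9 mvtrkq2z.top NOERROR
2024-07-18T10:00:10Z 10.0.0.9 example.com NOERROR
2024-07-18T10:00:11Z 10.0.0.9 github.com NOERROR
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
VOWELS = set("aeiou")


def parse_log(text):
    """Parse the constructed log format into a list of dicts."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts, client, qname, rcode = m.groups()
        records.append({"ts": ts, "client": client,
                        "qname": qname.rstrip(".").lower(), "rcode": rcode})
    return records


def registrable_label(qname):
    """Label left of the TLD ("google" in mail.google.com). Simplification:
    a production version would consult the public suffix list (e.g. co.uk)."""
    parts = qname.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def label_features(label):
    """Return (digit ratio, longest run of consonants) for one label."""
    digits = sum(ch.isdigit() for ch in label)
    digit_ratio = digits / len(label) if label else 0.0
    longest_run = run = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            longest_run = max(longest_run, run)
        else:
            run = 0  # vowels, digits and hyphens break a consonant run
    return digit_ratio, longest_run


def is_suspicious_label(label, min_len=7, digit_ratio=0.25, consonant_run=4):
    """Thresholds are illustrative; tune them against your own traffic."""
    if len(label) < min_len:
        return False
    ratio, run = label_features(label)
    return ratio >= digit_ratio or run >= consonant_run


def nxdomain_heuristic(records, min_queries=4, min_ratio=0.5):
    """Classic DGA detector: clients whose lookups mostly fail. Registered
    (RDGA) domains resolve, so their clients never trip this rule."""
    totals, failures = defaultdict(int), defaultdict(int)
    for r in records:
        totals[r["client"]] += 1
        if r["rcode"] == "NXDOMAIN":
            failures[r["client"]] += 1
    return {c for c, n in totals.items()
            if n >= min_queries and failures[c] / n >= min_ratio}


def lexical_heuristic(records):
    """Per-client sorted list of queried names whose registrable label looks
    machine-generated, regardless of whether the lookup succeeded."""
    flagged = defaultdict(set)
    for r in records:
        if is_suspicious_label(registrable_label(r["qname"])):
            flagged[r["client"]].add(r["qname"])
    return {c: sorted(names) for c, names in flagged.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("NXDOMAIN-ratio alerts:", sorted(nxdomain_heuristic(recs)))
    for client, names in sorted(lexical_heuristic(recs).items()):
        print("lexical alerts for", client, "->", ", ".join(names))
```

Run as-is, the NXDOMAIN rule only reports client 10.0.0.7, whose constructed names never resolved; client 10.0.0.9 resolves every name it asks for and is invisible to that rule, yet the lexical rule still surfaces its two machine-looking domains. The lexical rule is a coarse triage signal, not a verdict: an RDGA built from dictionary words would pass it, which is why registration age and registrar clustering belong alongside it in a real pipeline.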