Infoblox uncovers hidden world of RDGAs

Infoblox Threat Intel has released a threat landscape study on how Registered Domain Generation Algorithms (RDGAs) are used by malicious actors today. An RDGA differs from a traditional malicious Domain Generation Algorithm (DGA) in that every generated domain is actually registered: the domains resolve, so the bursts of NXDOMAIN responses that classic DGA detection relies on never appear. Infoblox was the first to describe the technique, in October 2023. RDGAs let actors scale their operations quickly and avoid detection. Since introducing the term, Infoblox has published research showing RDGAs used in malware and malicious link shorteners (Prolific Puma) and in traffic distribution systems (VexTrio Viper and Savvy Seahorse).

Infoblox Threat Intel has developed multiple algorithms to detect and track RDGAs in the wild, including a patent-pending method for detecting emerging clusters of RDGA domains. Using these detectors, Infoblox discovers tens of thousands of new domains every day and groups them into clusters of assets controlled by the same threat actor. Surprisingly, most of these domains go unnoticed by the rest of the security industry. In its new study of the RDGA threat landscape, Infoblox finds that the use of RDGAs has grown over the past few years and details how the domains created with them are being used, with examples ranging from phishing to malware.
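To make the clustering idea concrete, here is a small added example (written for this page, not Infoblox code and not their patent-pending detector) that runs a coarse heuristic over a constructed newly-registered-domain feed. It fingerprints each domain by its lexical "shape" (TLD, length, hyphen-separated token count, digit count bucket) and reports shapes that accumulate many registrations through one registrar on one day. The feed, registrar names and the `min_size` threshold are all assumptions made up for the illustration.

```python
"""Toy RDGA-cluster heuristic over a constructed newly-registered-domain feed.

Added example; not Infoblox code and not their patent-pending detector.
Idea: an RDGA registers many domains in bulk that share a generator
"shape" (same length, same token structure, same TLD), usually through the
same registrar within a short window. Ordinary registrations are lexically
diverse, so shapes that pile up on one registrar-day are RDGA candidates.
"""
from collections import defaultdict

# Constructed sample feed: (domain, registrar, registration_date).
# Every record below is made up for the example, not an observation.
SAMPLE_FEED = [
    # Candidate cluster A: 12-char alphanumerics, three digits each, .com
    ("kx7q2mbv9trd.com", "RegA", "2024-06-01"),
    ("pz4w8nqy3hls.com", "RegA", "2024-06-01"),
    ("mt9e5vcj7qwa.com", "RegA", "2024-06-01"),
    ("rb2k6xfn8dgu.com", "RegA", "2024-06-01"),
    ("hq3z7pwl4nyc.com", "RegA", "2024-06-01"),
    # Candidate cluster B: three dictionary words plus a short tail, .shop
    ("fast-cash-loan-7k.shop", "RegD", "2024-06-02"),
    ("easy-home-work-3m.shop", "RegD", "2024-06-02"),
    ("best-auto-deal-9q.shop", "RegD", "2024-06-02"),
    ("free-gift-card-5z.shop", "RegD", "2024-06-02"),
    # Background noise: ordinary-looking registrations
    ("blue-river-bakery.com", "RegB", "2024-06-01"),
    ("smithfamilyphotos.net", "RegC", "2024-06-01"),
    ("nq4v7xtc2rlb.net", "RegA", "2024-06-01"),
    ("acme-plumbing.org", "RegB", "2024-06-02"),
    ("cloudy-mountain-cafe.biz", "RegC", "2024-06-02"),
    ("x1y2z3.io", "RegA", "2024-06-02"),
]


def domain_shape(domain):
    """Coarse lexical fingerprint of a registered domain.

    Returns (tld, sld_length, hyphen_tokens, digit_bucket). Domains produced
    by one generator tend to collide on this tuple, while unrelated
    registrations scatter across many distinct tuples.
    """
    domain = domain.lower().rstrip(".")
    sld, _, tld = domain.rpartition(".")
    if not sld or not tld:
        raise ValueError(f"not a dotted domain: {domain!r}")
    digits = sum(c.isdigit() for c in sld)
    bucket = "0" if digits == 0 else ("1-2" if digits <= 2 else "3+")
    return (tld, len(sld), sld.count("-") + 1, bucket)


def find_rdga_clusters(feed, min_size=4):
    """Group a newly-registered-domain feed into candidate RDGA clusters.

    Cluster key = (shape, registrar, registration_date). Clusters with at
    least min_size members are returned; min_size is a tuning assumption
    for this toy, not a published threshold.
    """
    groups = defaultdict(list)
    for domain, registrar, reg_date in feed:
        groups[(domain_shape(domain), registrar, reg_date)].append(domain)
    return {key: sorted(members) for key, members in groups.items()
            if len(members) >= min_size}


if __name__ == "__main__":
    for (shape, registrar, day), members in find_rdga_clusters(SAMPLE_FEED).items():
        print(f"{day} {registrar} shape={shape}: {len(members)} domains")
        for d in members:
            print("   ", d)
```

The point of the example is where the signal comes from: because RDGA domains are all registered and resolve, a resolver-side NXDOMAIN detector sees nothing unusual, so the detection has to key on the registration pattern itself (bulk, same shape, same registrar, same window). A production detector would fold in many more signals (nameservers, WHOIS and registrant data, TLD, DNS behaviour after registration) and a far richer lexical model; a shape this coarse will both miss generators and lump unrelated bulk registrations together.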

The most prominent example is an RDGA run by an actor Infoblox tracks as Revolver Rabbit. This actor has registered over 500,000 domains, at a cost of more than $1 million in registration fees. Working out what the domains were for was a challenge: Infoblox Threat Intel had been tracking Revolver Rabbit for about a year and remained puzzled for months about the actor's motivation. How could so many domains be registered without any trace of malicious activity? Infoblox recently solved the puzzle: Revolver Rabbit uses its RDGA to create command-and-control (C2) domains and decoy domains for the XLoader (also known as Formbook) malware. XLoader is an information stealer that is typically delivered via phishing emails, and given the actor's investment in domain names it is presumably a lucrative operation. That the Revolver Rabbit RDGA could only be linked to an established malware family after months of tracking highlights the importance of understanding RDGAs as a technology in the threat actor's toolkit.

The landscape study shows that RDGAs pose a massive and underappreciated threat. Threat actors can easily scale spam, malware and phishing operations, often without fear of detection by the security industry. Automation in domain registration services makes RDGAs even easier for cybercriminals to adopt. The purpose of the study is to raise awareness and shed light on the growing trend of malicious domain registrations.
