Infoblox Discovers The Million-Dollar Malware Machine – Revolver Rabbit’s RDGAs
Infoblox Threat Intel released a threat landscape study of the use of registered domain generation algorithms (RDGAs) by malicious actors. An RDGA differs from the traditional malware domain generation algorithm (DGA) in that all the domains are registered. Infoblox was the first to describe the technique back in October of 2023. RDGAs allow actors to scale their operations quickly and avoid detection. Since introducing the terminology, Infoblox has published research showing how RDGAs were used in malware, malicious link shorteners (Prolific Puma), and in traffic distribution systems (VexTrio Viper/Savvy Seahorse).
Infoblox Threat Intel has developed multiple algorithms to discover and track RDGAs in the wild, including patent-pending detection of emerging clusters of RDGA domains. With these detectors, Infoblox discovers tens of thousands of new domains every day, capturing them into clusters of actor-controlled assets. Most of these domains surprisingly go unnoticed by the security industry. In the new study of the RDGA threat landscape, Infoblox has found that the use of RDGAs has grown over the past few years and shows how domains created with them are used, including numerous examples from scams to malware.
The most remarkable example included is an RDGA controlled by the actor Infoblox named Revolver Rabbit. This actor has registered over 500,000 domains costing them over $1 million in registration fees. At the same time, discovering the purpose of these domains was a challenge. Infoblox Threat Intel has been tracking Revolver Rabbit for nearly a year but was stumped for months on the threat actor’s motivation. How can so many domains be registered without a trace of malicious activity? Recently Infoblox solved the puzzle: Revolver Rabbit uses the RDGA to create command and control (C2) and decoy domains for XLoader (aka Formbook) malware. This malware is an information stealer typically delivered via phishing emails. It must be a profitable malware for Revolver Rabbit given their investment in domain names. Connecting the Revolver Rabbit RDGA to an established malware after months of tracking highlights the importance of understanding RDGAs as a technique within the threat actor’s toolbox.
The landscape study shows that RDGAs are a formidable and underestimated threat. Actors can easily scale their spam, malware, and scam operations often without fear of detection by the security industry. Moreover, automation in the domain registration services makes it easy for cybercriminals to use an RDGA. The intent of the study is to raise awareness and shed light on the growing trend in malicious domain registrations.