Revolver Rabbit registers over 500,000 domains for infostealer campaigns


The notorious Revolver Rabbit cybercriminal group has ramped up its operations, registering over 500,000 domain names to facilitate its widespread infostealer campaigns targeting Windows and macOS systems. The scale of this operation is unprecedented, leveraging advanced registered domain generation algorithms (RDGAs) to automate the mass registration of domains.

RDGAs represent a sophisticated evolution of the domain generation algorithms commonly embedded in malware. While DGAs generate potential command and control (C2) communication destinations, only a fraction of these domains are registered.

In contrast, RDGAs allow cybercriminals to register all generated domains, significantly complicating detection and mitigation efforts for cybersecurity professionals.

“While traditional DGAs are used exclusively for connection to a malware controller, RDGAs can be used for a wide range of purposes including malware, phishing, spam, scams, gambling, traffic distribution systems (TDS), virtual private networks (VPNs), or essentially any activity that benefits from having large numbers of domain names,” explained researchers.

Difference between DGAs and RDGAs. | Source: Infoblox

Researchers uncovered Revolver Rabbit’s extensive use of RDGAs, revealing that the group has invested over $1 million in domain registration fees. This massive investment underpins the distribution of the XLoader malware, a powerful info-stealing tool and successor to the notorious Formbook malware.

Upon further investigation, researchers discovered that Revolver Rabbit controls more than 500,000 domains in the .BOND top-level domain (TLD), which are used to establish decoy and active C2 servers.

“The most common RDGA pattern this actor uses is a series of one or more dictionary words followed by a five-digit number, with each word or number separated by a dash,” researchers observed. “When multiple dictionary words are used, they usually form coherent phrases rather than appearing completely random.”

Sometimes, the threat actors also use ISO 3166-1 country codes, full country names, or year numbers in prefixes or suffixes. For instance, ai-courses-12139[.]bond, app-software-development-training-52686[.]bond, ai-courses2023in[.]bond, and app-software-development-training-57549[.]bond.

Namecheap’s RDGA tool. | Source: Infoblox

In other examples, researchers showcased how Revolver Rabbit uses two dashes in a row or replaces the standard five-digit suffix with one or two digits. For example, online-degrees-16099[.]bond, river-cruises-13890[.]bond, and welding-machines-35450[.]bond, among others.

The .BOND domains are the most visible. However, researchers believe that Revolver Rabbit has more than 700,000 domain names. Also, domains such as “usa-online-degree-29o[.]bond” and “uk-river-cruises-8n[.]bond” exemplify the diverse and seemingly benign nature of these registered domains, which serve to obfuscate malicious intent, researchers told BleepingComputer.
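The lexical pattern described above can be turned into a first-pass triage filter for DNS query logs. The following is an added example written for this article, not Infoblox's or BleepingComputer's code; the regular expression encodes only what the article reports (dictionary words joined by one or two dashes, a numeric suffix of usually five but sometimes one or two digits, a trailing letter as in "29o", or a year fused to the last word as in "ai-courses2023in"), and the log format and log lines are constructed for the demonstration.

```python
import re
from typing import Iterable, Optional

# Encodes the Revolver Rabbit .bond RDGA shape reported by Infoblox:
#   words joined by one or two dashes, then either
#   - a dash and 1-5 digits with an optional trailing letter (12139, 8n, 29o), or
#   - a four-digit year fused to the last word plus an optional country code (2023in).
RDGA_BOND_RE = re.compile(
    r"^(?P<words>[a-z]+(?:-{1,2}[a-z]+)*)"
    r"(?:(?P<year>\d{4})(?P<cc>[a-z]{0,3})|-{1,2}(?P<num>\d{1,5}[a-z]?))"
    r"\.bond$"
)


def normalise(domain: str) -> str:
    """Re-fang defanged indicators ('[.]') and lower-case the name."""
    return domain.strip().lower().replace("[.]", ".").rstrip(".")


def match_rdga_bond(domain: str) -> Optional[dict]:
    """Return the parsed word list and suffix if the name fits the pattern, else None."""
    m = RDGA_BOND_RE.match(normalise(domain))
    if not m:
        return None
    return {
        "words": [w for w in m.group("words").split("-") if w],
        "suffix": m.group("num") or m.group("year") + m.group("cc"),
    }


def flag_queries(log_lines: Iterable[str]) -> list:
    """Return queried names matching the pattern from '<ts> <client> <qname>' lines (constructed format)."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 3 and match_rdga_bond(parts[2]):
            hits.append(normalise(parts[2]))
    return hits


# Constructed DNS query log, not real traffic; the .bond names come from the article.
SAMPLE_LOG = [
    "2024-07-18T10:01:02Z 10.0.0.12 ai-courses-12139.bond",
    "2024-07-18T10:01:05Z 10.0.0.12 www.example.com",
    "2024-07-18T10:01:09Z 10.0.0.31 uk-river-cruises-8n.bond",
    "2024-07-18T10:01:11Z 10.0.0.31 ai-courses2023in.bond",
    "2024-07-18T10:01:15Z 10.0.0.44 mail-server.bond",
]

if __name__ == "__main__":
    for name in flag_queries(SAMPLE_LOG):
        print(name, match_rdga_bond(name))
```

A match is a triage signal, not a verdict: legitimate .bond registrations can follow the same word-dash-number shape, so hits should be enriched with registration date and resolution history before blocking.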

Revolver Rabbit’s extensive use of RDGAs underscores a critical challenge for cybersecurity researchers. Unlike traditional DGAs, RDGAs do not leave a predictable pattern that can be reverse-engineered, making it hard for researchers to block or track malicious activities preemptively.

“The key takeaway from these statistics is that there are so many RDGA domains being registered that the security industry will never be able to research them all. It can take months for human researchers to understand a threat to the point that they can publish on it, but it only takes a day for RDGA actors to register tens of thousands of new domains for researchers to investigate,” cautioned researchers.

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
