Infoblox Reveals RDGA Threat: $1M Investment in Domains by Revolver Rabbit

News Desk -


Infoblox Threat Intel has released a study on the escalating threat of Registered Domain Generation Algorithms (RDGAs). An RDGA differs from a traditional Domain Generation Algorithm (DGA) in where the algorithm runs and what gets registered: with a classic DGA, the malware generates candidate domains and the operator registers only a handful of them, whereas with an RDGA the threat actor runs the algorithm on their own side and registers every domain it produces, in bulk. Because the domains are real, registered, resolving names, they make attacks harder to block and cheaper to scale than unregistered DGA traffic.

Infoblox first identified RDGAs in October 2023. These algorithms allow cybercriminals to rapidly scale their operations and avoid detection. Since introducing the term, Infoblox has shown how RDGAs have been used across a range of malicious activity, including malware distribution, link shorteners such as Prolific Puma, and traffic distribution systems such as VexTrio Viper and Savvy Seahorse.

The company has developed several algorithms to detect and track RDGAs, including a patent-pending method for identifying emerging clusters of RDGA domains. Infoblox says its detection capabilities uncover tens of thousands of new RDGA-related domains every day, most of which go unflagged by the broader security industry.
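The article does not describe how Infoblox's clustering works, and the following is not Infoblox's patent-pending method. It is an added illustration of the general idea: newly registered domains that share a lexical shape, a nameserver and a short registration window are grouped together, which is the kind of signal an RDGA leaves behind because the actor registers the algorithm's entire output at once. The domain records, nameservers and dates below are constructed sample data, not from the report.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample of newly-registered-domain records: (domain, registration
# date, authoritative nameserver). Hypothetical data, not from the Infoblox
# report. The .bond and .sbs entries mimic two algorithmically generated
# batches; the remaining entries are ordinary one-off registrations.
SAMPLE_RECORDS = [
    ("secure-login-portal-7421.bond", "2024-06-03", "ns1.parkhost.example"),
    ("cloud-backup-center-8830.bond", "2024-06-03", "ns1.parkhost.example"),
    ("fast-invoice-review-1192.bond", "2024-06-03", "ns1.parkhost.example"),
    ("green-energy-saver-5506.bond", "2024-06-04", "ns1.parkhost.example"),
    ("qwpxlmnvtr.sbs", "2024-06-03", "ns2.parkhost.example"),
    ("zkrhtqmwpa.sbs", "2024-06-03", "ns2.parkhost.example"),
    ("bvlmdcxphy.sbs", "2024-06-03", "ns2.parkhost.example"),
    ("my-bakery.com", "2024-06-03", "ns1.legit-hosting.example"),
    ("johnsmithphotography.com", "2024-06-04", "ns1.other.example"),
    ("acme-widgets.net", "2024-06-04", "ns1.legit-hosting.example"),
]


def lexical_template(domain):
    """Reduce a domain to its character-class shape.

    Runs of letters become 'w', runs of digits become 'd', hyphens and the
    TLD are kept. Domains produced by the same generator usually collapse to
    the same template even though no two of them share a substring, e.g.
    'secure-login-portal-7421.bond' -> 'w-w-w-d.bond'.
    """
    label, _, tld = domain.lower().rpartition(".")
    shape = re.sub(r"[a-z]+", "w", label)
    shape = re.sub(r"[0-9]+", "d", shape)
    return f"{shape}.{tld}"


def find_rdga_clusters(records, min_size=3, max_span_days=7):
    """Group registrations by (template, nameserver) and keep groups that are
    large and were registered within a short window.

    Returns a list of cluster dicts sorted by size (largest first). A single
    person registering one dashed domain never reaches min_size; an actor
    registering an algorithm's whole output does.
    """
    groups = defaultdict(list)
    for domain, reg_date, nameserver in records:
        groups[(lexical_template(domain), nameserver)].append((domain, reg_date))

    clusters = []
    for (template, nameserver), members in groups.items():
        if len(members) < min_size:
            continue
        dates = sorted(date.fromisoformat(d) for _, d in members)
        span = (dates[-1] - dates[0]).days
        if span > max_span_days:
            # Same shape but spread over months is more likely coincidence
            # (or a slow campaign this simple window will not catch).
            continue
        clusters.append({
            "template": template,
            "nameserver": nameserver,
            "size": len(members),
            "span_days": span,
            "domains": sorted(d for d, _ in members),
        })

    clusters.sort(key=lambda c: (-c["size"], c["template"]))
    return clusters


if __name__ == "__main__":
    for cluster in find_rdga_clusters(SAMPLE_RECORDS):
        print(f"{cluster['template']} via {cluster['nameserver']}: "
              f"{cluster['size']} domains over {cluster['span_days']} day(s)")
        for d in cluster["domains"]:
            print("   ", d)
```

Run against real passive-DNS or zone-file feeds, the template-plus-nameserver key is deliberately coarse: it is a triage filter that surfaces candidate clusters for an analyst, not a verdict. The thresholds (`min_size`, `max_span_days`) are assumptions chosen for the sample data and would need tuning per TLD and registrar, since some TLDs see legitimate bulk registrations that share a shape.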

The latest study highlights a striking case: the threat actor Infoblox tracks as Revolver Rabbit. This actor has registered more than 500,000 domains, at a cost of over $1 million in registration fees alone. Initially, Infoblox could not work out what the domains were for. After nearly a year of investigation, it found that Revolver Rabbit uses RDGAs to create both command and control (C2) and decoy domains for the XLoader (formerly Formbook) malware. XLoader contacts a batch of domains at a time, of which only one is the live C2 and the rest are decoys meant to hide it, which is why the operation needs so many registered names. This information stealer is typically delivered through phishing emails, and the size of the registration spend indicates how profitable the operation is for Revolver Rabbit.

The study emphasizes the significant and often underestimated threat posed by RDGAs. They let cybercriminals expand spam, malware and scam operations at low cost and with little risk of detection, and the ease of automating domain registration through registrar APIs makes the technique straightforward to abuse at scale.

Infoblox aims to raise awareness of this growing threat and illuminate the increasing trend of malicious domain registrations.
