Revolver Rabbit gang registers 500,000 domains for malware campaigns

July 18, 2024 at 05:34PM

The cybercriminal group tracked as Revolver Rabbit has registered more than 500,000 domain names using registered domain generation algorithms (RDGAs), a technique in which the generation algorithm stays secret and every generated domain is actually registered, to run infostealer campaigns against Windows and macOS systems. Security researchers at Infoblox uncovered the operation and estimate the registration fees at over $1 million. The domains follow a consistent, easily readable naming pattern and span a wide range of topics and regions.

According to Infoblox's findings, the cybercriminal gang tracked as Revolver Rabbit has been using registered domain generation algorithms (RDGAs) to operate large-scale infostealer campaigns targeting Windows and macOS systems. The threat actor has registered more than 500,000 domain names and relies on RDGAs, which automate the registration of many domains in a short period.

The key difference between RDGAs and the domain generation algorithms (DGAs) commonly embedded in malware is where the algorithm lives and how many of its outputs are used. A DGA ships inside the malware, so it can be reverse-engineered from a sample, and the attacker registers only a small fraction of the domains it produces. An RDGA is kept secret by the threat actor and never appears in a sample, and every domain it produces is registered. Because researchers must infer the pattern from the registered domains alone, identifying the generation pattern behind Revolver Rabbit's domains was considerably harder.

The gang has used RDGAs to buy hundreds of thousands of domains, paying more than $1 million in registration fees. The domains have been used to distribute the XLoader information-stealing malware, which has variants for both Windows and macOS that harvest sensitive information or execute additional malicious files on infected hosts.

The domains registered by Revolver Rabbit are typically easy to read and cover a wide variety of topics or regions. The most common RDGA pattern the actor uses consists of one or more dictionary words followed by a five-digit number, with each element separated by a dash.
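The naming pattern above is specific enough to turn into a first-pass detection rule. The following is an added example, not code from Infoblox or from the original article: it scans constructed DNS query-log lines for names shaped like dash-separated dictionary words ending in a five-digit number, then only flags a TLD once several distinct matching names share it, an added clustering heuristic that is my assumption for cutting one-off false positives, not something the article describes. The log line format (timestamp, client IP, record type, queried name) and the use of the reserved `.example` and `.test` TLDs in the sample data are also assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Lexical shape described in the article: one or more dictionary-style
# words joined by dashes, then a dash and exactly five digits, then the TLD.
# Constructed shapes, not domains from the report: word-word-12345.tld
RDGA_PATTERN = re.compile(r"^(?:[a-z]{2,}-){1,6}[0-9]{5}\.[a-z]{2,}$")

# Constructed sample log (assumed format: timestamp, client, qtype, qname).
# The names are invented and use reserved TLDs so nothing here resolves.
SAMPLE_LOG = """\
2024-07-18T17:34:01Z 10.0.0.12 A usa-online-degree-29845.example
2024-07-18T17:34:02Z 10.0.0.12 A best-car-insurance-quotes-10321.example
2024-07-18T17:34:05Z 10.0.0.17 A www.example.com
2024-07-18T17:34:07Z 10.0.0.17 A mail-backup-2024.example
2024-07-18T17:34:09Z 10.0.0.20 A cheap-flights-41177.test
2024-07-18T17:34:11Z 10.0.0.20 A update-checker-77.example
2024-07-18T17:35:00Z 10.0.0.21 AAAA Travel-Deals-Now-55310.EXAMPLE.
"""


def parse_queried_names(log_text):
    """Extract the queried name from each log line, normalised to lowercase
    with any trailing FQDN dot removed. Lines with too few fields are skipped."""
    names = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        names.append(parts[3].rstrip(".").lower())
    return names


def matches_rdga_pattern(name):
    """True if the name has the words-dash-five-digits shape from the article.
    This is a lexical signal only: readable marketing-style names are common,
    so a single match should never be treated as malicious on its own."""
    return RDGA_PATTERN.match(name) is not None


def flag_rdga_candidates(log_text, min_per_tld=2):
    """Return {tld: [names]} for TLDs with at least min_per_tld distinct
    pattern-matching names. Grouping by TLD is an assumed heuristic: an
    RDGA registers domains in bulk, so in practice matches tend to cluster,
    whereas an isolated legitimate hyphenated name usually does not."""
    hits = {n for n in parse_queried_names(log_text) if matches_rdga_pattern(n)}
    by_tld = defaultdict(set)
    for name in hits:
        by_tld[name.rsplit(".", 1)[1]].add(name)
    return {tld: sorted(names) for tld, names in by_tld.items()
            if len(names) >= min_per_tld}


if __name__ == "__main__":
    for tld, names in flag_rdga_candidates(SAMPLE_LOG).items():
        print(f".{tld}: {len(names)} candidate RDGA names")
        for name in names:
            print("  ", name)
```

In the sample, the three `.example` names are flagged and the single `.test` hit is dropped by the clustering threshold; `mail-backup-2024.example` and `update-checker-77.example` never match because the numeric tail is not five digits. Treat the output as an enrichment feed to join against registration date, registrar and nameserver data, which is the kind of evidence Infoblox relied on, rather than as a blocklist by itself.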

Infoblox, a DNS-focused security vendor, has been tracking Revolver Rabbit for nearly a year, but the use of RDGAs concealed the actor's objective until recently. The company also notes that multiple threat actors use RDGAs for a range of malicious operations, including malware delivery, phishing, spam campaigns, scams, and routing victims to malicious destinations through traffic distribution systems (TDSs). That spread makes RDGAs a technique defenders need to understand as part of the modern threat actor's toolbox.

Overall, the findings show sophisticated and widespread use of RDGAs by Revolver Rabbit, underscoring the need for continued vigilance against this evolving technique.
