SecurityWeek

New DGA Variants Spotted in Attacks

Researchers at endpoint security firm Cybereason have identified several new domain generation algorithm (DGA) variants currently used by malware and exploit kits.

In an effort to make their operations more difficult to disrupt, threat actors have been increasingly using DGAs to generate domain names for their command and control (C&C) servers. Some pieces of malware rely on DGAs that can generate thousands of domains every day and each of them is only active for a short period of time.

Security firms often try to figure out how a certain DGA works in an effort to predict domain names and ensure that their products block them. While this method has had some success, Cybereason now claims it has found a way to detect DGAs and malicious activity associated with them by looking for specific behavior.

“Instead of undertaking the Sisyphean task of fighting each DGA variant, a better approach would be to look for common techniques used by DGAs. Just detecting a DGA incriminates a process as malicious since no legitimate process will ever use such a technique,” explained Uri Sternfeld, research team leader at Cybereason.

The company says it has used its novel technique to identify dozens of DGAs used in attacks affecting its customers, and it has published a report detailing eight of the more interesting ones, including what researchers believe to be new variants.

For instance, Cybereason has identified a piece of malware with Russian origins that uses a DGA designed to generate 35 .ru or .com domains per day. The domains are generated using seven random letters preceded by the string “five” and a number (e.g. five14.lzeaeac.ru). A similar variant generates domain names with the string “pop” and without numbers (e.g. pop.imvhhht.ru).

Another apparently new DGA has been used by an unidentified piece of malware that injects into the svchost.exe process. The DGA generates a random value for a DWORD (32-bit unsigned integer) variable and converts it to a hexadecimal string, which becomes the domain name. The domains are hosted on the .com, .net or .info TLDs (e.g. 04F645A5.COM).
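The two domain shapes described above (the "five"/"pop" prefix variants and the hex-encoded DWORD variant) are regular enough that a defender can flag them in DNS query logs. The following detector is an added example and is not Cybereason's code; the log line format and the sample lines are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Regexes for the DGA shapes described in the article. Matching is
# case-insensitive because the DWORD variant was seen as upper-case hex.
DGA_PATTERNS = {
    # "five" + number + 7 random letters on .ru/.com (e.g. five14.lzeaeac.ru)
    "five-prefix": re.compile(r"^five\d+\.[a-z]{7}\.(ru|com)$", re.I),
    # "pop" + 7 random letters, no number (e.g. pop.imvhhht.ru)
    "pop-prefix": re.compile(r"^pop\.[a-z]{7}\.(ru|com)$", re.I),
    # 32-bit value rendered as exactly 8 hex digits on .com/.net/.info
    "hex-dword": re.compile(r"^[0-9a-f]{8}\.(com|net|info)$", re.I),
}

def classify(domain: str) -> Optional[str]:
    """Return the matching DGA family name, or None if no shape matches."""
    d = domain.strip().rstrip(".")
    for name, rx in DGA_PATTERNS.items():
        if rx.match(d):
            return name
    return None

# Constructed sample DNS query log (not real telemetry). The line format
# "<timestamp> <client> query <domain>" is an assumption for this example.
SAMPLE_LOG = """\
2017-01-10T08:00:01Z 10.0.0.12 query five14.lzeaeac.ru
2017-01-10T08:00:02Z 10.0.0.12 query www.example.com
2017-01-10T08:00:03Z 10.0.0.27 query 04F645A5.COM
2017-01-10T08:00:04Z 10.0.0.27 query pop.imvhhht.ru
2017-01-10T08:00:05Z 10.0.0.31 query deadbeef.info
2017-01-10T08:00:06Z 10.0.0.31 query mail.example.net
"""

def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, domain, family) for each line matching a DGA shape."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "query":
            continue  # skip malformed lines rather than guessing
        family = classify(parts[3])
        if family:
            hits.append((parts[1], parts[3], family))
    return hits

if __name__ == "__main__":
    for client, domain, family in scan_log(SAMPLE_LOG):
        print(f"{client} -> {domain} [{family}]")
```

A single match on the hex-dword shape is weak evidence on its own, since legitimate 8-character hex labels exist; the article's point is that the same host resolving many such names in a short window is the behaviour worth alerting on.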

A different unknown piece of malware uses a DGA that generates domains from long, randomly generated strings that resemble Punycode.

The Angler exploit kit has been known to use DGAs, but Cybereason researchers believe its authors might have turned to a new variant that generates .com domain names using random characters and digits.

DGAs often create domain names by combining random words from predefined lists. A variation of this method, spotted by experts in Dridex banking Trojan attacks, involves breaking, shifting and padding the words with random characters. The names are generated on the Mongolia (.mn) and Montenegro (.me) TLDs.

The DGA used by the Necurs backdoor is also interesting: it generates random names 8-20 characters in length on exotic TLDs, such as .im (Isle of Man), .ga (Gabon), .sc (Seychelles), .tu (Tuvalu), and .nu (Niue).

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
