New DGA Variants Spotted in Attacks

Researchers at endpoint security firm Cybereason have identified several new domain generation algorithm (DGA) variants currently used by malware and exploit kits.

In an effort to make their operations more difficult to disrupt, threat actors have been increasingly using DGAs to generate domain names for their command and control (C&C) servers. Some pieces of malware rely on DGAs that can generate thousands of domains every day and each of them is only active for a short period of time.

Security firms often try to figure out how a certain DGA works in an effort to predict domain names and ensure that their products block them. While this method has had some success, Cybereason now claims it has found a way to detect DGAs and malicious activity associated with them by looking for specific behavior.

“Instead of undertaking the Sisyphean task of fighting each DGA variant, a better approach would be to look for common techniques used by DGAs. Just detecting a DGA incriminates a process as malicious since no legitimate process will ever use such a technique,” explained Uri Sternfeld, research team leader at Cybereason.

The company says it has used its novel technique to identify dozens of DGAs used in attacks affecting its customers, and it has published a report detailing eight of the more interesting ones, including what researchers believe to be new variants.

For instance, Cybereason has identified a piece of malware with Russian origins that uses a DGA designed to generate 35 .ru or .com domains per day. The domains are generated using seven random letters preceded by the string “five” and a number (e.g. A similar variant generates domain names with the string “pop” and without numbers (e.g.

Another apparently new DGA has been used by an unidentified piece of malware that injects code into the svchost.exe process. The DGA generates a random value for a DWORD (32-bit unsigned integer) variable and converts it to a hexadecimal string, which is used as the domain name. The domains are hosted on the .com, .net or .info TLDs (e.g. 04F645A5.COM).


A different unknown piece of malware uses a DGA which generates domains using long, randomly-generated strings that look like Punycode.

The Angler exploit kit has been known to use DGAs, but Cybereason researchers believe its authors might have turned to a new variant that generates .com domain names using random characters and digits.

DGAs often create domain names using combinations of random words from predefined lists. A variation of this method, spotted by experts in Dridex banking Trojan attacks, involves breaking, shifting and padding the words with random characters. The names are generated for Mongolia (.mn) and Montenegro (.me) TLDs.

The DGA used by the Necurs backdoor is also interesting as it generates random names that are 8-20 characters in length on exotic TLDs, such as .im (Isle of Man), .ga (Gabon), .sc (Seychelles), .tu (Tuvalu), and .nu (Niue).
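The variants described above share a few recognisable shapes (a hex-encoded DWORD as the label, a fixed "five"/"pop" prefix with seven random letters, a long Punycode-looking label, and a random 8-20 character label on an exotic TLD), which is enough to build a simple defensive tripwire over DNS resolver logs. The following Python script is an example added to this page; it is not Cybereason's detection logic, which the article does not publish. The domain patterns are transcribed from the article's descriptions, while the log format, host names, entropy and vowel-ratio cut-offs and the NXDOMAIN threshold are constructed assumptions. It also adds the behavioural angle the article alludes to: a host that resolves many DGA-shaped names that do not exist is a stronger signal than any single lookup.

```python
"""Heuristic DGA detector run over constructed DNS resolver log lines.
Example code added to this page; not Cybereason's own detection logic.
Domain patterns follow the article's descriptions; thresholds and sample
data are assumptions made for the example."""
import math
import re
from collections import Counter

# Variant: 8-hex-digit DWORD as the label on .com/.net/.info (e.g. 04F645A5.COM)
HEX_DWORD = re.compile(r"^[0-9a-f]{8}\.(com|net|info)$", re.I)
# Variant: "five" + number + seven letters, or "pop" + seven letters, on .ru/.com
FIVE_POP = re.compile(r"^(?:five\d+|pop)[a-z]{7}\.(ru|com)$", re.I)
# Variant: long labels that look like Punycode (minimum length is an assumption)
PUNYCODE_LIKE = re.compile(r"^xn--[a-z0-9-]{16,}\.[a-z]+$", re.I)
# Variant (Necurs-style): 8-20 random characters on the TLDs the article lists
EXOTIC_TLDS = {"im", "ga", "sc", "tu", "nu"}   # as listed in the article
ENTROPY_THRESHOLD = 3.0   # assumed cut-off, bits per character
VOWEL_RATIO_MAX = 0.3     # assumed: random letter strings are vowel-poor

# Constructed log format: "<timestamp> <host> query <domain> <rcode>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) query (?P<domain>\S+) (?P<rcode>\S+)$")

# Constructed sample log; every domain here is made up for the example.
SAMPLE_LOG = """\
2017-05-10T12:00:01Z ws-17 query 04f645a5.com NXDOMAIN
2017-05-10T12:00:02Z ws-17 query 9b3e11c0.net NXDOMAIN
2017-05-10T12:00:02Z ws-17 query five12qwzxkrt.ru NXDOMAIN
2017-05-10T12:00:03Z ws-17 query popkjhgfds.com NXDOMAIN
2017-05-10T12:00:04Z ws-17 query xn--4gbrim3j8k2l9m5n7p1q0r.com NXDOMAIN
2017-05-10T12:00:05Z ws-17 query qzkxwrtplmvb.ga NXDOMAIN
2017-05-10T12:00:06Z ws-17 query 7dd1c3f2.info NOERROR
2017-05-10T12:00:07Z ws-02 query www.example.com NOERROR
2017-05-10T12:00:08Z ws-02 query mail.example.net NOERROR
2017-05-10T12:00:09Z ws-02 query security.im NOERROR
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's symbol distribution."""
    counts = Counter(s.lower())
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def vowel_ratio(s: str) -> float:
    """Fraction of characters that are vowels; dictionary words score high."""
    return sum(ch in "aeiou" for ch in s.lower()) / max(len(s), 1)


def classify(domain: str):
    """Return the name of the matching DGA-shaped pattern, or None."""
    d = domain.lower().rstrip(".")
    if HEX_DWORD.match(d):
        return "hex-dword"
    if FIVE_POP.match(d):
        return "five/pop-prefix"
    if PUNYCODE_LIKE.match(d):
        return "punycode-like"
    label, _, tld = d.rpartition(".")
    if (tld in EXOTIC_TLDS and "." not in label and 8 <= len(label) <= 20
            and shannon_entropy(label) >= ENTROPY_THRESHOLD
            and vowel_ratio(label) < VOWEL_RATIO_MAX):
        return "random-label-exotic-tld"
    return None


def scan(log_text: str, nxdomain_threshold: int = 5):
    """Classify each queried domain and flag hosts whose count of NXDOMAIN
    answers for DGA-shaped names reaches the threshold. A DGA-driven process
    typically asks for many unregistered names before reaching a live one,
    so the per-host NXDOMAIN pile-up is the behavioural signal."""
    hits = []
    nx_per_host = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        family = classify(m["domain"])
        if family:
            hits.append((m["host"], m["domain"], family))
            if m["rcode"] == "NXDOMAIN":
                nx_per_host[m["host"]] += 1
    suspicious_hosts = sorted(h for h, n in nx_per_host.items() if n >= nxdomain_threshold)
    return hits, suspicious_hosts


if __name__ == "__main__":
    hits, hosts = scan(SAMPLE_LOG)
    for host, domain, family in hits:
        print(f"{host:6} {domain:32} {family}")
    print("hosts with DGA-like NXDOMAIN bursts:", hosts)
```

Note the benign `security.im` line: its label has eight distinct characters, so Shannon entropy alone gives it 3.0 bits per character, the same as the assumed threshold, and only the vowel-ratio check keeps it off the list. Short labels give little statistical separation, which is why the per-host NXDOMAIN aggregation, rather than any single pattern match, should drive an alert.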

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
