SecurityWeek


New DGA Variants Spotted in Attacks

Researchers at endpoint security firm Cybereason have identified several new domain generation algorithm (DGA) variants currently used by malware and exploit kits.


In an effort to make their operations more difficult to disrupt, threat actors have been increasingly using DGAs to generate domain names for their command and control (C&C) servers. Some pieces of malware rely on DGAs that can generate thousands of domains every day and each of them is only active for a short period of time.

Security firms often try to figure out how a certain DGA works in an effort to predict domain names and ensure that their products block them. While this method has had some success, Cybereason now claims it has found a way to detect DGAs and malicious activity associated with them by looking for specific behavior.

“Instead of undertaking the Sisyphean task of fighting each DGA variant, a better approach would be to look for common techniques used by DGAs. Just detecting a DGA incriminates a process as malicious since no legitimate process will ever use such a technique,” explained Uri Sternfeld, research team leader at Cybereason.

The company says it has used its novel technique to identify dozens of DGAs used in attacks affecting its customers, and it has published a report detailing eight of the more interesting ones, including what researchers believe to be new variants.

For instance, Cybereason has identified a piece of malware with Russian origins that uses a DGA designed to generate 35 .ru or .com domains per day. The domains are generated using seven random letters preceded by the string “five” and a number (e.g. five14.lzeaeac.ru). A similar variant generates domain names with the string “pop” and without numbers (e.g. pop.imvhhht.ru).

Another apparently new DGA has been used by an unidentified piece of malware that injects code into the svchost.exe process. The DGA generates a random value for a DWORD (32-bit unsigned integer) variable and converts it to a hexadecimal string, which becomes the domain name. The domains are hosted on the .com, .net or .info TLDs (e.g. 04F645A5.COM).

A different unknown piece of malware uses a DGA which generates domains using long, randomly-generated strings that look like Punycode.


The Angler exploit kit has been known to use DGAs, but Cybereason researchers believe its authors might have turned to a new variant that generates .com domain names using random characters and digits.

DGAs often create domain names using combinations of random words from predefined lists. A variation of this method, spotted by experts in Dridex banking Trojan attacks, involves breaking, shifting and padding the words with random characters. The names are generated for Mongolia (.mn) and Montenegro (.me) TLDs.

The DGA used by the Necurs backdoor is also interesting as it generates random names that are 8-20 characters in length on exotic TLDs, such as .im (Isle of Man), .ga (Gabon), .sc (Seychelles), .tu (Tuvalu), and .nu (Niue).
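The domain shapes described above (the "five"/"pop" variant, the hexadecimal DWORD variant, and the Necurs names on exotic TLDs) lend themselves to a simple defender-side check. The following is an added example, not code from the article or from Cybereason: it matches the described formats against endpoint DNS log lines and, as a generic behavioural heuristic, flags processes with a burst of NXDOMAIN responses, which is typical when most generated names are never registered. The log format, process names and the `nx_threshold` value are assumptions.

```python
import re
from collections import Counter, defaultdict

# Regexes approximating the domain formats described in the article (the TLD
# lists and shapes come from the text; the regexes are my own approximation,
# not Cybereason's detection logic).
SIGNATURES = {
    "five/pop variant": re.compile(r"^(?:five\d+|pop)\.[a-z]{7}\.(?:ru|com)$"),
    "hex DWORD variant": re.compile(r"^[0-9a-f]{8}\.(?:com|net|info)$"),
    "Necurs-like": re.compile(r"^[a-z0-9]{8,20}\.(?:im|ga|sc|tu|nu)$"),
}

# Constructed sample of endpoint DNS telemetry: process, queried name, response code.
SAMPLE_LOG = [
    "proc=svchost.exe qname=04F645A5.COM rcode=NXDOMAIN",
    "proc=svchost.exe qname=1a2b3c4d.net rcode=NXDOMAIN",
    "proc=svchost.exe qname=ffee0011.info rcode=NXDOMAIN",
    "proc=updater.exe qname=five14.lzeaeac.ru rcode=NXDOMAIN",
    "proc=updater.exe qname=pop.imvhhht.ru rcode=NOERROR",
    "proc=unknown.exe qname=kjhgfdsazxcvbnm.im rcode=NXDOMAIN",
    "proc=chrome.exe qname=www.example.com rcode=NOERROR",
]

def match_signature(domain):
    """Return the name of the first matching known DGA shape, else None."""
    d = domain.lower().rstrip(".")
    for name, pattern in SIGNATURES.items():
        if pattern.match(d):
            return name
    return None

def parse_line(line):
    """Parse one 'key=value' log line into (process, qname, rcode)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["proc"], fields["qname"], fields["rcode"]

def analyse(lines, nx_threshold=3):
    """Per process: signature hits plus a flag when NXDOMAIN responses reach
    nx_threshold (a generic burst heuristic, not the article's method)."""
    hits = defaultdict(list)
    nx = Counter()
    for line in lines:
        proc, qname, rcode = parse_line(line)
        sig = match_signature(qname)
        if sig:
            hits[proc].append((qname, sig))
        if rcode == "NXDOMAIN":
            nx[proc] += 1
    return {proc: {"signatures": hits[proc], "nxdomain_burst": nx[proc] >= nx_threshold}
            for proc in set(hits) | set(nx)}
```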

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
