Researchers at endpoint security firm Cybereason have identified several new domain generation algorithm (DGA) variants currently used by malware and exploit kits.
In an effort to make their operations more difficult to disrupt, threat actors have been increasingly using DGAs to generate domain names for their command and control (C&C) servers. Some pieces of malware rely on DGAs that can generate thousands of domains every day and each of them is only active for a short period of time.
Security firms often try to figure out how a certain DGA works in an effort to predict domain names and ensure that their products block them. While this method has had some success, Cybereason now claims it has found a way to detect DGAs and malicious activity associated with them by looking for specific behavior.
“Instead of undertaking the Sisyphean task of fighting each DGA variant, a better approach would be to look for common techniques used by DGAs. Just detecting a DGA incriminates a process as malicious since no legitimate process will ever use such a technique,” explained Uri Sternfeld, research team leader at Cybereason.
The company says it has used its novel technique to identify dozens of DGAs used in attacks affecting its customers, and it has published a report detailing eight of the more interesting ones, including what researchers believe to be new variants.
For instance, Cybereason has identified a piece of malware with Russian origins that uses a DGA designed to generate 35 .ru or .com domains per day. The domains are generated using seven random letters preceded by the string “five” and a number (e.g. five14.lzeaeac.ru). A similar variant generates domain names with the string “pop” and without numbers (e.g. pop.imvhhht.ru).
Another apparently new DGA has been used by an unidentified piece of malware that injects code into the svchost.exe process. The DGA generates a random value for a DWORD (32-bit unsigned integer) variable and converts it to a hexadecimal string, which is then used as the domain name. The domains are hosted on the .com, .net or .info TLDs (e.g. 04F645A5.COM).
A different unknown piece of malware uses a DGA which generates domains using long, randomly-generated strings that look like Punycode.
The Angler exploit kit has been known to use DGAs, but Cybereason researchers believe its authors might have turned to a new variant that generates .com domain names using random characters and digits.
DGAs often create domain names using combinations of random words from predefined lists. A variation of this method, spotted by experts in Dridex banking Trojan attacks, involves breaking, shifting and padding the words with random characters. The names are generated on the Mongolia (.mn) and Montenegro (.me) TLDs.
The DGA used by the Necurs backdoor is also interesting as it generates random names that are 8-20 characters in length on exotic TLDs, such as .im (Isle of Man), .ga (Gabon), .sc (Seychelles), .tu (Tuvalu), and .nu (Niue).
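The article describes three of these DGA families precisely enough to write detection logic for them: the "five"/"pop" prefix variant with seven random letters on .ru or .com, the DWORD-as-hexadecimal variant on .com/.net/.info, and the Necurs-style 8-20 character names on the listed exotic TLDs. The following is an added example (not Cybereason's code or the article's) that matches those three shapes against constructed DNS query log lines. The log format, the entropy threshold of 3.0 bits for the Necurs-style check, and the reading of "8-20 characters" as the length of the single label before the TLD are all assumptions made for the example.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log (timestamp, client IP, queried name).
# These lines are made up for the example; the DGA-shaped names follow the
# patterns the article describes.
SAMPLE_LOG = """\
2016-06-14T09:12:01Z 10.0.0.14 www.example.com
2016-06-14T09:12:03Z 10.0.0.14 five14.lzeaeac.ru
2016-06-14T09:12:04Z 10.0.0.14 pop.imvhhht.ru
2016-06-14T09:12:06Z 10.0.0.22 04F645A5.COM
2016-06-14T09:12:07Z 10.0.0.22 mail.google.com
2016-06-14T09:12:09Z 10.0.0.31 qzkxwvtrmplbn.ga
2016-06-14T09:12:10Z 10.0.0.31 cdn.jsdelivr.net
"""

# Pattern 1 (article): "five" followed by a number, or "pop" with no number,
# then a label of exactly seven letters, on .ru or .com.
FIVE_POP_RE = re.compile(r"^(?:five\d+|pop)\.[a-z]{7}\.(?:ru|com)$")

# Pattern 2 (article): a 32-bit value rendered as exactly eight hex digits,
# used as the only label, on .com, .net or .info.
DWORD_HEX_RE = re.compile(r"^[0-9a-f]{8}\.(?:com|net|info)$")

# Pattern 3 (article): Necurs-style single label of 8-20 characters on the
# exotic TLDs the article lists (".tu" is reproduced as the article gives it).
EXOTIC_TLDS = ("im", "ga", "sc", "tu", "nu")
EXOTIC_RE = re.compile(r"^[a-z0-9]{8,20}\.(?:%s)$" % "|".join(EXOTIC_TLDS))

# Assumed heuristic: a random-looking label has high per-character entropy.
# 3.0 bits is a chosen threshold for this example, not a value from the article.
ENTROPY_THRESHOLD = 3.0


def shannon_entropy(s):
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify(domain):
    """Return a verdict string for one queried name.

    Matching is case-insensitive and ignores a trailing root dot.
    """
    d = domain.lower().rstrip(".")
    if FIVE_POP_RE.match(d):
        return "dga:five-pop"
    if DWORD_HEX_RE.match(d):
        return "dga:dword-hex"
    if EXOTIC_RE.match(d):
        # Shape alone is too loose for pattern 3, so also require a
        # random-looking label before flagging.
        label = d.split(".")[0]
        if shannon_entropy(label) >= ENTROPY_THRESHOLD:
            return "dga:necurs-like"
    return "benign"


def scan_log(text):
    """Parse log lines of the assumed 'timestamp client domain' form and
    return (client, domain, verdict) for every non-benign query."""
    flagged = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash
        _ts, client, domain = parts
        verdict = classify(domain)
        if verdict != "benign":
            flagged.append((client, domain, verdict))
    return flagged


if __name__ == "__main__":
    for client, domain, verdict in scan_log(SAMPLE_LOG):
        print(f"{client}\t{domain}\t{verdict}")
```

The first two patterns are tight enough to act on directly; the third is a heuristic, since a legitimate 8-20 character name on one of those TLDs with a varied label will also pass, so in practice it belongs in a scoring pipeline alongside other signals (NXDOMAIN rate per host, the process issuing the lookups) rather than as a blocking rule on its own.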