Revolver Rabbit, one of the most notorious cybercriminal rings, registered over half a million domain names for its infostealer campaigns that target Windows and macOS systems.
According to reports, the threat actors heavily relied on registered domain generation algorithms (RDGAs), automated methods for instantly registering many domain names, to operate the campaign successfully on a large scale.
RDGAs are similar to domain generation algorithms (DGAs), which cybercriminals commonly embed in malware to generate a list of probable C2 communication destinations. One distinction between the two is that a DGA ships inside the malware and only some of the domains it produces are ever registered, whereas an RDGA stays with the attacker, never appears in the malware, and every domain it generates is registered.
While researchers can discover DGAs and attempt to reverse engineer them to identify potential C2 domains, RDGAs are discreet, making it more difficult to determine the pattern for generating domains to register.
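The distinction above has a direct defensive consequence: the classic DGA signal (a client producing many NXDOMAIN responses for unregistered names) vanishes when every generated domain is registered. The following added example, not from the article, runs that check and a per-TLD fan-out heuristic (an illustrative assumption, not a technique the researchers describe) over constructed passive-DNS records:

```python
"""Added example (not from the original article): the NXDOMAIN-ratio signal
catches DGA traffic but misses RDGA traffic, while a per-TLD fan-out
heuristic (an assumption for illustration) still flags the latter.
All log records below are constructed."""
from collections import defaultdict

# Constructed passive-DNS records: (client, queried domain, response code).
# host-a behaves like DGA malware: most generated names are unregistered.
# host-b behaves like an RDGA-backed infostealer: every name resolves
# because the operator registered all of them (here all under .bond).
LOG = [
    ("host-a", "qzx7kd.net", "NXDOMAIN"), ("host-a", "p0wlm2.net", "NXDOMAIN"),
    ("host-a", "hg3tt9.net", "NXDOMAIN"), ("host-a", "mn8v1c.net", "NOERROR"),
    ("host-a", "xxr4ue.net", "NXDOMAIN"), ("host-a", "ddk2ao.net", "NXDOMAIN"),
    ("host-b", "alpha-cloud-19.bond", "NOERROR"), ("host-b", "alpha-cloud-20.bond", "NOERROR"),
    ("host-b", "alpha-cloud-21.bond", "NOERROR"), ("host-b", "alpha-cloud-22.bond", "NOERROR"),
    ("host-b", "alpha-cloud-23.bond", "NOERROR"), ("host-b", "alpha-cloud-24.bond", "NOERROR"),
    ("host-c", "example.com", "NOERROR"), ("host-c", "mail.example.com", "NOERROR"),
    ("host-c", "cdn.example.net", "NOERROR"),
]

def nxdomain_ratio(log, client):
    """Share of a client's lookups that failed with NXDOMAIN."""
    rows = [r for r in log if r[0] == client]
    return sum(r[2] == "NXDOMAIN" for r in rows) / len(rows)

def tld_fanout(log, client):
    """Largest number of distinct resolving registrable domains a client
    touched under a single TLD; bulk registration in one TLD inflates it."""
    per_tld = defaultdict(set)
    for c, dom, rc in log:
        if c == client and rc == "NOERROR":
            labels = dom.lower().rstrip(".").split(".")
            # Simplified registrable name (ignores multi-label public suffixes).
            per_tld[labels[-1]].add(".".join(labels[-2:]))
    return max((len(s) for s in per_tld.values()), default=0)

def classify(log, client, nx_threshold=0.5, fanout_threshold=5):
    """Return which heuristic, if any, flags the client."""
    if nxdomain_ratio(log, client) >= nx_threshold:
        return "dga-like"
    if tld_fanout(log, client) >= fanout_threshold:
        return "rdga-like"
    return "benign"

if __name__ == "__main__":
    for host in ("host-a", "host-b", "host-c"):
        print(host, classify(LOG, host))
```

The NXDOMAIN check alone would label host-b benign; only the fan-out heuristic surfaces it, which is the gap the article's DGA-versus-RDGA distinction points at.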
Revolver Rabbit controls over 500,000 domains and has paid millions in registration fees.
According to investigations, Revolver Rabbit has been utilising RDGAs to purchase hundreds of thousands of domains, totalling more than $1 million in registration fees.
This threat group also distributes the XLoader information-stealing malware, regarded as the successor to Formbook. The group has produced variants for both Windows and macOS devices that can harvest sensitive information or execute additional malicious files.
Revolver Rabbit controls over 500,000 domains in the .BOND top-level domain, which are used to host both decoy and live command-and-control servers for its malware.
The researchers also believe the group may have operated in numerous other TLDs over the past few years: the roughly 500,000 domains observed are those under .BOND, while the group has registered over 700,000 domains in total.
Hence, given that a .BOND name costs about $2, Revolver Rabbit's "investment" in its XLoader malware operation could reach close to a million dollars, not counting previous acquisitions or domains in other TLDs.
Researchers say defenders should treat the Revolver Rabbit RDGA as linked to an established malware campaign, since various threat actors now include RDGAs in their cybercrime arsenal.