Revolver Rabbit Gang Registers 500,000 Domains for Malware Campaigns
Summary:
Researchers have identified a cybercriminal group known as Revolver Rabbit, which has registered over 500,000 domain names for infostealer campaigns targeting Windows and macOS systems. This operation relies on registered domain generation algorithms, enabling the automated registration of numerous domain names quickly. Unlike domain generation algorithms embedded in malware, RDGAs remain with the threat actors, making them more challenging for researchers to reverse engineer.
Infoblox, a DNS-focused security vendor, discovered that Revolver Rabbit has invested over $1 million in registering these domains, primarily for distributing the XLoader info-stealing malware. This malware, a successor to Formbook, targets both Windows and macOS systems to collect sensitive information or execute malicious files. Revolver Rabbit predominantly uses .BOND top-level domains, among others, for both decoy and live C2servers. The RDGA pattern used by Revolver Rabbit typically consists of dictionary words followed by a five-digit number, separated by dashes.
Security Officer Comments:
Infoblox has been tracking Revolver Rabbit for nearly a year, noting the use of RDGAs has obscured the group's objectives until recently. Multiple threat actors utilize RDGAs for various malicious operations, including malware delivery, phishing, spam campaigns, and scams, making RDGAs a significant tool in cybercriminal activities.
Suggested Corrections:
Domain Monitoring and Blocking:
Network Traffic Analysis:
Advanced Endpoint Protection:
User Education and Awareness:
Email Filtering:
Link(s):
https://www.bleepingcomputer.com/ne...isters-500-000-domains-for-malware-campaigns/
Researchers have identified a cybercriminal group known as Revolver Rabbit, which has registered over 500,000 domain names for infostealer campaigns targeting Windows and macOS systems. This operation relies on registered domain generation algorithms, enabling the automated registration of numerous domain names quickly. Unlike domain generation algorithms embedded in malware, RDGAs remain with the threat actors, making them more challenging for researchers to reverse engineer.
Infoblox, a DNS-focused security vendor, discovered that Revolver Rabbit has invested over $1 million in registering these domains, primarily for distributing the XLoader info-stealing malware. This malware, a successor to Formbook, targets both Windows and macOS systems to collect sensitive information or execute malicious files. Revolver Rabbit predominantly uses .BOND top-level domains, among others, for both decoy and live C2servers. The RDGA pattern used by Revolver Rabbit typically consists of dictionary words followed by a five-digit number, separated by dashes.
Security Officer Comments:
Infoblox has been tracking Revolver Rabbit for nearly a year, noting the use of RDGAs has obscured the group's objectives until recently. Multiple threat actors utilize RDGAs for various malicious operations, including malware delivery, phishing, spam campaigns, and scams, making RDGAs a significant tool in cybercriminal activities.
Suggested Corrections:
Domain Monitoring and Blocking:
- Monitor newly registered domains, especially those using common RDGA patterns.
- Block suspicious domains, particularly those with unusual TLDs like .BOND.
Network Traffic Analysis:
- Analyze network traffic for connections to known malicious domains or IP addresses.
- Implement DNS filtering to prevent access to malicious domains.
Advanced Endpoint Protection:
- Use advanced endpoint protection solutions that can detect and block infostealer malware like XLoader.
- Ensure all systems have up-to-date antivirus and antimalware software.
User Education and Awareness:
- Educate employees about the risks of phishing and other social engineering attacks that may lead to malware infection.
- Encourage users to avoid clicking on suspicious links or downloading attachments from unknown sources.
Email Filtering:
- Implement robust email filtering to detect and block malicious attachments and links.
Link(s):
https://www.bleepingcomputer.com/ne...isters-500-000-domains-for-malware-campaigns/