Threat Actors Modify DGA Patterns to Enhance C2 Communication

Morgan Phisher February 5, 2024

Say hello to Domain Generation Algorithms (DGAs), a technique malicious actors have been using against our defenses. San Francisco Bay Area techies, this one goes out to you. Have you ever thought about the role of domain names in a malicious attack? It’s easy to overlook, but it turns out they’re the meeting point between malware and its Command and Control servers. Pretty complex, right?

Let’s jump right in! DGAs have been making waves in the cyber world, keeping security professionals on their toes. What’s fascinating (and honestly, a little scary) is that these DGAs generate a whole lot of domain names, which morph and proliferate like Hydra heads. Each new domain offers a potential sanctuary for malware, making it increasingly tough to track and block them during nasty cyberattacks.

Now, our cybersecurity professionals are a sharp lot, no doubt about it. But it has recently come to light that the proverbial bad guys, these threat actors, are playing chess, not checkers. They’ve been fiddling with DGA patterns, transforming their Command and Control (C2) communication to make it harder for our cybersecurity pros to analyze their strategy.

Talk about a wild chase! An infected device latches on to any domain cooked up by a DGA. When you’ve got a botnet churning out, say, 500 domains a day, the infected device tries to connect to all of them, while the attacker only needs to register one to take control. These rapid-fire changes make blocking a genuine brain teaser for researchers, especially since these domains usually end up looking completely random, and they creep in through cheap Top Level Domains (TLDs).

Before the era of DGAs, cyberattackers would stick with hardcoded domains for C2 communication, which defenders could simply block once discovered. With the evolution of DGAs, life got simpler for them, opening the door to campaigns like DDoS attacks, cryptomining, espionage, email fraud, and much, much more.

In the DGA world, we see two clear types: the statically and the dynamically seeded ones. With static seeds, we get consistent domains that, once spotted and reverse-engineered, are promptly blocked. Dynamic DGAs, however, merit a raised eyebrow. They lean on time-based seeds, which make their domain names that much harder to predict. Security researchers can forecast domains generated by date-based seeds, but those that use unpredictable factors, well, those are the tricky ones.

These intricacies came to light recently when some odd behavior was detected in dynamically seeded DGAs. Both the Pushdo and Necurs malware families were misbehaving, generating malicious domains way ahead of (and way after) their expected dates.
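To make the forecasting idea concrete, here is an added example (not code from HEAL Security or from any real malware family) of what a defender does once a date-seeded algorithm has been reverse-engineered: precompute the domains for a window of dates, widen that window on both sides because of the early-and-late behavior just described, and then check DNS query logs against the result. The algorithm `toy_dga`, the log format, and the entropy threshold are all constructed for illustration; a real family's arithmetic would be dropped in where the toy sits.

```python
import hashlib
import math
from collections import Counter
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple

# Constructed toy stand-in for a reverse-engineered, date-seeded DGA.
# It only exists so the defensive steps below have something to run against.
def toy_dga(day: date, count: int = 5, tlds=("xyz", "top", "info")) -> List[str]:
    domains = []
    for i in range(count):
        seed = f"{day.isoformat()}:{i}".encode()          # date is the seed
        digest = hashlib.sha256(seed).hexdigest()
        # map 12 hex digits onto letters a..p to get a random-looking label
        label = "".join(chr(ord("a") + int(c, 16)) for c in digest[:12])
        domains.append(f"{label}.{tlds[i % len(tlds)]}")
    return domains

def precompute_blocklist(center: date, days_before: int, days_after: int) -> Set[str]:
    """Every domain the algorithm yields in [center-days_before, center+days_after].
    The window is widened on both sides because families were seen generating
    domains well before and after their nominal dates."""
    block: Set[str] = set()
    for offset in range(-days_before, days_after + 1):
        block.update(toy_dga(center + timedelta(days=offset)))
    return block

def shannon_entropy(label: str) -> float:
    """Bits per character; high values flag the 'completely random' look of DGA labels."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def classify_query(domain: str, blocklist: Set[str], entropy_threshold: float = 3.5) -> str:
    """'known-dga' if precomputed, 'suspicious-random' on a long high-entropy label, else 'benign'."""
    if domain in blocklist:
        return "known-dga"
    label = domain.split(".")[0]
    if len(label) >= 10 and shannon_entropy(label) >= entropy_threshold:
        return "suspicious-random"
    return "benign"

def scan_log(lines: List[str], blocklist: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (client, domain, verdict) for every non-benign query in the log lines."""
    hits = []
    for line in lines:
        fields: Dict[str, str] = dict(f.split("=", 1) for f in line.split()[1:])
        verdict = classify_query(fields["query"], blocklist)
        if verdict != "benign":
            hits.append((fields["client"], fields["query"], verdict))
    return hits

# Constructed sample DNS log: one query hits a precomputed domain, one looks random, two are benign.
CENTER = date(2024, 2, 5)
KNOWN_DGA_DOMAIN = toy_dga(CENTER)[0]
SAMPLE_DNS_LOG = [
    "2024-02-05T10:00:01 client=10.0.0.5 query=www.google.com",
    f"2024-02-05T10:00:02 client=10.0.0.5 query={KNOWN_DGA_DOMAIN}",
    "2024-02-05T10:00:03 client=10.0.0.9 query=xq7zk2plw9vt.top",
    "2024-02-05T10:00:04 client=10.0.0.9 query=mail.example.com",
]

if __name__ == "__main__":
    blocklist = precompute_blocklist(CENTER, days_before=3, days_after=3)
    for client, domain, verdict in scan_log(SAMPLE_DNS_LOG, blocklist):
        print(f"{client} -> {domain}: {verdict}")
```

The precomputed set is the cheap, exact check; the entropy test is the fallback for seeds you cannot forecast, and in practice it needs allow-listing (CDN hostnames and similar legitimately random-looking labels) to keep false positives down.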

So, you see, our cybersecurity teams have quite a task at hand. They must continually separate the wheat from the chaff, threading the needle in an ever-evolving landscape of cyber threats. And yes, it’s a significant weight on their shoulders, but then again, there’s never a dull moment in cybersecurity. Challenge accepted! Stay in the loop with all things cybersecurity; you don’t want to miss a beat. And here’s to the good guys! Be safe out there.

by Morgan Phisher | HEAL Security