Suspicious DGA Domains, Discovered in DNS, Turn up in Malware Campaigns

Everyone wants to block threats before they are actively used in a malicious campaign. By detecting domains early, when we only know that they are suspicious based on our deep knowledge of DNS features and behavior, Infoblox is able to do exactly that. One of our newest patent pending algorithms, which searches for registered domains created by domain generation algorithms (DGAs), has been finding DNS infrastructure actors that support major efforts such as malvertising campaigns. While we don’t always know the “flavor” of the threats being spread via these networks, we can be highly confident in blocking them.

Another of our algorithms recently connected a large cluster of suspicious DGA domains to malware distribution. This detector, which searches for indicators associated with malicious files using living off the land (LotL) techniques, found a domain matching the Thor Scanner ruleset for a Chinese advanced persistent threat (APT) actor and the Sparkle payload. While the campaign ran in June 2023, the indicators had been detected and blocked by our suspicious registered DGA algorithm earlier, in March.

The actor or actors managing the domains had strategically aged them before leveraging them. They utilised dynamic DNS, which allows their IP addresses to change rapidly. All the IPs are hosted in China, and the associated files primarily have Chinese titles that translate to “Project 1” or are listed as “system.exe”. Our registered DGA detector had identified 29 simultaneously observed domains as part of a single DNS infrastructure, and every one of these domains was later associated with the malware campaign.

Upon finding this overlap between detections from different algorithms, we pivoted to a global data set and identified additional related domains based on key features, increasing the size of the actor’s DNS infrastructure to over 125 domains.

Most of the DGA domains in this article remain undetected in other vendor products, and only few are known as malicious. When organisations block indicators that are “suspicious” rather than confirmed malware, they are protected before the exact nature of the threat is known. Infoblox has observed that malvertising actors, including in VexTrio and Omnatuor, often use infrastructure such as this to deliver a range of malware, along with ads. For example, VirusTotal annotates these domains as media sharing and lists them as a top 1m domain, while in reality they deliver malware, scams, and even spearphishing campaigns. This is typical of large-scale malvertising networks using registered DGAs.

Since very early in 2022, Infoblox has actively monitored and documented a series of malicious campaigns that exploit a dictionary DGA (DDGA) to carry out scams and disseminate various types of harmful content such as riskware, spyware, adware, potentially unwanted programmes, and pornography. This particular attack network, which we call VexTrio, has widespread implications, impacting targets across multiple industries. VexTrio infrastructure was recently observed in compromised WordPress sites using DNS TXT records to redirect victims to support scams, according to new research by Sucuri Security. We have associated over 57,000 domains to VexTrio and new domains are added to the infrastructure regularly.

In addition to tracking the VexTrio infrastructure actor, Infoblox has also been monitoring the Omnatuor malvertising network. Similar to VexTrio, the Omnatuor infrastructure actor exploits vulnerabilities to effectively distribute riskware, spyware, and adware. Both actors employ an extensive infrastructure and leverage a wide-reaching network spanning across the globe. Our investigations have revealed the existence of more than 9,900 domains and 170 IP addresses associated with the original “seed” domain, omnatuor[.]com. And we have created DNS signatures to follow these two actors as well as the one behind the registered DGA cluster described above, and promote detected indicators from suspicious to malicious once their role and usage is known. For more information about Infoblox’s suspicious domain feeds, see our article Getting in Front of Threats.

In context, only a few short years ago, threat actors would embed these malicious DGA generators within the malware itself. Strategically, while they would generate many new domains with their algorithms, they would only register a small number of domains for use as command and control (C2). Today, larger quantities of registered domains are being generated almost at once, in support of various networks, often with both legitimate uses as well as being used for the distribution of malware.

For the complete list of the indicators relevant to our recent findings, see our GitHub repository.