
Revolver Rabbit gang registers 500,000 domains for malware campaigns
2024-07-18 21:30

A cybercriminal gang that researchers track as Revolver Rabbit has registered more than 500,000 domain names for infostealer campaigns that target Windows and macOS systems.

One difference between DGAs and RDGAs is that a DGA is embedded in the malware and only some of the domains it generates are ever registered, whereas an RDGA stays in the threat actor's hands and every generated domain is registered.

Researchers at DNS-focused security vendor Infoblox discovered that Revolver Rabbit has been using RDGAs to buy hundreds of thousands of domains, which amounts to more than $1 million in registration fees.

The domains are registered under the .BOND top-level domain and are used to create both decoy and live C2 servers for the malware.

The .BOND domains related to Revolver Rabbit are the easiest to see, but the threat actor has registered more than 700,000 domains over time across multiple TLDs. Considering that the price of a .BOND domain is around $2, the "investment" Revolver Rabbit made in their XLoader operation is close to $1 million, excluding past purchases or domains on other TLDs. "The most common RDGA pattern this actor uses is a series of one or more dictionary words followed by a five-digit number, with each word or number separated by a dash," Infoblox said.
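The naming pattern quoted above is simple enough to turn into a DNS-log heuristic. The following is an added example written for this page, not code from Infoblox or the article; it assumes a constructed three-column query-log layout (timestamp, client, query name) and single-label TLDs, and the sample domains are made up, not real indicators.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample DNS query log (not real indicators). Assumed layout:
# "<timestamp> <client-ip> <query-name>", one query per line.
SAMPLE_DNS_LOG = """\
2024-07-18T21:30:01Z 10.0.0.5 cheap-office-chairs-12345.bond
2024-07-18T21:30:02Z 10.0.0.5 www.example.com
2024-07-18T21:30:03Z 10.0.0.7 bot-ai-2024.bond
2024-07-18T21:30:04Z 10.0.0.7 free-music-77777.top
2024-07-18T21:30:05Z 10.0.0.9 cdn.assets-12345.example.net
2024-07-18T21:30:06Z 10.0.0.9 best-laptop-deals-00042.bond
"""

# The pattern Infoblox describes: one or more dictionary words, then a
# five-digit number, every part separated by a dash. Matching is done on
# the registered label only, so subdomains do not affect the result.
RDGA_LABEL = re.compile(r"^(?:[a-z]+-)+[0-9]{5}$")


def registered_label(qname: str) -> Optional[str]:
    """Return the label directly left of the TLD ('foo-12345' for
    'sub.foo-12345.bond'). Assumes a single-label TLD (no .co.uk handling)."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    return labels[-2]


def matches_rdga_pattern(qname: str) -> bool:
    """True if the registered label follows the words-then-five-digits pattern."""
    label = registered_label(qname)
    return label is not None and RDGA_LABEL.fullmatch(label) is not None


def flag_rdga_queries(log_text: str, tld: Optional[str] = "bond") -> List[Tuple[str, str]]:
    """Return (client, qname) pairs whose query matches the pattern.
    When tld is given, only names under that TLD are considered; pass None
    to apply the heuristic across all TLDs (more hits, more false positives)."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qname = parts
        if tld and not qname.lower().rstrip(".").endswith("." + tld):
            continue
        if matches_rdga_pattern(qname):
            hits.append((client, qname))
    return hits


if __name__ == "__main__":
    for client, qname in flag_rdga_queries(SAMPLE_DNS_LOG):
        print(f"RDGA-like query from {client}: {qname}")
```

Treat a hit as a lead for enrichment (registration date, registrar, resolution history), not as proof of compromise, since legitimate names can follow the same shape.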

The researchers say that "Connecting the Revolver Rabbit RDGA to an established malware after months of tracking highlights the importance of understanding RDGAs as a technique within the threat actor's toolbox."


News URL

https://www.bleepingcomputer.com/news/security/revolver-rabbit-gang-registers-500-000-domains-for-malware-campaigns/