If you have been keeping up with recent cybersecurity headlines, you have undoubtedly seen, heard, or read something about companies like SolarWinds, FireEye, and Microsoft, among many others, being attacked by an unidentified threat actor. Although not the first to do so, this threat actor creates sub-domains for its SUNBURST malware using an intriguing method in order to reach the next stage of execution on the target systems.
When an attacker uses a domain generation algorithm (DGA), the result lets them completely avoid detection or get around blocklists and IP blocking. Attackers can easily rotate domains, avoid security controls and restrictions, and hinder domain takedowns and seizures, as was the case with Microsoft and TrickBot. DGAs work because the malware only needs to connect to one of the randomly generated addresses in order to succeed, allowing attackers to quickly set up domains and control panels. The program simply tries to beacon home to each of the randomly produced addresses.
Although the history of DGAs and their applications is quite brief, it is, to put it mildly, an interesting one. The Kraken malware family is the first (at least the first known) malware family to use a domain generation algorithm. Researchers found that Kraken evolved in 2008 to include pseudo-random domains that it generated on its own. A sample of Kraken that ThreatExpert.com examined is described on their blog.
Kraken Malware’s Domain Generation Algorithm (ThreatExpert)
Walking through the assembly code reveals that the domain is created by a seeded algorithm that produces a complete URL from a random string of vowels and consonants which, because of the way the letters are shifted, closely resembles English spelling and word structure. A domain suffix is appended to the generated random "word" before the malware attempts to connect to the command and control (C2) server to obtain its next set of instructions from the control panel. Because the algorithm was seeded and fully reverse-engineered from the malicious code, researchers at ThreatExpert were able to list every domain it could generate.
Examples of domains produced by this DGA are as follows:
zaljljiebm[.]yi[.]org
xdpdrrzrtmy[.]dynserv[.]com
vnlxpriemei[.]mooo[.]ctom
tqorwrzimvsz[.]dyndns[.]org
saklurivevc[.]yi[.]org
qdofarzixnna[.]mooo[.]com
gnkhyrimpn[.]com
and many more.
The Zeus family of malware is another instance of malware that uses DGA techniques in its code. Banks and other financial organisations are the targets of the Zeus botnet. Because it is spread via emails and infected websites, the botnet can run virtually unnoticed by the average user, and in the absence of a proper EDR, anti-virus or anti-malware solution. The DGA technique used by the malware is one of the reasons it is able to remain essentially unnoticed. The malware generates domains at random and tries a number of them until it receives an appropriate response, at which point it moves on to the next command or stage from the C2 server. In practice, the Zeus malware, specifically Zeus.V3, builds each domain from a 33-45 character pseudo-random string of alphanumeric characters followed by one of six TLDs: .biz, .com, .net, .org, .info or .ru. The FBI, like Microsoft, made an effort to shut down C2 servers and domains associated with the Zeus malware. However, because the server addresses were chosen at random, even if the FBI succeeds in obtaining all of them, the attackers can fall back on the .ru TLD until they can generate more domains under the other 5 TLDs that were previously used. The FBI then has to return to step 1 and try again to halt the malware's operation.
The threat actor who more recently compromised the Orion platform in the SolarWinds supply chain developed a robust DGA for its C2 communications. The SUNBURST DGA, for instance, generates a domain like:
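As an added illustration (not code from the original post), here is a Python check that flags Zeus.V3-style lookups in DNS query logs using the shape just described: a 33-45 character alphanumeric label in front of one of the six TLDs, with a character-entropy floor so that long but repetitive benign names are not flagged. The log format and every queried name below are constructed for the example.

```python
import math
import re

# Zeus.V3 pattern as described above: a 33-45 character pseudo-random
# alphanumeric label followed by one of the six TLDs.
ZEUS_TLDS = ("biz", "com", "net", "org", "info", "ru")
ZEUS_RE = re.compile(r"^([a-z0-9]{33,45})\.(" + "|".join(ZEUS_TLDS) + r")$")


def shannon_entropy(label: str) -> float:
    """Bits per character; a pseudo-random alphanumeric string scores well
    above a repetitive or dictionary-based name of the same length."""
    n = len(label)
    return -sum(label.count(c) / n * math.log2(label.count(c) / n) for c in set(label))


def is_zeus_candidate(domain: str, min_entropy: float = 3.5) -> bool:
    """True when the name has the Zeus.V3 shape and a random-looking label."""
    m = ZEUS_RE.match(domain.lower().rstrip("."))
    return bool(m) and shannon_entropy(m.group(1)) >= min_entropy


def flag_queries(log_lines):
    """Return (client, qname) pairs for queries matching the pattern.
    Assumed log format (constructed): '<timestamp> <client> query <qname> <qtype>'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 5 or parts[2] != "query":
            continue
        qname = parts[3].lower().rstrip(".")
        if is_zeus_candidate(qname):
            hits.append((parts[1], qname))
    return hits


# Constructed sample log; the random-looking labels are made up for this example.
SAMPLE_LOG = [
    "2021-01-05T10:00:01 10.0.0.7 query www.example.com. A",
    "2021-01-05T10:00:02 10.0.0.7 query k3j9x2m7q8w1e5r6t0y4u2i8o3p5a7s9d1f4g6h.com. A",
    "2021-01-05T10:00:03 10.0.0.7 query q7w2e9r4t1y6u3i8o5p0a2s9d4f7g1h6j3k8z.ru. A",
    f"2021-01-05T10:00:04 10.0.0.9 query {'a' * 37}.com. A",  # long but not random
    "2021-01-05T10:00:05 10.0.0.9 query k3j9x2m7q8w1e5r6t0y4u2i8o3p5a7s9d1f4g6h.dev. A",  # TLD not in set
]

if __name__ == "__main__":
    for client, qname in flag_queries(SAMPLE_LOG):
        print(f"{client} -> {qname}")
```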
04r0rndp6aom5fq5g6p1[.]appsync-api[.]us-west-2[.]avsvmcloud[.]com
The RedDrip team recently published findings that allowed them to begin decoding the domain generation method used in the SolarWinds hack. It is a little trickier than Kraken's DGA: two separate techniques are used to produce the domains.
The first method has a few key components. The two main ones are the unique GUID, which is a hash of the current host's hostname and MAC address, and the payload, which is a simple alphabet substitution and shift encoding of the hostname. The encoding uses a substitution table ("rq3gsalt6u1iyfzop572d49bnx8cvmkewhj") and replaces each character with the one 4 positions further along from wherever that character is found in the table. The only difference between this substitution pattern and a Caesar cipher is that it uses a substitution table in addition to the shift.
The second technique uses a Base64 encoding strategy with a different hardcoded key as its custom alphabet ("ph2eifo3n5utg1j8d94qrvbmk0sal76c"), applied to the unique GUID described above. The malware chooses which strategy to use based on the target host's domain name: lower-case letters select the first method, upper-case letters the second.
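To make the two methods concrete, the following Python is an added model of the scheme as the two paragraphs above describe it; it is not SUNBURST's own code. It implements the table-plus-shift encoding and its inverse (the inverse is what an analyst runs on an observed label to recover the hostname), and the custom-alphabet encoding of the GUID. Assumptions, labelled in the comments: characters outside the table pass through unchanged, the GUID is modelled as a truncated MD5 of hostname plus MAC, and because the post's alphabet has 32 symbols the encoder packs 5 bits per symbol.

```python
import hashlib

SUBST_TABLE = "rq3gsalt6u1iyfzop572d49bnx8cvmkewhj"   # substitution table from the post
SHIFT = 4                                           # shift distance from the post
CUSTOM_ALPHABET = "ph2eifo3n5utg1j8d94qrvbmk0sal76c"  # 32-symbol alphabet from the post


def subst_shift_encode(hostname: str) -> str:
    """Method 1: each character found in the table becomes the character 4 positions
    further along (wrapping). Characters not in the table pass through (assumption)."""
    out = []
    for ch in hostname.lower():
        i = SUBST_TABLE.find(ch)
        out.append(SUBST_TABLE[(i + SHIFT) % len(SUBST_TABLE)] if i >= 0 else ch)
    return "".join(out)


def subst_shift_decode(label: str) -> str:
    """Inverse of method 1: shift each table character back by 4 to recover the
    hostname, which is what an analyst does with an observed DGA label."""
    out = []
    for ch in label:
        i = SUBST_TABLE.find(ch)
        out.append(SUBST_TABLE[(i - SHIFT) % len(SUBST_TABLE)] if i >= 0 else ch)
    return "".join(out)


def custom_alphabet_encode(data: bytes) -> str:
    """Method 2 model: emit the GUID bytes as symbols of the 32-character alphabet.
    With 32 symbols each symbol carries 5 bits; that packing is an assumption of
    this model about how the post's alphabet is applied."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)                 # pad to a multiple of 5 bits
    return "".join(CUSTOM_ALPHABET[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def host_guid(hostname: str, mac: str) -> bytes:
    """Unique GUID as the post describes it: a hash of hostname and MAC address.
    MD5 truncated to 8 bytes is this model's choice, not a documented detail."""
    return hashlib.md5((hostname + mac).encode()).digest()[:8]


def make_label(hostname: str, mac: str) -> str:
    """Select the method as the post describes: an all lower-case hostname uses the
    substitution-and-shift encoding, one with upper-case letters uses the GUID encoding."""
    if any(c.isupper() for c in hostname):
        return custom_alphabet_encode(host_guid(hostname, mac))
    return subst_shift_encode(hostname)
```

Running `subst_shift_decode` over the first label of a suspicious subdomain is the defender's side of this: it turns the encoded string back into the hostname that beaconed.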
As the algorithms given as examples in this post show, there are numerous ways to construct a domain that can be used for C2 communications and much more. A DGA can be employed in malware as simply as in Kraken or as intricately as in the recently discovered SUNBURST malware. Given how quickly and uniquely these algorithms can generate domain names and URLs, there is no limit to what they may produce.