
T1568.002 Domain Generation Algorithms

Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.[1][2][3]

DGAs can take the form of apparently random or "gibberish" strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc.). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.[1][2][4][5]

Adversaries may use DGAs for the purpose of Fallback Channels. When contact is lost with the primary command and control server, malware may employ a DGA as a means of reestablishing command and control.[4][6][7]

| Item | Value |
|---|---|
| ID | T1568.002 |
| Sub-techniques | T1568.001, T1568.002, T1568.003 |
| Tactics | TA0011 |
| Platforms | Linux, Windows, macOS |
| Permissions required | User |
| Version | 1.0 |
| Created | 10 March 2020 |
| Last Modified | 11 March 2022 |

Procedure Examples

| ID | Name | Description |
|---|---|---|
| G0096 | APT41 | APT41 has used DGAs to change their C2 servers monthly.[29] |
| S0456 | Aria-body | Aria-body has the ability to use a DGA for C2 communications.[17] |
| S0373 | Astaroth | Astaroth has used a DGA in C2 communications.[21] |
| S0534 | Bazar | Bazar can implement DGA using the current date as a seed variable.[32] |
| S0360 | BONDUPDATER | BONDUPDATER uses a DGA to communicate with command and control servers.[25] |
| S0222 | CCBkdr | CCBkdr can use a DGA for Fallback Channels if communications with the primary command and control server are lost.[4] |
| S0023 | CHOPSTICK | CHOPSTICK can use a DGA for Fallback Channels; domains are generated by concatenating words from lists.[7] |
| S0608 | Conficker | Conficker has used a DGA that seeds with the current UTC victim system date to generate domains.[26][27] |
| S0673 | DarkWatchman | DarkWatchman has used a DGA to generate a domain name for C2.[19] |
| S0600 | Doki | Doki has used the DynDNS service and a DGA based on the Dogecoin blockchain to generate C2 domains.[15] |
| S0377 | Ebury | Ebury has used a DGA to generate a domain name for C2.[23][24] |
| S0531 | Grandoreiro | Grandoreiro can use a DGA for hiding C2 addresses, including use of an algorithm with a user-specific key that changes daily.[12][13] |
| S1015 | Milan | Milan can use hardcoded domains as an input for domain generation algorithms.[16] |
| S0051 | MiniDuke | MiniDuke can use DGA to generate new Twitter URLs for C2.[22] |
| S0508 | Ngrok | Ngrok can provide DGA for C2 servers through the use of random URL strings that change every 12 hours.[20] |
| S0150 | POSHSPY | POSHSPY uses a DGA to derive command and control URLs from a word list.[6] |
| S0650 | QakBot | QakBot can use domain generation algorithms in C2 communication.[14] |
| S0596 | ShadowPad | ShadowPad uses a DGA that is based on the day of the month for C2 servers.[30][31][29] |
| S1019 | Shark | Shark can send DNS C2 communications using a unique domain generation algorithm.[33][16] |
| S0615 | SombRAT | SombRAT can use a custom DGA to generate a subdomain for C2.[18] |
| G0127 | TA551 | TA551 has used a DGA to generate URLs from executed macros.[34][35] |
| S0386 | Ursnif | Ursnif has used a DGA to generate domain names for C2.[28] |

Mitigations

| ID | Mitigation | Description |
|---|---|---|
| M1031 | Network Intrusion Prevention | Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Malware researchers can reverse engineer malware variants that use DGAs and determine future domains that the malware will attempt to contact, but this is a time and resource intensive effort.[1][11] Malware is also increasingly incorporating seed values that can be unique for each instance, which would then need to be determined to extract future generated domains. In some cases, the seed that a particular sample uses can be extracted from DNS traffic.[5] Even so, there can be thousands of possible domains generated per day; this makes it impractical for defenders to preemptively register all possible C2 domains due to the cost. |
| M1021 | Restrict Web-Based Content | In some cases a local DNS sinkhole may be used to help prevent DGA-based command and control at a reduced cost. |

Detection

| ID | Data Source | Data Component |
|---|---|---|
| DS0029 | Network Traffic | Network Traffic Flow |
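As an added example (not part of the ATT&CK page or of any cited report), the following Python script shows two complementary checks a defender can run over DNS query logs, the Network Traffic Flow data component listed above. The first is a lexical scorer that flags character-level "gibberish" names such as istgmxdejdnxuyla.ru; the second counts, per client, how many distinct names failed to resolve (NXDOMAIN), which is what a DGA client produces while walking through unregistered candidates, and it also catches word-based names such as cityjulydish.net that look like ordinary words and pass the lexical check. The log lines are constructed for the demonstration; the thresholds, the function names, and the naive registrable-label extraction (no public suffix list) are assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample of DNS query log lines: timestamp, client IP, query name,
# response code. Not real traffic. istgmxdejdnxuyla.ru and cityjulydish.net are
# the two example names quoted on the page; every other name is made up here.
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:01 10.0.0.5 www.example.com NOERROR
2024-01-01T10:00:02 10.0.0.5 mail.example.com NOERROR
2024-01-01T10:00:03 10.0.0.5 wwww.example.com NXDOMAIN
2024-01-01T10:00:04 10.0.0.5 update.microsoft.com NOERROR
2024-01-01T10:00:05 10.0.0.9 istgmxdejdnxuyla.ru NXDOMAIN
2024-01-01T10:00:06 10.0.0.9 qzkrwpvbnmtxlsdy.ru NXDOMAIN
2024-01-01T10:00:07 10.0.0.9 hfjdkwpqmzxbtvnr.ru NXDOMAIN
2024-01-01T10:00:08 10.0.0.9 tkmbzxqpwdnrlsvg.ru NXDOMAIN
2024-01-01T10:00:09 10.0.0.9 pxvdmqtznwkrbhls.ru NXDOMAIN
2024-01-01T10:00:10 10.0.0.9 mzqxtbkdvwpnrhlg.ru NXDOMAIN
2024-01-01T10:00:11 10.0.0.12 cityjulydish.net NXDOMAIN
2024-01-01T10:00:12 10.0.0.12 riverbookglass.net NXDOMAIN
2024-01-01T10:00:13 10.0.0.12 moonsaltpaper.net NXDOMAIN
2024-01-01T10:00:14 10.0.0.12 greenwindtable.net NXDOMAIN
2024-01-01T10:00:15 10.0.0.12 stonelampriver.net NXDOMAIN
2024-01-01T10:00:16 10.0.0.12 www.wikipedia.org NOERROR
"""

LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (NOERROR|NXDOMAIN|SERVFAIL|REFUSED)$")
VOWELS = set("aeiou")


def parse_log(text):
    """Parse log lines into (timestamp, client, qname, rcode) tuples; skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            records.append(m.groups())
    return records


def registrable_label(qname):
    """Label just left of the TLD, e.g. 'example' for www.example.com.
    Assumption: no public suffix list, so names under suffixes like co.uk
    are not handled correctly; a production detector should consult one."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def longest_consonant_run(s):
    """Length of the longest run of consecutive consonant letters in s."""
    longest = run = 0
    for ch in s:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        longest = max(longest, run)
    return longest


def lexical_reasons(label):
    """Heuristic signs of a character-level DGA name. Word-based DGA names
    (cityjulydish) look like real words and trigger none of these, which is
    why the NXDOMAIN-burst check is needed as well."""
    reasons = []
    if shannon_entropy(label) >= 3.5:
        reasons.append("high-entropy")
    if longest_consonant_run(label) >= 5:
        reasons.append("long-consonant-run")
    if label and sum(ch in VOWELS for ch in label) / len(label) < 0.25:
        reasons.append("few-vowels")
    return reasons


def nxdomain_bursts(records, threshold=5):
    """Clients that queried at least `threshold` distinct names that did not
    resolve. Most candidates a DGA client tries are unregistered, so such a
    client produces a burst of NXDOMAIN answers before it finds the live one."""
    missing = defaultdict(set)
    for _ts, client, qname, rcode in records:
        if rcode == "NXDOMAIN":
            missing[client].add(qname.lower())
    return {c: len(names) for c, names in missing.items() if len(names) >= threshold}


def find_dga_candidates(log_text, nx_threshold=5, min_reasons=2):
    """Run both checks; a name is lexically suspicious with >= min_reasons hits."""
    records = parse_log(log_text)
    lexical = {}
    for _ts, _client, qname, _rcode in records:
        reasons = lexical_reasons(registrable_label(qname))
        if len(reasons) >= min_reasons:
            lexical[qname.lower()] = reasons
    return {"lexical": lexical, "nxdomain_bursts": nxdomain_bursts(records, nx_threshold)}


if __name__ == "__main__":
    result = find_dga_candidates(SAMPLE_DNS_LOG)
    for name, reasons in sorted(result["lexical"].items()):
        print(f"lexical  {name}: {', '.join(reasons)}")
    for client, count in sorted(result["nxdomain_bursts"].items()):
        print(f"burst    {client}: {count} distinct NXDOMAIN names")
```

Run against the sample, the lexical check flags only the gibberish .ru names, while the burst check flags both 10.0.0.9 (six unresolved names) and 10.0.0.12 (five word-based names), and leaves 10.0.0.5's single typo alone. In practice the burst count should be evaluated per time window and the entropy threshold tuned against a baseline of the organisation's own benign traffic, since short technical hostnames and CDN labels can also look high-entropy.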

References


  1. Sternfeld, U. (2016). Dissecting Domain Generation Algorithms: Eight Real World DGA Variants. Retrieved February 18, 2019.
  2. Scarfo, A. (2016, October 10). Domain Generation Algorithms – Why so effective?. Retrieved February 18, 2019.
  3. Unit 42. (2019, February 7). Threat Brief: Understanding Domain Generation Algorithms (DGA). Retrieved February 19, 2019.
  4. Brumaghin, E. et al. (2017, September 18). CCleanup: A Vast Number of Machines at Risk. Retrieved March 9, 2018.
  5. Liu, H. and Yuzifovich, Y. (2018, January 9). A Death Match of Domain Generation Algorithms. Retrieved February 18, 2019.
  6. Dunwoody, M. (2017, April 3). Dissecting One of APT29's Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
  7. ESET. (2017, December 21). Sednit update: How Fancy Bear Spent the Year. Retrieved February 18, 2019.
  8. Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019.
  9. Chen, L., Wang, T. (2017, May 5). Detecting Algorithmically Generated Domains Using Data Visualization and N-Grams Methods. Retrieved April 26, 2019.
  10. Ahuja, A., Anderson, H., Grant, D., Woodbridge, J. (2016, November 2). Predicting Domain Generation Algorithms with Long Short-Term Memory Networks. Retrieved April 26, 2019.
  11. Kasza, A. (2015, February 18). Using Algorithms to Brute Force Algorithms. Retrieved February 18, 2019.
  12. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
  13. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
  14. Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021.
  15. Fishbein, N., Kajiloti, M. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021.
  16. Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022.
  17. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
  18. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  19. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  20. Cimpanu, C. (2018, September 13). Sly malware author hides cryptomining botnet behind ever-shifting proxy service. Retrieved September 15, 2020.
  21. Salem, E. (2019, February 13). Astaroth Malware Uses Legitimate OS and Antivirus Processes to Steal Passwords and Personal Data. Retrieved April 17, 2019.
  22. Faou, M., Tartare, M., Dupuy, T. (2019, October). Operation Ghost. Retrieved September 23, 2020.
  23. M.Léveillé, M. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.
  24. Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update. Retrieved February 10, 2021.
  25. Sardiwal, M. et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  26. Burton, K. (n.d.). The Conficker Worm. Retrieved February 18, 2021.
  27. Trend Micro. (2014, March 18). Conficker. Retrieved February 18, 2021.
  28. Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019.
  29. Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
  30. GReAT. (2017, August 15). ShadowPad in corporate networks. Retrieved March 22, 2021.
  31. Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021.
  32. Cybereason Nocturnus. (2020, July 16). A Bazar of Tricks: Following Team9's Development Cycles. Retrieved November 18, 2020.
  33. ClearSky Cyber Security. (2021, August). New Iranian Espionage Campaign By "Siamesekitten" - Lyceum. Retrieved June 6, 2022.
  34. Duncan, B. (2021, January 7). TA551: Email Attack Campaign Switches from Valak to IcedID. Retrieved March 17, 2021.
  35. Secureworks. (n.d.). GOLD CABIN Threat Profile. Retrieved March 17, 2021.