T1637.001 Domain Generation Algorithms
Adversaries may use Domain Generation Algorithms (DGAs) to procedurally generate domain names for uses such as command and control communication or malicious application distribution.2
DGAs increase the difficulty for defenders to block, track, or take over the command and control channel, as there could potentially be thousands of domains that malware can check for instructions.
| Item | Value |
|---|---|
| ID | T1637.001 |
| Sub-techniques | T1637.001 |
| Tactics | TA0037 |
| Platforms | Android, iOS |
| Version | 1.0 |
| Created | 05 April 2022 |
| Last Modified | 05 April 2022 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S1067 | FluBot | FluBot can use Domain Generation Algorithms to connect to the C2 server.4 |
| S0485 | Mandrake | Mandrake has used domain generation algorithms.3 |
| S0411 | Rotexy | Rotexy procedurally generates subdomains for command and control communication.2 |
| S1055 | SharkBot | SharkBot contains domain generation algorithms to use as backups in case the hardcoded C2 domains are unavailable.5 |
References
-
Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019. ↩
-
T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019. ↩↩
-
R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020. ↩
-
Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023. ↩
-
RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023. ↩