Threat Actors Modify Malware DGA Patterns to Improve C2 Communication and Complicate Analysis

A Domain Generation Algorithm (DGA) creates numerous domain names, serving as meeting points for malware C&C servers.

DGAs help malware evade security measures by generating new, random domains, making it challenging for victims to block or remove them during cyberattacks.

Cybersecurity analysts at Akamai Security Intelligence Group recently identified that threat actors are actively altering the DGA patterns to improve C2 communication and complicate the analysis.

Akamai’s Security Intelligence Group analyzes DNS query logs from CacheServe DNS servers to track over 100 DGA families for botnet detection.

Security experts noted dynamically seeded DGAs behaving differently than expected, with domain names activating ahead of schedule.

Threat Actors Alter DGA Patterns

An infected device connects to any generated DGA domain, making it tough for researchers to disrupt C2 communication.

Consider a botnet with a DGA generating 500 domains daily. An infected device queries all, but the attacker needs control over just one. 

The seed changes create new domains, complicating blocking for researchers as they’re frequently random-looking and cheap TLDs. Besides this, the famous DGA families include:-

  • Conficker
  • Mirai
  • CryptoLocker

Prior to DGAs, malware hardcoded domains for communication with infected devices, such as botnets, crimeware, and ransomware, making them predictable targets.

DGAs enhanced C2 communication, fostering further development of:-

  • Distributed denial-of-service (DDoS) attacks
  • Cryptomining
  • Selling sensitive information from compromised devices
  • Spyware
  • Advertising and email fraud
  • Self-spreading of malware

There are two types of seeded DGAs, and below we have mentioned them:-

  • Statically seeded DGAs: Static seeds, like numbers or famous names, remain unchanged, generating consistent domains. Once reverse-engineered or discovered by researchers, they’re blocked, forcing malicious actors to change seeds for new domains.
  • Dynamically seeded DGAs: Dynamic DGAs use time-based seeds, making it difficult to predict domain names. Security researchers can anticipate domains generated by date-based seeds, enabling proactive blocking. However, unpredictable seeds like Google Trends or FX rates remain a challenge, even with access to the source code.

Examined DGA families

Here below, we have mentioned the DGA families that are discovered and examined by the cybersecurity analysts-

  • Pushdo
  • Necurs

Experts detected unusual behavior in dynamically seeded DGAs due to malicious actors modifying seeds. Pushdo and Necurs both generated malicious domains well before and after the expected dates, which is up to 50 days.

Malicious actors alter DGAs to evade detection and challenge security teams. Researchers must determine the reality from expectations to counter these malicious tactics and botnets.

Keep informed about the latest Cyber Security News by following us on Google NewsLinkedinTwitter, and Facebook.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.