One sign of the increasing maturity of the cybercriminal economy is the fast-growing use of infostealers, a category of malware that, as its name suggests, is designed to gather and exfiltrate information from your system.
Malware-as-a-Service
Infostealer malware is typically quite sophisticated and complex. But, as with many kinds of ransomware, pretty much anyone can get their hands on it and use it. All it takes is a subscription to a Malware-as-a-Service (MaaS) provider, which can cost as little as $200 a month or $1,000 for a lifetime subscription.
These service providers increasingly advertise on the Dark Web, offering not just the malware, but also technical support and additional tools such as dedicated command-and-control servers that the subscriber can use to exfiltrate the data acquired by the infostealer malware.
And they are getting very, very popular.
Revolver Rabbit raises the bar
In another sign of the vast scale at which infostealers are being deployed—and of their increasing sophistication—Bleeping Computer reported in July that the cybercrime gang known as Revolver Rabbit has registered 500,000 domain names to be used in infostealer campaigns.
And they’re using registered domain generation algorithms (RDGAs) to accomplish this.
But what does that mean exactly? Well, traditional malware was created with one or more domain names hard-coded into it to be used for command-and-control (C2) and for exfiltration of stolen data. The problem with that strategy was that security researchers would soon discover what those domain names were and then add them to blocklists, effectively preventing the malware from phoning home and thereby rendering it useless.
Threat actors responded by replacing hard-coded domain names in malware with domain generation algorithms (DGAs). These algorithms can generate large numbers of domain names semi-randomly, the vast majority of which are not actual registered domains. So now the malware can bypass blocklists by generating new, alternative domain names to replace blocked ones.
But because those domains were mostly unregistered, the malware would send lots of DNS queries that would return a “non-existent domain” (NXDOMAIN) error message. This, in turn, would provide security personnel with a significant indicator of compromise, namely the large number of NXDOMAIN errors returned.
In addition, by studying the unregistered domain names causing NXDOMAIN errors, security researchers could also reverse-engineer the DGA being used and proactively block all potential domain names. And they could locate the few registered domain names and block those as well.
RDGAs take the concept a step further by generating only domain names that are actually registered. This eliminates the flood of NXDOMAIN errors, and it lets threat actors register large numbers of domain names very quickly and hold them in reserve until they are needed in a malware campaign.
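To make the NXDOMAIN indicator concrete, here is an added Python example (not from the original post) that flags clients producing a high rate of distinct NXDOMAIN responses in constructed resolver log lines, and shows why a client whose generated names are all registered (the RDGA case) leaves no such trace. The log line format and the thresholds are assumptions, not any product's real format or defaults.

```python
import re
from collections import defaultdict

# Constructed resolver log format (an assumption): "<epoch> <client_ip> <qname> <rcode>"
LOG_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")

# Constructed sample. 10.0.0.5 is ordinary traffic; 10.0.0.7 behaves like a classic
# DGA client (mostly unregistered names); 10.0.0.9 behaves like an RDGA client
# (every generated name is registered, so it produces no NXDOMAIN at all).
SAMPLE_LOG = """\
1720000000 10.0.0.5 www.example.com NOERROR
1720000002 10.0.0.5 cdn.example.net NOERROR
1720000010 10.0.0.7 qpzxy7k2fd.test NXDOMAIN
1720000011 10.0.0.7 m3vtr9qa1l.test NXDOMAIN
1720000012 10.0.0.7 ktw0pzsa9c.test NXDOMAIN
1720000013 10.0.0.7 zz4ruhy8nb.test NXDOMAIN
1720000014 10.0.0.7 b7lmxq2e0s.test NXDOMAIN
1720000015 10.0.0.7 c2-live.test NOERROR
1720000020 10.0.0.9 shop-deals-01.test NOERROR
1720000021 10.0.0.9 shop-deals-02.test NOERROR
1720000022 10.0.0.9 shop-deals-03.test NOERROR
1720000023 10.0.0.9 shop-deals-04.test NOERROR
1720000024 10.0.0.9 shop-deals-05.test NOERROR
"""

def nxdomain_stats(log_text):
    """Per client: total queries, NXDOMAIN count and the set of distinct failed names."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "nx_names": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the detector
        _, client, qname, rcode = m.groups()
        s = stats[client]
        s["total"] += 1
        if rcode == "NXDOMAIN":
            s["nx"] += 1
            s["nx_names"].add(qname.lower())
    return stats

def flag_dga_clients(log_text, min_queries=5, min_ratio=0.5, min_distinct=4):
    """Flag clients with a high NXDOMAIN ratio over many distinct names; min_queries keeps a host with a couple of typos from being flagged."""
    flagged = []
    for client, s in sorted(nxdomain_stats(log_text).items()):
        if s["total"] < min_queries:
            continue
        if s["nx"] / s["total"] >= min_ratio and len(s["nx_names"]) >= min_distinct:
            flagged.append(client)
    return flagged  # on SAMPLE_LOG: ['10.0.0.7']; the RDGA client 10.0.0.9 is missed
```

Because the RDGA client's queries all succeed, it is indistinguishable from normal traffic by this signal alone, which is why defenders also rely on domain-age, registrar and reputation data for newly registered names.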
A question of numbers
As recently as a year ago, if a DNS threat actor was found to have registered tens of thousands of domain names, it was considered a major commitment of resources to support malware campaigns. So, the revelation that Revolver Rabbit is holding registrations for half a million domain names—which costs real money—indicates just how rapidly the MaaS industry is growing.
Protect yourself
Infostealers can’t do you any harm unless (until) they get into your system. So, it’s important to do everything possible to prevent malware from penetrating your system.
First and foremost, ensure your users are well trained in identifying suspicious emails, ads, websites, and more. Infostealers are very often delivered by phishing emails, and by websites that advertise coupons, free movies, sweepstakes, and so on. Another common tactic is deceptive ads that make you think you’re downloading a useful piece of software such as a free video editor. A modern security-awareness training product such as Barracuda Security Awareness Training is very helpful in reducing this vulnerability.
As Christine Barry pointed out in an eye-opening post from last year, another common source of infection is the vast army of bots that is out there right now, probing your network to find any misconfigured, unpatched, or unmanaged applications and devices that can be exploited to gain a foothold. So, it’s also very important from a security standpoint to ensure that all your devices and software are up to date and correctly configured.
Advanced web application and API protection (WAAP) systems like Barracuda Application Protection can automate and accelerate this process significantly, as well as detect and block malicious bots that seek to probe your network for vulnerabilities.