Cybercrime Bonanza: Revolver Rabbit Registers 500,000 Domains for Malware Mayhem

Revolver Rabbit registers over 500,000 domains using RDGAs to distribute XLoader malware. Researchers reveal that this cybercriminal gang spent nearly $1 million on .BOND domains, creating decoy and live C2 servers. Unmasking their tactics underscores the evolving complexity of infostealer campaigns.

Hot Take:

Looks like Revolver Rabbit is hopping mad in cyberspace, registering more domains than a real estate mogul on a buying spree. They’ve turned the internet into their personal playground, and it’s costing them a pretty penny—talk about a hare-raising investment!

Key Points:

  • Revolver Rabbit gang registers over 500,000 domains for infostealer campaigns.
  • They use Registered Domain Generation Algorithms (RDGAs) to automate domain registration.
  • RDGAs differ from traditional DGAs: instead of malware generating candidate domains of which the actor registers only a few, the actor registers every domain the algorithm produces and keeps the algorithm to itself.
  • Revolver Rabbit’s XLoader malware targets both Windows and macOS systems.
  • Investment in these domains is close to $1 million, focusing heavily on .BOND TLDs.

Revolver Rabbit’s Domain Wonderland

In a plot twist straight out of a cyber-thriller, Revolver Rabbit has gone on a domain shopping spree, registering over 500,000 domains faster than you can say “cybercrime.” These domains are the playground for their XLoader malware, which is adept at stealing info from both Windows and macOS systems like a digital kleptomaniac. If there’s a cyber equivalent of “Keeping Up with the Kardashians,” Revolver Rabbit would definitely be the star, making waves with their extravagant spending on domains.

RDGAs: The Secret Sauce

What’s their secret weapon, you ask? Meet Registered Domain Generation Algorithms (RDGAs), the less-famous but more sinister cousin of DGAs. With a classic DGA, the malware itself generates a stream of candidate domains and the operator registers only a handful of them, so defenders who reverse the sample can predict, and sometimes sinkhole, the rest. With an RDGA the algorithm never leaves the actor’s hands: every domain it produces gets registered, like an overzealous hoarder on a reality TV show. That makes the domains far harder for researchers to predict or attribute, and the readable names blend into the background noise of ordinary registrations. Imagine trying to catch a rabbit in a field full of identical rabbit holes; that’s the challenge researchers face with RDGAs.
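To make the DGA-versus-RDGA distinction concrete, here is an added example (not Infoblox’s or Revolver Rabbit’s code) that models only the surface pattern quoted later in this write-up: readable words joined by hyphens, a short numeric suffix, the .bond TLD. The actor’s real algorithm is known only to the actor, so the wordlist, seed and scoring thresholds below are assumptions for the demo. The second half shows the defender’s side: a heuristic that flags registrations sharing that shape on a watched TLD, which is the kind of pattern-level signal an analyst has to lean on when the generator cannot be recovered from a malware sample.

```python
"""RDGA-style domain pattern model plus a heuristic flagger (illustrative)."""
import random
import re
import string

# Assumed wordlist for the demo; the actor's actual dictionary is unknown.
WORDLIST = ["usa", "online", "degree", "yoga", "classes", "cheap", "flights",
            "insurance", "quotes", "home", "loans", "best", "credit", "cards"]

# Assumption: TLDs that deserve extra scrutiny in this campaign.
WATCHED_TLDS = {"bond"}

# Shape: two or more lowercase words joined by '-', then '-', a short
# alphanumeric token, then the TLD.  Matches the quoted samples such as
# usa-online-degree-29o.bond and yoga-classes-35904.bond.
RDGA_SHAPE = re.compile(
    r"^(?P<words>[a-z]+(?:-[a-z]+)+)-(?P<suffix>[a-z0-9]{2,6})\.(?P<tld>[a-z]+)$"
)


def defang(domain: str) -> str:
    """Render a domain safely for reports: example.bond -> example[.]bond."""
    return domain.replace(".", "[.]")


def refang(domain: str) -> str:
    """Undo defanging so a domain can be compared or resolved."""
    return domain.replace("[.]", ".")


def generate_rdga_domains(seed: int, count: int, tld: str = "bond") -> list:
    """Toy RDGA: deterministic from a seed, readable words plus a digit suffix.

    Unlike a malware-embedded DGA, every output here is meant to be
    registered by the operator, so the victim never has to iterate
    candidates and the seed never ships inside a sample.
    """
    rng = random.Random(seed)
    domains = []
    for _ in range(count):
        words = rng.sample(WORDLIST, rng.randint(2, 3))
        digits = "".join(rng.choice(string.digits) for _ in range(rng.randint(2, 5)))
        trailer = rng.choice(["", "o"])  # mimics the '29o' style suffix
        domains.append("-".join(words) + "-" + digits + trailer + "." + tld)
    return domains


def score_domain(domain: str) -> dict:
    """Heuristic verdict for one domain (defanged or not).

    Flags when the hyphenated-words + suffix shape matches, the suffix
    carries at least one digit, and the TLD is on the watched list.
    """
    d = refang(domain).strip().lower().rstrip(".")
    m = RDGA_SHAPE.match(d)
    if not m:
        return {"domain": d, "flag": False, "reasons": ["shape mismatch"]}
    reasons = ["hyphenated readable words with trailing token"]
    has_digit = any(c.isdigit() for c in m.group("suffix"))
    on_watched_tld = m.group("tld") in WATCHED_TLDS
    if has_digit:
        reasons.append("numeric suffix")
    if on_watched_tld:
        reasons.append("watched TLD ." + m.group("tld"))
    return {"domain": d, "flag": has_digit and on_watched_tld, "reasons": reasons}


def flag_batch(domains: list) -> list:
    """Return the refanged domains from a batch that trip the heuristic."""
    return [r["domain"] for r in map(score_domain, domains) if r["flag"]]


# Constructed observation set: the first two are quoted in the write-up,
# the rest are made up here to exercise the negative cases.
SAMPLE_OBSERVED = [
    "usa-online-degree-29o[.]bond",
    "yoga-classes-35904[.]bond",
    "cheap-flights-7781[.]bond",   # constructed: same shape, same TLD
    "example[.]com",               # constructed: benign, no shape match
    "news-site-2024[.]org",        # constructed: shape matches, TLD not watched
    "yoga-classes[.]bond",         # constructed: no trailing token
]

if __name__ == "__main__":
    print("generated:", [defang(d) for d in generate_rdga_domains(42, 5)])
    print("flagged:", [defang(d) for d in flag_batch(SAMPLE_OBSERVED)])
```

The heuristic is deliberately narrow: it keys on the shape and the TLD rather than on a wordlist, because a defender does not have the actor’s dictionary. In practice the useful signal is volume, a burst of registrations sharing this shape across one TLD, rather than any single name, so the batch-level check is the one worth wiring into a registration feed.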

Million-Dollar Bunny

Revolver Rabbit’s spending habits might make them the envy of the cyber underworld. They’ve dropped close to $1 million just on .BOND domains alone. And that’s not counting past purchases or other TLDs. If there were a Forbes list for cybercriminals, Revolver Rabbit would be on it, flashing their .BOND domains like they’re the latest in luxury accessories. They favor easy-to-read domains like “usa-online-degree-29o[.]bond” and “yoga-classes-35904[.]bond,” making their operation look almost…legit.

Connecting the Dots

Researchers at Infoblox have been tailing Revolver Rabbit for nearly a year, and the use of RDGAs kept the gang’s true intentions hidden until now. It’s like a cyber whodunit where the culprit finally gets unmasked. By linking the RDGAs to XLoader, Infoblox has unveiled the scale of Revolver Rabbit’s operation. The gang’s campaigns looked like isolated incidents until this revelation, showing just how sneaky these digital criminals can be. Sherlock Holmes would be proud.

More than Just a One-Trick Pony

Revolver Rabbit isn’t just sticking to malware. They’re diversifying their cyber portfolio with activities ranging from phishing and spam to scams and traffic distribution systems (TDSs). It’s like they’re running a full-fledged cybercrime enterprise. Multiple threat actors are hopping on the RDGA bandwagon, making it a go-to technique in the digital underworld. If cybercrime had a Wall Street, RDGAs would be the hot new stock everyone’s investing in.

All in all, Revolver Rabbit is a prime example of how cybercriminals are evolving, employing increasingly sophisticated techniques to stay ahead of the game. As researchers continue to unravel their tactics, we can only hope that these cyber bunnies’ luck runs out.
