Dynamic Resolution: Domain Generation Algorithms

ID Name
T1568.001 Fast Flux DNS
T1568.002 Domain Generation Algorithms
T1568.003 DNS Calculation

Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.[1][2][3]

DGAs can take the form of apparently random or "gibberish" strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc.). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.[1][2][4][5]

Adversaries may use DGAs for the purpose of Fallback Channels. When contact is lost with the primary command and control server, malware may employ a DGA as a means of reestablishing command and control.[4][6][7]

ID: T1568.002
Sub-technique of:  T1568
Platforms: ESXi, Linux, Windows, macOS
Contributors: Barry Shteiman, Exabeam; Ryan Benson, Exabeam; Sylvain Gil, Exabeam
Version: 1.2
Created: 10 March 2020
Last Modified: 15 April 2025

Procedure Examples

ID Name Description
G0096 APT41

APT41 has used DGAs to change their C2 servers monthly.[8]

S0456 Aria-body

Aria-body has the ability to use a DGA for C2 communications.[9]

S0373 Astaroth

Astaroth has used a DGA in C2 communications.[10]

S0534 Bazar

Bazar can implement a DGA using the current date as a seed variable.[11]

S0360 BONDUPDATER

BONDUPDATER uses a DGA to communicate with command and control servers.[12]

S0222 CCBkdr

CCBkdr can use a DGA for Fallback Channels if communications with the primary command and control server are lost.[4]

S0023 CHOPSTICK

CHOPSTICK can use a DGA for Fallback Channels; domains are generated by concatenating words from lists.[7]

S0608 Conficker

Conficker has used a DGA that seeds with the current UTC victim system date to generate domains.[13][14]