The Next Level: Typo DGAs Used in Malicious Redirection Chains

March 6, 2025, 3:41 p.m.

Description

A new campaign leveraging newly registered domains (NRDs) and a novel variant of domain generation algorithms (DGAs) has been uncovered. The campaign used over 6,000 NRDs that redirected to domains resembling the output of dictionary-based DGAs; the chain ended at advertisements for potentially unwanted Android applications. Further investigation attributed 444,898 NRDs to the same actor, redirecting to 178 domains that exhibit "typo DGA" characteristics: concatenated dictionary words with deliberate typographical errors (e.g. gratsuccessfic.pro, pictidentifyive.pro), a pattern that can slip past detectors tuned for either purely random or purely dictionary-based DGAs. The actor's infrastructure was linked through shared WHOIS information and hosting, and the redirections used a millisecond epoch timestamp as the leftmost subdomain label (the 1731804190472 in 1731804190472.gratsuccessfic.pro corresponds to 17 November 2024 UTC). The findings highlight the need for detection that combines lexical scoring of the registered domain with structural features of the full hostname, rather than relying on domain-name lexical patterns alone.
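As an added triage example (not code from the original report or its authors), the script below scores the indicators listed on this page along the two axes the description calls out: whether the leftmost label is a plausible millisecond epoch timestamp, and whether the registered domain's second-level label looks random, looks like clean dictionary concatenation, or looks like dictionary words with residual typo fragments. The mini word list, the plausibility window, the length and coverage thresholds, and the "last two labels = registered domain" shortcut are all assumptions made for illustration; a real deployment would use a full word list and a public-suffix list.

```python
"""Triage heuristics for NRD redirect chains with epoch subdomains and typo-DGA
registered domains. Added example; word list and thresholds are constructed."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed mini-dictionary for illustration; a real deployment loads a full word list.
WORDS = {
    "success", "identify", "everybody", "every", "body", "form",
    "push", "ship", "already", "ready", "read", "emesis",
}
MIN_WORD = 3          # shortest fragment we accept as a dictionary word
MAX_WORD = 12         # longest word in WORDS (bounds the DP inner loop)
VOWELS = set("aeiou")


def epoch_ms_label(label, now=None):
    """Return a UTC datetime if `label` is a 13-digit millisecond epoch timestamp
    inside a plausible window (assumption: 2015-01-01 .. now + 1 day), else None."""
    if not (label.isdigit() and len(label) == 13):
        return None
    ts = datetime.fromtimestamp(int(label) / 1000, tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    lo = datetime(2015, 1, 1, tzinfo=timezone.utc)
    return ts if lo <= ts <= now + timedelta(days=1) else None


def dictionary_coverage(label):
    """Max fraction of `label` covered by non-overlapping WORDS, via dynamic
    programming. Returns (coverage, words_in_order)."""
    n = len(label)
    best = [0] * (n + 1)        # best[i]: max covered chars in label[:i]
    choice = [None] * (n + 1)   # word ending at position i in the best cover
    for i in range(1, n + 1):
        best[i], choice[i] = best[i - 1], None
        for j in range(max(0, i - MAX_WORD), i - MIN_WORD + 1):
            w = label[j:i]
            if w in WORDS and best[j] + len(w) > best[i]:
                best[i], choice[i] = best[j] + len(w), w
    words, i = [], n
    while i > 0:
        if choice[i]:
            words.append(choice[i])
            i -= len(choice[i])
        else:
            i -= 1
    return (best[n] / n if n else 0.0), words[::-1]


def classify_label(sld):
    """Lexical class of a second-level label. Thresholds are assumptions tuned
    on the indicators shown on this page, not calibrated values."""
    has_digit = any(c.isdigit() for c in sld)
    vowel_ratio = sum(c in VOWELS for c in sld) / max(len(sld), 1)
    if len(sld) <= 8 and (has_digit or vowel_ratio < 0.3):
        return "random-dga-like"        # e.g. y1ly6n, wnsukh
    if has_digit:
        return "unknown"
    cov, words = dictionary_coverage(sld)
    if cov == 1.0 and len(words) >= 2:
        return "dictionary-dga-like"    # e.g. everybodyform
    if len(sld) >= 10 and cov >= 0.4:
        return "typo-dga-like"          # words plus leftover fragments, e.g. gratsuccessfic
    return "unknown"


def triage(indicator, now=None):
    """Accept a URL or bare hostname and return structural + lexical features.
    Assumption: registered domain = last two labels (fine for .us/.pro here)."""
    host = urlsplit(indicator).hostname if "://" in indicator else indicator
    labels = host.lower().rstrip(".").split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    sub = labels[0] if len(labels) > 2 else ""
    ts = epoch_ms_label(sub, now) if sub else None
    return {
        "host": host,
        "registered": ".".join(labels[-2:]),
        "class": classify_label(sld),
        "epoch_subdomain": ts.isoformat() if ts else None,
    }


def summarize(indicators, now=None):
    """Group registered domains by lexical class for pivoting."""
    out = {}
    for ind in indicators:
        r = triage(ind, now)
        out.setdefault(r["class"], set()).add(r["registered"])
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    page_iocs = [
        "https://1731804190472.gratsuccessfic.pro", "https://121.y1ly6n.us",
        "zgi8ij.us", "wnsukh.us", "pictidentifyive.pro", "everybodyform.pro",
        "emesispushship.pro", "brontalreadyture.pro", "fdca5.us",
    ]
    for ioc in page_iocs:
        print(triage(ioc))
    print(summarize(page_iocs))
```

The point of splitting the two signals is that neither alone is a good detector: a 13-digit numeric subdomain is a legitimate cache-busting idiom, and dictionary-word domains are common, but a freshly registered domain whose second-level label scores as "typo-dga-like" and whose redirects carry a fresh millisecond timestamp as the leftmost label is exactly the shape this campaign takes, so the combination is the thing to alert on or to pivot from (to shared WHOIS or hosting) in a SIEM or passive-DNS query.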

Date

  • Created: March 6, 2025, 12:31 p.m.
  • Published: March 6, 2025, 12:31 p.m.
  • Modified: March 6, 2025, 3:41 p.m.

Indicators

  • https://1731804190472.gratsuccessfic.pro
  • https://121.y1ly6n.us
  • 121.y1ly6n.us
  • 1731804190472.gratsuccessfic.pro
  • zgi8ij.us
  • y1ly6n.us
  • xwc30.us
  • wnsukh.us
  • sloe2.us
  • pictidentifyive.pro
  • ord8w1.us
  • mg77bi.us
  • gratsuccessfic.pro
  • fdca5.us
  • everybodyform.pro
  • emesispushship.pro
  • brontalreadyture.pro