
Revolver Rabbit (cyber group)


History

2024: Cyber Group Identification

On July 17, 2024, Infoblox specialists announced the identification of the Revolver Rabbit cyber group, which had registered more than 500 thousand domain names for information-theft campaigns. The group targets systems running Windows and macOS.

Revolver Rabbit members use a special RDGA (Registered Domain Generation Algorithm) mechanism to register a huge number of domains. The group distributes the XLoader malware, the successor to Formbook. The malware is designed to collect confidential information or execute arbitrary code.

A new cyber group has been identified that uses 500,000 domains to attack companies around the world

The investigation found that Revolver Rabbit controls hundreds of thousands of domains under the .BOND top-level domain, which are used to create both decoy and active command-and-control servers for the malware. Given that a .BOND domain costs about $2, the "investment" made by the cybercriminals in their infrastructure reaches about $1 million. A typical RDGA pattern used by this group is one or more dictionary words followed by a five-digit number, with each word or number separated by a hyphen. Such names are usually easy to read and often focus on specific topics or regions. As examples, the experts cite the following domains:

· usa-online-degree-29o[.]bond;

· bra-portable-air-conditioner-9o[.]bond;

· uk-river-cruises-8n[.]bond;

· ai-courses-17621[.]bond;

· app-software-development-training-52686[.]bond;

· assisted-living-11607[.]bond;

· online-jobs-42681[.]bond;

· perfumes-76753[.]bond;

· security-surveillance-cameras-42345[.]bond;

· yoga-classes-35904[.]bond.
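The naming pattern described above can be turned into a simple DNS-log detection heuristic. The following is an added example, not code from Infoblox or from the report: it encodes the stated pattern (hyphen-separated dictionary words plus a five-digit number under .bond) as a strict check, and a looser variant that also accepts the short alphanumeric suffixes seen in several of the listed examples (such as "29o" or "8n"). The log format and the log lines themselves are constructed for the example.

```python
import re
from typing import List

# Pattern described in the report: one or more dictionary words, each
# separated by a hyphen, followed by a numeric suffix, under the .bond TLD.
# STRICT requires the five-digit number the text describes; LOOSE also
# accepts a 1-5 digit number with an optional trailing letter, as seen in
# some of the listed examples. Both regexes are this example's own heuristics.
STRICT_RDGA = re.compile(r"^(?:[a-z]{2,}-)+[0-9]{5}\.bond$")
LOOSE_RDGA = re.compile(r"^(?:[a-z]{2,}-)+[0-9]{1,5}[a-z]?\.bond$")


def classify_domain(domain: str) -> str:
    """Return 'strict', 'loose' or 'none' for how well a name fits the pattern."""
    # Accept defanged input such as "example[.]bond" and a trailing root dot.
    name = domain.lower().replace("[.]", ".").rstrip(".")
    if STRICT_RDGA.match(name):
        return "strict"
    if LOOSE_RDGA.match(name):
        return "loose"
    return "none"


# Constructed sample DNS query log (assumed format: "<timestamp> <client> query <qname>").
SAMPLE_LOG = """\
2024-07-17T10:01:02Z 10.0.0.5 query ai-courses-17621.bond
2024-07-17T10:01:05Z 10.0.0.5 query usa-online-degree-29o.bond
2024-07-17T10:01:09Z 10.0.0.7 query www.example.com
2024-07-17T10:01:12Z 10.0.0.9 query perfumes-76753.bond
2024-07-17T10:01:15Z 10.0.0.9 query legit-company.bond
"""

QNAME_RE = re.compile(r"\squery\s+(\S+)\s*$")


def flag_rdga_queries(log_text: str, strict_only: bool = False) -> List[str]:
    """Return the queried names in the log that match the RDGA pattern."""
    hits = []
    for line in log_text.splitlines():
        m = QNAME_RE.search(line)
        if not m:
            continue
        verdict = classify_domain(m.group(1))
        if verdict == "strict" or (verdict == "loose" and not strict_only):
            hits.append(m.group(1))
    return hits
```

A pattern match alone is not proof of malice (legitimate .bond names exist), so treat hits as a triage signal to enrich with registration age and resolution data rather than as a blocklist.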

Cyber campaigns using RDGA include malware distribution, phishing, fraud and spam mailings, as well as redirecting traffic to malicious resources.[1]

Notes