The Next Level: Typo DGAs Used in Malicious Redirection Chains
Summary
Researchers at Palo Alto Networks’ Unit 42 have discovered a new form of malicious domain generation algorithm (DGA) that generates domain names by combining dictionary terms.
The purpose of this new variant, called typo DGA, is to evade detection by security solutions by creating domain names that resemble legitimate websites but include misspellings and deletions.
All of the typo DGA domains discovered during the investigation used the less common .pro top-level domain (TLD) and carried between 67 and 75 epoch-timestamp subdomains, which, when decoded, represented at least that many distinct redirection events.
The timestamp subdomains suggest that the domain registrations and redirections may have been automated and scheduled to trigger at certain times of day, potentially allowing the attacker to avoid detection.
The vast majority of the domains studied (444,898) resolved to the same IP address and were created over a relatively short period, suggesting a rapid domain-turnover strategy.
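As an added example (not code from the Unit 42 report), the following Python triage script applies the indicators described above to hostnames from passive DNS: a .pro TLD, a leading 10-digit epoch-timestamp label, and a second-level label within edit distance 1 or 2 of a known dictionary term, then counts distinct timestamp subdomains per registered domain. The watch-list of terms and the sample hostnames are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed watch-list of dictionary/brand terms; a real deployment would load a far larger list.
KNOWN_TERMS = ("microsoft", "office", "google", "secure", "login", "update")
EPOCH_LABEL = re.compile(r"^\d{10}$")
EPOCH_MIN, EPOCH_MAX = 1_420_070_400, 2_051_222_400  # 2015-01-01 .. 2035-01-01 UTC

def levenshtein(a, b):
    """Edit distance, so a single misspelling or a deleted letter both score 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def epoch_label(label):
    """The label as an int if it is a plausible 10-digit Unix timestamp, else None."""
    if not EPOCH_LABEL.match(label):
        return None
    return int(label) if EPOCH_MIN <= int(label) <= EPOCH_MAX else None

def score_domain(fqdn):
    """Flag <epoch>.<typo-of-known-term>.pro; returns a dict describing the hit, or None."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 3 or labels[-1] != "pro" or epoch_label(labels[0]) is None:
        return None
    # Dictionary DGAs glue terms together, often with hyphens; test each piece separately.
    for part in labels[-2].split("-"):
        term, dist = min(((t, levenshtein(part, t)) for t in KNOWN_TERMS), key=lambda x: x[1])
        if 1 <= dist <= 2:  # near miss: a misspelling or deletion of a known term
            return {"registered": ".".join(labels[-2:]), "timestamp": int(labels[0]),
                    "lookalike_of": term, "distance": dist}
    return None

def summarize(fqdns):
    """Per registered domain, count distinct timestamp subdomains (one per redirection event)."""
    seen = defaultdict(set)
    for hit in filter(None, map(score_domain, fqdns)):
        seen[hit["registered"]].add(hit["timestamp"])
    return {d: len(ts) for d, ts in seen.items()}

# Constructed sample of passive-DNS hostnames, not data from the report.
SAMPLE_FQDNS = [
    "1712345678.secure-micrsoft.pro", "1712349278.secure-micrsoft.pro",
    "1712345678.secure-micrsoft.pro", "1712350000.goog1e-login.pro",
    "www.google.com", "1712350000.google.pro", "mail.office-update.pro", "9999999999.ofice.pro",
]
print(summarize(SAMPLE_FQDNS))  # {'secure-micrsoft.pro': 2, 'goog1e-login.pro': 1}
```

Exact dictionary terms (distance 0) are deliberately not flagged, so a legitimately named .pro site is not reported just for carrying a timestamp label.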