
The Next Level: Typo DGAs Used in Malicious Redirection Chains

Published 06/03/2025 12:31 · Modified 06/03/2025 15:41


Essential information

Published: 06/03/2025 12:31
Modified: 06/03/2025 15:41
Tags: 2025-03-06, dictionary dga, newly-registered-domains, typo dga
Related entities: 17 observables, 7 techniques (MITRE)

Description

A new campaign leveraging newly registered domains (NRDs) and a novel variant of domain generation algorithms (DGAs) has been uncovered. The campaign used over 6,000 NRDs that redirected to domains resembling dictionary-based DGA output. These NRDs led to advertisements for potentially unwanted Android applications. Further investigation revealed 444,898 NRDs belonging to the same actor, redirecting to 178 domains exhibiting typo-DGA characteristics. This new pattern combines dictionary words with typographical errors, potentially designed to evade detection methods that rely on exact dictionary matches. The campaign relied on shared WHOIS information, shared hosting infrastructure, and epoch-timestamp subdomains in its redirection chains. The findings highlight the need for advanced detection capabilities to keep pace with evolving malicious techniques.
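The two observable traits named in the summary, epoch-timestamp subdomains on the redirecting NRDs and destination domains built from dictionary words with a typo, can both be checked mechanically. The following is an added triage example, not code from the report or its authors: it segments a domain label into dictionary words while tolerating tokens that are one edit away from a known word, tests whether the leftmost label of the redirect source is a plausible Unix timestamp, and combines the two signals per hop. The word list, thresholds and the sample redirect hops are constructed assumptions, not observables from the report; a real deployment would load a full dictionary and a proper public-suffix list.

```python
"""Heuristic triage of redirect hops for typo-DGA destinations and
epoch-timestamp subdomains. Illustrative code written for this page;
word list, thresholds and sample hops are constructed assumptions."""
import re
from datetime import datetime, timezone

# Constructed stand-in for a real dictionary (assumption: a deployment
# would load a far larger word list).
DICTIONARY = frozenset({
    "secure", "update", "cloud", "video", "player", "mobile", "account",
    "login", "market", "store", "apps", "games", "free", "stream", "news",
})

MIN_TOKEN = 3        # shortest substring treated as a word
MIN_TYPO_TOKEN = 4   # only longer tokens may be matched with one edit
EPOCH_MIN = int(datetime(2000, 1, 1, tzinfo=timezone.utc).timestamp())
EPOCH_MAX = int(datetime(2100, 1, 1, tzinfo=timezone.utc).timestamp())


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insert, delete and substitute all cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typo_match(token: str):
    """Return a dictionary word exactly one edit away from token, or None."""
    if len(token) < MIN_TYPO_TOKEN or token in DICTIONARY:
        return None
    for word in sorted(DICTIONARY):
        if abs(len(word) - len(token)) <= 1 and levenshtein(token, word) == 1:
            return word
    return None


def segment(label: str):
    """Split a label into dictionary words, allowing one-edit typos.
    Returns a list of (token, matched_word, is_typo) that minimises the
    number of typo tokens, then the token count; None if no split exists."""
    n = len(label)
    best = [None] * (n + 1)  # best[i] = (typos, ntokens, tokens) for label[:i]
    best[0] = (0, 0, [])
    for i in range(1, n + 1):
        for j in range(0, i - MIN_TOKEN + 1):
            if best[j] is None:
                continue
            sub = label[j:i]
            if sub in DICTIONARY:
                cand = (best[j][0], best[j][1] + 1, best[j][2] + [(sub, sub, False)])
            else:
                word = typo_match(sub)
                if word is None:
                    continue
                cand = (best[j][0] + 1, best[j][1] + 1, best[j][2] + [(sub, word, True)])
            if best[i] is None or cand[:2] < best[i][:2]:
                best[i] = cand
    return best[n][2] if best[n] else None


def classify_domain(fqdn: str) -> dict:
    """Classify the registrable label (assumed: the label before the TLD)."""
    sld = fqdn.lower().rstrip(".").split(".")[-2]
    tokens = segment(re.sub(r"[^a-z]", "", sld))
    if tokens is None or len(tokens) < 2:
        verdict = "unclassified"
    elif any(is_typo for _, _, is_typo in tokens):
        verdict = "typo-dga"
    else:
        verdict = "dictionary-dga"
    return {"domain": fqdn, "verdict": verdict, "tokens": tokens or []}


def epoch_subdomain(fqdn: str):
    """Return the UTC time if the leftmost label is a plausible epoch stamp."""
    label = fqdn.split(".")[0]
    if re.fullmatch(r"\d{10}", label) and EPOCH_MIN <= int(label) <= EPOCH_MAX:
        return datetime.fromtimestamp(int(label), tz=timezone.utc)
    return None


def triage_chain(source: str, destination: str) -> dict:
    """Combine both signals for one observed redirect hop."""
    stamp = epoch_subdomain(source)
    dest = classify_domain(destination)
    return {
        "source": source,
        "epoch_subdomain": stamp.isoformat() if stamp else None,
        "destination": dest["domain"],
        "destination_verdict": dest["verdict"],
        "tokens": dest["tokens"],
        # both signals together is the pattern described in the summary
        "matches_pattern": stamp is not None and dest["verdict"] == "typo-dga",
    }


# Constructed sample hops; not observables from the report.
SAMPLE_CHAINS = [
    ("1741262400.promo-offer-now.example", "securevideoplayr.example"),
    ("www.promo-offer-now.example", "freemobilegames.example"),
    ("1741262400.promo-offer-now.example", "xk3qz9.example"),
]

if __name__ == "__main__":
    for src, dst in SAMPLE_CHAINS:
        print(triage_chain(src, dst))
```

The segmentation prefers a split with the fewest typo tokens, so an exact dictionary split ("free" + "mobile" + "games") is reported as dictionary-DGA-like rather than typo-DGA-like, and a label that cannot be split at all stays unclassified; only a destination with at least one one-edit token, reached through a timestamp-labelled source, matches the combined pattern. Tune MIN_TYPO_TOKEN upward on real traffic, since short tokens produce many spurious one-edit matches.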

External references