Date: 09/23/2024
Severity: Medium
Summary
Revolver Rabbit registers its algorithmically generated domains mainly under the .bond TLD; we also observed .com and .click domains in the same campaign. The group monetizes these registrations through cash parking, earning income from advertisements served on the parked pages of the registered domains.
Indicators of Compromise (IOC) List
URL/Domain:
car-deals-10306.bond
faucets-36296.bond
restaurant-jobs-35982.bond
age-spot-treatment-57024.com
age-spot-treatment-74517.com
smart-beds-24582.com
age-spot-treatment-76122.com
cruise-jobs-69800.bond
all-inclusive-vacations--17972.com
hotel-management-degrees-22938.bond
trucks-34249.bond
https://www.electric-cars-78398.bond/?backfill=0
work-in-usa-98040.bond
used-cars-33486.com
altenheimplaetzedeu.click
wireless-security-23567.bond
america-buy-suvs.click
loans-credits-87651.bond
window-repair-90601.bond
all-inclusive-vacations--13359.com
all-inclusive-vacations--48597.com
Hash (SHA-256):
f3b25ff7dc9cfcab029413dbaab77efdb5017d72ff5c0cc4d88769de1def78a6
37505f85de087190cb5257ebe6c4e48726a946d23da71264ae5d670050903bb4
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Hash:
sha256hash IN ("f3b25ff7dc9cfcab029413dbaab77efdb5017d72ff5c0cc4d88769de1def78a6","37505f85de087190cb5257ebe6c4e48726a946d23da71264ae5d670050903bb4")
URL/Domain:
userdomainname like "car-deals-10306.bond" or url like "car-deals-10306.bond"
or userdomainname like "faucets-36296.bond" or url like "faucets-36296.bond"
or userdomainname like "restaurant-jobs-35982.bond" or url like "restaurant-jobs-35982.bond"
or userdomainname like "age-spot-treatment-57024.com" or url like "age-spot-treatment-57024.com"
or userdomainname like "age-spot-treatment-74517.com" or url like "age-spot-treatment-74517.com"
or userdomainname like "smart-beds-24582.com" or url like "smart-beds-24582.com"
or userdomainname like "age-spot-treatment-76122.com" or url like "age-spot-treatment-76122.com"
or userdomainname like "cruise-jobs-69800.bond" or url like "cruise-jobs-69800.bond"
or userdomainname like "all-inclusive-vacations--17972.com" or url like "all-inclusive-vacations--17972.com"
or userdomainname like "hotel-management-degrees-22938.bond" or url like "hotel-management-degrees-22938.bond"
or userdomainname like "trucks-34249.bond" or url like "trucks-34249.bond"
or userdomainname like "electric-cars-78398.bond" or url like "electric-cars-78398.bond" or url like "https://www.electric-cars-78398.bond/?backfill=0"
or userdomainname like "work-in-usa-98040.bond" or url like "work-in-usa-98040.bond"
or userdomainname like "used-cars-33486.com" or url like "used-cars-33486.com"
or userdomainname like "altenheimplaetzedeu.click" or url like "altenheimplaetzedeu.click"
or userdomainname like "wireless-security-23567.bond" or url like "wireless-security-23567.bond"
or userdomainname like "america-buy-suvs.click" or url like "america-buy-suvs.click"
or userdomainname like "loans-credits-87651.bond" or url like "loans-credits-87651.bond"
or userdomainname like "window-repair-90601.bond" or url like "window-repair-90601.bond"
or userdomainname like "all-inclusive-vacations--13359.com" or url like "all-inclusive-vacations--13359.com"
or userdomainname like "all-inclusive-vacations--48597.com" or url like "all-inclusive-vacations--48597.com"
The full-URL indicator is matched by its hostname, electric-cars-78398.bond, as well as by the literal URL, because a domain field will not contain the scheme or query string. Whether `like` without explicit wildcards matches only the exact string depends on the query engine; if it does, wrap the values in wildcards so that www-prefixed hostnames and full URLs containing these domains are also caught.
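The indicator list above also reveals the naming pattern Revolver Rabbit's registered domain generation algorithm produces: hyphen-joined dictionary words followed by a hyphen and up to five digits under .bond, .com or .click. The following Python script is an added example, not part of this advisory or of Gurucul's TDIR product. It applies both the exact IOC match and a heuristic for that pattern to a constructed proxy log (the whitespace-separated "timestamp client method url status" format is an assumption), so that a domain the list does not yet contain still surfaces as a hunting lead, while the two .click indicators that do not fit the pattern are still caught by the exact match.

```python
"""Scan proxy log lines for Revolver Rabbit indicators: exact IOC matches from the
advisory plus a heuristic for the RDGA naming pattern visible in that list."""
import re
from typing import Optional
from urllib.parse import urlsplit

# Exact domain indicators from the advisory. The one full-URL indicator is reduced
# to its hostname here so it can be compared against a domain field.
IOC_DOMAINS = {
    "car-deals-10306.bond", "faucets-36296.bond", "restaurant-jobs-35982.bond",
    "age-spot-treatment-57024.com", "age-spot-treatment-74517.com",
    "smart-beds-24582.com", "age-spot-treatment-76122.com", "cruise-jobs-69800.bond",
    "all-inclusive-vacations--17972.com", "hotel-management-degrees-22938.bond",
    "trucks-34249.bond", "electric-cars-78398.bond", "work-in-usa-98040.bond",
    "used-cars-33486.com", "altenheimplaetzedeu.click", "wireless-security-23567.bond",
    "america-buy-suvs.click", "loans-credits-87651.bond", "window-repair-90601.bond",
    "all-inclusive-vacations--13359.com", "all-inclusive-vacations--48597.com",
}

# SHA-256 indicators from the advisory.
IOC_SHA256 = {
    "f3b25ff7dc9cfcab029413dbaab77efdb5017d72ff5c0cc4d88769de1def78a6",
    "37505f85de087190cb5257ebe6c4e48726a946d23da71264ae5d670050903bb4",
}

# Heuristic derived from the listed domains: one or more lowercase words joined by
# hyphens (a doubled hyphen occurs in the list), then a hyphen and 1-5 digits, then
# one of the observed TLDs. It is a hunting lead, not a block rule: a legitimate
# name such as my-shop-1.com also matches, so review hits before acting on them.
RDGA_PATTERN = re.compile(r"^(?:[a-z]+-+)+[0-9]{1,5}\.(?:bond|com|click)$")


def hostname_from_url(url: str) -> str:
    """Return the lowercase hostname of a URL with a leading 'www.' removed.
    Stripping 'www.' is a simplification; a production rule would reduce to the
    registrable domain using a public-suffix list."""
    host = urlsplit(url).hostname or ""
    return host[4:] if host.startswith("www.") else host


def classify_domain(domain: str) -> Optional[str]:
    """'ioc_exact' for a listed indicator, 'rdga_pattern' for a heuristic match, else None."""
    d = domain.lower().rstrip(".")
    if d in IOC_DOMAINS:
        return "ioc_exact"
    if RDGA_PATTERN.match(d):
        return "rdga_pattern"
    return None


def is_known_hash(sha256_hex: str) -> bool:
    """Exact match against the advisory's SHA-256 list, case-insensitive."""
    return sha256_hex.strip().lower() in IOC_SHA256


def scan_proxy_log(text: str) -> list:
    """Parse whitespace-separated proxy lines (timestamp client method url status,
    an assumed format) and return one record per suspicious URL."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip it rather than abort the scan
        timestamp, client, _method, url, _status = fields[:5]
        domain = hostname_from_url(url)
        reason = classify_domain(domain)
        if reason:
            hits.append({"line": lineno, "time": timestamp, "client": client,
                         "domain": domain, "reason": reason})
    return hits


# Constructed sample log, not real traffic. The cheap-flights domain is not in the
# IOC list and is surfaced only by the heuristic.
SAMPLE_PROXY_LOG = """\
2024-09-23T10:01:02Z 10.0.0.12 GET https://www.electric-cars-78398.bond/?backfill=0 200
2024-09-23T10:01:09Z 10.0.0.12 GET https://cdn.example.org/app.js 200
2024-09-23T10:02:41Z 10.0.0.45 GET http://hotel-management-degrees-22938.bond/ 302
2024-09-23T10:03:15Z 10.0.0.45 GET https://altenheimplaetzedeu.click/ 200
2024-09-23T10:04:00Z 10.0.0.77 GET https://cheap-flights-deals-8821.bond/ 200
2024-09-23T10:04:30Z 10.0.0.77 GET https://example.com/login 200
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {hit['line']}: {hit['client']} -> {hit['domain']} ({hit['reason']})")
```

Running the script on the constructed log reports four hits: three exact indicator matches (including the full-URL indicator, matched by hostname) and one heuristic match on a domain that is not in the list. Exact matches are actionable on their own; heuristic matches on .com in particular should be triaged, since the word-word-digits pattern is not unique to this actor.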
References:
https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-09-20-IOCs-for-Revolver-Rabbit-RDGA.txt
https://blogs.infoblox.com/threat-intelligence/rdgas-the-next-chapter-in-domain-generation-algorithms/
https://www.bleepingcomputer.com/news/security/revolver-rabbit-gang-registers-500-000-domains-for-malware-campaigns/
https://www.cybervergent.com/articles/the-revolver-rabbit-saga