DGAs
Domain Generation Algorithms (DGAs) allow threat actors to construct and register unique domains very quickly for malicious purposes such as phishing campaigns or malware command and control (C2) that evades filtering. Because DGA domains are generated semi-randomly, they have proven difficult to block using blocklists of known “bad” domains. DGA domains for the most part are limited only by the DGA operator’s ability to generate domains and register them through registrars.
Note: The term “DGA” technically means the algorithm itself, but is also commonly used to refer to a domain that is generated by a DGA. This document mixes both uses.
DGA domains can serve as infrastructure for various types of other abuse and misuse. For example, in a SMS/text messaging campaign, they can be used as the initial link in the message, as part of a redirect farm, or as the endpoint holding the phishing content.
A DGA domain may or may not consist of random letters or numbers. For example, a DGA could append letters or numbers to a string, a word list, etc. DGAs can also potentially evade detection by using dictionary words in English or words from other languages instead using random mix of letters and numbers (for example, carhorsebatterystaplehousewindow.example could be a generated domain).
DGAs are listed as a technique for C2 traffic in MITRE ATT&CK T1568.002:
“Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions…
“Adversaries may use DGAs for the purpose of Fallback Channels. When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control”