
Unit 42 researchers have uncovered a new malware campaign employing a novel technique: typo-squatting domain generation algorithms (DGAs). This tactic, dubbed “typo DGAs,” involves registering domains that mimic legitimate ones but contain intentional typographical errors, making them harder for security systems to detect.
The campaign, identified through Unit 42’s graph-intelligence-based pipeline, used over 6,000 newly registered domains (NRDs) that redirected users to URLs advertising potentially unwanted Android applications. These NRDs, often consisting of alphanumeric strings of five to six characters, shared the same WHOIS information, linking them to a single threat actor.
“These NRDs redirected to 178 domains exhibiting dictionary DGA-like characteristics,” the report states. These 178 domains employed the typo DGA strategy, combining dictionary words with deliberate misspellings. An example provided is “pictidentifyive[.]pro,” likely a combination of “picture,” “identify,” and “five” with omitted letters.
The redirection process involved the use of epoch timestamps in subdomains, corresponding to observed redirection times. This suggests an automated and scheduled operation, with domain registrations and redirections triggered at specific times.
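The three traits the report describes (short alphanumeric NRD labels, dictionary words with dropped letters, and epoch timestamps in the leftmost subdomain) can be turned into a simple triage check. The following is an added example, not code from Unit 42's pipeline; the word list, the allowed number of omitted letters, and the sample hostnames are constructed assumptions.

```python
import re
from datetime import datetime, timezone
from functools import lru_cache

# Constructed word list; a real detector would load a full dictionary (assumption).
WORDS = ("picture", "identify", "five", "photo", "video", "play", "store", "app")
MAX_DROP = 3  # letters a fragment may omit from its word (tuning assumption)
MIN_FRAG = 3  # shortest fragment worth matching

def is_typo_of(fragment: str, word: str) -> bool:
    """True if fragment is `word` with up to MAX_DROP letters omitted, order kept."""
    if not max(MIN_FRAG, len(word) - MAX_DROP) <= len(fragment) <= len(word):
        return False
    it = iter(word)
    return all(ch in it for ch in fragment)  # subsequence test

def segment(label: str):
    """Cover `label` with (fragment, word) pairs, longest fragment first; None if impossible."""
    @lru_cache(maxsize=None)
    def solve(pos):
        if pos == len(label):
            return ()
        for end in range(len(label), pos + MIN_FRAG - 1, -1):
            frag = label[pos:end]
            for word in WORDS:
                if is_typo_of(frag, word) and (rest := solve(end)) is not None:
                    return ((frag, word),) + rest
        return None
    return solve(0)

def epoch_subdomain(host: str):
    """Datetime if the leftmost label is a 10-digit Unix epoch in a plausible range."""
    m = re.match(r"(\d{10})\.", host)
    if not m:
        return None
    ts = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)
    return ts if 2015 <= ts.year <= 2035 else None

def assess(host: str) -> dict:
    """Score one hostname against the three traits described in the report."""
    labels = host.lower().replace("[.]", ".").rstrip(".").split(".")
    reg = labels[-2] if len(labels) >= 2 else labels[0]  # no public-suffix list here
    parts = segment(reg)
    typo_hits = [p for p in (parts or ()) if p[0] != p[1]]  # fragments that are not exact words
    epoch = epoch_subdomain(host)
    return {
        "short_alnum_label": 5 <= len(reg) <= 6 and reg.isalnum() and any(c.isdigit() for c in reg),
        "epoch_subdomain": epoch,
        "typo_dga_words": parts,
        "suspicious": bool(typo_hits) or epoch is not None,
    }
```

Running `assess("1718035200.pictidentifyive[.]pro")` (a constructed hostname built from the example in the report) decomposes the label into picture, identify and five and recovers the timestamp, while an ordinary hostname such as `www.example.com` yields no hits.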
Further investigation revealed a vast network of 444,898 NRDs potentially linked to the same actor, redirecting to similar typo DGA domains. The landing pages often presented adult content and distributed potentially unwanted Android applications.
Unit 42 researchers noted: “The attacker registered several thousand domains over multiple weeks, followed by periods of reduced activity. The short lifespan of the landing pages and redirection behavior suggests a rapid domain turnover strategy.”
This campaign highlights the evolving tactics of threat actors, who constantly adapt their techniques to evade detection. The use of typo DGAs underscores the need for robust security solutions that can identify and flag suspicious domains, even with subtle variations from legitimate ones. Organizations and individuals should exercise caution when clicking on links or downloading applications, especially from unfamiliar sources.