Field | Value |
---|---|
ID | B0031 |
Objective(s) | Command and Control |
Related ATT&CK Techniques | Dynamic Resolution: Domain Generation Algorithms (T1568.002) |
Version | 2.0 |
Created | 1 August 2019 |
Last Modified | 21 November 2022 |
Malware generates the domain name of the controller to which it connects. Access to on-the-fly domains lets C2 keep operating as individual domains and IP addresses are blocked. The algorithm can be complicated in more advanced implants; understanding its details so that the names can be predicted is useful in mitigation and response. [1]
The related Dynamic Resolution: Domain Generation Algorithms (T1568.002) ATT&CK sub-technique (oriented toward an adversary perspective with examples that include malware) was defined subsequent to this MBC behavior.
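The mitigation angle above, that a DGA whose seeding has been recovered lets a defender predict and pre-block a day's domains, is illustrated by the following added example; it is not part of the MBC page and does not reproduce any real family's algorithm. The `predict_domains` generator is a constructed, hypothetical stand-in for a reversed DGA, the DNS log lines and their format are constructed, and the entropy threshold is an assumed value.

```python
import hashlib
import math
import re
from collections import Counter
from datetime import date

EXAMPLE_DAY = date(2022, 11, 21)  # constructed date used by the sample log


def predict_domains(day: date, count: int = 5, tld: str = "example") -> list[str]:
    """Hypothetical stand-in for a reversed DGA: the candidate list depends
    only on the date, so a defender can precompute a day's names for
    blocklists, sinkholes or retrospective log searches. Not a real algorithm."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).hexdigest()
        names.append(f"{digest[:12]}.{tld}")
    return names


def shannon_entropy(text: str) -> float:
    """Bits per character of a label; random-looking labels score high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(domain: str, min_len: int = 10, min_entropy: float = 3.0) -> bool:
    """Cheap heuristic for labels a human would not type: long and high entropy.
    The threshold is an assumption; tune it against your own baseline traffic."""
    label = domain.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


# Constructed resolver log format: "<timestamp> <client-ip> query <qname> <qtype>"
LOG_LINE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+) query (\S+) (\S+)$")


def sample_log(day: date) -> list[str]:
    """Constructed DNS log lines: one host asks for a predicted name, one for a
    random-looking name, and one only for ordinary names."""
    predicted = predict_domains(day)
    stamp = day.isoformat()
    return [
        f"{stamp}T10:00:01Z 10.0.0.5 query {predicted[2]} A",
        f"{stamp}T10:00:02Z 10.0.0.7 query xq7zk2mwp9vl.example A",
        f"{stamp}T10:00:03Z 10.0.0.9 query mail.example A",
        f"{stamp}T10:00:04Z 10.0.0.9 query www.example AAAA",
    ]


def triage_dns_log(lines, day: date) -> dict[str, list[str]]:
    """Map client IP -> reasons it was flagged. An exact match against the
    precomputed list is high confidence; the entropy heuristic is only a lead."""
    predicted = set(predict_domains(day))
    findings: dict[str, list[str]] = {}
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that are not queries
        _, client, qname, _ = m.groups()
        qname = qname.lower().rstrip(".")
        reasons = []
        if qname in predicted:
            reasons.append(f"predicted-dga-domain:{qname}")
        if looks_generated(qname):
            reasons.append(f"high-entropy-label:{qname}")
        if reasons:
            findings.setdefault(client, []).extend(reasons)
    return findings


if __name__ == "__main__":
    for host, reasons in triage_dns_log(sample_log(EXAMPLE_DAY), EXAMPLE_DAY).items():
        print(host, reasons)
```

Two different signals are kept apart on purpose: a hit on the precomputed list is evidence of a specific family on a specific host and can drive blocking or sinkholing, while the entropy heuristic only says a label looks machine-made and will also fire on CDN hostnames, so it belongs in a hunting queue rather than an automatic block rule.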
Name | Date | Method | Description |
---|---|---|---|
Kraken | April 2008 | -- | Kraken uses a domain generating algorithm to provide new domains. [2] |
Conficker | November 2008 | -- | Conficker uses a domain name generator. [3] |
CryptoLocker | 2013 | -- | The malware sends a hash value generated from system information [4] |
Ursnif | 2016 | -- | Ursnif has used a domain name generation algorithm in the past [5] |
[1] https://blog.malwarebytes.com/security-world/2016/12/explained-domain-generating-algorithm/
[2] http://blog.threatexpert.com/2008/04/kraken-changes-tactics.html
[3] https://en.wikipedia.org/wiki/Conficker
[4] https://www.secureworks.com/research/cryptolocker-ransomware
[5] https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality