(gendigital.com) Group Theory in the Wild: A Deep Dive into Bedep Malware's Mathematically Sophisticated Domain Generation Algorithm
Bedep malware used a mathematically sophisticated DGA seeded with the European Central Bank's daily Euro foreign-exchange reference rates, so its C2 domains could not be predicted until the ECB published each day's rates. The technique, rooted in group theory and number theory, significantly hindered preemptive sinkholing and blocking.
In brief - Bedep, an ad-fraud botnet delivered via Angler EK (CVE-2015-0311), used a sophisticated DGA seeded with real-time ECB foreign exchange rates. This approach prevented pre-computation of C2 domains, complicating defensive measures. Active globally (excluding Russia), it infected ~82K IPs.
Technically - Bedep's DGA fetches the UTC time and the ECB's FX reference rates, parsing up to 48 currency values to seed a walk through a cyclic subgroup modulo a large prime. Using precomputed primes (p) and subgroup orders (q), it iterates modular exponentiation (seed = pow(seed, step, p)); when step is coprime to q that map permutes the subgroup, so the walk yields distinct group elements and hence collision-free domains. Each domain is built by multiply-XOR-shift mixing of a group element with a currency rate and currency code, producing 12–18 character .com domains. Seven config variants each generated 50 domains per week; choosing the group parameters relies on primitive-root searches and a smooth factorization of p-1. Since the only unpredictable input is the day's published rates, defenders can reproduce the list once the ECB publishes them (around 16:00 CET on business days), which narrows the blocking window rather than closing it.
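The pipeline described above, as an added example that is not Bedep's code or code from the gendigital post: it parses an ECB-style rates file (a constructed sample, not a real day's fixing), derives a seed from the date and the rates, searches for a prime p whose p-1 is smooth so a primitive root can be found by the standard test, moves to the subgroup of prime order q, walks it by repeated modular exponentiation, and mixes each element with a currency rate and code into a .com label. The values in CONFIG, the splitmix64-style mixer and every function name are assumptions. The check worth copying is the orbit-length test: x -> x^step only yields distinct elements while the exponent sequence step^i has not wrapped modulo q, so a config whose step has small order would repeat domains.

```python
"""Added example (not Bedep's own algorithm or the gendigital post's code) that
reconstructs the structure described above: seed from an ECB-style FX feed and
the date, prime p with smooth p-1, primitive root, order-q subgroup walk
x -> x**step mod p, mixing into 12-18 character .com labels.  All assumptions."""
import xml.etree.ElementTree as ET
from datetime import date

NS = {"e": "http://www.ecb.int/vocabulary/2002-08-01/eurofxref"}
# Constructed sample shaped like ECB's eurofxref-daily.xml; the rates are made up.
SAMPLE_ECB_XML = """<gesmes:Envelope xmlns:gesmes="http://www.gesmes.org/xml/2002-08-01" xmlns="http://www.ecb.int/vocabulary/2002-08-01/eurofxref">
<Cube><Cube time="2015-02-10"><Cube currency="USD" rate="1.1303"/>
<Cube currency="JPY" rate="134.95"/><Cube currency="GBP" rate="0.74150"/></Cube></Cube></gesmes:Envelope>"""
# Hypothetical per-variant config: subgroup order, prime bits, smoothness bound for p-1, walk exponent, domains per run.
CONFIG = {"q": 101, "bits": 32, "smooth_bound": 1024, "step": 2, "count": 50}

def parse_ecb_rates(xml_text, max_currencies=48):
    """Return (ISO date, [(code, rate scaled to an int), ...]), at most 48 entries."""
    day = ET.fromstring(xml_text).find(".//e:Cube[@time]", NS)
    rates = [(c.get("currency"), int(round(float(c.get("rate")) * 100000)))
             for c in day.findall("e:Cube[@currency]", NS)]
    return day.get("time"), rates[:max_currencies]

def mix64(x):
    """Multiply-xor-shift scrambler (the splitmix64 finaliser), an assumed choice."""
    x = ((x ^ (x >> 30)) * 0xBF58476D1CE4E5B9) & 0xFFFFFFFFFFFFFFFF
    x = ((x ^ (x >> 27)) * 0x94D049BB133111EB) & 0xFFFFFFFFFFFFFFFF
    return x ^ (x >> 31)

def is_prime(n):
    """Miller-Rabin with fixed bases (deterministic for n < 3.3e24)."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in [b for b in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37) if b < n]:
        x = pow(a, d, n)
        if x == 1:
            continue
        for _ in range(r):  # need a^(2^i d) == -1 for some 0 <= i < r
            if x == n - 1:
                break
            x = x * x % n
        else:
            return False
    return True

def smooth_factors(n, bound):
    """Distinct prime factors of n if every factor is <= bound, else None."""
    factors, d = [], 2
    while d <= bound and d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    return None if n > bound else factors + ([n] if n > 1 else [])

def find_prime_with_smooth_order(q, bits, bound):
    """Smallest p >= 2^bits with p = 2*q*k + 1 prime and p-1 bound-smooth."""
    k = (1 << bits) // (2 * q) + 1
    while True:
        p = 2 * q * k + 1
        factors = smooth_factors(p - 1, bound) if is_prime(p) else None
        if factors is not None:
            return p, factors
        k += 1

def multiplicative_order(a, m):
    """Order of a in (Z/mZ)* by brute force; the caller ensures gcd(a, m) == 1."""
    x, k = a % m, 1
    while x != 1:
        x, k = x * a % m, k + 1
    return k

def element_to_domain(elem, code, rate):
    """Fold a group element, currency code and rate into a 12-18 character label."""
    x = mix64(elem ^ (rate << 24) ^ int.from_bytes(code.encode(), "big"))
    label = ""
    for _ in range(12 + x % 7):
        x = mix64(x)
        label += chr(ord("a") + x % 26)
    return label + ".com"

def generate_domains(xml_text, cfg=CONFIG):
    """One run's domains: group parameters from cfg, seed from the date and rates."""
    day, rates = parse_ecb_rates(xml_text)
    q, step, count = cfg["q"], cfg["step"], cfg["count"]
    # x -> x^step permutes the order-q subgroup with orbit length ord_q(step); too short means repeats.
    if multiplicative_order(step, q) < count:
        raise ValueError("step order too small for the requested domain count")
    p, factors = find_prime_with_smooth_order(q, cfg["bits"], cfg["smooth_bound"])
    g = next(g for g in range(2, p)  # primitive root: g^((p-1)/r) != 1 for all r | p-1
             if all(pow(g, (p - 1) // r, p) != 1 for r in factors))
    h = pow(g, (p - 1) // q, p)  # generator of the subgroup of order q
    s = date.fromisoformat(day).toordinal()  # inputs unknowable before publication
    for code, rate in rates:
        s = mix64(s ^ rate ^ int.from_bytes(code.encode(), "big"))
    x, domains = pow(h, s % q or 1, p), []
    for i in range(count):
        domains.append(element_to_domain(x, *rates[i % len(rates)]))
        x = pow(x, step, p)
    return domains
```

Pointed at the real feed, the same code can only produce a day's list after the ECB has published the rates, so a defender reproducing the list is always some hours behind the bots; that lag, not secrecy of the algorithm, is what the design buys the operator.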
Source: https://www.gendigital.com/blog/insights/research/the-group-theory-inside-bedeps-dga
