
Infoblox Threat Actor Naming Conventions

Infoblox Threat Intel has begun releasing information about DNS threat actors. Some of these will be the subject of in-depth research papers, while others will only be available via our Infoblox Threat Defense products (Dossier, SOC Insights). This document describes our naming convention and serves as a reference.

Why We Name

There are a lot of reasons to give threat actors names. A name gives us a way to describe complex information concisely and provides an identity around which we can associate an actor's behavior. It also provides a foundation for memorable creative elements that help promote our research externally and on our website, ultimately bolstering Infoblox brand recognition and its association with credible intel.

We specialize in the discovery of threat actors through DNS. Our naming goes through three phases based on how well we understand the actor and the network. 

  • Before we have developed an understanding of an actor, we typically give it a random name. This is common in the security industry and essentially indicates that we know a set of domain names or IP addresses are controlled by the same actor, but we haven’t formed a full picture of that actor and we typically don’t have automated tracking. 

  • We have several algorithms that automatically discover clusters of related domains. In this case, we have a high degree of confidence that the domains are controlled by the same actor, but the naming and discovery are entirely automated. These names may carry some indication of the actor's techniques; for example, rdga_4gkj57c would indicate an unknown actor using registered domain generation algorithm (RDGA) techniques.

  • As we gain more understanding of the network and the actor's techniques, tactics, and procedures (TTPs), we may assign an unpublished name. This could include indications of the purpose of the activity; e.g., chinese_investment_scam_45cv835 might indicate an actor running investment scams using Chinese infrastructure. At this point, we are probably tracking the actor automatically but don't know their full scope.

  • Finally, when we are tracking an actor's infrastructure and have a good understanding of how they operate, we give them a formal name that follows the guidance below. We may or may not publish research on the actor after this point.

Having names in each of these phases of maturing our understanding gives us a way to communicate and relate what we know at different points. 

In addition to DNS threat actors, we create names for DNS toolkits that are used by multiple malware actors. For example, if a DNS data exfiltration or command-and-control (C2) system has a unique signature that we can track across different groups, we give that toolkit a name. We don't do this for generic malware or toolkits, only for toolkits or malware that specifically abuse DNS for communication and are not well known by another name.

Naming Conventions

Descriptor (chosen by researcher)        Animal (predetermined per naming standards)
e.g., Muddling, Savvy, Decoy             e.g., Meerkat, Seahorse, Dog

  • DNS threat actor and toolkit names are two words, both of which start with the same letter. 

  • The second word indicates a primary DNS technique used by the actor at the time of naming.

  • The first word is chosen by the researcher, in collaboration with leadership. 

  • Actors often use multiple techniques and may fit more than one naming category. The primary researcher will decide, in collaboration with leadership, the category to use. 

  • Actors may change or add techniques. Names will not be changed. 

  • If there is a known industry name for the actor, Infoblox Threat Intel will use that name rather than create a new one.

Animal names, descriptions, and examples

Dog
  Description: DNS C2 malware. Actors in this category use DNS to create a persistent communication link between compromised machines and a controller.
  Examples: Decoy Dog

Puma
  Description: Malicious link shortener. Actors in this category create a traffic distribution system (TDS) through domains that act as link shorteners. A user receives a short link which is redirected to the true destination.
  Examples: Prolific Puma

Seahorse
  Description: DNS CNAME traffic distribution system (TDS) actor. Actors in this category use CNAME records to create a TDS. The primary purpose of a CNAME TDS is often to restrict access to websites or services to certain geographic locations and to avoid detection.
  Examples: Savvy Seahorse

Meerkat
  Description: Open resolver exploitation. Actors in this category leverage DNS open resolvers for DDoS and reconnaissance. They may attempt to create Slow Drip DDoS attacks or have other motivations. We have seen these actors abuse MX records.
  Examples: Muddling Meerkat

Lizard
  Description: Lookalike actor. Actors in this category use lookalike domains as a primary vehicle to lure victims, typically for phishing.
  Examples: Loopy Lizard (formerly Open Tangle)

Rabbit
  Description: RDGA actor. Actors in this category register domains algorithmically. They differ from traditional DGAs in that all of the domains are registered. They may be used for a wide range of purposes including malware, phishing, scams, and spam.
  Examples: No published examples

Viper
  Description: TDS actor. These actors use HTTP-based TDS systems, often in conjunction with DNS-based TDS control systems. They may use a TDS for affiliate programs or to create complex controls on content. These actors typically have a large number of domains and render different content depending on user characteristics.
  Examples: VexTrio Viper (formerly VexTrio), Vigorish Viper