{
  "Event": {
    "analysis": "1",
    "date": "2026-04-22",
    "extends_uuid": "",
    "info": "[Threat Intel] The Group Theory Inside Bedep's DGA",
    "protected": false,
    "publish_timestamp": "1779545311",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1779545310",
    "uuid": "9076a6d0-7aa9-4140-a149-576bc7e43f43",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Domain Generation Algorithms - T1568.002\"",
        "relationship_type": ""
      },
      {
        "colour": "#7d7034",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"",
        "relationship_type": ""
      },
      {
        "colour": "#ff841f",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Application Layer Protocol - T1071\"",
        "relationship_type": ""
      },
      {
        "colour": "#f5a258",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Native API - T1106\"",
        "relationship_type": ""
      },
      {
        "colour": "#9f6bd9",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"System Network Configuration Discovery - T1016\"",
        "relationship_type": ""
      },
      {
        "colour": "#20f80d",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Command and Scripting Interpreter - T1059\"",
        "relationship_type": ""
      },
      {
        "colour": "#bf6f24",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Dynamic Resolution - T1568\"",
        "relationship_type": ""
      },
      {
        "colour": "#3780c6",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"User Execution - T1204\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#356c41",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Encrypted Channel - T1573\"",
        "relationship_type": ""
      },
      {
        "colour": "#0aebeb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exploitation for Client Execution - T1203\"",
        "relationship_type": ""
      },
      {
        "colour": "#07a4a1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Data Encoding - T1132\"",
        "relationship_type": ""
      },
      {
        "colour": "#92e858",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#3970d7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Remote System Discovery - T1018\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#40fad1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Fallback Channels - T1008\"",
        "relationship_type": ""
      },
      {
        "colour": "#0088cc",
        "local": false,
        "name": "misp-galaxy:malpedia=\"Bedep\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776942009",
        "to_ids": false,
        "type": "link",
        "uuid": "a94fb098-ad58-4280-84ad-b844235728eb",
        "value": "https://www.gendigital.com/blog/insights/research/the-group-theory-inside-bedeps-dga",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776942009",
        "to_ids": false,
        "type": "text",
        "uuid": "508f6639-3ad3-40d3-9f5a-6ee10ab154ca",
        "value": "Bedep was an ad-fraud botnet active from late 2014 through 2015, delivered through the Angler exploit kit. It employed an unusually sophisticated domain generation algorithm (DGA) that seeded domain generation with real foreign-exchange reference rates published by the European Central Bank, combined with group-theoretic constructions. Unlike typical DGAs that rely solely on date-based seeds, Bedep's algorithm fetched the exchange rates and a UTC timestamp from legitimate public sources, so future domains could not be predicted until that data was published. The malware used cyclic groups, primitive-root generators, and modular arithmetic to produce collision-free domain sets. Because the exchange rates could not be known in advance, defenders could not pre-compute and block the domains ahead of time as they can with conventional DGAs; once a day's ECB rates were published, however, that day's domains became computable, so the defender's window was narrowed rather than removed."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776942009",
        "to_ids": false,
        "type": "text",
        "uuid": "ed091c06-20f7-426e-9cfc-886687649d19",
        "value": "Name: The Group Theory Inside Bedep's DGA\nAuthor: AlienVault\nAdversary: \nTags: [\"domain generation algorithm\", \"angler exploit kit\", \"foreign exchange rates\", \"ad-fraud botnet\", \"cyclic groups\", \"cve-2015-0311\", \"group theory\", \"bedep\", \"angler\", \"dga\"]\nTgtd countries: []\nMlwr families: [\"Bedep\", \"Angler\"]\nAttack_ids: [\"T1568.002\", \"T1082\", \"T1071\", \"T1106\", \"T1016\", \"T1059\", \"T1568\", \"T1204\", \"T1027\", \"T1573\", \"T1203\", \"T1132\", \"T1071.001\", \"T1018\", \"T1105\", \"T1008\"]\nIndustries: []"
      },
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1776942009",
        "to_ids": false,
        "type": "vulnerability",
        "uuid": "c9ccea9f-4cdd-40d2-94b7-f43198dad4ee",
        "value": "CVE-2015-0311"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777321080",
        "to_ids": true,
        "type": "domain",
        "uuid": "31636f1a-588a-4db8-8019-9f0b3c38ae9d",
        "value": "rrpohktjlscncqxvt3.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1777321101",
        "to_ids": true,
        "type": "domain",
        "uuid": "f04b21f1-1759-4810-9941-c8460993e50f",
        "value": "wjavcjhazzxyxotkbi.com",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1779545310",
        "uuid": "99e83abf-a202-405d-bce4-ded840329fb7",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1779545310",
            "to_ids": true,
            "type": "md5",
            "uuid": "755705e3-2fa2-4d79-8692-6d3239843580",
            "value": "e5e72baff4fab6ea6a1fcac467dc4351",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1779545310",
            "to_ids": true,
            "type": "sha1",
            "uuid": "1feb31bd-cec2-426c-bc18-72a83741c7bb",
            "value": "07573bf29b43e721a7bb3e03c79018615e385a14",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1779545310",
            "to_ids": true,
            "type": "sha256",
            "uuid": "f250a2b0-98d7-49c6-8909-d765b4462804",
            "value": "d0fb1b66b6e4da395892327be9f39adb4533e7759ace39f67bdde0bb1cdaef35",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1777312215",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "620b9015-943d-45ac-bc72-5e2614b9ab0d",
            "value": "3072:wvaAQia/cRNAMcahlBS3AvF+am7zR8nEv:OaAQ+NcahlqAv4b7qk"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1777312215",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "8e3706e5-7c79-4f42-af9e-704b2a848bbe",
            "value": "109484"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1777312215",
            "to_ids": true,
            "type": "vhash",
            "uuid": "b6f876ab-bba3-4248-9dc5-68ddf5609c06",
            "value": "1150366d1560a8z211z2541z67z22z331z1bz"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1777312215",
            "to_ids": true,
            "type": "filename",
            "uuid": "965417c1-e45f-42cb-a8f1-e46293e1ebf9",
            "value": "bedep_stage2.dll"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-04-28\nLast-scan: 2026-04-24",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1777312215",
            "to_ids": false,
            "type": "text",
            "uuid": "b147e241-c457-45b9-81d5-b6c2c87a4f93",
            "value": "Type Description: Win32 DLL\nMicrosoft: Backdoor:Win32/Bedep.A\nVT Total Detection: 55/71\nFirst Submission: 2015-01-02T08:23:08.000000+00:00\nLast Submission: 2017-11-24T05:09:11.000000+00:00"
          }
        ]
      }
    ]
  }
}