{
	"id": "ba59c4f9-61f3-4b20-a325-7541de905865",
	"created_at": "2026-04-06T00:09:00.353961Z",
	"updated_at": "2026-04-10T13:12:37.72104Z",
	"deleted_at": null,
	"sha1_hash": "cd1e4eea392a75457dc9de0535fe5e59f9b2200f",
	"title": "Bedep's DGA: Trading Foreign Exchange for Malware Domains",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 358244,
	"plain_text": "Bedep's DGA: Trading Foreign Exchange for Malware Domains\r\nBy Dennis Schwarz\r\nPublished: 2015-04-21 · Archived: 2026-04-05 21:02:49 UTC\r\nThe Wayback Machine - https://web.archive.org/web/20150524032716/http://asert.arbornetworks.com:80/bedeps-dga-trading-foreign-exchange-for-malware-domains/\r\nAs initially researched by Trend Micro [1] [2], Zscaler [1] [2], Cyphort, and Malware don’t need Coffee, the Bedep malware family focuses on ad / click fraud and the downloading of additional malware. ASERT’s first sample dates from September 22, 2014, which is in line with when Trend Micro started seeing it in their telemetry. In early 2015, the family got more attention when it was observed as the malware payload for some instances of the Angler exploit kit, leveraging the Adobe Flash Player exploit (CVE-2015-0311), which at the time was a 0day. It was also observed that this newer version was using a domain generation algorithm (DGA) to generate its command and control (C2) domain names.\r\nThis post provides some additional notes on the DGA, including a proof of concept Python implementation, a look at the two most recent sets of DGA generated domains, and some sinkhole data.\r\nSamples\r\nThe following Bedep samples were used for this research:\r\nMD5 e5e72baff4fab6ea6a1fcac467dc4351\r\nMD5 1b84a502034f7422e40944b1a3d71f29\r\nThe former was originally sourced from KernelMode.\r\nAlgorithm\r\nI’ve posted a proof of concept (read: works for me) Python implementation of the DGA to ASERT’s Github.\r\nAt the time of writing, I’m aware of two DGA configs. Each config contains three constants and a table of magical dwords used throughout the algorithm. 
The screenshot below highlights the table from the first sample:\r\nBedep’s DGA starts by downloading an XML file from:\r\nhttp://www.earthtools.org/timezone/0/0\r\nThis legitimate web service provides the time zone and local time at latitude zero and longitude zero. The \u003cutctime\u003e timestamp is parsed out and converted to milliseconds since year zero (0000-00-00). Then, 1-3 days are subtracted from it (depending on tick count timing, which feels like an anti-analysis technique) and the result is converted to days since year zero. This value is used in the next step.\r\nNext, Bedep downloads an XML file from:\r\nhttp://www.ecb.europa.eu/stats/eurofxref/eurofxref-hist-90d.xml\r\nThis legitimate file from the European Central Bank (ECB) contains the last 90 days of “Euro foreign exchange reference rates” and is updated daily. Each date is extracted from the \u003cCube time=”…”\u003e tags, then the days since year zero is calculated for “date minus one”. If that days-since value is less than or equal to the value calculated in the first step AND the day falls on a Monday (i.e. “date” itself is a Tuesday), then the foreign exchange reference rates for “date” are extracted and used. Here’s a visual showing this process:\r\nAfter testing, my analysis reveals that Bedep updates using “last Tuesday’s” foreign exchange reference rates, where “last Tuesday” refers to “the preceding week’s Tuesday” until “this week’s Thursday”. After this, it means “this week’s Tuesday.”\r\nFrom here, the algorithm becomes a bit opaque. 
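The date-selection step just described (the earthtools timestamp minus 1-3 days, then the first ECB Cube whose 'date minus one' is a Monday and no later than that threshold) can be exercised offline. The following Python is an added example, not the ASERT proof of concept and not code from Bedep, and it models only that step; the black-box transforms and the domain generation itself are not reproduced here. It assumes the ECB file lists dates newest first, and it counts days with Python date ordinals rather than from year zero, which shifts every value by the same constant and so leaves the comparison and the weekday test unchanged. The embedded XML is a constructed excerpt in the ECB layout with made-up rates.

```python
# Added example: models only the documented ECB date-selection step of
# Bedep's DGA. Not the ASERT PoC and not malware code.
from datetime import date, timedelta
import xml.etree.ElementTree as ET

# Constructed excerpt in the layout of eurofxref-hist-90d.xml, newest date
# first (assumed ordering). Rates are made up; only the dates matter here.
SAMPLE_ECB_XML = '''
<gesmes:Envelope xmlns:gesmes='http://www.gesmes.org/xml/2002-08-01'
                 xmlns='http://www.ecb.int/vocabulary/2002-08-01/eurofxref'>
  <Cube>
    <Cube time='2015-04-16'><Cube currency='USD' rate='1.0666'/><Cube currency='JPY' rate='127.14'/></Cube>
    <Cube time='2015-04-15'><Cube currency='USD' rate='1.0661'/><Cube currency='JPY' rate='127.45'/></Cube>
    <Cube time='2015-04-14'><Cube currency='USD' rate='1.0564'/><Cube currency='JPY' rate='126.08'/></Cube>
    <Cube time='2015-04-13'><Cube currency='USD' rate='1.0573'/><Cube currency='JPY' rate='127.11'/></Cube>
    <Cube time='2015-04-10'><Cube currency='USD' rate='1.0684'/><Cube currency='JPY' rate='128.35'/></Cube>
    <Cube time='2015-04-09'><Cube currency='USD' rate='1.0749'/><Cube currency='JPY' rate='129.03'/></Cube>
    <Cube time='2015-04-08'><Cube currency='USD' rate='1.0848'/><Cube currency='JPY' rate='130.10'/></Cube>
    <Cube time='2015-04-07'><Cube currency='USD' rate='1.0879'/><Cube currency='JPY' rate='130.88'/></Cube>
    <Cube time='2015-04-02'><Cube currency='USD' rate='1.0786'/><Cube currency='JPY' rate='129.24'/></Cube>
  </Cube>
</gesmes:Envelope>
'''


def day_number(d):
    # Bedep counts days since year zero; Python ordinals count from 0001-01-01.
    # The constant offset cancels out in the <= comparison and the weekday test.
    return d.toordinal()


def parse_ecb_cubes(xml_text):
    # Yield (date, {currency: rate}) in document order. Tags are matched by
    # local name so both the namespaced ECB file and this sample parse.
    root = ET.fromstring(xml_text.strip())
    for elem in root.iter():
        if not elem.tag.endswith('Cube') or 'time' not in elem.attrib:
            continue
        rates = {c.attrib['currency']: float(c.attrib['rate'])
                 for c in elem
                 if c.tag.endswith('Cube') and 'currency' in c.attrib}
        yield date.fromisoformat(elem.attrib['time']), rates


def select_rates(xml_text, utc_today, lookback_days=3):
    # Step 1: the earthtools UTC date minus 1-3 days, as a day count.
    threshold = day_number(utc_today - timedelta(days=lookback_days))
    # Step 2: the first Cube whose date-minus-one is a Monday (so the Cube
    # date is a Tuesday) and is not later than the threshold. Newest-first
    # ordering makes the first hit the most recent qualifying Tuesday.
    for day, rates in parse_ecb_cubes(xml_text):
        prev = day - timedelta(days=1)
        if day_number(prev) <= threshold and prev.weekday() == 0:
            return day, rates
    # No Tuesday in the file satisfies the rule (e.g. the file is too short).
    return None, {}


def resolve(xml_text, iso_today, lookback_days=3):
    # String-in wrapper: (rate date as ISO string or None, rate dict).
    day, rates = select_rates(xml_text, date.fromisoformat(iso_today), lookback_days)
    return (day.isoformat() if day else None), rates


if __name__ == '__main__':
    # Walk the week of 2015-04-13 with the 3-day lookback: Mon-Wed still use
    # the 2015-04-07 rates, Thursday switches to 2015-04-14.
    for d in range(13, 18):
        today = date(2015, 4, d).isoformat()
        print(today, '->', resolve(SAMPLE_ECB_XML, today)[0])
    # With a 1-day lookback the switch already happens on Tuesday itself.
    print('lookback 1, 2015-04-14 ->', resolve(SAMPLE_ECB_XML, '2015-04-14', 1)[0])
```

Running the file prints the mapping for the week of 2015-04-13: Monday through Wednesday resolve to the 2015-04-07 rates and Thursday onward to 2015-04-14, which is the 'last Tuesday' behaviour described above. A 1-day lookback moves the switch to Tuesday itself, which is why the 1-3 day subtraction changes which rate set, and therefore which domain set, a given sample produces on a given day; a tracker that wants to pre-compute domains has to generate for every plausible lookback. When no Tuesday in the file satisfies the rule the functions return None, which a real implementation has to handle rather than index into. The rest of the algorithm, from these inputs to the domains, is the part the post treats as a black box.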
Various values such as “days since,” the first parsed currency’s abbreviation, the low dword of the first parsed currency’s rate, the magical dword values from the extracted table (noted above), and various other constant and calculated values are transformed a number of times. I wasn’t able to deduce the “big picture” of these transforms, so I’m treating them as a blackbox where the output is the number of domains to generate and three values that will be used to calculate a modular exponent starting seed. If anyone has more details on this blackbox, please reach out!\r\nThe number of domains to generate is 22 for the first config and 28 for the second, for a total of 50 domains per set. To generate each domain, the starting seed and foreign exchange reference rates are transformed a number of times to calculate the domain length and the domain characters themselves:\r\nThe minimum domain length is 12 and the maximum is 18. I’ve only seen “.com” TLDs so far.\r\nCampaign\r\nAt the time of writing and using the foreign exchange rates from 2015-04-07, here are the eight registered domains from this set:\r\nagabovyxdgcbibu.com\r\nrbnfimetzgg9v.com\r\nwpqkvmpezecumbvl7.com\r\nvtvykahskh9m.com\r\nrpmrkmqyxplqitnyd.com\r\nakgsuqlnipxhwf.com\r\npdbfeobggolhbgbn.com\r\nnimyusfhqwizzgb.com\r\nThe first two were registered on 2015-04-13, the next two on 2015-04-11, then 2015-04-10, and the last two on 2015-04-08. 
All of them used the following registrant info:\r\nThis info is in line with what Zscaler observed.\r\nUsing the foreign exchange rates from 2015-04-14, here are the domains registered out of the set so far:\r\nprlvlpdeiopx.com (5.196.181.244)\r\ntqadnvxgppn1.com (5.196.181.244)\r\ngllmrtvteldx.com\r\nuydsqobdcmcxpdxng.com\r\nowwiloxvthttt1.com\r\ngcrnbgjlsgchu.com\r\nThe first two were registered on 2015-04-19, then 2015-04-17, and the last two on 2015-04-15. All six used the same registrant noted above.\r\nSinkhole\r\nTo get a better idea of how active and widespread the above campaign is, we set up a sinkhole. The sinkhole domain was vmznlwrgtcnasmfhz.com and from 2015-04-13 13:47 UTC to 2015-04-16 17:06 UTC (about 3 days) it received phone homes from 82,127 unique source IPs. The top TLDs of the resolved source IPs were:\r\n1. net (31578)\r\n2. com (11952)\r\n3. de (3193)\r\n4. mx (2611)\r\n5. tr (2104)\r\n6. it (1521)\r\n7. pl (1500)\r\n8. fr (1440)\r\n9. br (1360)\r\n10. au (1247)\r\n11. ca (1107)\r\n12. jp (1054)\r\n13. es (769)\r\nAnd, except for Russia, infections were all over the map:\r\nConclusion\r\nThis post has taken a closer look at Bedep’s DGA and the recent campaign around it. Compared to some of the other date-based DGAs we’ve looked at in the past, this algorithm is quite a bit more complicated and involved, effectively relying on the foreign exchange markets to generate its C2 domains. 
Based on the domain registration and sinkhole activity, Bedep is a current and active threat and will likely remain so for the foreseeable future.\r\nSource: https://web.archive.org/web/20150524032716/http://asert.arbornetworks.com/bedeps-dga-trading-foreign-exchange-for-malware-domains/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20150524032716/http://asert.arbornetworks.com/bedeps-dga-trading-foreign-exchange-for-malware-domains/"
	],
	"report_names": [
		"bedeps-dga-trading-foreign-exchange-for-malware-domains"
	],
	"threat_actors": [
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434140,
	"ts_updated_at": 1775826757,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cd1e4eea392a75457dc9de0535fe5e59f9b2200f.pdf",
		"text": "https://archive.orkl.eu/cd1e4eea392a75457dc9de0535fe5e59f9b2200f.txt",
		"img": "https://archive.orkl.eu/cd1e4eea392a75457dc9de0535fe5e59f9b2200f.jpg"
	}
}