How do you mean? Is the malware detecting it's in a VM?


Exactly.

Based on what I understand, those that test malware do it in a VM logging and redirecting all queries to external domains, in order to identify possible command and control hosts.

As a response, malware writers add checks for nonexistent domains. If, say, 5 domains known to be fake suddenly start replying, then the malware assumes that it's being executed inside a VM and stops doing anything, in order not to give researchers any clues. This malware just happened to check a single domain.


Oh right, I was under the impression it checked the domains as a kill switch, not as a VM check? I.e. if this domain is up and responding, don't do anything.

As I could easily run it in a VM and not redirect any traffic.


Edit: just read this ... In certain sandbox environments traffic is intercepted by replying to all URL lookups with an IP address belonging to the sandbox rather than the real IP address the URL points to; a side effect of this is that if an unregistered domain is queried it will respond as if it were registered (which should never happen).

https://www.malwaretech.com/2017/05/how-to-accidentally-stop...

Does someone have more info on this? I didn't know VMs do this?
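The sandbox behaviour quoted above can be shown with a small simulation. This is an added example, not code from the thread or from the MalwareTech article: it models two DNS interception policies for an analysis sandbox and runs them offline against a constructed upstream table (the domain names and addresses are made up; the `.test` TLD is reserved and never resolves on the real Internet). The first policy answers every lookup with the sandbox address, which is the leak the thread describes; the second only sinkholes names that really exist upstream, so an unregistered name still gets NXDOMAIN and the sandbox is harder to tell apart from a real network.

```python
# Added example (not from the thread): comparing two DNS sinkhole policies
# for a malware analysis sandbox. Everything here is simulated offline.

NXDOMAIN = None  # marker for "this name does not exist"

# Constructed stand-in for real upstream DNS. Only names listed here are
# "registered"; anything else is treated as unregistered.
UPSTREAM = {
    "update.example.net": "203.0.113.7",   # constructed sample entry
    "cdn.example.org": "203.0.113.9",      # constructed sample entry
}

SANDBOX_IP = "10.0.0.5"  # constructed address of the interception host


def naive_sinkhole(name, upstream=UPSTREAM):
    """Reply to every lookup with the sandbox address.

    This is the behaviour the quoted article describes: a name that nobody
    has registered still gets a positive answer, which never happens on the
    real Internet and therefore reveals the sandbox.
    """
    return SANDBOX_IP


def existence_preserving_sinkhole(name, upstream=UPSTREAM):
    """Reply with the sandbox address only for names that exist upstream.

    Traffic to real candidate C2 hosts is still captured, but unregistered
    names get NXDOMAIN exactly as a normal resolver would answer.
    """
    if name not in upstream:
        return NXDOMAIN
    return SANDBOX_IP


def answer_contradicts_upstream(name, reply, upstream=UPSTREAM):
    """Sandbox self-check: a positive reply for a name that does not exist
    upstream is an inconsistency a sample could notice."""
    return reply is not NXDOMAIN and name not in upstream


def audit_policy(policy, queries, upstream=UPSTREAM):
    """Run a policy over a list of queried names and report how many answers
    contradict upstream DNS, plus which names triggered the contradiction."""
    leaking = [
        name for name in queries
        if answer_contradicts_upstream(name, policy(name, upstream), upstream)
    ]
    return {"queries": len(queries), "leaks": len(leaking), "names": leaking}


# Constructed sample of what a sample under analysis might look up: two real
# names and two that are not registered anywhere.
SAMPLE_QUERIES = [
    "update.example.net",
    "cdn.example.org",
    "never-registered-1.test",
    "never-registered-2.test",
]

if __name__ == "__main__":
    for policy in (naive_sinkhole, existence_preserving_sinkhole):
        print(policy.__name__, audit_policy(policy, SAMPLE_QUERIES))
```

The audit is the useful part for whoever runs the sandbox: if it reports any leaks, the interception layer is answering for names that do not exist, and a sample that checks even one such name (as the thread notes this one did) will see the difference.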


And why would they not then use randomly generated domain names, instead of hardcoding domains that could be registered?


The MalwareTech article that documents this best, https://www.malwaretech.com/2017/05/how-to-accidentally-stop..., uses Necurs as an example of a trojan that uses randomly generated domain names, so probably not a technical reason.


Good point, although randomly generated domain names can exist.
