Connect with us

Hi, what are you looking for?


Malware & Threats

DGA.Changer Malware Uses New Tricks to Throw Researchers Off Track

A new version of the DGA.Changer malware uses some new techniques to trick sandbox solutions and researchers, according to breach detection company Seculert.

A new version of the DGA.Changer malware uses some new techniques to trick sandbox solutions and researchers, according to breach detection company Seculert.

Seculert started monitoring DGA.Changer, a threat designed to download other malware onto infected systems, in 2013. This was one of the pieces of malware used by the malicious actors who breached the official PHP website in October 2013.

The security firm revealed in December 2013 that the threat, which had infected more than 6,500 devices, was attempting to evade detection by changing domain generation algorithm (DGA) seeds.

Seculert says malware authors have now made DGA.Changer even more difficult to detect by traditional sandboxes.

When it infects a system, the downloader checks the registry for disk artifacts that indicate the presence a virtual environment such as VMware and VirtualBox. If the presence of a sandbox is detected, the DGA seed is changed so that the malware communicates with a list of fake domains.

The cybercriminals don’t seem to be content only with preventing researchers and sandboxes from efficiently analyzing the threat. They have actually purchased some of the fake domains and pointed them to a server that is set up to serve an executable file. This file doesn’t do anything after being executed, but this tactic could throw researchers off track.

“The goal here seems to be to fool sandbox solutions and/or researchers into believing the malware is fully functional and downloading additional components,” Aviv Raff, CTO of Seculert, wrote in a blog post.

Advertisement. Scroll to continue reading.

The first variant of the new DGA.Changer was spotted in February, but several iterations have been released since, each with different initial and fake seeds.

“The discovery of this new version of DGA.Changer highlights yet again the limitations of ‘sandbox only’ prevention approaches and the need to complement them with post-infection analytics based detection techniques,” Raff said. “In the Spy vs. Spy world of cyber-security, the adversary is continuing to adapt to current defense techniques. Those of us in the cyber-threat defense business must continue to adapt as well.”

DGA.Changer is not the only piece of malware that features a clever DGA mechanism. The DGA of the Rovnix Trojan generates command and control (C&C) domains using random words from documents such as the United States Declaration of Independence and the GNU Lesser General Public License.

The Matsnu Trojan generates 24-character domain names using a combination of nouns and verbs entered by the attacker or taken from a predefined list.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...