Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

DGA.Changer Malware Uses New Tricks to Throw Researchers Off Track

A new version of the DGA.Changer malware uses some new techniques to trick sandbox solutions and researchers, according to breach detection company Seculert.

A new version of the DGA.Changer malware uses some new techniques to trick sandbox solutions and researchers, according to breach detection company Seculert.

Seculert started monitoring DGA.Changer, a threat designed to download other malware onto infected systems, in 2013. This was one of the pieces of malware used by the malicious actors who breached the official PHP website in October 2013.

The security firm revealed in December 2013 that the threat, which had infected more than 6,500 devices, was attempting to evade detection by changing domain generation algorithm (DGA) seeds.

Seculert says malware authors have now made DGA.Changer even more difficult to detect by traditional sandboxes.

When it infects a system, the downloader checks the registry for disk artifacts that indicate the presence a virtual environment such as VMware and VirtualBox. If the presence of a sandbox is detected, the DGA seed is changed so that the malware communicates with a list of fake domains.

The cybercriminals don’t seem to be content only with preventing researchers and sandboxes from efficiently analyzing the threat. They have actually purchased some of the fake domains and pointed them to a server that is set up to serve an executable file. This file doesn’t do anything after being executed, but this tactic could throw researchers off track.

“The goal here seems to be to fool sandbox solutions and/or researchers into believing the malware is fully functional and downloading additional components,” Aviv Raff, CTO of Seculert, wrote in a blog post.

The first variant of the new DGA.Changer was spotted in February, but several iterations have been released since, each with different initial and fake seeds.

Advertisement. Scroll to continue reading.

“The discovery of this new version of DGA.Changer highlights yet again the limitations of ‘sandbox only’ prevention approaches and the need to complement them with post-infection analytics based detection techniques,” Raff said. “In the Spy vs. Spy world of cyber-security, the adversary is continuing to adapt to current defense techniques. Those of us in the cyber-threat defense business must continue to adapt as well.”

DGA.Changer is not the only piece of malware that features a clever DGA mechanism. The DGA of the Rovnix Trojan generates command and control (C&C) domains using random words from documents such as the United States Declaration of Independence and the GNU Lesser General Public License.

The Matsnu Trojan generates 24-character domain names using a combination of nouns and verbs entered by the attacker or taken from a predefined list.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cyberwarfare

An engineer recruited by intelligence services reportedly used a water pump to deliver Stuxnet, which reportedly cost $1-2 billion to develop.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.