A new version of the DGA.Changer malware uses some new techniques to trick sandbox solutions and researchers, according to breach detection company Seculert.
Seculert started monitoring DGA.Changer, a threat designed to download other malware onto infected systems, in 2013. This was one of the pieces of malware used by the malicious actors who breached the official PHP website in October 2013.
The security firm revealed in December 2013 that the threat, which had infected more than 6,500 devices, was attempting to evade detection by changing domain generation algorithm (DGA) seeds.
Seculert says malware authors have now made DGA.Changer even more difficult to detect by traditional sandboxes.
When it infects a system, the downloader checks the registry for disk artifacts that indicate the presence a virtual environment such as VMware and VirtualBox. If the presence of a sandbox is detected, the DGA seed is changed so that the malware communicates with a list of fake domains.
The cybercriminals don’t seem to be content only with preventing researchers and sandboxes from efficiently analyzing the threat. They have actually purchased some of the fake domains and pointed them to a server that is set up to serve an executable file. This file doesn’t do anything after being executed, but this tactic could throw researchers off track.
“The goal here seems to be to fool sandbox solutions and/or researchers into believing the malware is fully functional and downloading additional components,” Aviv Raff, CTO of Seculert, wrote in a blog post.
The first variant of the new DGA.Changer was spotted in February, but several iterations have been released since, each with different initial and fake seeds.
“The discovery of this new version of DGA.Changer highlights yet again the limitations of ‘sandbox only’ prevention approaches and the need to complement them with post-infection analytics based detection techniques,” Raff said. “In the Spy vs. Spy world of cyber-security, the adversary is continuing to adapt to current defense techniques. Those of us in the cyber-threat defense business must continue to adapt as well.”
DGA.Changer is not the only piece of malware that features a clever DGA mechanism. The DGA of the Rovnix Trojan generates command and control (C&C) domains using random words from documents such as the United States Declaration of Independence and the GNU Lesser General Public License.
The Matsnu Trojan generates 24-character domain names using a combination of nouns and verbs entered by the attacker or taken from a predefined list.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
- Apple Denies Helping US Government Hack Russian iPhones
- Zero-Day in MOVEit File Transfer Software Exploited to Steal Data From Organizations
- Russia Blames US Intelligence for iOS Zero-Click Attacks
- Cisco Acquiring Armorblox for Predictive and Generative AI Technology
- Moxa Patches MXsecurity Vulnerabilities That Could Be Exploited in OT Attacks
- Organizations Warned of Salesforce ‘Ghost Sites’ Exposing Sensitive Information
- Organizations Warned of Backdoor Feature in Hundreds of Gigabyte Motherboards
Latest News
- Insider Q&A: Artificial Intelligence and Cybersecurity In Military Tech
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
- OpenAI Unveils Million-Dollar Cybersecurity Grant Program
- Galvanick Banks $10 Million for Industrial XDR Technology
- Information of 2.5M People Stolen in Ransomware Attack at Massachusetts Health Insurer
- US, South Korea Detail North Korea’s Social Engineering Techniques
- High-Severity Vulnerabilities Patched in Splunk Enterprise
- Idaho Hospitals Working to Resume Full Operations After Cyberattack
