
New Variant of Matsnu Trojan Uses Configurable DGA

The Domain Generation Algorithm (DGA) used by a new variant of the Matsnu Trojan (also known as Trustezeb) relies on an interesting technique to avoid detection by security solutions.

DGAs are becoming increasingly sophisticated. One example is the DGA of the Rovnix Trojan, which generates command and control (C&C) domains by using words from the United States Declaration of Independence, the GNU Lesser General Public License, and other documents.

Researchers at security firm Seculert have been monitoring DGAs and noticed that the one used by Matsnu also employs a clever technique. Matsnu's DGA generates 24-character domain names based on a combination of nouns and verbs (noun-verb-noun-verb). The words used by the malware can be entered by the attacker or they can be taken from a predefined list containing 878 nouns and 444 verbs.

"This is an attempt to bypass machine learning phonetic algorithms that are looking for domain names with no meaning, e.g. ldfjdiehwslgoeh.com," Seculert CTO and Co-Founder Aviv Raff said in a blog post.

The DGA is configurable: the attackers can set the number of domains to generate each day and the number of days that must pass before previously generated names can be reused. The Trojan also ships with a list of 10 hardcoded domain names, Seculert said.

Once installed, Matsnu communicates with its C&C server over HTTP. There are commands for sending a status report, gathering system information (username, computer name, Windows version, CPU, GPU, virtual machine indicators, language, drives, and installed security products), and returning a list of loaded processes and DLLs.

The C&C server can instruct the Trojan to perform various actions, including to remove itself, wait for new commands, update the pre-defined list of C&C domains, upgrade itself, and download and execute files. Two new commands found in this variant allow the execution of a DLL from memory by injecting it into a new instance of the svchost.exe process.

Communication between the infected host and the C&C is obfuscated, and downloaded data is encrypted and compressed, Seculert noted.

According to researchers, the threat can notify its masters of the presence of a virtual machine by using a registry query.

Seculert says Matsnu has been using this new DGA since June 2014. The largest share of infections has been spotted in Germany (89%), with some affected devices located in Austria and Poland. Online shopping spam messages written in German are the main distribution vector.

The security firm has sinkholed one of the servers used by Matsnu and found that roughly 9,000 bots communicate with it each day.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.