New Variant of Matsnu Trojan Uses Configurable DGA

The Domain Generation Algorithm (DGA) used by a new variant of the Matsnu Trojan (also known as Trustezeb) relies on an interesting technique to avoid detection by security solutions.

DGAs are becoming increasingly sophisticated. One example is the DGA of the Rovnix Trojan, which generates command and control (C&C) domains by using words from the United States Declaration of Independence, the GNU Lesser General Public License, and other documents.

Researchers at security firm Seculert have been monitoring DGAs and noticed that the one used by Matsnu also employs a clever technique. Matsnu’s DGA generates 24-character domain names based on a combination of nouns and verbs (noun-verb-noun-verb). The words used by the malware can be entered by the attacker or they can be taken from a predefined list containing 878 nouns and 444 verbs.

“This is an attempt to bypass machine learning phonetic algorithms that are looking for domain names with no meaning, e.g.,” Seculert CTO and Co-Founder Aviv Raff said in a blog post.

The DGA is configurable: the operators can set how many domains it generates each day and how many days must pass before previously generated domain names can be reused. The Trojan also ships with a list of 10 hardcoded domain names, Seculert said.
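The two paragraphs above describe the generator only at the level of its inputs (a noun/verb wordlist, a domains-per-day count, a reuse interval) and its output (noun-verb-noun-verb labels). The following is an added example written for this page; it is not Seculert's code and not Matsnu's actual algorithm. It models such a configurable dictionary DGA and puts it beside the two checks that matter for detection: the character-entropy metric that word-based labels are built to slip past, and a dictionary-segmentation check that catches them when the wordlist is known. The word lists, the date-derived seed, the reuse schedule (`daily_seed`, `cycle_repeats`) and the sample domains are all constructed assumptions; the page's 24-character length rule and its exact selection logic are not reproduced.

```python
import hashlib
import math
import random
from datetime import date, timedelta

# Constructed word lists; they stand in for Matsnu's 878 nouns and 444 verbs.
NOUNS = ["table", "river", "window", "garden", "market", "letter", "engine", "forest"]
VERBS = ["open", "carry", "build", "watch", "paint", "drive", "plant", "learn"]
VOCAB = set(NOUNS) | set(VERBS)
DEMO_DAY = date(2014, 6, 1)  # the month the page says the new DGA went live


def daily_seed(day, reuse_days):
    """Assumed seeding rule (not from the page): the seed depends only on the
    day's position in a `reuse_days` cycle, so the domain set for a given day
    comes back into use exactly `reuse_days` days later."""
    slot = day.toordinal() % reuse_days
    digest = hashlib.sha256(b"dictionary-dga-model:" + str(slot).encode()).digest()
    return int.from_bytes(digest[:8], "big")


def generate_domains(day, per_day, reuse_days, nouns=NOUNS, verbs=VERBS, tld="com"):
    """noun-verb-noun-verb labels for one day.  `per_day` and `reuse_days` are
    the operator-configurable knobs the page describes; the wordlists can be
    swapped for attacker-supplied ones exactly as the page says."""
    rng = random.Random(daily_seed(day, reuse_days))
    domains = []
    for _ in range(per_day):
        label = "".join(rng.choice(lst) for lst in (nouns, verbs, nouns, verbs))
        domains.append(f"{label}.{tld}")
    return domains


def cycle_repeats(start, per_day, reuse_days):
    """True when the set generated on `start` reappears `reuse_days` later and
    differs from the set of the day before that (needs reuse_days >= 2)."""
    first = generate_domains(start, per_day, reuse_days)
    later = generate_domains(start + timedelta(days=reuse_days), per_day, reuse_days)
    before = generate_domains(start + timedelta(days=reuse_days - 1), per_day, reuse_days)
    return first == later and first != before


def shannon_entropy(label):
    """Bits per character: the metric naive DGA detectors threshold on."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in (label.count(ch) for ch in set(label)))


def segment(label, vocab):
    """Dynamic-programming split of `label` into the fewest dictionary words.
    Returns the word list, or None if some stretch is not covered by `vocab`."""
    best = {0: []}
    for end in range(1, len(label) + 1):
        for start in range(end):
            if start in best and label[start:end] in vocab:
                cand = best[start] + [label[start:end]]
                if end not in best or len(cand) < len(best[end]):
                    best[end] = cand
    return best.get(len(label))


def looks_like_dictionary_dga(domain, vocab=VOCAB, min_words=3):
    """Flag a domain whose registrable label is nothing but a run of three or
    more wordlist entries.  Two-word labels are left alone because legitimate
    brands are often noun+noun ("securityweek")."""
    label = domain.split(".")[0].lower()
    words = segment(label, vocab)
    return words is not None and len(words) >= min_words


if __name__ == "__main__":
    # Constructed comparison points: a benign brand and a random-string DGA label.
    samples = ["securityweek.com", "xq3vkz8lnp2wfdjr.com"] + generate_domains(DEMO_DAY, 3, 7)
    for d in samples:
        label = d.split(".")[0]
        print(f"{d:32} H={shannon_entropy(label):.2f} "
              f"words={segment(label, VOCAB)} dict-dga={looks_like_dictionary_dga(d)}")
    print("reuse window honoured:", cycle_repeats(DEMO_DAY, 3, 7))
```

Running it shows the point of the technique: the random-string label has the highest entropy, while the noun-verb-noun-verb labels sit in the same range as an ordinary brand name, so an entropy or pronounceability threshold does not separate them. Segmentation does, but only because the detector holds the same wordlist the malware uses; since the page says the operators can supply their own words, this check has to be paired with the signals that do not depend on the wordlist (NXDOMAIN bursts from one host, sinkhole telemetry, the HTTP beacon pattern).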

Once it infects a device, Matsnu uses HTTP requests to communicate with its C&C server. There are commands for obtaining a status report, gathering system information (username, computer name, version of Windows, CPU, GPU, virtual machines, language, drives, and installed security solutions), and obtaining a list of loaded processes and DLLs.

The C&C server can instruct the Trojan to remove itself, wait for new commands, update the predefined list of C&C domains, upgrade itself, and download and execute files. Two commands new in this variant execute a DLL from memory by injecting it into a freshly spawned svchost.exe process.

Communication between the infected host and the C&C is obfuscated, and downloaded data is encrypted and compressed, Seculert noted.

According to researchers, the threat can notify its masters of the presence of a virtual machine by using a registry query.

Seculert says Matsnu has been using this new DGA since June 2014. The largest share of infections has been spotted in Germany (89%), with some affected devices in Austria and Poland. German-language online shopping spam messages are the main distribution vector.

The security firm has sinkholed one of the servers used by Matsnu and found that roughly 9,000 bots communicate with it each day.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
