
New Variant of Matsnu Trojan Uses Configurable DGA

The Domain Generation Algorithm (DGA) used by a new variant of the Matsnu Trojan (also known as Trustezeb) relies on an interesting technique to avoid detection by security solutions.


DGAs are becoming increasingly sophisticated. One example is the DGA of the Rovnix Trojan, which generates command and control (C&C) domains by using words from the United States Declaration of Independence, the GNU Lesser General Public License, and other documents.

Researchers at security firm Seculert have been monitoring DGAs and noticed that the one used by Matsnu also employs a clever technique. Matsnu’s DGA generates 24-character domain names based on a combination of nouns and verbs (noun-verb-noun-verb). The words used by the malware can be entered by the attacker or they can be taken from a predefined list containing 878 nouns and 444 verbs.

“This is an attempt to bypass machine learning phonetic algorithms that are looking for domain names with no meaning, e.g. ldfjdiehwslgoeh.com,” Seculert CTO and Co-Founder Aviv Raff said in a blog post.

The DGA is configurable as it allows cybercriminals to set the number of domains they want to generate each day. Attackers can also specify the number of days until previously generated domain names can be reused. The Trojan also comes with a list of 10 hardcoded domain names, Seculert said. 
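To make the two preceding paragraphs concrete, here is an added example (written for this page, not Seculert's analysis or Matsnu's own code) of a dictionary-based DGA that builds 24-character noun-verb-noun-verb labels from two word lists, takes the per-day count and the reuse period as parameters, and is then run against two detectors: a naive "gibberish" heuristic of the kind the quoted researcher says such a scheme evades, and a word-segmentation check that a defender would add instead. The word lists, the SHA-256 stream used as a PRNG, the date seeding, the modulo-`reuse_days` bucketing, the `.com` TLD and the detector thresholds are all assumptions made for the example; nothing here reproduces the real malware's lists or seed.

```python
"""Illustrative word-based DGA of the kind the article attributes to Matsnu,
plus two detectors: a naive "gibberish" heuristic the scheme evades and a
dictionary-segmentation check that catches it.

Everything here is constructed for the example: the word lists, the
SHA-256 stream used as a PRNG, the date seeding and the reuse_days
bucketing are assumptions, not Matsnu's real algorithm.
"""
import hashlib
from datetime import date, timedelta

# Constructed word lists. The real malware reportedly ships 878 nouns and
# 444 verbs; these are kept small so the example stays readable.
NOUNS = ["river", "candle", "window", "market", "bridge", "signal",
         "letter", "harbour", "lantern", "station", "mountain", "notebook"]
VERBS = ["run", "walk", "jump", "build", "carry", "paint", "drive",
         "learn", "climb", "follow", "gather", "wander", "deliver"]
VOCAB = frozenset(NOUNS + VERBS)
MAXLEN = max(map(len, VOCAB))

LABEL_LEN = 24      # the article: 24-character domain names
TLD = ".com"        # assumption; the article does not name the TLD
VOWELS = set("aeiouy")


def _prng(seed: bytes):
    """Deterministic stream of 32-bit ints from chained SHA-256 (assumption)."""
    state = seed
    while True:
        state = hashlib.sha256(state).digest()
        for i in range(0, len(state), 4):
            yield int.from_bytes(state[i:i + 4], "big")


def generate_domains(day: date, per_day: int, reuse_days: int = 30):
    """Return `per_day` distinct noun-verb-noun-verb domains whose label is
    exactly LABEL_LEN characters long.

    `per_day` and `reuse_days` model the two attacker-settable knobs the
    article mentions: how many names per day, and after how many days a
    day's set comes round again. Bucketing by day ordinal modulo reuse_days
    is an assumption made for the example.
    """
    bucket = day.toordinal() % reuse_days
    rng = _prng(f"example-seed:{bucket}".encode())
    out, attempts = [], 0
    while len(out) < per_day:
        attempts += 1
        if attempts > per_day * 1000:      # bounded so tiny lists cannot spin forever
            raise RuntimeError("word lists too small for the requested count")
        n1 = NOUNS[next(rng) % len(NOUNS)]
        v1 = VERBS[next(rng) % len(VERBS)]
        n2 = NOUNS[next(rng) % len(NOUNS)]
        # The last verb is drawn only from verbs whose length pads the label
        # to exactly LABEL_LEN; if none fits, redraw the whole tuple.
        need = LABEL_LEN - len(n1 + v1 + n2)
        fits = [v for v in VERBS if len(v) == need]
        if not fits:
            continue
        domain = n1 + v1 + n2 + fits[next(rng) % len(fits)] + TLD
        if domain not in out:
            out.append(domain)
    return out


def looks_random(label: str) -> bool:
    """Naive 'meaningless string' heuristic of the kind the article says the
    word-based DGA is built to evade: flag a consonant run of five or more
    or a vowel share under a quarter (thresholds are an assumption)."""
    longest = run = 0
    for ch in label:
        run = 0 if ch in VOWELS else run + 1
        longest = max(longest, run)
    vowel_share = sum(ch in VOWELS for ch in label) / max(len(label), 1)
    return longest >= 5 or vowel_share < 0.25


def segment_words(label: str):
    """Split `label` into VOCAB words, longest match first with backtracking.
    Returns the list of words, or None if the label is not entirely words."""
    if label == "":
        return []
    for cut in range(min(len(label), MAXLEN), 0, -1):
        head = label[:cut]
        if head in VOCAB:
            rest = segment_words(label[cut:])
            if rest is not None:
                return [head] + rest
    return None


def is_word_dga(domain: str) -> bool:
    """Check a defender would add for this family: a 24-character label that
    segments entirely into known words in a noun-verb-noun-verb pattern."""
    label = domain.split(".")[0]
    if len(label) != LABEL_LEN:
        return False
    words = segment_words(label)
    if words is None or len(words) != 4:
        return False
    return ["n" if w in NOUNS else "v" for w in words] == ["n", "v", "n", "v"]


if __name__ == "__main__":
    for d in generate_domains(date(2014, 6, 1), 5, reuse_days=7):
        lbl = d.split(".")[0]
        print(d, "gibberish:", looks_random(lbl), "word_dga:", is_word_dga(d))
    print("ldfjdiehwslgoeh.com", "gibberish:", looks_random("ldfjdiehwslgoeh"),
          "word_dga:", is_word_dga("ldfjdiehwslgoeh.com"))
```

The point the example makes is the one in the quote above: the generated labels have vowel shares and consonant runs indistinguishable from real words, so a phonetic or entropy heuristic that flags `ldfjdiehwslgoeh` passes them, while a check that knows the attacker's word lists (or a large English dictionary) and looks for a fixed-length label that segments cleanly into a noun-verb-noun-verb sequence flags every one of them. In practice the defender rarely has the exact lists, so a dictionary-segmentation feature is combined with length, TLD and NXDOMAIN-rate features rather than used alone.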

Once it infects a device, Matsnu uses HTTP requests to communicate with its C&C server. There are commands for obtaining a status report, gathering system information (username, computer name, version of Windows, CPU, GPU, virtual machines, language, drives, and installed security solutions), and obtaining a list of loaded processes and DLLs.

The C&C server can instruct the Trojan to perform various actions, including to remove itself, wait for new commands, update the pre-defined list of C&C domains, upgrade itself, and download and execute files. Two new commands found in this variant allow the execution of a DLL from memory by injecting it into a new instance of the svchost.exe process.

Communication between the infected host and the C&C is obfuscated, and downloaded data is encrypted and compressed, Seculert noted.


According to researchers, the threat can notify its masters of the presence of a virtual machine by using a registry query.

Seculert says Matsnu has been using this new DGA since June 2014. The largest number of infections has been spotted in Germany (89%), but some affected devices are located in Austria and Poland. Online shopping spam messages written in German are the main distribution vector.

The security firm has sinkholed one of the servers used by Matsnu and found that roughly 9,000 bots communicate with it each day.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
