Trojan Variant Uses Grammar Tool

Monday, December 1, 2014 @ 02:12 PM gHale

The Domain Generation Algorithm (DGA) used by a new variant of the Matsnu Trojan relies on a bit of grammar to avoid detection.

The DGA used by Matsnu, also known as Trustezeb, generates 24-character domain names based on a combination of nouns and verbs (noun-verb-noun-verb), said researchers at security firm Seculert.


The words used by the malware can be supplied by the attacker or drawn from a predefined list containing 878 nouns and 444 verbs.

“This is an attempt to bypass machine learning phonetic algorithms that are looking for domain names with no meaning, e.g. ldfjdiehwslgoeh.com,” Seculert CTO and Co-Founder Aviv Raff said in a blog post.

The DGA is configurable: it allows the attackers to set the number of domains to generate each day, and to specify the number of days before previously generated domain names can be reused. The Trojan also comes with a list of 10 hardcoded domain names, Seculert researchers said.
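As an added example (not Seculert's code, and not Matsnu's real word lists), the Python below is a defensive check that tests whether a queried label fits the noun-verb-noun-verb shape described above by segmenting it against a dictionary, something a detector looking only at character statistics would miss. The sample word lists and DNS queries are constructed, and treating 24 as the length of the label before the TLD is an assumption.

```python
from typing import Dict, List, Optional, Set

# Constructed sample word lists for illustration only. Matsnu's real lists
# hold 878 nouns and 444 verbs and are not reproduced here.
NOUNS: Set[str] = {"system", "win", "window", "garden", "market", "report"}
VERBS: Set[str] = {"write", "build", "carry", "explain", "watch", "learn"}
WORD_CLASSES: Dict[str, Set[str]] = {"N": NOUNS, "V": VERBS}

# Shape reported for the DGA: noun-verb-noun-verb, 24 characters. Reading
# 24 as the label length (before the TLD) is an assumption.
MATSNU_PATTERN = "NVNV"
MATSNU_LABEL_LENGTH = 24


def segment(label: str, pattern: str) -> Optional[List[str]]:
    """Split `label` into words that follow `pattern` exactly, or return None.

    Backtracks so a word that is also a prefix of a longer word ("win" inside
    "window") cannot cause a false negative.
    """
    def rec(pos: int, idx: int) -> Optional[List[str]]:
        if idx == len(pattern):
            return [] if pos == len(label) else None
        for word in sorted(WORD_CLASSES[pattern[idx]]):
            if label.startswith(word, pos):
                rest = rec(pos + len(word), idx + 1)
                if rest is not None:
                    return [word] + rest
        return None
    return rec(0, 0)


def detect_matsnu_label(domain: str) -> Optional[List[str]]:
    """Return the noun/verb split if `domain` matches the reported DGA shape."""
    label = domain.lower().rstrip(".").split(".")[0]
    if len(label) != MATSNU_LABEL_LENGTH or not label.isalpha():
        return None
    return segment(label, MATSNU_PATTERN)


if __name__ == "__main__":
    # Constructed lookups: a dictionary-word label in NVNV order, the
    # meaningless example quoted in the article, and a 24-character label
    # whose word order (VNVN) does not match the pattern.
    for q in ("windowexplainsystemcarry.com",
              "ldfjdiehwslgoeh.com",
              "writesystemexplaingarden.com"):
        print(q, "->", detect_matsnu_label(q))
```

Only the first query is reported; the random-looking label fails segmentation and the reordered one fails the pattern, while the length check drops labels that are not 24 characters.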

Once it infects a device, Matsnu uses HTTP requests to communicate with its C&C server. There are commands for obtaining a status report, gathering system information (username, computer name, version of Windows, CPU, GPU, virtual machines, language, drives, and installed security solutions), and obtaining a list of loaded processes and DLLs.

The C&C server can instruct the Trojan to perform various actions, including to remove itself, wait for new commands, update the pre-defined list of C&C domains, upgrade itself, and download and execute files. Two new commands found in this variant allow the execution of a DLL from memory by injecting it into a new instance of the svchost.exe process.

Communication between the infected host and the C&C is obfuscated, and downloaded files are compressed and encrypted, Seculert researchers said.

The threat can notify its masters of the presence of a virtual machine by using a registry query, researchers said.

Matsnu has been using this new DGA since June, Seculert researchers said. The largest share of infections has been in Germany (89 percent), but some affected devices are in Austria and Poland. Online shopping spam messages written in German are the main distribution vector.

The security firm sinkholed one of the servers used by Matsnu and found that roughly 9,000 bots communicate with it each day.
