seculert blog

DGA.Changer Playing The Imitation Game With Sandboxes

Seculert researchers closely follow the evolution of major malware families while examining the behavioral malware profiles that are a core part of our breach analytics platform. Back in 2013 I wrote about the enhancements to the DGA.Changer malware that allowed it to change its seed, which in turn allowed it to connect to a different stream of domain names.

It now appears that someone in the DGA.Changer “development community” has been working on a new set of “Imitation Game” features that make the malware even harder to detect with traditional sandboxing security solutions.

Our research team discovered that this new suite of features begins by checking whether the malware is running in a VM, by looking for specific disk artifacts in the registry. The code checks for evidence of VMware, VirtualBox, and others (Figure 1).

Figure 1: Code that checks whether the malware is running in a virtualized environment (e.g. a sandbox)

If these checks reveal that the malware is indeed running in a virtual environment, it alters the generation seed so that it communicates with a list of fake generated domains (Figure 2). The attackers behind DGA.Changer have actually purchased some of the fake domains and pointed them to a server. That server returns an executable that does nothing more than exit immediately after it is executed (Figure 3); the goal appears to be to fool sandbox solutions and/or researchers into believing the malware is fully functional and downloading additional components.

Figure 2: Code that generates the fake domain list, using a different generation seed

Figure 3: The server behind the fake domains responds with a payload that contains only useless code
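For a sandbox operator, the practical question raised by the behavior above is whether an analysis VM exposes the kind of registry disk artifacts the malware keys on, because a sample that finds them will take the decoy path and look harmless. The following PowerShell audit is an added example, not Seculert's code or the malware's: the registry paths are standard Windows locations for disk device identifiers, while the marker list is an assumption that covers the vendors the post names plus a few others.

```powershell
# Added example: audit a Windows analysis VM for registry disk artifacts
# that VM-aware malware such as DGA.Changer checks before choosing a seed.
# Marker list is an assumption; registry paths are standard Windows locations.
$markers = @('VMware', 'VBOX', 'VirtualBox', 'QEMU', 'Virtual HD', 'Xen')

# Plug and Play enumeration keys whose subkey names embed the disk model.
$diskKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Enum\IDE',
    'HKLM:\SYSTEM\CurrentControlSet\Enum\SCSI'
)
# SCSI device map: the Identifier value holds the disk model string.
$scsiMap = 'HKLM:\HARDWARE\DEVICEMAP\Scsi'

$findings = @()

foreach ($key in $diskKeys) {
    if (-not (Test-Path $key)) { continue }
    Get-ChildItem -Path $key -ErrorAction SilentlyContinue | ForEach-Object {
        $name = $_.PSChildName
        foreach ($m in $markers) {
            # -match is case-insensitive; escape the marker so it is literal.
            if ($name -match [regex]::Escape($m)) {
                $findings += [pscustomobject]@{ Location = $key; Artifact = $name; Marker = $m }
            }
        }
    }
}

if (Test-Path $scsiMap) {
    Get-ChildItem -Path $scsiMap -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $id = (Get-ItemProperty -Path $_.PSPath -Name Identifier -ErrorAction SilentlyContinue).Identifier
        if ($id) {
            foreach ($m in $markers) {
                if ($id -match [regex]::Escape($m)) {
                    $findings += [pscustomobject]@{ Location = $_.PSPath; Artifact = $id; Marker = $m }
                }
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No VM disk artifacts found in the audited registry locations.'
} else {
    Write-Output "Found $($findings.Count) VM disk artifact(s); samples run here may take the decoy path:"
    $findings | Format-Table -AutoSize
}
```

Run it inside the sandbox guest; any hit is an artifact worth masking or treating as a reason to corroborate sandbox verdicts with post-infection network analytics.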

The first variants of the new version were identified in February 2015. Since then we have seen several different iterations, which include different initial and fake seeds.

The discovery of this new version of DGA.Changer highlights yet again the limitations of “sandbox only” prevention approaches and the need to complement them with post-infection, analytics-based detection techniques. In the Spy vs. Spy world of cyber-security, the adversary continues to adapt to current defense techniques. Those of us in the cyber-threat defense business must continue to adapt as well.

Here are some MD5 hashes of the new variants:
6e9d7d63ca9ada5aa7aa8fa5a129e659
5e6117f15bc4abfc39106c87f6b66bc6

Contributing researchers: Yevgeny Kulakov and Adi Raff
