On October 24, adversaries hacked php.net and deployed an exploit kit, which served five different malware types. While the attack received extensive coverage, little is known about the malware and the stories behind them.
As you may be aware, “little known” is a state that irks the experts in Seculert’s Research Lab. So, we decided to dig deeper — and our efforts have revealed something rather strange and disturbing about one of the malware types, which we have dubbed “DGA.Changer”.
DGA.Changer is currently classified as pure Downloader, in that its sole purpose is to download other malware onto infected systems. So far, we have tracked 6,500 unique IPs communicating with DGA.Changer Command & Control (C2) servers. And while it is a global campaign, over half of the targets are in the US.
Figure 1: Geographic breakdown of machines infected by DGA.Changer
Strange Days Indeed
We also discovered that DGA.Changer uses an infinite Domain Generation Algorithm (DGA), but with a twist that we haven’t seen before: the bot can receive a command from the C2 server to actually change the DGA seed.
Why would adversaries take this approach? Once the bots receive a command to update their seed, each of them can connect to a different stream of domain names. As a result, they’re extremely difficult to detect by traditional security methods (i.e. those that only use a sandbox), since the initial sample will reveal the domain name streams before the change — which no longer resolve to the C2 server.
Figure 2: Malware code describing DGA configuration change
Thanks for Nothing?
Strangely, DGA.Changer doesn’t appear to be downloading anything of value yet. In fact, the only thing it has downloaded so far is a file that…you guessed it…does absolutely nothing. Our speculation is that the adversaries behind DGA.Changer are likely selling bots on a pay-per-install basis from specific companies, and installing other malware only on their machines.
It’s Not Entirely Odd
At the same time, DGA.Changer is exhibiting some behavior that is on the more conventional and predictable side. After downloading onto a machine, it sends the following data back to the C2:
- DGA seed and index
- OS information (e.g. number of processors, build number, etc.)
- Adobe Flash version information
- The results of a virtual machine test
DGA.Changer also has the following available commands:
- Change User Agent and connection configuration
- Download update
- Run executable
- Change DGA settings
What’s more, DGA.Changer appears to be a work-in-progress, since we have already seen a new variant of this malware (which we also monitor) with some code modification.
No News is Bad News
Our analysis at this point is that “no news is bad news”. Why would adversaries deploy a malware which downloads nothing, on a site used by software developers, and then engineer it so that it can receive commands from a C2 server to change the DGA seed? It makes no sense – and that worrisome. Not all adversaries are geniuses, but they typically have an agenda.
We have no doubt that this is only the beginning of the DGA.Changer story. We will keep monitoring and publish updates accordingly.
The following MD5s are of DGA.Changer variants: