Security researchers at Check Point have analyzed a recently discovered malware to better understand the full scope of its functionality and the mechanisms put in place by its author(s), since disrupting the operation is the best protection.
Matsnu is the name given to the malware by the security experts at Check Point, who have disclosed that it acts as a backdoor once it infiltrates a computer. Other antivirus vendors detect it as Boxed.DQH (AVG) or as the Androm backdoor (Kaspersky).
Once a machine is compromised, Matsnu acts as a backdoor that can download files from a command and control (C&C) server and execute them. It locates the server through a domain generation algorithm (DGA), a technique that shields the malware from attempts to shut down its domains, dump its strings or blacklist the dumped domains. Check Point's experts state that analyzing this process was a real challenge, as the malware uses various anti-disassembly features and packing techniques.
Encrypted Info Is Delivered to C&C through HTTP
When Matsnu is installed, it can gather various information about the system: for example, the user and computer names, the operating system version, the platform architecture, and data about the graphics card and the CPU.
It also checks certain registry keys to determine whether it is running in a virtual environment; such a check can warn the malware of an analysis attempt.
All information packets collected from the infected machine are encrypted with the RSA asymmetric cryptographic algorithm. This algorithm relies on two different keys, a public one and a private one, and is currently considered to be the strongest type of encryption. Ransomware threats such as CryptoWall also employ RSA encryption.
The public key is used for encryption; the private key is kept secret and is used for decryption. Matsnu encrypts each packet the client sends to the C&C server using an RSA public key that it stores in memory. Once the information is locked this way, Matsnu encodes the packet with the Base64 scheme and sends it as the content of an HTTP packet to the server. Each packet that the client receives from the C&C server is encrypted with AES and a custom encryption routine.
DGA Mechanism Increases Resilience to Takedowns
The technical brief reveals that Matsnu carries a list of hard-coded domains used to contact the C&C server. Experts explain that it can also create new temporary domains using a domain generation algorithm (DGA); this lets the cybercriminals register those domains and use them to communicate with the infected machine.
This method can prove effective against botnet takedowns and hamper protection measures unless researchers break the generation algorithm.
More information about the full analysis of the so-called Matsnu malware is available in the technical brief published by Check Point researcher Skuratovich.