DGA Changer Malware Able to Modify Domain-Generation Seed on the Fly


Malware authors have been using domain-generation algorithms for a few years now, often in botnet-related malware that needs to stay one step ahead of takedown attempts and law enforcement agencies. Now, researchers have discovered that a strain of malware that may have been part of the attack in October on PHP.net is employing a DGA tactic that enables the malware to change the seed it uses to generate the random domains.

The attack on PHP.net a couple of months ago involved attackers compromising the site and then serving malware to visitors, a typical drive-by download scenario. Researchers at Seculert looked at the malware used in the attack and noticed some oddities. The Javascript-based malware didn’t seem to have a clear purpose in mind once it infected users’ machines, other than downloading other malware. After looking at the malware a little more, they did find some interesting characteristics and behavior, especially its ability to contact its C2 server and get a new seed for its DGA.

Domain-generation algorithms are used by malware to generate new, random domains rapidly that the malware can use for command and control. The idea is to avoid having static C2 domains that are easy targets for security researchers and law-enforcement agencies looking to take down the command infrastructure that the attackers use to communicate with infected machines. DGAs often are seen in botnets, but have become fashionable for more mundane malware as well in recent years. After infecting a new machine, the DGA Changer malware, as Seculert has named this piece of software, sends a variety of data back to the attackers, including the OS information, the DGA seed, the version of Adobe Flash running on the machine and whether the malware is running in a virtual machine.
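To make the defensive problem concrete, here is an added illustration (not Seculert's analysis and not DGA Changer's actual algorithm, which the article does not describe): a hypothetical seeded, date-based DGA, a blocklist precomputed from a recovered seed, and a measurement of how much of that blocklist still applies once the operators push a new seed. The seeds, the hashing scheme and the ten-domains-per-day rate are all assumptions made for the example.

```python
import hashlib
from datetime import date, timedelta

def dga_domains(seed: bytes, day: date, count: int = 10, tld: str = ".com") -> list:
    """Derive `count` candidate domains for one day from a seed.
    Hypothetical scheme for illustration only: SHA-256(seed || date || index),
    with the leading hex nibbles mapped onto the letters a-p."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).hexdigest()
        label = "".join(chr(ord("a") + int(c, 16)) for c in digest[:12])
        domains.append(label + tld)
    return domains

def precompute_blocklist(seed: bytes, start: date, days: int, count: int = 10) -> set:
    """What a defender can do once the algorithm and seed are recovered from a sample:
    enumerate every domain the bots will try over a window and block or sinkhole them."""
    block = set()
    for offset in range(days):
        block.update(dga_domains(seed, start + timedelta(days=offset), count))
    return block

def coverage(blocklist: set, seed: bytes, start: date, days: int, count: int = 10) -> float:
    """Fraction of the domains a bot running with `seed` would contact
    that the precomputed blocklist actually catches."""
    live = precompute_blocklist(seed, start, days, count)
    return len(live & blocklist) / len(live)

def seed_change_impact() -> tuple:
    """Coverage of a blocklist built from the original seed, before and after
    the C2 instructs the bots to switch to a new seed (both seeds are constructed)."""
    original_seed, new_seed = b"constructed-seed-A", b"constructed-seed-B"
    start = date(2013, 10, 24)  # constructed window start, 30 days
    blocklist = precompute_blocklist(original_seed, start, 30)
    before = coverage(blocklist, original_seed, start, 30)
    after = coverage(blocklist, new_seed, start, 30)
    return before, after  # -> (1.0, 0.0)
```

The second number is the point: a seed pushed from the C2 server invalidates the entire precomputed list, so the defender must recover the new seed from fresh traffic or a new sample rather than relying on a one-time reverse-engineering effort.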

Aviv Raff, CTO of Seculert, said that after digging into the malware used in the PHP.net attack, it appears that the malware also uses some more conventional tactics, but likely is just the first stage of a more extensive attack.

“We first noticed the DGA-changing capability on the same day as the php.net attack. However, there might have been different variants of this downloader without this new technique, used by the same attackers, beforehand,” Raff said.

“This is most probably a pay-per-install service, which, instead of selling by region, targets specific organizations.”

Seculert researchers said that there are DGA Changer infections around the world, but that most of them so far have been found in the United States. What the malware is going to do in the future remains to be seen, but researchers say that the ability to change the DGA seed is a good indication that there’s more to come.

“Strangely, DGA.Changer doesn’t appear to be downloading anything of value yet. In fact, the only thing it has downloaded so far is a file that…you guessed it…does absolutely nothing. Our speculation is that the adversaries behind DGA.Changer are likely selling bots on a pay-per-install basis from specific companies, and installing other malware only on their machines,” they said in a blog post.

“Why would adversaries deploy a malware which downloads nothing, on a site used by software developers, and then engineer it so that it can receive commands from a C2 server to change the DGA seed? It makes no sense – and that’s worrisome. Not all adversaries are geniuses, but they typically have an agenda. We have no doubt that this is only the beginning of the DGA.Changer story.”

  • Mr Glass on

    Could they simply be getting their hooks into as many computers as possible and analyzing their pool of available resources for resale? Selling access depending on which companies they ended up in rather than selling access to a block of anonymous bots may serve a market niche. Different targets, and different types of (potential) data, have different values depending on who their clients are. An 'insider' just waiting to let a specific attacker in (based on approval of its C2 server) could possibly remain undetected until it serves its purpose ... and may even clean up after the attacker's lease is up.
