Matsnu Backdoor Uses RSA Crypto on Exfiltrated Data


Karamjit

Malware can be used to create a threat distribution network

The innards of a recently discovered malware piece have been analyzed by researchers to better understand the full extent of its functionality and the mechanisms implemented by the author(s) to protect against disruption of the operation.

Security experts at Check Point have named it Matsnu, but products from other antivirus vendors identify it as Androm backdoor (Kaspersky) or Boxed.DQH (AVG).

Stanislav Skuratovich, researcher at Check Point, says that the malware is an infector acting as a backdoor on the compromised machine. Features available include downloading files from a command and control (C&C) server and executing them.

HTTP used to deliver encrypted info to C&C

Once installed, Matsnu can gather information about the system, from user and computer name to version of the operating system, platform architecture, and data about the CPU and the graphics card.

It also checks certain registry keys to determine whether it is running in a virtual environment, which could indicate a malware analysis attempt.

All the packets containing the information collected from the infected machine are encrypted using the RSA asymmetric cryptographic algorithm. At the moment this is considered the strongest type of encryption; it relies on two different keys, a public one for encrypting the data and a private, secret one for decrypting it.

After encrypting the information this way, Matsnu encodes it using the Base64 scheme and sends it to the C&C server via plain HTTP. This method prevents anyone intercepting the traffic from learning the content of the packets.

Packets received from the server, on the other hand, are encrypted with AES and a manual routine. “The AES key is generated by the client side and sent to the server using an AES=%s parameter,” the researchers say in the technical brief.
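The traffic shape described above (RSA-encrypted data, Base64-encoded, sent over plain HTTP, with a client-chosen AES key passed as an `AES=` parameter) can be turned into a simple triage heuristic for proxy logs. The following is an added example for defenders, not code from the report or from Check Point; the request samples are constructed, the `/gate.php` path is hypothetical, and the placement of the `AES` parameter in the query string is an assumption, since the article does not say where the parameter travels.

```python
import base64
import binascii
import hashlib
import math
from urllib.parse import parse_qs, urlsplit


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0..8); RSA ciphertext sits near 8, text near 4."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def decode_strict_base64(text: str):
    """Return decoded bytes if text is valid, padded Base64, else None."""
    try:
        return base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None


def score_request(method: str, url: str, body: str) -> dict:
    """Flag a request whose shape matches RSA -> Base64 -> plain-HTTP beaconing."""
    reasons = []
    parts = urlsplit(url)
    if parts.scheme == "http":
        reasons.append("plain-http")
    if "AES" in parse_qs(parts.query):  # assumed location of the AES=%s parameter
        reasons.append("aes-key-parameter")
    raw = decode_strict_base64(body) if method == "POST" and body else None
    # RSA ciphertext length equals the modulus size (128/256/512 bytes), and
    # it is indistinguishable from random bytes, hence the entropy check.
    if raw is not None and len(raw) % 128 == 0 and shannon_entropy(raw) > 6.5:
        reasons.append("base64-rsa-sized-blob")
    return {"suspicious": len(reasons) >= 3, "reasons": reasons}


def constructed_blob(n: int = 256) -> bytes:
    """Deterministic pseudo-random bytes standing in for a 2048-bit RSA ciphertext (constructed)."""
    out, chunk = b"", b"constructed-seed"
    while len(out) < n:
        chunk = hashlib.sha256(chunk).digest()
        out += chunk
    return out[:n]


# Constructed sample requests (method, URL, body); not real Matsnu traffic.
SAMPLE_REQUESTS = [
    ("POST", "http://example.invalid/gate.php?AES=0f3a9c", base64.b64encode(constructed_blob()).decode()),
    ("GET", "http://example.invalid/index.html", ""),
    ("POST", "http://example.invalid/login", "user=alice&pass=hunter2"),
]
```

Only the first sample satisfies all three indicators; the login POST is plain HTTP but carries neither a key parameter nor an RSA-sized Base64 body.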

DGA mechanism increases resilience to takedowns

The report reveals that Matsnu uses a hard-coded list of domains to contact the C&C server, but it can also generate temporary new ones via a DGA (domain generation algorithm) based on two dictionaries.

This lets the cybercriminals generate several fresh domains they can register and use to communicate with the infected machines. Unless researchers break the generation algorithm, the method can be effective against protection measures such as domain blacklisting, as well as against taking down the botnet.

“Domains are generated for the current day as well as the previous two days, and encrypted for later use,” Skuratovich said.

Since Matsnu can download and execute files, after infecting a significant number of computers, it can be used as a distribution solution for malware handled by other cybercriminals, a model that is common practice at the moment.

Source
