Researchers Intercepted a New Backdoor Called ‘Matsnu’

Blog.checkpoint.com reported on 2nd July, 2015 stating that researcher at security firm Check Point, Stanislav Skuratovich recently discovered a new malware known as "Matsnu" which is an infector which acts like a backdoor after it infiltrates a computer system.

This malware (referring to Matsnu) could possibly upload and execute any types of file on a system which will allow the attacker to execute files and encrypt files on disc or steal sensitive data.

Authors of the malware used a technique called DGA (Domain Generation Algorithm) to communicate with C&C server which protects the image of the malware from any attempted string dumping, blacklisting dumped domains or shutting down of domains. DGA makes blocking of activities related to network more difficult because new domains are generated for specified time period. Matsnu has many anti-disassembling features and packing techniques which make the process of analysis more challenging.

The malware uses two predefined dictionaries such as few constants and variables to generate domains and the number of days since the epoch. Domains are created for the present day along with two previous days and encrypted for use at later stage.

Matsnu after installation can collect information about the computer ranging from user and name of the computer to the edition of the system of the computer, platform architecture, data of CPU and graphics card.

It also confirms certain registry keys to verify if it can run in a virtual atmosphere which can alert about an attempt of malware analysis.

All the packets holding information collected from the maligned machine are encrypted with the use of RSA asymmetric cryptographic algorithm. This is regarded as strongest kind of encryption at the moment and depends on two unlike keys, one 'public' for data encryption process and other private for decryption.

After fastening the data in this manner, Matsnu encodes it with Base64 and tosses it to the C&C server through plain HTTP. This method averts anyone interrupting the traffic from knowing the packets content.

Alternatively, server received packets, are encrypted with AES (Advanced Encryption Standard) as a manual routine.

Interestingly, Kaspersky identifies Matsnu as Androm backdoor and other antivirus firms recognize it as Boxed.DQH (AVG).

» SPAMfighter News - 7/17/2015