Matsnu: A Deep Dive

Check Point researcher Stanislav Skuratovich recently analyzed a malware called “Matsnu”, an x86 infector that acts as a backdoor after it infiltrates a computer system. This malware is able to upload and execute any code on the infected system. This uploaded code could potentially encrypt files on disc or steal sensitive data.

The malware author(s) used a technique called DGA (Domain Generation Algorithm) to communicate with the C&C server, protecting the malware image from any attempted string dumping, blacklisting dumped domains, or shutting down domains. DGA makes blocking malicious network activities more difficult, because new domains are generated for specified amounts of time. Matsnu has a number of anti-disassembling features and packing techniques which make the analysis process more challenging.

To generate domains, the malware uses two predefined dictionaries, a few constants and variables, and the number of days since the epoch. Domains are generated for the current day as well as the previous two days, and encrypted for later use. The malware tries to connect the hardcoded domains and the domains generated for the current and previous two days.

For a full analysis of the Matsu malware, please view the full report here.